Port forwarding through a Site-to-Site VPN

Let's say I have the following setup, where I've set up a point-to-point VPN:

https://preview.redd.it/y2z9kn3uf1q91.png?width=540&format=png&auto=webp&s=b962645eae2ce0c8fbd43bb2771260c3a6168a12

Now if I checked my public-facing IP at the office, it would be the Headquarters one, but if I wanted to port forward a server in the satellite office, how would I go about doing that? Because the subnets are different, my understanding is that the router on the HQ end would not have a valid IP to port forward. (I think this because my ISP-provided box only allows me to port forward devices on its own 192.168.0.0/24 subnet, so if the client end has a subnet of 192.168.1.0/24, it won't allow me to make a rule.)

Another question: if I set up something like the above, where the office's network has a strict NAT, would setting up a site-to-site VPN on a switch allow it to bypass the restrictions of the network with a VPN?

Thanks and sorry in advance if some of my wording is unclear.

I think this because my ISP-provided box only allows me to port forward devices on its own 192.168.0.0/24 subnet, so if the client end has a subnet of 192.168.1.0/24, it won't allow me to make a rule.

Do you get an error message on the router or is that a guess?

One issue is that the site with the server needs a site-to-internet VPN, not a site-to-site VPN, because the forwarded packets can contain any source address. And you need policy-based routing if you don't want to use the tunnel for all internet access.

Also, each router needs a route to the LAN of the remote site.

Ok, so this may end up being pointless, because the client network, called Eduroam, blocks random port access as a security measure, to the point that you can't even use other DNS servers. I will probably have to change the port of wg to one that's more common and see if that is let through.

E.g., I have a web server on the satellite side and want to access it from the HQ WAN from an external device. Normally, I would set up a server, port forward port 80 and then access my web server from the WAN IP:80.

So the ISP-provided router only lets me define the last digits of the IP, e.g. 192.168.0.___, so it's impossible to put in an IP for any other subnet.

The situation is that at the client side I don't have access to any management tools, just a simple internet connection, without any ability to open ports etc. What I wanted is, for example, a Pi with two interfaces, one connected to the internet (and the HQ VPN server) and one to a switch, where the switch would be connected to the "HQ" LAN, so I can open ports/have an open NAT etc.

If you’re saying you can’t establish a WG tunnel at all, then that’s a problem of course.

But if you can establish a tunnel, as in your diagram, then connecting to any port on any machine on either side of the tunnel should be fairly straightforward.

if I wanted to port forward a server in the satellite office, how would I go about doing that, because the subnets are different, my understanding is that the router on the HQ end would not have a valid IP to port forward.

With a WG tunnel in place, you’re only using the internet-facing routers to establish the tunnel. Beyond that, traffic can be routed through the tunnel.

However, WG is not “port forwarding”. It’s actually routing traffic. The difference in a case like this is that you can use the actual IP addresses of the target machines to access them.

For example, on the WG machine in the satellite office, if you include a line in the WG conf under the HQ Peer section that says AllowedIPs = 10.15.0.0/24, this will cause WG to route any packets it receives for those addresses to the HQ gateway. Assuming you have your routing rules set up correctly (e.g. with iptables on Linux), this will allow you to access any machine in HQ directly using its LAN address.

You can similarly specify AllowedIPs = 10.23.0.0/24 in the satellite Peer section of the HQ gateway to be able to route traffic to the machines in the satellite office.

This is a maximally permissive situation, which gives both networks complete access to each other. You can list specific IPs in the configuration if you want to be more restrictive.

By external device you mean outside the HQ network? (If it’s inside HQ, the tunnel as already discussed should take care of it.)

In that case, one option would just be to connect to both WG gateways separately from the external machine (or external network if you’re setting up another WG gateway there.) Traffic for each network will be routed through the appropriate interface based on the AllowedIPs setting, and there’s no need to go through an extra hop via HQ.

But if you do want to go through the HQ WG gateway to get to the satellite network, that can work also. In that case on the external side you’d specify both HQ and satellite networks as AllowedIPs, and connect to the HQ WG gateway. When the traffic hits that, the routing rules there should send it to the satellite network.

So the ISP-provided router only lets me define the last digits of the IP, e.g. 192.168.0.___, so it's impossible to put in an IP for any other subnet.

You shouldn’t need to use your ISP router to route traffic for WG addresses (unless it has built-in VPN support.) WG itself will handle that, in combination with routing rules on the WG machines (e.g. iptables).

See my other comment for more.

Thanks for the reply, it was very helpful. I did realise that for my normal VPN, which I use to access my home lab, I included my home network's subnet in the AllowedIPs section, which allowed me to access my servers, TrueNAS for example, as if I was on the network.

What I was wondering was, if I wanted to access one of the servers in the satellite office via the HQ WAN (through the tunnel), how would I specify that to the router? But I think that wouldn't be possible because the ISP-provided router does not let me define any rules outside of its own subnet.

I think that wouldn't be possible because the ISP-provided router does not let me define any rules outside of its own subnet.

You wouldn’t use the ISP router for that, but you should be able to configure Wireguard to do it.

if I wanted to access one of the servers in the satellite office via the HQ WAN (through the tunnel)

Do you mean from a machine on the HQ network? Or from a machine outside both networks, like your home?

If you’re on the HQ network, as long as:

  1. AllowedIPs on the HQ side includes the IP address of the server you want to access in the satellite office, and…
  2. The HQ machine you’re accessing from has routing rules to route that address through the WG server

…then you should be able to access a machine in the satellite office.

Perhaps you’re asking whether you can use the ISP router to handle #2 above, so that you don’t have to set up routing rules on individual machines in the HQ network? If so then you’re correct, the ISP router may not be able to handle that. In that case there may be other solutions, depending on the protocol(s) you’re trying to use - e.g. using a proxy to set up something more like port forwarding.
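Added example (not from anyone in this thread): a small Python model of the two conditions listed above and of the AllowedIPs behaviour described in the earlier reply. WireGuard's "cryptokey routing" hands an outbound packet to the peer whose AllowedIPs covers the destination (most specific prefix wins) and silently drops packets that match no peer; the hosts themselves still need an ordinary route pointing at the WG gateway. The two LANs (10.15.0.0/24 and 10.23.0.0/24) are the ones used in the thread; the server address 10.23.0.80, the node names, the ISP router's default route and the external device are constructed for the model.

```python
"""Model of routing through a WireGuard site-to-site tunnel (constructed example).
It traces a packet hop by hop and shows where it dies when either the host
route (step 2 in the thread) or the gateway's AllowedIPs (step 1) is missing."""
import ipaddress
from dataclasses import dataclass, field

ON_LINK = "on-link"   # destination is on a directly attached LAN
WG = "wg0"            # route points into the WireGuard interface


@dataclass
class Peer:
    name: str          # node reachable through this [Peer] entry
    allowed_ips: list  # ip_network objects from the peer's AllowedIPs line


@dataclass
class Node:
    name: str
    routes: list = field(default_factory=list)  # (ip_network, next hop)
    peers: list = field(default_factory=list)   # WireGuard peers, if a WG endpoint


def longest_match(candidates, dst):
    """Most specific (ip_network, value) containing dst; None if nothing matches."""
    best = None
    for net, value in candidates:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, value)
    return None if best is None else best[1]


def select_peer(node, dst):
    """Cryptokey routing: the peer whose AllowedIPs contains dst, else None."""
    return longest_match(((n, p.name) for p in node.peers for n in p.allowed_ips), dst)


def trace(topology, src, dst):
    """Node names a packet from src visits; the last element is dst on success
    or a tag saying where the packet was lost."""
    dst_ip = ipaddress.ip_address(dst)
    path, current = [src], src
    for _ in range(10):  # loop guard
        node = topology.get(current)
        if node is None:  # went out of the modelled network (e.g. to the ISP)
            return path + ["DISCARDED(left via default route)"]
        nxt = longest_match(node.routes, dst_ip)
        if nxt is None:
            return path + ["NO_ROUTE"]
        if nxt == ON_LINK:
            return path + [str(dst_ip)]
        if nxt == WG:
            nxt = select_peer(node, dst_ip)
            if nxt is None:  # WireGuard drops packets no peer is allowed to receive
                return path + ["DROPPED(no AllowedIPs match)"]
        path.append(nxt)
        current = nxt
    return path + ["LOOP"]


def net(s):
    return ipaddress.ip_network(s)


HQ_LAN, SAT_LAN = net("10.15.0.0/24"), net("10.23.0.0/24")  # subnets from the thread
SAT_SERVER = "10.23.0.80"                                   # constructed server address


def build_topology(hq_allows_satellite=True):
    """hq_allows_satellite=False leaves the satellite LAN out of the HQ gateway's
    AllowedIPs for its satellite peer (the misconfiguration of step 1)."""
    hq_gw = Node("hq-gw", routes=[(HQ_LAN, ON_LINK), (SAT_LAN, WG)],
                 peers=[Peer("sat-gw", [SAT_LAN] if hq_allows_satellite else [])])
    sat_gw = Node("sat-gw", routes=[(SAT_LAN, ON_LINK), (HQ_LAN, WG)],
                  peers=[Peer("hq-gw", [HQ_LAN])])
    # HQ host that has the per-host route of step 2 ...
    hq_host = Node("hq-host", routes=[(HQ_LAN, ON_LINK), (SAT_LAN, "hq-gw"),
                                      (net("0.0.0.0/0"), "isp-router")])
    # ... and one that relies only on the ISP router's default route
    hq_host_noroute = Node("hq-host-noroute",
                           routes=[(HQ_LAN, ON_LINK), (net("0.0.0.0/0"), "isp-router")])
    isp_router = Node("isp-router", routes=[(HQ_LAN, ON_LINK), (net("0.0.0.0/0"), "internet")])
    # External device (constructed): both LANs under the HQ peer, so it reaches
    # the satellite via the extra hop through HQ, as the earlier reply describes
    external = Node("external", routes=[(HQ_LAN, WG), (SAT_LAN, WG)],
                    peers=[Peer("hq-gw", [HQ_LAN, SAT_LAN])])
    return {n.name: n for n in (hq_gw, sat_gw, hq_host, hq_host_noroute, isp_router, external)}


if __name__ == "__main__":
    topo = build_topology()
    for src in ("hq-host", "hq-host-noroute", "external"):
        print(f"{src} -> {SAT_SERVER}: " + " -> ".join(trace(topo, src, SAT_SERVER)))
    broken = build_topology(hq_allows_satellite=False)
    print("hq-gw missing AllowedIPs for the satellite LAN: "
          + " -> ".join(trace(broken, "hq-host", SAT_SERVER)))
```

Running it shows the working path hq-host, hq-gw, sat-gw, 10.23.0.80 for both the HQ host and the external device, while the host without the route sends the packet out through the ISP router's default route, and a gateway whose AllowedIPs omits the satellite LAN drops it at hq-gw. The same model applies in reverse for the satellite side, where the HQ LAN must appear in the satellite gateway's AllowedIPs for the HQ peer and on the satellite hosts' routing tables.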