Hi,
Is it possible to protect an entire LAN subnet with a WireGuard tunnel? I have
an OpenBSD server hosted at Vultr with a static public IP and a local home
firewall (OpenBSD) with WireGuard configured. Both the local firewall and the
server can ping each other over the WireGuard tunnel.
I am confused about how to force all LAN clients in my home network to use the
WireGuard tunnel via the local firewall. Do I need to add routes, and if so, how
do I do this on my local firewall if the public IP is dynamic and the default
gateway changes regularly?
Server wg0
wg0: flags=80c3<UP,BROADCAST,RUNNING,NOARP,MULTICAST> mtu 1420
index 6 priority 0 llprio 3
wgport 51820
wgpubkey some key
wgpeer some key
wgendpoint 1.144.105.149 14051
tx: 178864, rx: 625268
last handshake: 12 seconds ago
wgaip 10.128.1.0/24
groups: wg
inet 10.128.1.1 netmask 0xffffff00 broadcast 10.128.1.255
Local home Firewall wg0
wg0: flags=80c3<UP,BROADCAST,RUNNING,NOARP,MULTICAST> mtu 1420
index 5 priority 0 llprio 3
wgport 6589
wgpubkey some key
wgpeer some key
wgpka 25 (sec)
wgendpoint 192.0.2.1 51820
tx: 218300, rx: 82640
last handshake: 41 seconds ago
wgaip 0.0.0.0/0
groups: wg egress
inet 10.128.1.2 netmask 0xffffff00 broadcast 10.128.1.255
Route table
Destination Gateway Flags Refs Use Mtu Prio Iface
default 22.230.51.1 UGS 6 9188 - 8 em0
224/4 127.0.0.1 URS 0 0 32768 8 lo0
10.99.1/24 10.99.1.1 UCn 0 10 - 4 em1
10.99.1.1 00:e0:67:15:e7:83 UHLl 0 949 - 1 em1
10.99.1.255 10.99.1.1 UHb 0 60 - 1 em1
10.128.1/24 10.128.1.2 UCn 1 0 - 4 wg0
10.128.1.1 link#0 UHc 0 9 - 3 wg0
10.128.1.2 wg0 UHl 0 150 - 1 wg0
10.128.1.255 10.128.1.2 UHb 0 0 - 1 wg0
22.230.51/24 22.230.51.123 UCn 1 0 - 4 em0
22.230.51.1 82:63:9c:36:23:a2 UHLch 1 3639 - 3 em0
22.230.51.123 00:e0:67:15:e7:82 UHLl 0 1955 - 1 em0
22.230.51.255 22.230.51.123 UHb 0 0 - 1 em0
127/8 127.0.0.1 UGRS 0 0 32768 8 lo0
127.0.0.1 127.0.0.1 UHhl 2 48 32768 1 lo0
Regards
Antonino Sidoti
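Editor's note: the configuration below is an added example of one way to do what the
post asks, not something from the original message or from the OpenBSD project. It
reuses the values visible above (server wg0 10.128.1.1, home firewall wg0 10.128.1.2,
server endpoint 192.0.2.1:51820, LAN 10.99.1.0/24 on em1, ISP uplink on em0); the
key strings are placeholders. The design point is that the home firewall's default
route is left alone, so the DHCP-assigned ISP gateway can change freely: only
LAN-originated packets are policy-routed into wg0 with pf's route-to, while the
encrypted UDP to 192.0.2.1 keeps following whatever default route dhclient or
dhcpleased installed. On OpenBSD wgaip is an access-control list and does not
install routes, so the server needs the LAN in the peer's wgaip and an explicit
return route; without that it silently drops tunnel packets sourced from 10.99.1.x.

```conf
# ===== Vultr server =====
# /etc/hostname.wg0  (example; <...> values are placeholders)
inet 10.128.1.1 255.255.255.0
wgkey <SERVER_PRIVATE_KEY>
wgport 51820
# The peer's allowed IPs must cover the LAN behind the home firewall, or
# wg(4) drops decrypted packets whose source is 10.99.1.0/24.
wgpeer <HOME_FW_PUBLIC_KEY> wgaip 10.128.1.0/24 wgaip 10.99.1.0/24
# wgaip does not add routes; send return traffic for the LAN back into the tunnel.
!route add -inet 10.99.1.0/24 10.128.1.2
up

# /etc/pf.conf additions on the server
match on wg0 scrub (max-mss 1380)                     # 1420 MTU - 40 bytes IP+TCP
pass in on egress proto udp to (egress) port 51820    # WireGuard handshakes/data
pass in on wg0 inet from 10.99.1.0/24                 # LAN traffic arriving via tunnel
match out on egress inet from 10.99.1.0/24 nat-to (egress:0)   # hide LAN behind static IP

# ===== Home firewall =====
# /etc/hostname.wg0  (unchanged in spirit from the output above)
inet 10.128.1.2 255.255.255.0
wgkey <HOME_FW_PRIVATE_KEY>
wgport 6589
# 0.0.0.0/0 lets any destination be sent to the server peer; wgpka keeps the
# ISP NAT mapping alive since the home side has a dynamic address.
wgpeer <SERVER_PUBLIC_KEY> wgendpoint 192.0.2.1 51820 wgaip 0.0.0.0/0 wgpka 25
up

# /etc/pf.conf additions on the home firewall
lan     = "em1"
lan_net = "10.99.1.0/24"
match on wg0 scrub (max-mss 1380)
# Policy-route everything the LAN sends to non-local destinations into the tunnel.
# The default route (em0, DHCP) is untouched; the next hop 10.128.1.1 resolves
# via the existing 10.128.1/24 route on wg0. Return packets match the same state.
pass in on $lan inet from $lan_net to ! $lan_net route-to 10.128.1.1

# /etc/sysctl.conf on both machines: neither box forwards without this.
net.inet.ip.forwarding=1
```

Two caveats when merging this into an existing ruleset: pf uses the last matching
rule, so the route-to rule must come after any general `pass in on em1` rule (or
carry `quick`); and the `route-to address` form is the OpenBSD 6.9 and newer
syntax, while older releases wanted the interface as well, `route-to (wg0
10.128.1.1)`. Verify with `tcpdump -ni wg0` on the server that LAN-sourced
packets actually arrive, and with `pfctl -ss` on the home firewall that states for
10.99.1.x traffic are bound to wg0 rather than em0.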