Re: Protecting entire LAN subnet with Wireguard

Many thanks, I will check out the article.

Antonino Sidoti

> On 22 Mar 2021, at 3:27 pm, Daniel Jakots wrote:
>
> On Sun, 21 Mar 2021 23:49:37 -0400, Daniel Jakots wrote:
>
>> On Mon, 22 Mar 2021 14:34:00 +1100, Antonino Sidoti
>> wrote:
>>
>>> I am confused on how to force all LAN clients in my home network to
>>> use the WireGuard tunnel via the local firewall. Do I need to add routes
>>> and, if so, how do I do this on my local firewall if the public IP is
>>> dynamic and the default gateway changes regularly?
>>
>> To make all the traffic go through Wireguard®, you can do
>>
>> # route add default -link -iface wg0
>>
>> Having a dynamic IP at home means that if the IP changes, the server
>> won't be able to initiate the tunnel but AFAIK, that's the only
>> problem.
>
> After thinking more about it, I see what the problem is.
>
> So maybe using some rdomains/rtables as described in
> https://codimd.laas.fr/s/NMc3qt5PQ#
Protecting entire LAN subnet with Wireguard

Hi,

Is it possible to protect an entire LAN subnet with a WireGuard tunnel? I have an OpenBSD server hosted at Vultr with a static public IP and a local home firewall (OpenBSD) with WireGuard configured. Both the local firewall and the server can ping each other using the WireGuard tunnel.

I am confused on how to force all LAN clients in my home network to use the WireGuard tunnel via the local firewall. Do I need to add routes and, if so, how do I do this on my local firewall if the public IP is dynamic and the default gateway changes regularly?

Server wg0

wg0: flags=80c3 mtu 1420
        index 6 priority 0 llprio 3
        wgport 51820
        wgpubkey some key
        wgpeer some key
                wgendpoint 1.144.105.149 14051
                tx: 178864, rx: 625268
                last handshake: 12 seconds ago
                wgaip 10.128.1.0/24
        groups: wg
        inet 10.128.1.1 netmask 0xff00 broadcast 10.128.1.255

Local home firewall wg0

wg0: flags=80c3 mtu 1420
        index 5 priority 0 llprio 3
        wgport 6589
        wgpubkey some key
        wgpeer some key
                wgpka 25 (sec)
                wgendpoint 192.0.2.1 51820
                tx: 218300, rx: 82640
                last handshake: 41 seconds ago
                wgaip 0.0.0.0/0
        groups: wg egress
        inet 10.128.1.2 netmask 0xff00 broadcast 10.128.1.255

Route table

Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            22.230.51.1        UGS        6     9188     -     8 em0
224/4              127.0.0.1          URS        0        0 32768     8 lo0
10.99.1/24         10.99.1.1          UCn        0       10     -     4 em1
10.99.1.1          00:e0:67:15:e7:83  UHLl       0      949     -     1 em1
10.99.1.255        10.99.1.1          UHb        0       60     -     1 em1
10.128.1/24        10.128.1.2         UCn        1        0     -     4 wg0
10.128.1.1         link#0             UHc        0        9     -     3 wg0
10.128.1.2         wg0                UHl        0      150     -     1 wg0
10.128.1.255       10.128.1.2         UHb        0        0     -     1 wg0
22.230.51/24       22.230.51.123      UCn        1        0     -     4 em0
22.230.51.1        82:63:9c:36:23:a2  UHLch      1     3639     -     3 em0
22.230.51.123      00:e0:67:15:e7:82  UHLl       0     1955     -     1 em0
22.230.51.255      22.230.51.123      UHb        0        0     -     1 em0
127/8              127.0.0.1          UGRS       0        0 32768     8 lo0
127.0.0.1          127.0.0.1          UHhl       2       48 32768     1 lo0

Regards
Antonino Sidoti
Re: Protecting entire LAN subnet with Wireguard

On Sun, 21 Mar 2021 23:49:37 -0400, Daniel Jakots wrote:

> On Mon, 22 Mar 2021 14:34:00 +1100, Antonino Sidoti
> wrote:
>
> > I am confused on how to force all LAN clients in my home network to
> > use the WireGuard tunnel via the local firewall. Do I need to add routes
> > and, if so, how do I do this on my local firewall if the public IP is
> > dynamic and the default gateway changes regularly?
>
> To make all the traffic go through Wireguard®, you can do
>
> # route add default -link -iface wg0
>
> Having a dynamic IP at home means that if the IP changes, the server
> won't be able to initiate the tunnel but AFAIK, that's the only
> problem.

After thinking more about it, I see what the problem is.

So maybe using some rdomains/rtables as described in
https://codimd.laas.fr/s/NMc3qt5PQ#
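As an added example that is not from this thread or from the linked article: one way to lay out the rdomain split Daniel mentions on an OpenBSD home firewall, reusing the interface names (em0 WAN, em1 LAN), addresses and ports from Antonino's posted ifconfig and route output. The WAN interface is moved into rdomain 1 so a plain default route via the tunnel in rdomain 0 cannot capture the tunnel's own UDP packets, and nothing in rdomain 0 can reach the WAN directly. Key values are placeholders, and the pf rules are my assumption of a minimal ruleset.

```conf
# /etc/sysctl.conf
net.inet.ip.forwarding=1

# /etc/hostname.em0 -- WAN with a dynamic address, isolated in rdomain 1.
# The DHCP default route therefore lands in rtable 1, not rtable 0.
# (write "dhcp" instead of "inet autoconf" on releases before 6.9)
rdomain 1
inet autoconf

# /etc/hostname.em1 -- LAN side stays in the default rdomain 0
inet 10.99.1.1 255.255.255.0

# /etc/hostname.wg0 -- the tunnel interface lives in rdomain 0, but
# "wgrtable 1" makes it send its encrypted UDP packets using rtable 1,
# so the default route added below can never swallow them.
wgkey <home firewall private key, placeholder> wgport 6589 wgrtable 1
wgpeer <server public key, placeholder> wgendpoint 192.0.2.1 51820 wgaip 0.0.0.0/0 wgpka 25
inet 10.128.1.2 255.255.255.0
# rtable 0 has no other default route: if the tunnel is down, LAN
# traffic has nowhere to leak to, instead of falling back to em0.
!route -T 0 add -inet default 10.128.1.1

# /etc/pf.conf -- relevant rules only; rules without an "rdomain"
# keyword apply to every routing domain.
lan = "em1"
wan = "em0"
set skip on lo
block all
pass in on $lan inet from $lan:network
# clamp MSS to the 1420-byte tunnel MTU minus IPv4 and TCP headers
match on wg0 scrub (max-mss 1380)
# hide the LAN behind the tunnel address, so the server side only needs
# "wgaip 10.128.1.0/24" for this peer, as in the posted server config
match out on wg0 inet from $lan:network nat-to (wg0)
pass out on wg0
# the firewall's own traffic in rdomain 1: WireGuard UDP and DHCP.
# The stateful rule plus wgpka 25 keeps the return path open.
pass out on $wan
```

With this layout the LAN does not need any knowledge of the public IP or the upstream gateway; when the DHCP address changes, only rtable 1 changes and the tunnel re-establishes from the new address on the next keepalive.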
Re: Protecting entire LAN subnet with Wireguard

On Mon, 22 Mar 2021 14:34:00 +1100, Antonino Sidoti wrote:

> I am confused on how to force all LAN clients in my home network to
> use the WireGuard tunnel via the local firewall. Do I need to add routes
> and, if so, how do I do this on my local firewall if the public IP is
> dynamic and the default gateway changes regularly?

To make all the traffic go through Wireguard®, you can do

# route add default -link -iface wg0

Having a dynamic IP at home means that if the IP changes, the server
won't be able to initiate the tunnel but AFAIK, that's the only
problem.

Cheers,
Daniel