WireGuard / wireguard-vyatta-ubnt

WireGuard for Ubiquiti Devices
https://www.wireguard.com/
GNU General Public License v3.0

Instructions #21

Closed joshuaellinger closed 2 years ago

joshuaellinger commented 4 years ago

Hey, as a software engineer who is new-ish to IP routing, I'm having a little trouble understanding what my subnet should be to support VPN clients. I suspect I can figure it out with a little trial and error but it would be helpful if you state what the starting configuration of the router is. The key question (for me) is whether the WG interface should be on the same subnet as the switch or not.

I have a 10.0.0.1/16 setup for the switch interface. I have a server that I want to connect to on 10.0.0.10, say with HTTP to keep it simple. Let's say the public IP of the firewall is 192.95.5.69.

The client part seems simple. I create a public key on the server for this particular client. On the client, I create a wg interface that uses the public key and tell it to direct traffic to 192.95.5.69:51820. I set up the client's wg interface so that it handles all traffic to 10.0.0.0/16.

I point a web browser to 10.0.0.10:80. The traffic goes to the local wg instance, gets encrypted with the public key and sent to 192.95.5.69:51820 using UDP.

When it gets to the server, I'm not as confident in what happens. Should my server side subnet be 10.0.200.0/24 or 10.1.0.0/24 or does it matter?

Let's assume 10.0.200.0/24 works. The firewall checks the port and forwards it to WG. WG decrypts it and associates it locally as coming from 10.0.200.1. Then it routes the request to 10.0.0.10:80 using TCP. The web server sends the reply back to 10.0.200.1, which then reverses the process and pushes it out to the client.

But maybe it doesn't work that way because the WG interface is not owned by the switch and the switch owns all of 10.0.0.0/16. Then it breaks unless I put the WG interface as another interface under the switch.

I just don't know enough about IP routing to reason through it, so it would be helpful if the examples documented the basic setup of the firewall (public IP, switch subnet) for clarity.

Amoeba00 commented 4 years ago

You may want to post this on the UI Wireguard forums as that's a place more apt to help folks with troubleshooting.

FossoresLP commented 4 years ago

@joshuaellinger AFAIK EdgeOS does not allow multiple network interfaces to share the same subnet. This is not something to do with WireGuard, so this might be the wrong place to document this limitation. Your devices and the WireGuard interface should share one subnet while your normal network is on another one.
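As an added example (not from this issue or the project's own code), a small Python helper that works through the subnet question above: it rejects a wg0 subnet that overlaps the LAN the switch already owns, which is the limitation FossoresLP describes, and otherwise renders the matching EdgeOS `set` commands (command syntax as shown in this repository's README; the `WAN_LOCAL` ruleset name and rule number are assumptions) plus the client-side wg-quick config. All addresses and the key are constructed placeholders.

```python
import ipaddress


def subnets_overlap(lan_cidr: str, wg_cidr: str) -> bool:
    """True when the wg0 subnet collides with the LAN subnet.

    lan_cidr may be given as an interface address (10.0.0.1/16); the
    network it belongs to is what the switch interface owns."""
    lan = ipaddress.ip_interface(lan_cidr).network
    wg = ipaddress.ip_network(wg_cidr, strict=False)
    return lan.overlaps(wg)


def plan_tunnel(lan_cidr: str, wg_cidr: str, endpoint: str, client_pubkey: str) -> dict:
    """Validate the subnet choice and render router + client configuration.

    Raises ValueError on overlap, since EdgeOS will not let two interfaces
    claim the same subnet. The router takes the first host of wg_cidr and the
    (single) client the second; the client routes the whole LAN through wg0."""
    if subnets_overlap(lan_cidr, wg_cidr):
        raise ValueError(f"{wg_cidr} overlaps LAN {lan_cidr}; choose a disjoint subnet")
    lan = ipaddress.ip_interface(lan_cidr).network
    wg = ipaddress.ip_network(wg_cidr, strict=False)
    router_ip, client_ip = list(wg.hosts())[:2]
    port = endpoint.rsplit(":", 1)[1]
    edgeos = [  # EdgeOS configure-mode commands, as in the README
        f"set interfaces wireguard wg0 address {router_ip}/{wg.prefixlen}",
        f"set interfaces wireguard wg0 listen-port {port}",
        "set interfaces wireguard wg0 route-allowed-ips true",
        f"set interfaces wireguard wg0 peer {client_pubkey} allowed-ips {client_ip}/32",
        "set interfaces wireguard wg0 private-key /config/auth/wg.key",
        # Assumed ruleset name/number: lets the UDP handshake reach the router.
        "set firewall name WAN_LOCAL rule 20 action accept",
        "set firewall name WAN_LOCAL rule 20 protocol udp",
        f"set firewall name WAN_LOCAL rule 20 destination port {port}",
    ]
    client_conf = "\n".join([
        "[Interface]",
        f"Address = {client_ip}/{wg.prefixlen}",
        "PrivateKey = <client private key>",
        "",
        "[Peer]",
        "PublicKey = <router public key>",
        f"Endpoint = {endpoint}",
        f"AllowedIPs = {lan}, {wg}",  # LAN plus the tunnel subnet itself
        "PersistentKeepalive = 25",
    ])
    return {"router_ip": str(router_ip), "client_ip": str(client_ip),
            "edgeos": edgeos, "client_conf": client_conf}
```

With the LAN at 10.0.0.1/16, 10.0.200.0/24 is rejected while 10.1.0.0/24 is accepted, which is the concrete answer to the "does it matter" question in the post.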