Setting Wireguard VPN to join network VLAN
2024-06-16 19:40:28 - last edited 2024-06-18 00:56:25
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version: 2.2.5

I was able to create a VPN tunnel on the ER605 and have a workstation connect to it. If I set the Allowed IP to 0.0.0.0/0, then it funnels all traffic over and I do not wish to do that. I only want it to connect/join an already established VLAN in that network (10.0.20.1/24) since it has all my servers in it.

I tried the configuration below and it doesn't appear to connect correctly (I'm not getting any handshakes).

For the Wireguard Profile, the local IP is 10.0.50.1

For the Peer, the Allow Address is 10.0.50.208/32 and 10.0.20.0/24

# Workstation (client) side config
[Interface]
PrivateKey = [redact]
# this workstation's tunnel address
Address = 10.0.50.208/32
DNS = 1.1.1.1

[Peer]
# the ER605's public key
PublicKey = [redact]
# only destinations in these prefixes are sent into the tunnel
AllowedIPs = 10.0.50.1/32, 10.0.20.0/24
Endpoint = [redact]:51820

 

Thanks,
Re:Setting Wireguard VPN to join network VLAN
2024-06-17 01:15:14

Hi @klvny 

Thanks for posting in our business forum.

If you don't even get a connection, you should check your WAN and config of the keys.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
Re:Setting Wireguard VPN to join network VLAN
2024-06-17 04:25:43

@Clive_A

Sorry for the confusion on my end here, but the VPN tunnel works if I set the AllowedIP to 0.0.0.0/0. What I'm trying to do is change it so it just funnels traffic to a specific VLAN instead of all traffic. I have a backup server at a friend's house and it's on VLAN 10.0.20.1/24. I want it so when I connect on Wireguard I'm placed inside that VLAN and can communicate to that device. I don't want other devices on his network to see me (they shouldn't, since there's an ACL rule blocking other VLANs from seeing that server's VLAN).

Re:Setting Wireguard VPN to join network VLAN
2024-06-17 07:02:23

Hi @klvny 

Thanks for posting in our business forum.

If you say you can get a connection and a handshake, I won't bother troubleshooting that mistyped part.

Focus on what you described about the allowed IP stuff. That looks good to me. The allowed IPs are supposed to be set like what you wrote in the OP.

10.0.20.0/24 should be what you configured on the allowed IPs.

I would like to know how you set up the WG on both ends and a diagram would be better.

Re:Setting Wireguard VPN to join network VLAN
2024-06-17 17:01:59

@Clive_A


I asked him to update the firewall rule so I'm technically on an "admin" VLAN. The ACL for this one allows full access to all VLANs. This is what his VLAN looks like

This is what the Wireguard Server looks like

This is what I have for Peer

If I have the IP set to 0.0.0.0/0

I can ping 192.168.0.1 (this is where all his Omada devices lie), 10.0.20.1 (Admin VLAN), and 10.0.50.1 (VPN)

If I were to do AllowedIP 10.0.20.0/24, then I get this:


Re:Setting Wireguard VPN to join network VLAN
2024-06-18 00:56:02

Hi @klvny 

Thanks for posting in our business forum.

OK. Pretty clear now.

So it is expected, unless you add 10.0.50.0/24 and 192.168.0.0/24 to the allowed IPs. ACL currently does not work for the VPN tunnels. I think that's why it does not work.

Would be great for you to view our guide which I explained what Allowed IPs means: How to Configure WireGuard VPN on Omada Controller

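The behaviour described in the reply above follows from how WireGuard treats AllowedIPs: every peer's list is a cryptokey routing table, an outgoing packet is encrypted to the peer holding the longest prefix that matches its destination, and a destination matched by no peer never enters the tunnel at all. The script below is an added example, not code from this thread or from TP-Link/Omada: it re-implements that lookup on client-side configs modelled on the OP's [Peer] section. The public key `ROUTER_PUBKEY`, the endpoint `vpn.example.invalid`, and the "fixed" list that adds 10.0.50.0/24 and 192.168.0.0/24 are placeholders and assumptions, not values from the page.

```python
"""WireGuard cryptokey routing applied to the AllowedIPs in this thread.

Added example, not code from the post or from TP-Link/Omada. It re-implements
the longest-prefix-match rule WireGuard uses on AllowedIPs so the behaviour
reported above can be reproduced offline: with 0.0.0.0/0 every destination is
sent into the tunnel, with only 10.0.50.1/32 and 10.0.20.0/24 the workstation
cannot reach 192.168.0.1 or any other 10.0.50.x host.
"""
import ipaddress

# Constructed client-side config modelled on the OP's; key and endpoint are placeholders.
CLIENT_SPLIT = """
[Interface]
PrivateKey = REDACTED
Address = 10.0.50.208/32
DNS = 1.1.1.1

[Peer]
PublicKey = ROUTER_PUBKEY
AllowedIPs = 10.0.50.1/32, 10.0.20.0/24
Endpoint = vpn.example.invalid:51820
"""

# Full-tunnel variant (everything into the tunnel).
CLIENT_FULL = CLIENT_SPLIT.replace("AllowedIPs = 10.0.50.1/32, 10.0.20.0/24",
                                   "AllowedIPs = 0.0.0.0/0")

# Split-tunnel variant with the two extra subnets suggested in the reply above (assumed list).
CLIENT_FIXED = CLIENT_SPLIT.replace("AllowedIPs = 10.0.50.1/32, 10.0.20.0/24",
                                    "AllowedIPs = 10.0.50.0/24, 10.0.20.0/24, 192.168.0.0/24")


def parse_peers(cfg_text):
    """Return {public_key: [ip_network, ...]} for every [Peer] in a wg-quick style config."""
    peers, section, current = {}, None, None
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # wg config allows '#' comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, current = line[1:-1].lower(), None
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if section != "peer":
            continue                                  # [Interface] keys are not routes
        if key == "publickey":
            current = value
            peers.setdefault(current, [])
        elif key == "allowedips" and current is not None:
            peers[current].extend(ipaddress.ip_network(n.strip(), strict=False)
                                  for n in value.split(",") if n.strip())
    return peers


def select_peer(peers, dst):
    """Outbound lookup: the peer whose AllowedIPs contains the longest prefix
    matching dst, or None, in which case the packet never enters the wg interface."""
    addr = ipaddress.ip_address(dst)
    best_key, best_len = None, -1
    for pub, nets in peers.items():
        for net in nets:
            if addr in net and net.prefixlen > best_len:
                best_key, best_len = pub, net.prefixlen
    return best_key


def accepts_inbound(peers, pub, src):
    """Inbound check: a decrypted packet from peer `pub` is delivered only if its
    inner source address routes back to that same peer. The table is symmetric,
    so AllowedIPs is a source filter as well as a route list."""
    return select_peer(peers, src) == pub


def reachability(cfg_text, destinations):
    """Map each destination to the peer it would be tunnelled to (None = not tunnelled)."""
    peers = parse_peers(cfg_text)
    return {dst: select_peer(peers, dst) for dst in destinations}


if __name__ == "__main__":
    targets = ["10.0.20.1", "10.0.50.1", "10.0.50.2", "192.168.0.1", "1.1.1.1"]
    for name, cfg in [("split", CLIENT_SPLIT), ("full", CLIENT_FULL), ("fixed", CLIENT_FIXED)]:
        print(name, reachability(cfg, targets))
```

Running it shows that only the 0.0.0.0/0 config tunnels 1.1.1.1 (or anything else off-site), and that the split list leaves 192.168.0.1 and 10.0.50.x other than 10.0.50.1 unreachable, exactly as reported. Two things the script makes visible that the UI does not: the same table gates inbound traffic, so a decrypted packet whose inner source lies outside the peer's AllowedIPs is dropped, and with the split list the `DNS = 1.1.1.1` resolver is queried outside the tunnel, because nothing routes 1.1.1.1 into it.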
Re:Setting Wireguard VPN to join network VLAN
2024-06-18 03:08:20

@Clive_A

Got it, that makes a bit more sense. Just for a better sense of security, when I set the AllowedIP to 10.0.50.1/24, 10.0.20.1/24, would other devices already in his network be able to see/communicate with mine (assuming they were on other VLANs)? Since you mentioned ACL does not work for VPN tunnels, does that mean that other VLANs could in theory communicate with 10.0.50.1/24? If so, is there any way to block it? I'd want the device to join and to only be able to communicate with one device on his network. No other devices on his network should be able to see my device.

Re:Setting Wireguard VPN to join network VLAN
2024-06-18 03:17:23

Hi @klvny 

Thanks for posting in our business forum.


ACL still applies to other VLANs. If you have defined rules to stop VLANs from accessing other subnets, they cannot access the tunnels.

As for the router, and WG VPN, it would only route and allow traffic of included subnets.

Re:Setting Wireguard VPN to join network VLAN
2024-06-18 12:19:15

@Clive_A

So in this case, would he need to create a Switch ACL network group with all his VLANs selected (minus the one VLAN reserved for me), then a Deny to an IP Group (10.0.50.1/24)? I guess he would also need to create another one from IP Group (10.0.50.1/24) to deny all communication to his other VLANs, minus the one for me?
