Setting Wireguard VPN to join network VLAN
I was able to create a VPN tunnel on the ER605 and have a workstation connect to it. If I set the Allowed IP to 0.0.0.0/0, then it funnels all traffic over, and I do not wish to do that. I only want it to connect/join an already established VLAN in that network (10.0.20.1/24), since it has all my servers in it.
I tried the configuration below and it doesn't appear to connect correctly (I'm not getting any handshakes).
For the Wireguard Profile, the local IP is 10.0.50.1
For the Peer, the Allow Address is 10.0.50.208/32 and 10.0.20.0/24
[Interface]
PrivateKey = [redact]
Address = 10.0.50.208/32
DNS = 1.1.1.1
[Peer]
PublicKey = [redact]
AllowedIPs = 10.0.50.1/32, 10.0.20.0/24
Endpoint = [redact]:51820
Thanks,
Hi @klvny
Thanks for posting in our business forum.
If you don't even get a connection, you should check your WAN and config of the keys.
Sorry for the confusion on my end here, but the VPN tunnel works if I set the AllowedIP to 0.0.0.0/0. What I'm trying to do is change it so it just funnels traffic to a specific VLAN instead of all traffic. I have a backup server at a friend's house and it's on VLAN 10.0.20.1/24. I want it so when I connect on Wireguard I'm placed inside that VLAN and can communicate with that device. I don't want other devices on his network to see me (they shouldn't, since there's an ACL rule blocking other VLANs from seeing that server's VLAN).
Hi @klvny
Thanks for posting in our business forum.
If you say that you can get a connection and a handshake, then I won't bother troubleshooting that mistyped part.
Focus on what you described about the allowed IP stuff. That looks good to me. The allowed IPs are supposed to be set like what you wrote in the OP.
10.0.20.0/24 should be what you configured on the allowed IPs.
I would like to know how you set up the WG on both ends and a diagram would be better.
I asked him to update the firewall rule so I'm technically on an "admin" VLAN. The ACL for this one allows full access to all VLANs. This is what his VLAN looks like
This is what the Wireguard Server looks like
This is what I have for Peer
If I have the IP set to 0.0.0.0/0
I can ping 192.168.0.1 (this is where all his Omada devices lie), 10.0.20.1 (Admin VLAN), and 10.0.50.1 (VPN)
If I were to do AllowedIP 10.0.20.0/24, then I get this:
Hi @klvny
Thanks for posting in our business forum.
OK. Pretty clear now.
So, it is expected. Unless you add the 10.0.50.0/24 and 192.168.0.0/24 to the allowed IPs. ACL currently does not work for the VPN tunnels. I think that's why it does not work.
It would be great for you to view our guide, in which I explained what Allowed IPs mean: How to Configure WireGuard VPN on Omada Controller
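As an added example (not from this thread or from TP-Link), the Python script below models WireGuard's cryptokey routing against a client config shaped like the one in the original post: a destination is only sent into the tunnel when it falls inside an AllowedIPs prefix, which is why 192.168.0.1 answered pings with 0.0.0.0/0 but not with 10.0.20.0/24. The keys and endpoint are placeholders, and the destination list is constructed from the addresses mentioned in the thread.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed client config modelled on the original post; keys and endpoint
# are placeholders, not real values.
CLIENT_CONF = """\
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
Address = 10.0.50.208/32
DNS = 1.1.1.1
[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY
AllowedIPs = 10.0.50.1/32, 10.0.20.0/24
Endpoint = vpn.example.invalid:51820
"""

def parse_allowed_ips(conf: str) -> List[ipaddress.IPv4Network]:
    """Collect every AllowedIPs prefix from all [Peer] sections.
    strict=False masks host bits, so "10.0.50.1/24" is read as 10.0.50.0/24."""
    nets = []
    for line in conf.splitlines():
        key, _, value = line.partition("=")
        if key.strip().lower() == "allowedips":
            for cidr in value.split(","):
                nets.append(ipaddress.ip_network(cidr.strip(), strict=False))
    return nets

def tunnel_route(dest: str, allowed: List[ipaddress.IPv4Network]) -> Optional[ipaddress.IPv4Network]:
    """Longest-prefix match over AllowedIPs. A packet enters the WireGuard
    interface only if its destination matches some prefix; otherwise it stays
    on the host's normal routing table and never reaches the remote LAN."""
    ip = ipaddress.ip_address(dest)
    matches = [n for n in allowed if ip in n]
    return max(matches, key=lambda n: n.prefixlen) if matches else None

def is_full_tunnel(allowed: List[ipaddress.IPv4Network]) -> bool:
    """True when 0.0.0.0/0 is present, i.e. all traffic is funnelled over."""
    return any(n.prefixlen == 0 for n in allowed)

def reachability(conf: str, dests: List[str]) -> Dict[str, bool]:
    """Map each destination to whether this config would route it into the tunnel."""
    allowed = parse_allowed_ips(conf)
    return {d: tunnel_route(d, allowed) is not None for d in dests}

if __name__ == "__main__":
    allowed = parse_allowed_ips(CLIENT_CONF)
    print("full tunnel:", is_full_tunnel(allowed))
    for d, ok in reachability(CLIENT_CONF, ["10.0.20.1", "10.0.50.1", "192.168.0.1"]).items():
        print(f"{d}: {'via tunnel' if ok else 'not routed into tunnel'}")
```

Adding 192.168.0.0/24 to AllowedIPs (as suggested above) flips the last line to "via tunnel" without widening the route to 0.0.0.0/0.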
Got it that makes a bit more sense. Just for a better sense of security, when I set the AllowedIP to 10.0.50.1/24, 10.0.20.1/24 would other devices already in his network be able to see/communicate with mine (assuming they were on other VLANs)? Since you mentioned ACL does not work for VPN tunnels, then does that mean that other VLANs could in theory communicate with 10.0.50.1/24? If so, is there any way to block it? I'd want the device to join and to only be able to communicate with one device on his network. No other devices on his network should be able to see my device.
Hi @klvny
Thanks for posting in our business forum.
ACL still applies to other VLANs. If you have defined rules to stop VLANs from accessing other subnets, they cannot access the tunnels.
As for the router, and WG VPN, it would only route and allow traffic of included subnets.
So in this case, would he need to create a Switch ACL Network group, with all his VLANs selected (minus the one VLAN reserved for me), then a Deny to an IP Group (10.0.50.1/24)? I guess he would also need to create another one from IP Group (10.0.50.1/24) to deny all communication to his other VLANs, minus the one for me?