Hi @klvny 

Thanks for posting in our business forum.

If you don't even get a connection, you should check your WAN and config of the keys.

Hi @klvny 

Thanks for posting in our business forum.

klvny wrote

  @Clive_A 

 

Sorry for the confusion on my end here, but the VPN tunnel works if I set the AllowedIP to 0.0.0.0/0. What I'm trying to do is change it so it just funnels traffic to a specific VLAN instead of all traffic. I have a backup server at a friend's house and it's on VLAN 10.0.20.1/24. I want it so when I connect on Wireguard I'm placed inside that VLAN and can communicate to that device. I don't want other devices on his network to see me (they shouldn't since there's a ACL rule blocking other VLANs from seeing that server's VLAN).

If you say that you can get a connection, and a handshake, so I don't bother troubleshooting that mistyped part.

Focus on what you described about the allowed IP stuff. That looks good to me. The allowed IPs are supposed to be set like what you wrote in the OP.

10.0.20.0/24 should be what you configured on the allowed IPs.

I would like to know how you set up the WG on both ends and a diagram would be better.

Hi @klvny 

Thanks for posting in our business forum.

klvny wrote

Clive_A wrote

Hi @klvny 

Thanks for posting in our business forum.

klvny wrote

  @Clive_A 

 

Sorry for the confusion on my end here, but the VPN tunnel works if I set the AllowedIP to 0.0.0.0/0. What I'm trying to do is change it so it just funnels traffic to a specific VLAN instead of all traffic. I have a backup server at a friend's house and it's on VLAN 10.0.20.1/24. I want it so when I connect on Wireguard I'm placed inside that VLAN and can communicate to that device. I don't want other devices on his network to see me (they shouldn't since there's a ACL rule blocking other VLANs from seeing that server's VLAN).

If you say that you can get a connection, and a handshake, so I don't bother troubleshooting that mistyped part.

 

Focus on what you described about the allowed IP stuff. That looks good to me. The allowed IPs are supposed to be set like what you wrote in the OP.

10.0.20.0/24 should be what you configured on the allowed IPs.

 

I would like to know how you set up the WG on both ends and a diagram would be better.

  @Clive_A 

 

I asked him to update the firewall rule so I'm technically on an "admin" VLAN. The ACL for this one allows full access to all VLANs. This is what his VLAN looks like

 

This is what the Wireguard Sever looks like

 

This is what I have for Peer

 

If I have the IP set to 0.0.0.0/0

I can ping 192.168.0.1 (this is where all his Omada devices lie), 10.0.20.1 (Admin VLAN), and 10.0.50.1 (VPN)

 

If I were to do AllowedIP10.0.20.0/24, then I get this:

 

OK. Pretty clear now.

So, it is expected. Unless you add the 10.0.50.0/24 and 192.168.0.0/24 to the allowed IPs. ACL currently does not work for the VPN tunnels. I think that's why it does not work.

Would be great for you to view our guide which I explained what Allowed IPs means: How to Configure WireGuard VPN on Omada Controller

Hi @klvny 

Thanks for posting in our business forum.

klvny wrote

  @Clive_A 

 

Got it that makes a bit more sense. Just for a better sense of security, when I set the AllowedIP to 10.0.50.1/24, 10.0.20.1/24 would other devices already in his network be able to see/communicate with mine (assuming they were on other VLANs)? Since you mentioned ACL does not work for VPN tunnels, then does that mean that other VLANs could in theory communicate with 10.0.50.1/24? If so, is there any way to block it? I'd want the device to join and to only be able to communicate with one device on his network. No other devices on his network should be able to see my device. 

ACL still applies to other VLANs. If you have defined rules to stop VLANs from accessing other subnets, they cannot access the tunnels.

As for the router, and WG VPN, it would only route and allow traffic of included subnets.