* Setting Wireguard for enabling remote access to a SOHO DMZ service
@ 2019-08-14 11:42 Dimitar Vassilev
From: Dimitar Vassilev @ 2019-08-14 11:42 UTC (permalink / raw)
  To: wireguard



Dear Wireguard users and developers,

I'm in the planning phase of enabling remote access to a SOHO DMZ service
for myself and a few peers. I would appreciate it if you could help me clear
the uncertainties before me at the drawing board/implementation level.
My setup is:

   - LibreCMC 1.4.8 with latest stock wireguard from the LibreCMC repo. The
   router is being fed with Internet by DHCP from my ISP.
   - DMZ VLAN
   - DMZ network hosting the service - /24. Say 192.168.200.0/24
   - Internal LAN - /24, fed by the internal DHCP. Say 192.168.100.0/24
   - default route - say 192.168.20.1
   - DMZ firewall zone. Only outgoing DMZ traffic is allowed for the time
   being.
   - LAN firewall zone. Outgoing traffic to wan + DMZ is allowed
   - NAT-traversal
   - DynDNS
   - Peer with "public" /24 network - 10.10.10.0/24

What I would like to achieve is:

   - Set up a wireguard interface in the same DMZ network range or a subset
   of it
   - Port-forward the wireguard traffic from my peer to the DMZ wireguard
   VPN entry-point for the particular service
   - Route the rest of the traffic unencrypted
I've checked the manual and quick deployment guide and would appreciate
your feedback on doing the things in the proper way. The specific questions
I have are:
   - Is it a good idea to put the wg interface in the same network range as
   the DMZ, or should I split the DMZ into 2 x /25 networks or pick a separate
   wireguard network?
   - Given that I'm assigned a default route via DHCP, should I create
   custom static routes like in the example below on the command line

              # ip route add 10.10.10.0/24 via 192.168.20.1 dev eth1

or should I leave this up to the routing daemons to decide themselves? I'm
still mixing up the concepts of the different VPN implementations. I also
see from web searching that in LuCI I have a checkbox to resolve my problems
with routing the private networks.

Thanks for your comments and feedback!

Dimitar
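As an added illustration (not from the post or its author), the following standard-library Python script sanity-checks the addressing plan above: a candidate wg0 subnet is tested for overlap with the DMZ, LAN and peer ranges, the DMZ /24 is split into the two /25s the post mentions, and the routes wg-quick installs from a peer's AllowedIPs are listed, which is why the peer prefix needs no manual route via the ISP default gateway. The wg0 address 192.168.200.129/25, port 51820, the peer key placeholder, and the assumption that the peer's 10.10.10.0/24 is meant to be reached through the tunnel are all my own.

```python
from ipaddress import ip_network

# Constructed from the post: the two router-side subnets and the peer's network.
DMZ = ip_network("192.168.200.0/24")
LAN = ip_network("192.168.100.0/24")
PEER_NET = ip_network("10.10.10.0/24")   # the peer's "public" /24 (assumed to go via the tunnel)
WG_IF = "wg0"                            # assumed interface name


def overlaps_existing(candidate, existing=(DMZ, LAN, PEER_NET)):
    """Networks in `existing` that the candidate wg0 subnet overlaps.

    wg-quick installs a route for the interface prefix on wg0; if that prefix is
    already a connected route on the DMZ VLAN, the kernel holds two routes for one
    range and replies can leave on the wrong interface. Non-empty result means:
    pick another range, or carve one out with split_dmz()."""
    cand = ip_network(candidate, strict=False)
    return [n for n in existing if cand.overlaps(n)]


def split_dmz(dmz=DMZ):
    """The '2 x /25' option from the post: first half stays for DMZ hosts, the
    second half is free for the tunnel, so the two never overlap."""
    return list(dmz.subnets(prefixlen_diff=1))


def routes_from_allowed_ips(allowed_ips, ifname=WG_IF):
    """Routes wg-quick adds for a peer's AllowedIPs: each prefix is bound to the
    tunnel interface, not sent 'via <gw> dev eth1', so the peer network needs no
    hand-written static route towards the ISP default gateway."""
    return [f"ip route add {ip_network(a, strict=False)} dev {ifname}"
            for a in allowed_ips]


def router_config(wg_addr, listen_port, peer_pubkey, peer_allowed):
    """Minimal router-side wg0 config. AllowedIPs is also the routing table, so
    listing only the peer's tunnel IP and its /24 keeps all other traffic
    outside the tunnel (the 'route the rest unencrypted' goal)."""
    return (f"[Interface]\nAddress = {wg_addr}\nListenPort = {listen_port}\n"
            f"PrivateKey = <router-private-key-placeholder>\n\n[Peer]\n"
            f"PublicKey = {peer_pubkey}\n"
            f"AllowedIPs = {', '.join(peer_allowed)}\n")


if __name__ == "__main__":
    print(overlaps_existing("192.168.200.250/24"))        # wg0 inside DMZ /24: conflict
    dmz_hosts, wg_net = split_dmz()
    print(overlaps_existing(f"{wg_net[1]}/25", (dmz_hosts, LAN, PEER_NET)))  # clean
    print(routes_from_allowed_ips(["192.168.200.130/32", "10.10.10.0/24"]))
    print(router_config(f"{wg_net[1]}/25", 51820, "<peer-public-key-placeholder>",
                        ["192.168.200.130/32", "10.10.10.0/24"]))
```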



