Need help VLAN + Wireguard

Need Help

I have been working on my home server for the last few days and wanted to put all services that are accessible from outside into their own VLAN (something like a DMZ).

In my OpenWrt router I have defined another port as VLAN3 with the IP range 10.0.0.1/24.
My local LAN for PCs, WLAN etc. is VLAN1.

VLAN1 192.168.1.0/24-->VLAN3 10.0.0.1/24    works
VLAN3-->VLAN1                               no connection, that's right
VLAN1-->WAN                                 works
VLAN3-->WAN                                 works

VLAN3 then contains all LXC containers/VMs that should be accessible from outside, e.g. NginX, Jellyfin, qBit etc.
But now I have the problem that as soon as I start Wireguard in my qBit container, the entire container is no longer accessible via VLAN1.
Locally in the same network (VLAN3 10.0.0.1/24 it is available and can be pinged).

As soon as I deactivate Wireguard again, the container is also accessible or pingable again via VLAN1.
So it should be due to the Wireguard config.

In the Wireguard config I have already tried to enable the network range 10.0.0.1/24 via AllowedIPs. However, this only bypasses the Wireguard server and I communicate with the outside world via my real external IP address.
Allowing the IPs from VLAN1 (192.168.1.0/24) did not lead to the desired result either.

Wireguard

[Interface]

PrivateKey = redacted
Address = 10.2.0.2/32
DNS = 10.2.0.1

[Peer]
PublicKey = redacted
AllowedIPs = 0.0.0.0/0
Endpoint = 194.126.177.7:51820

OpenWrt

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'redacted'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '1.1.1.1'

config device
        option name 'eth0.2'
        option macaddr 'redacted'

config interface 'wan'
        option device 'eth0.2'
        option proto 'static'
        option ipaddr 'redacted'
        option netmask 'redacted'
        option gateway 'redacted'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 3 4 5'
        option vid '1'
        option description 'LAN'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 1'
        option vid '2'
        option description 'WAN'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '0t 2'
        option vid '3'
        option description 'DMZ'

config interface 'DMZ'
        option proto 'static'
        option device 'eth0.3'
        option gateway '192.168.1.1'
        list ipaddr '10.0.0.1/24'
This is due to the policy routing that is implemented by wg-quick when the default route is present in the AllowedIPs list. The two best ways (imo) are to either set a static route on your WireGuard client machine for the other VLAN1 (192.168.1.0/24 via your router), or distribute that route via DHCP, or both, if required.
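A worked version of the static-route fix described in this comment, added here as an example and not the commenter's or the OP's own config. It assumes the qBit container runs wg-quick with a config named wg0.conf, sits on VLAN3 with the OpenWrt DMZ address 10.0.0.1 (from the OP's config) as its gateway, and keeps the keys, address and endpoint from the original post.

```ini
# /etc/wireguard/wg0.conf (assumed filename) - added example, not from the thread
[Interface]
PrivateKey = redacted
Address = 10.2.0.2/32
DNS = 10.2.0.1
# With 0.0.0.0/0 in AllowedIPs, wg-quick installs the rule
# "from all lookup main suppress_prefixlength 0", which is evaluated before
# the tunnel's routing table. Any route in the main table more specific than
# a default route therefore still wins over the tunnel, so pinning VLAN1 to
# the DMZ gateway makes replies to 192.168.1.0/24 leave via the LAN instead
# of disappearing into the tunnel. Gateway 10.0.0.1 is the OP's DMZ address.
PostUp = ip route add 192.168.1.0/24 via 10.0.0.1
PreDown = ip route del 192.168.1.0/24 via 10.0.0.1

[Peer]
PublicKey = redacted
AllowedIPs = 0.0.0.0/0
Endpoint = 194.126.177.7:51820
```

After `wg-quick up wg0`, `ip route get 192.168.1.10` should report `via 10.0.0.1` rather than `dev wg0`; if the route is instead made persistent in the container's own network configuration, the PostUp/PreDown lines are not needed.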

Hi duckITGuy thanks for your advice.

Where exactly do I have to set the routing?

In my LXC container where my WireGuard client is running or in the OpenWrt router itself? Could you maybe help me a bit more?

The routing in the OpenWrt router should actually be correct, as I get a connection to the LXC container if I leave WireGuard switched off.

So I would have to set a routing in the LXC container right?

It would be nice if you could give me a tip.
