How to setup, configure properly (VLAN, no NAT)? : r/WireGuard

Hi, I have a question regarding how to set up WireGuard:

I have multiple VLANs. VLAN 10 is VPN (10.10.10.0/28).

I will put Wireguard server (Alpine + Wireguard) in this VLAN with IP 10.10.10.5.

I only need 2 peers to connect via Wireguard.

In WireGuard I will create the network 10.10.11.0/28.

When they connect they should receive the static IPs 10.10.11.10 (peer A) / 10.10.11.11 (peer B).

They should be visible (no NAT) and managed by my router.

They should be able to go to the internet via my router (I will make firewall rules on the router to allow this VLAN to WAN).

#############

1) Is this setup ok?

SERVER

------------------

[Interface]
# Server side of the 10.10.11.0/28 WireGuard network
Address = 10.10.11.5/28
ListenPort = 51820
PrivateKey = ... your server private key

[Peer]
# client1 (peer A)
PublicKey = ... client1's public key
AllowedIPs = 10.10.11.10/32

[Peer]
# client2 (peer B)
PublicKey = ... client2's public key
AllowedIPs = 10.10.11.11/32

------------------

PEER

[Interface]
# client1's own tunnel address; must match the server's AllowedIPs for this peer
Address = 10.10.11.10/32
PrivateKey = ... the client1's privkey

[Peer]
PublicKey = ... the server's pubkey
# 0.0.0.0/0 routes all of the client's traffic through the tunnel (internet via the router)
AllowedIPs = 0.0.0.0/0
Endpoint = myvpndomain.com:51820

#############

2) PostUp / PostDown config --> Is this ok (do I need to add/remove something)?

PostUp = iptables -A FORWARD -i %i -j ACCEPT

PostDown = iptables -D FORWARD -i %i -j ACCEPT

3) Alpine --> do I need to make any changes to network configuration?

4) Do I need to make routes on my router?

I think I need to make a route to 10.10.11.0/28 via 10.10.10.5?

Will peers have the same firewall rules as the host (the host acts as a gateway if I understand properly)?

Is there a way to make firewall rules per specific peer?


VLAN 11 is VPN (10.10.11.0/28).
...
When the connect they should receive static IP 10.10.10.11.10 (peer A) / 10.10.10.11.11 (peer B).

I hope you haven't configured 10.10.11.0/28 on an actual VLAN, only on the WireGuard interface. (WireGuard is a routed protocol, which means you can't bridge it to a VLAN interface.)

Thank you.
I understand a little bit more now and I have edited my questions. Please check the updated post.


Do I need to make routes on my router?

I think I need to make a route to 10.10.11.0/28 via 10.10.10.5?

It looks good.

Will peers have the same firewall rules as the host (the host acts as a gateway if I understand properly)?

Not really, since traffic to/from the host is handled in the INPUT/OUTPUT chains, and traffic forwarded between interfaces is handled by the FORWARD chain.

Is there a way to make firewall rules per specific peer?

Yes, you can use the IP addresses of the peers in the firewall rules, using the -s and -d options to iptables.
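An added example, not code from any comment in this thread, of what the reply above describes: per-peer rules in the FORWARD chain keyed on the peers' tunnel addresses with -s / -d, packaged as a script that the PostUp / PostDown lines from the post can call (PostUp = /path/to/script up, PostDown = /path/to/script down). Assumptions: the WireGuard interface is wg0, all internal VLANs fall inside 10.0.0.0/8, and 10.10.10.53 is a hypothetical internal DNS server; the peer addresses 10.10.11.10 and 10.10.11.11 are the ones from the post.

```shell
#!/bin/sh
# Per-peer forwarding policy for the WireGuard host (added example).
# Set IPT=echo to print the rules instead of applying them.
IPT="${IPT:-iptables}"
WG_IF="${WG_IF:-wg0}"        # assumption: interface name (wg-quick passes it as %i)
PEER_A=10.10.11.10           # peer A, from the post
PEER_B=10.10.11.11           # peer B, from the post
INTERNAL_NET=10.0.0.0/8      # assumption: every internal VLAN lives in here
INT_DNS=10.10.10.53          # hypothetical internal DNS server

wg_fw_up() {
    # Keep the rules in their own chain so PostDown can remove them cleanly.
    $IPT -N WG_PEERS
    # Replies to connections the peers (or the LAN) already opened.
    $IPT -A WG_PEERS -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Peer A may reach every VLAN and the internet.
    $IPT -A WG_PEERS -i "$WG_IF" -s "$PEER_A" -j ACCEPT
    # Peer B may only use the internal DNS server and leave for the internet.
    $IPT -A WG_PEERS -i "$WG_IF" -s "$PEER_B" -d "$INT_DNS" -p udp --dport 53 -j ACCEPT
    $IPT -A WG_PEERS -i "$WG_IF" -s "$PEER_B" ! -d "$INTERNAL_NET" -j ACCEPT
    # Everything else arriving from the tunnel is logged (rate limited) and dropped.
    $IPT -A WG_PEERS -i "$WG_IF" -m limit --limit 5/min -j LOG --log-prefix "wg-peer-drop: "
    $IPT -A WG_PEERS -i "$WG_IF" -j DROP
    # Hook the chain in for traffic entering or leaving the tunnel. Unsolicited
    # traffic towards the peers falls through to the FORWARD chain's own policy.
    $IPT -I FORWARD 1 -i "$WG_IF" -j WG_PEERS
    $IPT -I FORWARD 1 -o "$WG_IF" -j WG_PEERS
}

wg_fw_down() {
    # Undo in reverse order: unhook, flush, delete the chain.
    $IPT -D FORWARD -o "$WG_IF" -j WG_PEERS
    $IPT -D FORWARD -i "$WG_IF" -j WG_PEERS
    $IPT -F WG_PEERS
    $IPT -X WG_PEERS
}

case "${1:-}" in
    up)   wg_fw_up ;;
    down) wg_fw_down ;;
esac
```

The host-directed traffic the reply mentions (INPUT/OUTPUT) is untouched by this script; only forwarded packets, which is what the peers' traffic to the router and the other VLANs is, pass through WG_PEERS.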

I couldn't find any info regarding the "-s and -d options" - can you please explain it a little bit more?

Where should I put the iptables rules with these options (wg config, host, fw)?
