Accessing a wireguard VPN server behind NAT

skychan

New Member
Joined
Jan 20, 2024
Messages
1
Reaction score
0
Credits
28
Hi everybody

I'm trying to setup a Wireguard VPN server on an Ubuntu orange PI device behind a NAT but I'm struggling to make it work... I'm quite new to this and might be asking a dummy question, sorry...

My goal is to enable my VPN clients to access a node-red dashboard hosted on the PI VPN server ONLY: I neither want VPN clients to access the rest of the LAN nor for them to browse the Internet through the VPN tunnel.

Here's my network setup :

- The orange PI is connected via WIFI (wlan0) to the Internet router with a static IP address: 192.168.1.10

- The Internet router LAN IP is 192.168.1.254 and it is configured to NAT incoming WAN traffic on UDP port 45000 to 192.168.1.10:45000 (I cannot add routes to it so can't NAT directly to the PI VPN IP address)

- Wireguard is installed on the orange PI and very simply configured to create a network interface wg0 using IP 192.168.12.0 and for its clients to use 192.168.12.x. its config file is:
[Interface]
PrivateKey = <server-private-key>
Address = 192.168.12.0/24
ListenPort = 45000
[Peer]
PublicKey = <client-public-key>
AllowedIP = 192.168.12.1/32

- Wireguard clients are set to use the Internet router WAN IP on port 45000, and then allowed to access 192.168.12.0/32. Here is one of their config files:
[Interface]
PrivateKey = <client-private-key>
Address = 192.168.12.1
[Peer]
PublicKey = <server-public-key>
AllowedIPs = 192.168.12.0/32
Endpoint = my.public ip.address:45000

When I start the tunnel from a client and try to browse 192.168.12.0:1880/ui, I end up getting either a timeout or a rejected connection... But there's no firewall on the PI. I've also tried to get rid of the dedicated VPN network and to assign both the Wireguard server and clients IPs on 192.168.1.x subnet, but it changes nothing. What am I missing?

Do I need to add routes on the PI so it forwards all traffic coming on 192.168.1.10 to 192.168.12.0 even if it's on the same device?

Do I need to edit /etc/sysctl.conf and set net.ipv4.ip_forward=1 even if I don't want VPN clients to access the rest of the LAN?

Do I need to add PostUp and PreDown iptables instructions in the server config file?

Or is it something else?

Many thanks in advance for your help !
 


Latest posts

Top