Dear Wireguard users and developers,
I'm in the planning phase of enabling remote access to a SOHO DMZ service for myself and a few peers. I would appreciate if you could help me clear the uncertainties before me on the drawing board /implementation level.
My setup is:
- LibreCMC 1.4.8 with latest stock wireguard from the LibreCMC repo. The router is being fed with Internet by DHCP from my ISP.
- DMZ VLAN
- DMZ network hosting the service - /24. Say 192.168.200.0/24
- Internal LAN - /24, fed by the internal DHCP. Say 192.168.100.0/24
- default route - say 192.168.20.1
- DMZ firewall zone. Only outgoing DMZ traffic is allowed for the time being.
- LAN firewall zone. outgoing traffic to wan + DMZ is allowed
- NAT-traversal
- DynDNS
- Peer with "public" /24 network - 10.10.10.0/24
What I would like to achieve is
- Setup a wireguard interface in the same DMZ network range or a subset of it
- Port-forward the wireguard traffic from my peer to the DMZ wireguard VPN entry-point for the particilar service
- Route the rest of the traffic unencrypted
I've checked the manual and quick deployment guide and would appreciate your feedback on doing the things in the proper way. The specific questions I have are:
- Is it a good idea to put the wg interface in the same network range as the DMZ or should I split the DMZ into 2 x /25 networks or pick a separate wireguard network
- Given that I'm assigned a default route via DHCP, should I create custom static routes like in the example below on the command line
# ip route add
10.10.10.0/24 via 192.168.20.1 dev eth1
or should I leave this up to the routing daemons to decide themselves? I'm still mixing up the concepts of the different VPN implementations. I also see by web searching that in LuCI I got a checkbox to resolve my problems with routing the private networks.
Thanks for your comments and feedback!
Dimitar