WireGuard VPN access to local LAN
I have a home server hosting a website (internal) with a web API and static pages. I can access this site internally via //<ip address>:80 in a browser. However, the WireGuard VPN is on a different IP address block, and when remotely accessing the network through the VPN, //<ip address>:80 does not work. Is there any way to access this machine through the VPN? Also, is there a way to set up DNS to route to that IP with a more user-friendly address, or a way to use the machine name and domain to do the same?
-
Are you routing all traffic through the VPN? If so, you should be able to see that server as long as you don't have any rules blocking it from the WireGuard network to the LAN. If there are no rules, then you might want to check your httpd.conf (Apache, if you have it) and make sure you are not blocking the IP address range. You might need to add an "Allow" for the WireGuard network there. I've had to do that with my work computer to allow the work VPN to access the web server on my local machine.
-
Yes, it all depends on the rules. I set up my WireGuard to block access to the local network (I allow family members outside my home to connect for VPN/security). So by default any new WireGuard profile will be blocked if it tries to access my local network. I just had to go to my WireGuard VPN profile device and add an allow rule to access the specific computer. For instance, I have an IoT network that a few crypto miners are on. The default block rule I set up was to not allow the IoT network/VLAN to access anything on the local network or WireGuard network. I had to add an allow rule for my WireGuard profile to access that one specific computer.
-
James... Thank you for replying.
Can you tell me what the default out-of-the-box behavior is? I have not configured any block rules on this specific VLAN. Should I then, in theory, be able to access resources on this VLAN using the WG VPN without any other changes required?
Also, I should note... these devices are connected to a managed switch and are assigned to a VLAN via that switch. The switch is UniFi (managed by a Cloud Key and Controller, so there is no default security applied through UniFi). All ingress flow is trunked through a single port on the FWG. As required, the VLANs on the switch match the VLANs on the FWG.
When connected via WG I can ping the UniFi devices that are on the native LAN... I cannot ping any resources on any of the VLANs. Will a specific allow rule from WG --> VLAN be required for this to work?
-
I don't remember the "default". As long as the FWG has the VLANs tagged, and the switch does also, then all should work in that regard. You'll have to look at your rules and see. Take a look at the VLAN network you are trying to access. Look at its rules and see what blocking rules there are. If all looks good, then look at the WireGuard network (not the specific device, the network as a whole) and see if there are any rules. You can then add an allow rule from your WireGuard profile to access the computer/network and see if that works.
Question: are you tunneling all traffic through the VPN? Or are you doing a split tunnel?
-
If it is a split tunnel, then you have to add the subnet to the list of "Allowed IPs". Open the WireGuard app, edit the tunnel, then go down to "Allowed IPs". If it says 0.0.0.0/0, then you are tunneling all traffic. If it says something like 192.168.1.0/24, then it is allowing only that subnet to go through.
If you downloaded the profile from the Firewalla App, then it defaults to tunnel all traffic.
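To illustrate the Allowed IPs check from the last reply, here is an added Python example (not from this thread, Firewalla or WireGuard) that parses a client config, reports whether a given LAN host would be routed into the tunnel, and appends the LAN subnet for a split-tunnel profile. The configs, keys, endpoint and addresses are constructed placeholders.

```python
"""Check a WireGuard client config's AllowedIPs against a LAN host (added example)."""
import ipaddress

# Constructed sample client configs; keys, endpoint and addresses are placeholders.
SPLIT_TUNNEL_CONF = """\
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.8.0.2/32

[Peer]
PublicKey = <server-public-key-placeholder>
Endpoint = vpn.example.invalid:51820
AllowedIPs = 10.8.0.0/24
"""

# Same peer, but tunnelling all traffic, as the last reply describes 0.0.0.0/0 doing.
FULL_TUNNEL_CONF = SPLIT_TUNNEL_CONF.replace(
    "AllowedIPs = 10.8.0.0/24", "AllowedIPs = 0.0.0.0/0, ::/0")


def allowed_networks(conf_text):
    """Collect every network listed on an AllowedIPs line (across all [Peer] sections)."""
    nets = []
    for line in conf_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "AllowedIPs":
            nets.extend(ipaddress.ip_network(v.strip(), strict=False)
                        for v in value.split(",") if v.strip())
    return nets


def routed_through_tunnel(conf_text, host):
    """True if the client sends traffic for `host` into the tunnel. On the client,
    AllowedIPs is both the interface's route list and the cryptokey-routing filter,
    so a LAN host outside every listed network takes the normal default route."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in allowed_networks(conf_text))


def add_lan_subnet(conf_text, subnet):
    """Return a copy of the config whose AllowedIPs also covers the LAN subnet."""
    ipaddress.ip_network(subnet)  # strict: rejects a malformed subnet or one with host bits set
    out = []
    for line in conf_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "AllowedIPs":
            line = f"AllowedIPs = {value.strip()}, {subnet}"
        out.append(line)
    return "\n".join(out) + "\n"
```

With the split-tunnel config, 192.168.1.50 is not routed into the tunnel until 192.168.1.0/24 is added; with 0.0.0.0/0 it already is, so a remaining failure points at firewall rules or the web server's own access controls instead.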