Setting Wireguard for enabling remote access to a SOHO DMZ service

Dimitar Vassilev dimitar.vassilev at gmail.com
Wed Aug 14 13:42:30 CEST 2019


Dear Wireguard users and developers,

I'm in the planning phase of enabling remote access to a SOHO DMZ service
for myself and a few peers. I would appreciate it if you could help me clear
up the uncertainties I have at the drawing-board/implementation level.
My setup is:

   - LibreCMC 1.4.8 with latest stock wireguard from the LibreCMC repo. The
   router is being fed with Internet by DHCP from my ISP.
   - DMZ VLAN
   - DMZ network hosting the service - /24. Say 192.168.200.0/24
   - Internal LAN - /24, fed by the internal DHCP. Say 192.168.100.0/24
   - default route - say 192.168.20.1
   - DMZ firewall zone. Only outgoing DMZ traffic is allowed for the time
   being.
   - LAN firewall zone. Outgoing traffic to WAN + DMZ is allowed
   - NAT-traversal
   - DynDNS
   - Peer with "public" /24 network - 10.10.10.0/24

What I would like to achieve is:

   - Set up a WireGuard interface in the same DMZ network range or a subset
   of it
   - Port-forward the WireGuard traffic from my peer to the DMZ WireGuard
   VPN entry point for the particular service
   - Route the rest of the traffic unencrypted


I've checked the manual and quick deployment guide and would appreciate
your feedback on doing things the proper way. The specific questions
I have are:

   - Is it a good idea to put the wg interface in the same network range as
   the DMZ, or should I split the DMZ into 2 x /25 networks, or pick a separate
   WireGuard network?
   - Given that I'm assigned a default route via DHCP, should I create
   custom static routes on the command line, like in the example below:

              # ip route add 10.10.10.0/24 via 192.168.20.1 dev eth1

or should I leave this up to the routing daemons to decide themselves? I'm
still mixing up the concepts of the different VPN implementations. I also
see from web searches that in LuCI I have a checkbox to resolve my problems
with routing the private networks.

Thanks for your comments and feedback!

Dimitar
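The following is an added example written for this page; it is not part of the original post and is not code from the WireGuard or LibreCMC projects. It generates both halves of a split-tunnel setup for the topology described in the message: the router side as a UCI batch for LibreCMC/OpenWrt, and the remote peer's wg-quick configuration. Everything concrete in it is an assumption chosen for illustration: the tunnel gets its own subnet 10.200.0.0/24 instead of sharing the 192.168.200.0/24 DMZ, the tunnel terminates on the router itself (so UDP 51820 is accepted on the wan zone rather than port-forwarded into the DMZ), the DMZ service sits at 192.168.200.10 behind a firewall zone named "dmz", the DDNS name is home.example.org, and the keys are placeholders rather than real WireGuard keys.

```shell
#!/bin/sh
# Added example, not taken from the original post or from the WireGuard or
# LibreCMC projects.  Generates both halves of a split-tunnel WireGuard
# setup: a UCI batch for the LibreCMC/OpenWrt router and a wg-quick config
# for the remote peer.
#
# Assumptions made for illustration (none of these come from the post):
#   - tunnel subnet 10.200.0.0/24, kept separate from the 192.168.200.0/24 DMZ
#   - the tunnel terminates on the router, so UDP 51820 is accepted on the
#     wan zone instead of being port-forwarded into the DMZ
#   - the DMZ service is 192.168.200.10 and the DMZ firewall zone is "dmz"
#   - the keys passed in are placeholders, not real WireGuard keys

TUN_PREFIX=24
ROUTER_TUN_IP=10.200.0.1
PEER_TUN_IP=10.200.0.2
DMZ_SERVICE=192.168.200.10/32
LISTEN_PORT=51820

# Router side.  Pipe the output into `uci batch`, then `uci commit` and
# restart network and firewall.  The peer's allowed_ips is only its tunnel
# address: WireGuard drops any decrypted packet whose source lies outside it,
# and route_allowed_ips makes netifd install the matching route via wg0, so
# no manual `ip route add ... via <wan gateway>` is needed.
router_uci_batch() {
  router_privkey=$1
  peer_pubkey=$2
  cat <<EOF
set network.wg0=interface
set network.wg0.proto='wireguard'
set network.wg0.private_key='${router_privkey}'
set network.wg0.listen_port='${LISTEN_PORT}'
add_list network.wg0.addresses='${ROUTER_TUN_IP}/${TUN_PREFIX}'
set network.peer1=wireguard_wg0
set network.peer1.description='remote-peer'
set network.peer1.public_key='${peer_pubkey}'
add_list network.peer1.allowed_ips='${PEER_TUN_IP}/32'
set network.peer1.route_allowed_ips='1'
set network.peer1.persistent_keepalive='25'
set firewall.wg=zone
set firewall.wg.name='wg'
set firewall.wg.network='wg0'
set firewall.wg.input='REJECT'
set firewall.wg.output='ACCEPT'
set firewall.wg.forward='REJECT'
set firewall.wg_to_dmz=forwarding
set firewall.wg_to_dmz.src='wg'
set firewall.wg_to_dmz.dest='dmz'
set firewall.wg_in=rule
set firewall.wg_in.name='Allow-WireGuard'
set firewall.wg_in.src='wan'
set firewall.wg_in.proto='udp'
set firewall.wg_in.dest_port='${LISTEN_PORT}'
set firewall.wg_in.target='ACCEPT'
EOF
}

# Remote peer side (wg-quick format).  AllowedIPs is only the DMZ service,
# so that one destination goes through the tunnel and everything else leaves
# the peer's host unencrypted as before.  PersistentKeepalive keeps the NAT
# mapping towards the DynDNS endpoint alive.
peer_wg_conf() {
  peer_privkey=$1
  router_pubkey=$2
  ddns_name=$3
  cat <<EOF
[Interface]
PrivateKey = ${peer_privkey}
Address = ${PEER_TUN_IP}/32

[Peer]
PublicKey = ${router_pubkey}
Endpoint = ${ddns_name}:${LISTEN_PORT}
AllowedIPs = ${DMZ_SERVICE}
PersistentKeepalive = 25
EOF
}

# Sanity check: returns 0 when a wg-quick config is a split tunnel, i.e. no
# AllowedIPs entry would pull a default route into the tunnel.
is_split_tunnel() {
  ! printf '%s\n' "$1" | grep -Eq '^AllowedIPs.*(0\.0\.0\.0/0|::/0)'
}

# Stand-alone run: print both configs with placeholder keys.
router_uci_batch 'ROUTER_PRIVATE_KEY_PLACEHOLDER' 'PEER_PUBLIC_KEY_PLACEHOLDER'
echo
peer_wg_conf 'PEER_PRIVATE_KEY_PLACEHOLDER' 'ROUTER_PUBLIC_KEY_PLACEHOLDER' 'home.example.org'
```

Two design choices worth spelling out. First, the route question: with route_allowed_ips set (the LuCI "Route Allowed IPs" checkbox), netifd installs one route per allowed_ips entry pointing into wg0, which is what makes the tunnel traffic reach the peer; a static route such as `ip route add 10.10.10.0/24 via 192.168.20.1 dev eth1` would instead send those packets out of the WAN interface in the clear. The peer's 10.10.10.0/24 is deliberately absent from the router's allowed_ips above: the tunnel only needs to carry the peer's tunnel address, and widening it to the whole /24 would both route that prefix into wg0 and permit decrypted packets with any source in that range. Second, the zone layout: the wg zone forwards to dmz only, so a peer reaching the DMZ service over the tunnel has no path into the 192.168.100.0/24 LAN, and keeping the tunnel subnet separate from the DMZ avoids the need for proxy ARP or a bridge that sharing the 192.168.200.0/24 range would require.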