docker macvlan and mikrotik

Hi all,

I am trying to set up a WireGuard server that does not have access to the internal network, but I need access from my LAN to the address behind the macvlan so I can access the server configuration.

I have set up the macvlan on the Linux machine that will be running the Docker container with wg-easy. Currently I have set up the macvlan to use the IP range 192.168.4.0/24 while my network is in 192.168.1.0/24.
How do I proceed? Would it also be a good idea to add VLAN tagging to the mix? How would I set up the routing for this? I am open to suggestions.

Thanks in advance!

Bump!

Not sure I understand this correctly, but it sounds like you’re trying to set up wg-easy as your WireGuard server and make sure that clients on that server do not have access to your LAN while still being able to connect to the wg-easy interface from your LAN.

What I’m not clear about is why you would want to use macvlan in this case. Probably because there’s missing detail about what your WG clients are supposed to be able to reach. So, assuming that they should just be able to reach each other, you’d not need to do anything special other than disabling IP forwarding for your wg-easy container.
No need to get your MikroTik router or macvlan involved, in that case.
If they are supposed to reach the internet but not your LAN, you’d need to set firewall rules (using iptables) in the wg-easy container that block traffic to and from your LAN into the VPN subnet. Again, no need to use your MikroTik router for anything.

VLANs would only be beneficial if you needed to somehow transport traffic from the VPN network to another host on the same physical layer 1 network but wanted to achieve separation on layer 2 between the traffic on that subnet and your LAN. As long as it all stays within the wg-easy container and possibly just out to the internet I wouldn’t add any VLANs.

What I wanted is for the clients to be able to reach the internet but without having access to my LAN, while also being able to configure clients on the wg-easy interface.

I am also not a fan of iptables.

I ended up using Claude to see if it would help.

I think a diagram would help. And describing what problem you’re trying to solve too. I have no clue from your description.

A diagram would not help, I think.

I have a Raspberry Pi, and I want to run 2 WireGuard servers: one that works as usual, and the other one isolated from the network to allow only internet access, and I want to be able to access the configuration page of the secondary one from my LAN.

In the end I ended up configuring the second WireGuard server in a Docker container (wg-easy) with a macvlan attached to it, the macvlan configured to 192.168.4.0/24 with VLAN 4, and then configuring the MikroTik with this, which the AI spat out:

# Add new rules for the container
/ip firewall filter add chain=forward comment="Allow access to Wireguard container web UI" dst-address=192.168.4.2 dst-port=5001 protocol=tcp src-address=192.168.1.0/24 action=accept

/ip firewall nat add chain=srcnat action=masquerade src-address=192.168.4.0/24 comment="NAT for WireGuard clients"

/ip firewall nat add action=dst-nat chain=dstnat comment="Wireguard internet only" dst-port=51821 in-interface=pppoe-out1 protocol=udp to-addresses=192.168.4.2 to-ports=51821

Is it correct?
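For comparison, an added example that is not from the thread, from wg-easy or from MikroTik: a RouterOS rule set that states the goal described in this thread explicitly (LAN reaches the wg-easy web UI, the VPN segment reaches only the internet), including the forward-chain drop that the three posted rules do not contain; a forward packet that matches no rule is accepted by RouterOS, so the isolation has to be written down. Assumed, because the thread does not give them: the router terminates VLAN 4 on an interface named vlan4-wg hanging off an interface named bridge, with address 192.168.4.1/24, and an established/related accept rule is added here in case the default one is absent; 192.168.4.2:5001 (web UI), 51821/udp (WireGuard), pppoe-out1 (WAN) and the subnets are taken from the thread.

```routeros
# Added example, not the thread's own configuration. Names marked "assumed"
# are placeholders for this example and must match the real router.
/interface vlan add name=vlan4-wg vlan-id=4 interface=bridge comment="assumed: VLAN 4 for the wg-easy macvlan segment"
/ip address add address=192.168.4.1/24 interface=vlan4-wg comment="assumed: router address in the VPN segment"

# Forward chain: evaluated top to bottom, first match wins, unmatched packets are accepted,
# so the order below matters and the drop must sit before any broad accept.
/ip firewall filter
add chain=forward action=accept connection-state=established,related comment="replies for allowed flows (incl. UI answers back to the LAN)"
add chain=forward action=accept src-address=192.168.1.0/24 dst-address=192.168.4.2 protocol=tcp dst-port=5001 comment="LAN -> wg-easy web UI only"
add chain=forward action=accept in-interface=pppoe-out1 protocol=udp dst-address=192.168.4.2 dst-port=51821 connection-nat-state=dstnat comment="WireGuard handshakes arriving via dst-nat"
add chain=forward action=drop src-address=192.168.4.0/24 dst-address=192.168.1.0/24 comment="VPN segment must never reach the LAN"
add chain=forward action=accept src-address=192.168.4.0/24 out-interface=pppoe-out1 comment="VPN segment -> internet"
add chain=forward action=drop src-address=192.168.4.0/24 comment="anything else from the VPN segment"

# NAT: masquerade only toward the WAN, so VPN-segment traffic is never rewritten
# into the LAN, and forward the WireGuard port from the internet to the container.
/ip firewall nat
add chain=srcnat action=masquerade src-address=192.168.4.0/24 out-interface=pppoe-out1 comment="NAT for WireGuard clients, WAN only"
add chain=dstnat action=dst-nat in-interface=pppoe-out1 protocol=udp dst-port=51821 to-addresses=192.168.4.2 to-ports=51821 comment="WireGuard internet only"
```

After applying, `/ip firewall filter print stats` should show the drop counter for the VPN-to-LAN rule increasing when a VPN client attempts to reach a 192.168.1.x address, while the UI rule counts only LAN-originated connections.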