I have an issue with creating something that to most of you is a walk in the park, but due to my incompetence it's not so easy for me.
I thought I would make a schematic/topology to how I was thinking of implementing my plan.
(See Attached schematic before reading more)
WG Tunnel Created and working.
Question 1: Should Wireguard MTU between server and clients be 1420? (just a yes or no would do)
Question 2: Every time I reboot the client peer on the WG tunnel, the tunnel doesn't go up automatically. Why is that?
Question 3: My target is to route all traffic from the WiFi client DHCP pool over to the WG server (internet gateway).
Should my gateway be the remote WG Server IP, the local WG Client IP, the WLAN IP or the bridge1 ip?
What about DNS IP?
Question 4: What are the basic rules to allow all traffic and protocols to pass over the tunnel?
Currently I am having problems with HTTPS Sites, Teams and sometimes Webex.
Attached (client.config.txt) you will also find the configuration I have. It's a lot of trial and error, so if you find something unnecessary or wrong, do correct me.
I find it impossible to make Microsoft Teams work with the default WireGuard config.
For Teams to function correctly, you must open TCP ports 80 and 443 from the clients to the internet, and UDP ports 3478 through 3481 from the clients to the internet. The TCP ports are used to connect to web-based content such as SharePoint Online, Exchange Online, and the Teams Chat services.
I would like some help to set this up. Is this done through filter rules or NAT? Any ideas?
One should match the client and server MTU settings if possible.
If you are going to a third-party provider, they often provide MTU settings, so you should try to match those.
In this case you seem to be connecting to another MT device.
First off, give the WireGuard address something unique and NOT the same as your LAN.
10.10.1.1/24 at the server, network=10.10.1.0
10.10.1.2/24 at the client, network=10.10.1.0
Why does your bridge need an address if you are giving the WLAN an address?
Either attach the WLANs to the bridge or don't have a bridge!!
You should post both configs, or else I cannot comment in context and accurately on the setup.
It would appear the entire bridge needs to go through the tunnel…
Is this router facing the internet? You don't have adequate filter rules…
You are missing a table and routing rules…
You are missing a route…
Because I read somewhere in forums that in order to have a WLAN IP you need to set the IP on the bridge due to MT prerequisites (cannot have a slave interface with an IP, or something).
(1) Address/Subnets
a. The wireguard subnet should be separate and distinct.
b. The wlan1 address is a nonsense entry, as you already have it attached to the bridge as a bridge port and you gave the bridge DHCP responsibility.
Fix those issues up first.
(2) Firewall rules are non-existent and not helpful.
(3) The first two routes make no sense to me.
(4) No need to source NAT WG, as the traffic is going to another MT device under your control (where you can identify the allowed IPs of the client LAN subnet).
The other source NAT rule seems a bit off; ditch the ICMP bit.
(5) Why is upnp enabled??
(6) Is there any other subnet on the router? The reason I ask is: how do you expect, as admin on this router (one of the IPs on the subnet), to be able to access the router for config purposes if you are being sent into the tunnel for WireGuard???
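The points raised in the two replies above (distinct WireGuard subnet, a routing table plus routing rule plus route so the whole bridge goes through the tunnel, basic filter rules, no source NAT on the WG interface, UPnP off, and an exception so the admin subnet is not pushed into the tunnel) put together as an added RouterOS v7 example. This is not the poster's client.config.txt and not from the thread. Interface names (wireguard1, bridge1, ether1 as WAN), the LAN subnet 192.168.88.0/24, the WireGuard subnet 10.10.1.0/24 with the server at 10.10.1.1 and the client at 10.10.1.2, and the routing table name to-wg are all assumptions; adjust them to the real setup.

```routeros
# ---- Client router (the one with bridge1 / the WiFi clients) ----
# Assumed: wireguard1 already up, address 10.10.1.2/24, server is 10.10.1.1.
# Assumed: bridge1 holds 192.168.88.1/24 and is the DHCP server for the WLAN.

# (1) A separate routing table that only contains a default route over the tunnel.
/routing table add name=to-wg fib
/ip route add dst-address=0.0.0.0/0 gateway=10.10.1.1 routing-table=to-wg \
    comment="default route for LAN clients via WG server"

# (6) Keep LAN-to-LAN (incl. admin access to the router's own 192.168.88.1)
# in the main table so it is not sent into the tunnel. Rule order matters:
# this exception must sit above the catch-all rule.
/routing rule add src-address=192.168.88.0/24 dst-address=192.168.88.0/24 \
    action=lookup table=main comment="local subnet stays local"
# Everything else from the bridge subnet is looked up only in to-wg.
/routing rule add src-address=192.168.88.0/24 action=lookup-only-in-table \
    table=to-wg comment="bridge subnet -> WG tunnel"

# (4) No srcnat on wireguard1: the server will see 192.168.88.x sources and
# must list that subnet in the peer's allowed-address (see server part below).
# Remove any existing "out-interface=wireguard1 action=masquerade" rule.

# (2) Minimal stateful filter. Assumed: ether1 is the internet-facing port.
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=accept in-interface=bridge1 comment="admin from LAN"
add chain=input action=accept protocol=icmp
add chain=input action=drop in-interface=ether1 comment="drop everything else from WAN"
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface=bridge1 out-interface=wireguard1 \
    comment="LAN -> tunnel"
add chain=forward action=drop comment="nothing else is forwarded"

# Clamp TCP MSS on SYNs leaving via the tunnel, so large HTTPS/Teams replies
# fit the 1420-byte WG MTU instead of relying on PMTUD working end to end.
/ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn \
    out-interface=wireguard1 action=change-mss new-mss=clamp-to-pmtu passthrough=yes

# (5) UPnP is not needed here.
/ip upnp set enabled=no

# DHCP: hand the clients the bridge address as gateway and a DNS the router
# can resolve through the tunnel (assumed: the server side allows DNS).
/ip dhcp-server network set [find address=192.168.88.0/24] \
    gateway=192.168.88.1 dns-server=192.168.88.1
/ip dns set allow-remote-requests=yes

# ---- Server router (the internet gateway, 10.10.1.1) ----
# The peer entry for this client must carry the client's LAN subnet, otherwise
# WireGuard drops 192.168.88.x packets as not allowed (assumed peer name/key).
/interface wireguard peers set [find comment="client-router"] \
    allowed-address=10.10.1.2/32,192.168.88.0/24
# Masquerade the client LAN (and the WG subnet) on the server's WAN port.
/ip firewall nat add chain=srcnat src-address=192.168.88.0/24 \
    out-interface=ether1 action=masquerade
/ip firewall filter add chain=forward action=accept in-interface=wireguard1 \
    out-interface=ether1 comment="tunnel -> internet"
```

The `lookup` rule for the local subnet is placed first on purpose: `lookup-only-in-table` with a table that holds only a default route would otherwise match every destination, including the router's own LAN address, which is exactly the admin lock-out point (6) warns about. The MSS clamp is the usual first thing to try when plain HTTP works but HTTPS and conferencing tools stall over a 1420-byte tunnel; it does not replace the MTU match the first reply asks for.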