Thu Dec 01, 2022 6:26 pm
Step 1 - on Windows laptop settings
You probably have the wrong settings in your remote Windows settings.
The peer setting should be either one of two things.
allowedIPs=0.0.0.0/0 { which is necessary for Internet access elsewhere, and conveniently covers all the items below (allowed IPs without Internet need) }
allowedIPs=wireguard_subnet, mainsite_subnet(s), anyother-site_subnet(s) if required { will allow you to ping all connected wireguard sites, and connect to other sites and to config other sites }
Step 2 - on main site, allowed IPs
The allowed IP for the peer Windows laptop is simply the wireguard address of the Windows laptop. This will allow the Windows laptop to get to the main site LAN.
Step 3 - firewall rules at main site.
You need to allow the peer to enter the LAN and, if it has to re-enter the tunnel to get to another peer, to re-enter the tunnel.
The easiest method is
/ip firewall filter add chain=forward action=accept in-interface=wgMAIN out-interface=wgMAIN
This allows any wg user to reach another wg site on the same wg interface network.
You may not want all users to have this easy reach so you could make such rules and use source or destination address to provide some limits.
If the remote user needs access to MAIN SITE subnets then make another rule
/ip firewall filter add chain=forward action=accept in-interface=wgMAIN src-address=windowsPC-WG-IP dst-address=mainsite-subnet
If the remote user needs to config the MAIN SITE
/ip firewall filter add chain=input action=accept in-interface=wgMAIN src-address=windowsPC-WG-IP
Step 4 - routes at main site.
In the case of single users, the wireguard subnet creates a <DAC> routing (automated) and thus for example your windows laptop has no problems getting routed back into the tunnel.
At least for pinging purposes and for local MAIN site subnet access!
To reach another site subnet, you will need a route to reach that subnet from the main site; probably local users on the main site do too, and thus you already have one, but if not:
/ip route add dst-address=subnet_at_other_site gateway=wgMAIN routing-table=main
Now when the remote user exits the tunnel at the Main site with a destination address of a subnet at the other site, the router will know that the route there is through the tunnel.
On the Main router, always ensure you have three items considered (routes, firewall rules and allowed IPs). What is key is that yes, you have a route to the subnet on the other site, and you need to ensure, on the MAIN SITE, that the peer settings for the allowed IPs of the OtherSite include the destination subnet (existing at the other site).
Step 5 - other site routes
Already done for windows laptop, as <DAC> provides routing here back through the tunnel etc.
If, however, the incoming traffic is not a remote user but a user from a subnet coming from the MAIN router, you would need a route back to the MAIN site subnet:
/ip route add dst-address=MainSite_subnet gateway=OtherSiteWG routing-table=main
Step 6 - other site firewall rules.
Need to allow WG to access the LAN (LAN traffic passes through the router, so this goes in the forward chain):
/ip firewall filter add chain=forward action=accept in-interface=OtherSiteWG src-address=windowsPC-WG-IP dst-address=????
Need to allow WG to access the router for config purposes:
/ip firewall filter add chain=input action=accept in-interface=OtherSiteWG src-address=windowsPC-WG-IP
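Added worked example (not part of the post above): the six steps put together for one constructed topology, so the allowed-address, route and firewall pieces can be checked against each other. Assumptions: the wireguard subnet is 10.255.0.0/24, the main router is 10.255.0.1 with LAN 192.168.1.0/24 on interface wgMAIN, the other site router is 10.255.0.2 with LAN 192.168.2.0/24 on interface OtherSiteWG, the laptop is 10.255.0.3, and the hostname main.example.com, port 13231 and all keys are placeholders. Firewall rules are RouterOS v7 syntax and must sit above any drop rule in the same chain (use place-before= on a live router).

```routeros
# ---- Windows laptop: WireGuard client config (split tunnel, the second option in Step 1) ----
# [Interface]
# PrivateKey = <laptop-private-key>
# Address = 10.255.0.3/24
# [Peer]
# PublicKey = <main-site-public-key>
# Endpoint = main.example.com:13231
# AllowedIPs = 10.255.0.0/24, 192.168.1.0/24, 192.168.2.0/24
# PersistentKeepalive = 25

# ---- MAIN site router ----
/interface/wireguard/add name=wgMAIN listen-port=13231 private-key="<main-private-key>"
/ip/address/add address=10.255.0.1/24 interface=wgMAIN
# Step 2: the laptop peer only needs its own tunnel address
/interface/wireguard/peers/add interface=wgMAIN public-key="<laptop-public-key>" \
    allowed-address=10.255.0.3/32
# Step 4 (allowed IPs part): the other site peer must carry its LAN, or packets the main
# router forwards towards 192.168.2.0/24 are dropped by WireGuard's cryptokey routing
/interface/wireguard/peers/add interface=wgMAIN public-key="<other-site-public-key>" \
    allowed-address=10.255.0.2/32,192.168.2.0/24
# Step 3: tunnel-to-tunnel transit, laptop to main LAN, laptop to router management
/ip/firewall/filter/add chain=forward action=accept in-interface=wgMAIN out-interface=wgMAIN \
    comment="wg peer to wg peer via main"
/ip/firewall/filter/add chain=forward action=accept in-interface=wgMAIN \
    src-address=10.255.0.3 dst-address=192.168.1.0/24 comment="laptop to main LAN"
/ip/firewall/filter/add chain=input action=accept in-interface=wgMAIN \
    src-address=10.255.0.3 comment="laptop may configure main router"
# Step 4 (route part): 10.255.0.0/24 is already a DAC route; the other LAN is not
/ip/route/add dst-address=192.168.2.0/24 gateway=wgMAIN comment="other site LAN via tunnel"

# ---- OTHER site router ----
/interface/wireguard/add name=OtherSiteWG listen-port=13231 private-key="<other-private-key>"
/ip/address/add address=10.255.0.2/24 interface=OtherSiteWG
# The main peer's allowed-address covers the whole wireguard subnet, not just 10.255.0.1/32:
# the laptop's packets arrive from the main peer with source 10.255.0.3, and WireGuard
# discards inbound packets whose source is outside that peer's allowed-address
/interface/wireguard/peers/add interface=OtherSiteWG public-key="<main-site-public-key>" \
    endpoint-address=main.example.com endpoint-port=13231 persistent-keepalive=25s \
    allowed-address=10.255.0.0/24,192.168.1.0/24
# Step 5: return path for main LAN users (laptop replies already follow the DAC route)
/ip/route/add dst-address=192.168.1.0/24 gateway=OtherSiteWG comment="main site LAN via tunnel"
# Step 6: laptop to other LAN (forward chain) and to the router itself (input chain)
/ip/firewall/filter/add chain=forward action=accept in-interface=OtherSiteWG \
    src-address=10.255.0.3 dst-address=192.168.2.0/24 comment="laptop to other LAN"
/ip/firewall/filter/add chain=input action=accept in-interface=OtherSiteWG \
    src-address=10.255.0.3 comment="laptop may configure other router"
```

To trace a packet from the laptop to 192.168.2.10 against this config: the laptop's AllowedIPs sends it into the tunnel; the main router accepts it because 10.255.0.3 is in the laptop peer's allowed-address, routes it out wgMAIN via the /ip/route entry, passes the wgMAIN-to-wgMAIN forward rule, and encrypts it to the other site peer because 192.168.2.0/24 is in that peer's allowed-address; the other site accepts it because 10.255.0.3 lies within 10.255.0.0/24 on the main peer, and the forward rule lets it reach the LAN. The reply reverses the same checks, which is why the three items (routes, firewall, allowed IPs) have to agree on both routers.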