So I put the following interfaces in the WAN list: eth1, which is connected to the ISP, and both VPN clients (WireGuard and OVPN), and put the bridge with eth2-eth10 and wlan1-wlan2 in the LAN list. Is that correct, or should I remove the VPN clients in my case?
OKAY, remove the VPN clients from WAN; you have one WAN here and that's through your ISP. There may be cases where considering them as a WAN connection might make sense, but let's stick to "NORMAL" before we need to explore more radical approaches, which invariably get more complex.
For VPNs, at least from the MT perspective, the VPN connection is a service on the router and does NOT need to be put on the WAN interface.
[quote=anav post_id=920979 time=1648065736 user_id=115581]
(1) for at least a start to firewall rule.
{ADD ANY NEEDED VPN RULES HERE TO ACCEPT INCOMING VPN connections}
[/quote]
As far as I understand, I should not add anything, because both VPNs on my home router are outgoing (they connect to remote VPN servers)? All the other rules I have made.
Good, makes sense!!! You are a master at this!!
Regarding the other questions:
1. 10.128.38.182 - the address the VPN provider gave me in their config for the WG client; 10.128.0.1 - the address of the WG DNS, which the VPN provider gave me in their config (you can check it in the WG.txt file attached to the original post). 10.132.15.129 - the address assigned to me by my company's network administrator for my OVPN client.
OKAY CLEAR
+++++++++++++++++++++++++++++++++++++++++++
2. I'd be glad to rationalize the routes, if you explain why any of them are unnecessary. Basically the thing is:
- add disabled=no distance=1 dst-address=185.107.94.25/32 gateway=100.69.16.1 - reaching the WG server's endpoint for the initial handshake
NOT REQUIRED AND WRONG
- add disabled=no distance=1 dst-address=B.B.B.B/32 gateway=100.69.16.1 - reaching the OVPN server for the initial handshake
Don't know if you need this; I suspect NOT if it's simply an outgoing connection???
- add disabled=no dst-address=0.0.0.0/0 gateway=WG routing-table=main - reaching public Internet resources through the WG client for all home devices
NOT required UNLESS you want users to fall back to using your normal internet if the WireGuard internet is not available!!!! Confirm you want failback.........
- add disabled=no distance=1 dst-address=A.A.A.A/19 gateway=10.132.15.129 - reaching the public business net through the OVPN client for all home devices ****
- add disabled=no distance=1 dst-address=10.0.0.0/8 gateway=10.132.15.129 - reaching the private business net through the OVPN client for all home devices ****
- add disabled=no distance=1 dst-address=192.168.0.0/16 gateway=10.132.15.129 - reaching the private business net through the OVPN client for all home devices ****
- add disabled=no dst-address=10.128.0.1/32 gateway=WG - reaching the WG DNS through the WG client
NOT SURE THIS IS REQUIRED???
[/quote]
**** Seems like duplicates to me.............
What I see is that you need a total of 3 routes, one for traffic to each subnet (so that the MT router knows to use the OVPN tunnel for those destinations).
The question is how many users on your home router need access (how many IP addresses???).
To be frank, I don't understand why the OVPN server has a public IP, as I am used to the router having the public IP, but if that's the case, then disregard any advice I have, as I don't understand the way to approach this correctly (WireGuard I can handle).
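As an added illustration (not from either poster in this thread), here is one way to express the route set discussed above on RouterOS v7 so that only LAN traffic is steered into the WireGuard tunnel, with failback to the ISP when the tunnel is down, and with the three OVPN destinations kept on the OVPN tunnel. Assumptions, none of which come from the thread: the LAN subnet is 192.168.88.0/24, the WireGuard interface is named WG, the ISP gateway is 100.69.16.1 (taken from the posted routes), 10.128.0.1 answers ping through the tunnel, and the `IP%interface` gateway form and `check-gateway=ping` behave as documented for v7. The placeholder prefix A.A.A.A/19 is left exactly as the poster wrote it.

```routeros
# Added example config, not the poster's or MikroTik's own. Assumed names and
# addresses: LAN 192.168.88.0/24, WireGuard interface WG, ISP gateway 100.69.16.1.

# 1. Main table: a plain ISP default route. The router's own traffic, including the
#    WireGuard handshake to 185.107.94.25 and the OVPN connection to B.B.B.B, uses
#    this, so no /32 "endpoint" routes are needed.
/ip route
add dst-address=0.0.0.0/0 gateway=100.69.16.1 distance=1 \
    comment="ISP default, used by the router itself and as LAN failback"

# 2. Main table: the three business destinations via the OVPN client
#    (A.A.A.A/19 placeholder kept as posted).
add dst-address=A.A.A.A/19     gateway=10.132.15.129 distance=1 comment="business public net via OVPN"
add dst-address=10.0.0.0/8     gateway=10.132.15.129 distance=1 comment="business private net via OVPN"
add dst-address=192.168.0.0/16 gateway=10.132.15.129 distance=1 comment="business private net via OVPN"

# 3. A separate table holding only the WireGuard default route.
#    check-gateway=ping marks the route inactive when 10.128.0.1 stops answering,
#    which is what makes the failback in step 4 work. (Assumes 10.128.0.1 pings.)
/routing table
add name=wg fib
/ip route
add dst-address=0.0.0.0/0 gateway=10.128.0.1%WG routing-table=wg \
    check-gateway=ping distance=1 comment="LAN default via WireGuard"

# 4. Routing rules, evaluated in order:
#    - business destinations are looked up only in main (so they stay on OVPN);
#    - everything else from the LAN is looked up in the wg table first.
#    action=lookup (not lookup-only-in-table) falls through to main when the wg
#    route is inactive, giving the ISP failback.
/routing rule
add dst-address=A.A.A.A/19     action=lookup-only-in-table table=main comment="keep business traffic on OVPN"
add dst-address=10.0.0.0/8     action=lookup-only-in-table table=main comment="keep business traffic on OVPN"
add dst-address=192.168.0.0/16 action=lookup-only-in-table table=main comment="keep business traffic on OVPN"
add src-address=192.168.88.0/24 action=lookup table=wg comment="LAN internet via WireGuard, failback to main"

# 5. Only needed if the router itself (not just LAN clients) forwards DNS to
#    10.128.0.1: the router's own queries do not match the LAN src rule, so they
#    need a main-table route into the tunnel.
/ip route
add dst-address=10.128.0.1/32 gateway=WG distance=1 comment="provider DNS via WireGuard, for the router's own DNS"
```

Two checks worth running after applying this: `/ip route print where routing-table=wg` should show the WireGuard default route flagged active only while the tunnel passes ping, and `/tool traceroute` from a LAN host to a public address should go through the tunnel while a traceroute to one of the business prefixes should go through 10.132.15.129. Disabling the WG interface and repeating the first traceroute confirms the failback to the ISP.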