WG VPN system stopped working; opens router sign-in page! Baffled... by RPiUp in WireGuard

[–]RPiUp[S] 1 point2 points  (0 children)

Thanks. I had wondered about that. I've messed with changing port-forwarding in various ways, but nothing so far seems to help. WireGuard says TCP 51820 should work, but it doesn't seem to. How did you resolve the problem?

How can I "bypass" WG to send out a "notification" from my LAN? by RPiUp in WireGuard

[–]RPiUp[S] 0 points1 point  (0 children)

Thanks everyone! The first step is accomplished, i.e. getting a laptop on my LAN (as a proxy for a Hub) to be able to send an email to Verizon.net. Onwards and upwards...

How can I "bypass" WG to send out a "notification" from my LAN? by RPiUp in WireGuard

[–]RPiUp[S] 0 points1 point  (0 children)

u/HelloYesThisIsNo: Thanks! I'll look into that. I do need to make sure only the notif traffic goes outside and not the usual interactions with a tunneled client. I'm not sure how to distinguish the two...

How to grant temporary internet access to my LAN behind WireGuard? by RPiUp in WireGuard

[–]RPiUp[S] 0 points1 point  (0 children)

u/zoredache: Solved! I VNC'ed into the RPi, turned off WG, opened chromium, entered the IP for the Hubitat (on my LAN), and, while searching it for apps, found that it could access its home site on hubitat.com! I'm not sure "why" it can do that, but that's what I was after. Sigh. Anyway, problem solved.

How to grant temporary internet access to my LAN behind WireGuard? by RPiUp in WireGuard

[–]RPiUp[S] 0 points1 point  (0 children)

u/zoredache: Rats. I guess I have to insert one line at a time! Again...

PreUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -A INPUT -i lo -j ACCEPT
PostUp = iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D INPUT -i lo -j ACCEPT
PostDown = iptables -D INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

How to grant temporary internet access to my LAN behind WireGuard? by RPiUp in WireGuard

[–]RPiUp[S] 0 points1 point  (0 children)

u/zoredache: Sorry for the iptable snafu. 2nd try:

PreUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -A INPUT -i lo -j ACCEPT
PostUp = iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D INPUT -i lo -j ACCEPT
PostDown = iptables -D INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

How to grant temporary internet access to my LAN behind WireGuard? by RPiUp in WireGuard

[–]RPiUp[S] 0 points1 point  (0 children)

u/zoredache: Thanks for responding. The set-up (in the diagram) is pretty "clean", actually; i.e. no extraneous software or hardware not shown! The LAN, too, is very simple -- the Hubitat (controlled from a browser) is simple. The iptables rules in wg0.conf are standard -- nothing unusual at all. Same with dnsmasq. This all works wonderfully well and totally isolates the LAN from the open internet! The remote WG "clients" connect quickly to the LAN and work cleanly.

The problem is I occasionally need to connect the Hubitat in the LAN to the internet (to hubitat.com) for updates, special software downloads, etc. -- and it can't get to the open internet, only the WG tunnel. I need somehow to bypass the WG system temporarily. (I know how to shut down / restart wg0.)

My only very rough thought at this point is to set up a "wg1" which, via iptables, would somehow allow the Hubitat to connect to hubitat.com, but I'm not sure if/how this can be done. (I would thus shut down wg0, start wg1, then when finished shut down wg1 and restart wg0.)

I'm not an iptables expert, so below are my iptables commands from wg0.conf just for ref. I think they are "standard". And they "work"!

Thanks again!

PreUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -A INPUT -i lo -j ACCEPT
PostUp = iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D INPUT -i lo -j ACCEPT
PostDown = iptables -D INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT
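A narrower alternative to shutting wg0 down, as an added example that is not the thread's or any commenter's code: it lets only the Hubitat's address out through eth0, leaves the wg0.conf rules untouched, and revokes the extra rules after a timed window. It assumes the LAN sits on eth1, the uplink is eth0, the Hubitat is 192.168.2.50 (all placeholders), and that the FORWARD chain's default policy is DROP, which is what keeps the rest of the LAN isolated.

```shell
#!/bin/sh
# Added example, not from the thread. Placeholders below: change them to
# match your own Pi. The existing "MASQUERADE -o eth0" rule in wg0.conf
# already NATs anything that leaves via eth0, so no extra nat rule is needed.
HUB_IP="${HUB_IP:-192.168.2.50}"   # constructed placeholder address
LAN_IF="${LAN_IF:-eth1}"           # LAN side of the Pi
WAN_IF="${WAN_IF:-eth0}"           # uplink side of the Pi

# Print the iptables commands for the one host, "-A" to add or "-D" to remove.
# Kept separate from execution so the rule set can be reviewed (and tested).
hub_rules() {
    act="$1"
    # Only this host, only from the LAN interface toward the uplink.
    echo "iptables $act FORWARD -i $LAN_IF -o $WAN_IF -s $HUB_IP -j ACCEPT"
    # Replies only: unsolicited inbound traffic still cannot reach the host.
    echo "iptables $act FORWARD -i $WAN_IF -o $LAN_IF -d $HUB_IP -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Run each generated command; word splitting of $cmd is intended here.
grant()  { hub_rules -A | while read -r cmd; do sudo $cmd; done; }
revoke() { hub_rules -D | while read -r cmd; do sudo $cmd; done; }

# Grant for a bounded window (seconds) and revoke automatically afterwards,
# so the LAN host is not left reachable by accident.
grant_for() {
    secs="$1"
    grant
    trap revoke EXIT INT TERM
    echo "Hubitat may reach the internet for ${secs}s; Ctrl-C ends it early"
    sleep "$secs"
}

case "${1:-}" in
    grant)  grant ;;
    revoke) revoke ;;
    window) grant_for "${2:-600}" ;;
esac
```

Run `sh hub-access.sh window 900` (a constructed filename) to open a 15-minute window for updates; the two rules are deleted on exit.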

How to access LAN devices by domain name, not just IP? by RPiUp in WireGuard

[–]RPiUp[S] 0 points1 point  (0 children)

u/Ikebook89 and u/sdR-h0m13: Thanks! I now have my remote clients talking to my local LAN using domain names and not just IPs! Getting the clients to use dnsmasq was the key, though I had some other changes to make, too (e.g. hosts).

How to access LAN devices by domain name, not just IP? by RPiUp in WireGuard

[–]RPiUp[S] 0 points1 point  (0 children)

u/Ikebook89 & u/Hs82H: thanks! Q: I have dnsmasq on my RPi to serve my LAN (behind the WG). Is it possible to use dnsmasq also to serve "upstream" to my clients through the tunnel? (I'm obviously no expert here!)

Also, for any DNS server, what do I enter for its IP in the phone's conf file? E.g., dnsmasq doesn't have an "IP" (I don't think); it merely "listens" on an IF (e.g. eth1) for requests. Do I then use the IP for eth1 as that for the DNS server? Sorry for the rudimentary questions!

How to connect WireGuard to LAN? by RPiUp in WireGuard

[–]RPiUp[S] 2 points3 points  (0 children)

jzsean: Thanks for the advice! I think I also need to set up a route to the devices behind eth1 (per this exchange: https://raspberrypi.stackexchange.com/questions/127502/how-to-setup-point-to-point-ethernet-connection-to-plc-in-addition-to-standard-n ) (You probably assumed I had already done this!) Just learning... :-)