I am looking for some advice on how to (if possible) set up a WireGuard network for my home network and, when I am connected to that network, have a remote WireGuard server act as an exit node, so that all external traffic appears to be coming from that remote server whilst keeping traffic bound for the home network local (only accessible via the WireGuard network).

Local server is a Debian box and other devices will run a flavour of Linux. Remote server is already running WireGuard and I can connect to that if I bring up a route on each device, but ideally I want to connect to my home net and automatically have outbound traffic go via the remote server. The remote server’s WireGuard config is not under my control, which may make this unfeasible.

  • comrade_twisty@feddit.org · 11 points · 3 months ago (edited)

    VPN cascading is the term you’re looking for. Yes, it’s possible with wireguard. Who controls the exit server is not of any concern, although you might break the ToS of the commercial VPN provider in question - but they can’t really see that.

  • jubilationtcornpone@sh.itjust.works · 5 points · 3 months ago (edited)

    I want to make sure I understand your goal correctly. Here’s what I’m getting.

    1. You have a wire guard connection that you want to use for outbound traffic from your local LAN.
    2. You have a Debian box that serves as the client in this situation.

    Here’s the part where I’m a little fuzzy:

    1. You want to connect to your local LAN using another wire guard connection and have WAN requests routed from clients connecting to your LAN (via wire guard) out the wire guard connection mentioned in #1.

    Did I get any part of that wrong?

    Edit: NVM. I saw your response to another comment that sounds like this is exactly what you want.

    This should be achievable via routing. I actually do the same thing. The main difference is all the work is done on my router which handles both wire guard connections and routing.

    At the minimum you’re going to need:

    • A NAT rule on your local router to port forward incoming wire guard requests on the WAN to your Debian box (assuming the Debian box is also the wire guard server).
    • An iptables DNAT rule on your Debian box to route local traffic to the LAN gateway.
    • An iptables DNAT rule on your Debian box to route outbound WAN traffic that does NOT originate from your Debian box to the gateway at the other end of the outbound wire guard connection.
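
    A worked version of the setup this comment describes, added here as an example and not taken from the thread or from the commenter’s own router: a POSIX shell script that writes two wg-quick configs for the Debian box, one for the home hub interface that roaming devices connect to (wg0) and one for the client tunnel to the remote exit server (wg1). The steering between the two gateways is done with policy routing (`ip rule`) rather than DNAT; NAT is only applied where the other side cannot route back (the exit provider only knows the tunnel address, and LAN hosts have no route to the hub subnet). Everything here is an assumption chosen for illustration: LAN 192.168.1.0/24 on eth0, hub subnet 10.10.0.0/24, routing table 100, and the `<...>` placeholders for keys, provider address and endpoint, which come from `wg genkey` and the provider’s own config.

```shell
#!/bin/sh
# Added example (not from the thread): generate wg-quick configs for a Debian
# box that is both the home WireGuard hub (wg0) and a client of the remote
# exit server (wg1). Policy routing sends traffic from wg0 peers out via wg1
# while LAN and hub destinations stay local; the box's own traffic is untouched.
#
# Assumed addressing (constructed for illustration):
#   LAN         192.168.1.0/24   (this box is 192.168.1.10 on eth0)
#   wg0 (hub)   10.10.0.0/24     (hub 10.10.0.1, roaming peers 10.10.0.2..)
#   wg1 (exit)  address, keys and endpoint come from the provider's config
# Keys are left as <placeholders>; fill them in before bringing the tunnels up.
set -eu

LAN_NET="192.168.1.0/24"
LAN_IF="eth0"
WG0_NET="10.10.0.0/24"
WG0_ADDR="10.10.0.1/24"
WG0_PORT="51820"
EXIT_TABLE="100"   # routing table whose only route is "default dev wg1"

# Hub config: the home router forwards UDP $WG0_PORT to this box.
write_hub_conf() {
  cat >"$1/wg0.conf" <<EOF
[Interface]
Address = $WG0_ADDR
ListenPort = $WG0_PORT
PrivateKey = <hub-private-key>
PostUp = sysctl -w net.ipv4.ip_forward=1
# Masquerade peer traffic headed into the LAN so LAN hosts need no static
# route back to $WG0_NET (alternative: add that route on the home router).
PostUp = nft add table inet wghub; nft add chain inet wghub post '{ type nat hook postrouting priority srcnat; }'
PostUp = nft add rule inet wghub post ip saddr $WG0_NET oifname "$LAN_IF" masquerade
PostDown = nft delete table inet wghub

[Peer]
# One roaming device. Its own client config uses AllowedIPs = 0.0.0.0/0
# (full tunnel to home) so that all of its traffic arrives here first.
PublicKey = <laptop-public-key>
AllowedIPs = 10.10.0.2/32
EOF
}

# Exit tunnel config. "Table = off" stops wg-quick from replacing this box's
# own default route; only traffic sourced from wg0 peers is steered into wg1.
write_exit_conf() {
  cat >"$1/wg1.conf" <<EOF
[Interface]
Address = <exit-tunnel-address-from-provider>
PrivateKey = <exit-tunnel-private-key>
Table = off
# Rule 100: consult the main table but ignore its default route, so LAN
# ($LAN_NET) and hub ($WG0_NET) destinations stay local. Rule 200: everything
# else from wg0 peers goes to table $EXIT_TABLE, whose only route is the tunnel.
PostUp = ip route add default dev %i table $EXIT_TABLE
PostUp = ip rule add from $WG0_NET lookup main suppress_prefixlength 0 priority 100
PostUp = ip rule add from $WG0_NET lookup $EXIT_TABLE priority 200
# The provider only knows the tunnel address, so source-NAT peer traffic to it.
PostUp = nft add table inet wgexit; nft add chain inet wgexit post '{ type nat hook postrouting priority srcnat; }'
PostUp = nft add rule inet wgexit post ip saddr $WG0_NET oifname "%i" masquerade
PostDown = ip rule del from $WG0_NET lookup $EXIT_TABLE priority 200
PostDown = ip rule del from $WG0_NET lookup main suppress_prefixlength 0 priority 100
PostDown = ip route del default dev %i table $EXIT_TABLE
PostDown = nft delete table inet wgexit

[Peer]
PublicKey = <exit-server-public-key>
Endpoint = <exit-server-host>:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF
}

# Write both configs into the given directory with private-key-safe permissions.
write_configs() {
  mkdir -p "$1"
  write_hub_conf "$1"
  write_exit_conf "$1"
  chmod 600 "$1/wg0.conf" "$1/wg1.conf"
}

# Usage: sh gen_wg_configs.sh /etc/wireguard
#        systemctl enable --now wg-quick@wg1 wg-quick@wg0
if [ -n "${1:-}" ]; then
  write_configs "$1"
fi
```

    Once the placeholders are filled in and both tunnels are up, check it from a connected roaming device: `curl -4 ifconfig.me` should return the exit server’s address, while an address on the home LAN is still reachable directly. On the hub, `ip route get 1.1.1.1 from 10.10.0.2 iif wg0` should show `dev wg1` and `ip route get 192.168.1.20 from 10.10.0.2 iif wg0` should show `dev eth0`. Two things to keep in mind: hand the roaming devices a DNS server on the far side of the exit tunnel (via `DNS =` in their client config), otherwise name lookups still go out the home ISP; and if the box runs strict reverse-path filtering (`rp_filter=1`), switch the WireGuard interfaces to loose mode (`2`), since return packets for the peers arrive on wg1 while the route back to them is via wg0.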

  • abeorch@friendica.ginestes.es · 2 points · 2 months ago

    @portnull I’m basically doing that with #Openwrt and #PolicyBasedRouting: I’ve got different Wi-Fi SSIDs that each have a different default gateway routed via different remote OpenWrt routers. I can’t say that I have it perfectly configured yet, but it works. Internal traffic is routed across the VPNs depending on where the device is located, so my server in one location is accessible from computers in the other two locations.

  • spaghettiwestern@sh.itjust.works · 1 point · 3 months ago (edited)

    If I’m understanding what you want to do, I have this set up on an OpenWRT router with multiple remote endpoints used for different devices. Our phones go to a hosted WireGuard server in one city, PCs to an OpenWRT router in a different location, and IoT devices that aren’t blocked and guest devices access the Internet locally. With some additional work you should also be able to have remote devices connected via WG exit wherever you like.

    Policy Based Routing on OpenWRT makes this possible, and it should be doable as long as the devices you want to allow to exit the remote server are included in that server’s “Allowed IPs” setting. (Maybe there’s a way around that, but I haven’t had to deal with it.)

  • null_dot@lemmy.dbzer0.com · 2 up / 1 down · 3 months ago

    It’s not really clear exactly what you want.

    When you’re at home, and for services running on your home server, if you want everything to go through the remote WireGuard server then that’s achievable.

    However, if you want to be able to access services running on your home server, while you’re not at home, via that remote WireGuard server, that generally requires port forwarding, which commercial providers generally don’t offer.

    Can you clarify?

    • PortNull@lemmy.dbzer0.com (OP) · 4 points · 3 months ago (edited)

      Sorry to be unclear. Yes, I want to be able to access my home services from outside over WireGuard, but connect directly into the home network. However, once connected to the home network I want all traffic to be routed outside via the remote WireGuard server.

  • sem@lemmy.blahaj.zone · 1 point · 3 months ago (edited)

    You could maybe do this with Tailscale: all your devices will be reachable from each other, and you can specify that you want the external one to be the exit node. It uses WireGuard under the hood.

    • PortNull@lemmy.dbzer0.com (OP) · 2 points · 2 months ago

      The issue is that the remote server (the one I want to use as the exit node) doesn’t have Tailscale on it. Otherwise I’d be doing just that :D

      • abeorch@friendica.ginestes.es · 2 points · 2 months ago

        @sem @portnull The one you want to use as an exit node is a commercial VPN provider, right?

        Whatever you want, it’s pretty much achievable with OpenWrt, WireGuard and some routing (maybe using policy based routing).

        Bonus: there is a WireGuard client app for Android that automatically switches off the tunnel back to your home server if you are on its LAN. It’s called WG Wireguard.

  • PortNull@lemmy.dbzer0.com (OP) · 1 point · 2 months ago (edited)

    Thank you for everyone’s help and input. I have it working now, albeit not in the way I had hoped (not using docker containers for it), but it works. I followed https://thedevquill.substack.com/p/setting-up-a-tailscale-exit-node but instead of using the NordVPN image I used the plain WireGuard client image. In the wireguard compose I set network_mode: container:wireguard. Now when I connect Tailscale over the exit node, traffic is going out over the WireGuard IP.

  • magikmw@piefed.social · 1 up / 1 down · 3 months ago

    You can set this up with your router connecting to the remote server and routing your client traffic through there instead of through the gateway your router is using for WAN.

    Specifics are router… Specific.

    You can do the same with a VM in your network acting as a router or proxy as well; pick your poison.