Remote access with Wireguard behind CGNAT

So I’m running OPNsense at home for my firewall/router. I have many different VLANs for separating different things into different networks. Three of them are LAN, Trusted and Untrusted. LAN is, well, where my regular devices like all mobile phones, TV, laptop etc. connect. Now I self-host a lot of services at home using my Proxmox server. The services I expose outside my home via my domain I keep in Untrusted, and services I don’t expose outside my home and use locally only I keep in Trusted. I also rent a VPS on which I run a WireGuard VPN.

Now I recently watched this video of Tom’s,

and configured a tunnel wg1 on the VPS so I can forward traffic on ports 80 and 443 (which will be coming from my domains) to my OPNsense box at home. At home I run NginxProxyManager, and I forward the traffic of this tunnel to NginxProxyManager’s IP, and from there I forward any domain to the requested service at home.

Here is the config for wg1:

[Interface]
Address = 192.168.240.1/24
PrivateKey = WG1_PRIVATE_KEY
ListenPort = 52821

# Forward traffic on port 80 and 443 to OPNsense via WG
PostUp = iptables -A FORWARD -j LOG --log-prefix "wg1-forward: "
PostUp = iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.240.2:80
PostUp = iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 192.168.240.2:443
PostUp = iptables -t nat -A POSTROUTING -p tcp -d 192.168.240.2 --dport 80 -j SNAT --to-source 192.168.240.1
PostUp = iptables -t nat -A POSTROUTING -p tcp -d 192.168.240.2 --dport 443 -j SNAT --to-source 192.168.240.1
PostUp = iptables -A FORWARD -p tcp -d 192.168.240.2 --dport 80 -j ACCEPT
PostUp = iptables -A FORWARD -p tcp -d 192.168.240.2 --dport 443 -j ACCEPT

PostDown = iptables -D FORWARD -j LOG --log-prefix "wg1-forward: "
PostDown = iptables -t nat -D PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.240.2:80
PostDown = iptables -t nat -D PREROUTING -p tcp --dport 443 -j DNAT --to-destination 192.168.240.2:443
PostDown = iptables -t nat -D POSTROUTING -p tcp -d 192.168.240.2 --dport 80 -j SNAT --to-source 192.168.240.1
PostDown = iptables -t nat -D POSTROUTING -p tcp -d 192.168.240.2 --dport 443 -j SNAT --to-source 192.168.240.1
PostDown = iptables -D FORWARD -p tcp -d 192.168.240.2 --dport 80 -j ACCEPT
PostDown = iptables -D FORWARD -p tcp -d 192.168.240.2 --dport 443 -j ACCEPT

# OPNsense
[Peer]
PublicKey = WG1_OPNsense_PUB_KEY
AllowedIPs = 192.168.240.2/32
PersistentKeepalive = 25

So there is only one peer here, as this tunnel only needs to forward traffic to my OPNsense, and the rest is handled on the OPNsense box as Tom shows in the video: firewall rules, NAT port forwarding to the NginxProxyManager IP, etc. This setup works great.

Now I have another tunnel, wg0, which I use as a “regular” VPN, and I have connected a couple of services I don’t expose outside my home to this tunnel so I can access them over VPN. For example HomeAssistant and Shinobi: both are running in VMs, and I installed and configured WireGuard on both VMs so I can have them as peers of wg0 and hence accessible over the wg0 tunnel, where my phones and all devices connect for “regular” VPN use. It works, but the problem is I have to change the IP in the HomeAssistant and Shinobi apps to the VPN subnet when I am outside and connect to the VPN, and when I’m home I have to change it back to the home subnet for these services.

Here is the config for wg0:

[Interface]
Address = 192.168.210.1/24
PrivateKey = WG0_PRIVATE_KEY
ListenPort = 52820

PostUp = iptables -A FORWARD -i wg0 -j ACCEPT ; iptables -t nat -A POSTROUTING -o enp1s0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT ; iptables -t nat -D POSTROUTING -o enp1s0 -j MASQUERADE

[Peer]
PublicKey = WG0_PEER1_PUB_KEY
AllowedIPs = 192.168.210.2/32
PersistentKeepalive = 25

[Peer]
PublicKey = WG0_PEER2_PUB_KEY
AllowedIPs = 192.168.210.3/32
PersistentKeepalive = 25

[Peer]
PublicKey = WG0_PEER3_PUB_KEY
AllowedIPs = 192.168.210.4/32
PersistentKeepalive = 25

[Peer]
PublicKey = WG0_PEER4_PUB_KEY
AllowedIPs = 192.168.210.5/32
PersistentKeepalive = 25

There are many peers in this tunnel config, but I am just showing a few as examples; you can assume some of the peers are my phones and laptop, and also the HomeAssistant and Shinobi peers.

What I would like to have is that this wg0 tunnel connects to my OPNsense box as well, so I can access anything on my network without needing to change the IP in the app every time I switch from VPN to WiFi or 4G/5G or whatever, and also, if possible, route all VPN traffic for wg0 out of my home WAN so I can use the PiHole running at home as DNS for all the peers of wg0.

I saw Tom had this video on his channel,

but this assumes that the home network has a public IP, which I don’t have, as my network uses CGNAT (PPPoE), so I can’t use the setup shown in the video.

What are my options? I asked ChatGPT and it gave these additional PostUp and PostDown rules that I can add:

PostUp = iptables -t nat -A POSTROUTING -s 192.168.210.0/24 -d 10.15.25.0/24 -j MASQUERADE
PostUp = iptables -A FORWARD -i %i -o %i -s 192.168.210.0/24 -d 10.15.25.0/24 -j ACCEPT
PostUp = iptables -A FORWARD -i %i -o %i -s 10.15.25.0/24 -d 192.168.210.0/24 -j ACCEPT

PostDown = iptables -t nat -D POSTROUTING -s 192.168.210.0/24 -d 10.15.25.0/24 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -o %i -s 192.168.210.0/24 -d 10.15.25.0/24 -j ACCEPT
PostDown = iptables -D FORWARD -i %i -o %i -s 10.15.25.0/24 -d 192.168.210.0/24 -j ACCEPT

10.15.25.0/24 is my LAN subnet at home. But I’m not sure if this is correct or not, as my knowledge of networking is very limited.
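An added example (not from the post or from Tom's video) of the hub-and-spoke layout the question describes: OPNsense joins wg0 as an ordinary peer that dials out to the VPS, so CGNAT is not an obstacle, and the VPS assigns the home LAN prefix to that one peer via cryptokey routing. The peer address 192.168.210.6, the key placeholders, VPS_PUBLIC_IP and the PiHole address 10.15.25.53 are assumptions; the three sections below are three separate config files.

```ini
# ===== 1. VPS: extra [Peer] appended to the existing wg0.conf =====
# Only this peer may carry 10.15.25.0/24; the same prefix in any other [Peer]
# would silently steal the route (WireGuard keeps a prefix on one peer only).
# The existing "iptables -A FORWARD -i wg0 -j ACCEPT" already allows
# peer-to-peer traffic inside wg0, and no MASQUERADE is needed because
# OPNsense routes 192.168.210.0/24 back into the tunnel. Leaving the source
# IP intact lets OPNsense write firewall rules per VPN peer instead of seeing
# every client as 192.168.210.1.
[Peer]
PublicKey = WG0_OPNSENSE_PUB_KEY
AllowedIPs = 192.168.210.6/32, 10.15.25.0/24
PersistentKeepalive = 25

# ===== 2. OPNsense: equivalent of the WireGuard instance + peer in its GUI =====
# OPNsense has no Endpoint in the VPS config, so it must initiate and keep
# the CGNAT mapping alive with PersistentKeepalive.
[Interface]
Address = 192.168.210.6/32
PrivateKey = WG0_OPNSENSE_PRIVATE_KEY

[Peer]
PublicKey = WG0_VPS_PUB_KEY
Endpoint = VPS_PUBLIC_IP:52820
AllowedIPs = 192.168.210.0/24
PersistentKeepalive = 25

# ===== 3. Phone / laptop client (split tunnel) =====
# Clients reach HomeAssistant and Shinobi at their normal 10.15.25.x LAN
# addresses, so the app's IP never changes. DNS points at the assumed PiHole.
[Interface]
Address = 192.168.210.2/32
PrivateKey = WG0_PEER1_PRIVATE_KEY
DNS = 10.15.25.53

[Peer]
PublicKey = WG0_VPS_PUB_KEY
Endpoint = VPS_PUBLIC_IP:52820
AllowedIPs = 192.168.210.0/24, 10.15.25.0/24
PersistentKeepalive = 25
```

On OPNsense the WireGuard interface still needs a pass rule allowing 192.168.210.0/24 to the LAN (and nothing else), and PiHole must be configured to answer queries from that subnet. Sending all client traffic out of the home WAN is a separate step (0.0.0.0/0 on the OPNsense peer plus outbound NAT on OPNsense) and is not covered here.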