I wanted to set up an MV1000 with a local IP handed out by my client's LAN's DHCP server (static assignment), then use the MV1000 as a dedicated WireGuard box. Ideally I wanted to keep the GUI available so that the end user can add new users if need be. (Really like the QR code or conf file for client setups.)
If I put the device in AP mode you lose the VPN GUI. If I leave it in Router mode, then the admin pages are only available when connected to the LAN (or the VPN).
1. Can I enable management via WAN?
2. Would I be better off flashing stock OpenWrt?
3. Ideally I would only want the VPN to handle LAN traffic and not route users' internet traffic over the VPN.
4. Client has a static IP that I am going to set up a sub-domain (vpn.client.com) for. But I do not see a place to make the config in the GUI. CLI only?
Answered some of my own questions. Added some traffic rules to open 22 and 80 allowing me to SSH via the WAN port.
!!!DO NOT DO THIS IF YOUR DEVICE IS DIRECTLY CONNECTED TO THE INTERNET!!!
You can enable DDNS and only enable HTTPS. Better not to use HTTP.
For static IP I am not sure what you want to do.
I was referring to the IP of the VPN server. Since my client has a static IP address I would like to set that as the Endpoint Host. The only place I can see to set that manually is via the LuCI or CLI interface. It’s not exposed in the GL.iNet overlay.
For science projects…
MV1000 - set up WG, with user1, user2, user3
MV1000 - set static IP (or DHCP reservation) on the edge router
Edge Router - Open the WG port for port 51280/UDP
That’s all you need to connect inbound to the WG server…
Here’s an example, where the WG server (Brume) is on 192.168.15.22… the Edge Router here being pfSense 2.4.5
For remote access - consider GoodCloud maybe to admin the WG server/host.
Thanks, I’ve sorted out the port forwarding on my edge router (OPNsense). I guess my main concern was that the GL.iNet interface was not exposing all of the options for the WireGuard server. I get why, but a “simple” vs “advanced” mode would be nice. For now I’m just going to use the tools that are built in and manually change the generated client configs to use the proper endpoint (DNS name, not IP) and the LAN subnet (10.0.1.0/24) instead of 0.0.0.0/0.
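
The manual edit described in the last post can be scripted. This is an added example, not part of the original thread and not GL.iNet code: it rewrites only the `[Peer]` section's `Endpoint` host and `AllowedIPs`, keeping the generated port and keys. The function name `rewrite_client_conf` is hypothetical, and the sample config is constructed, with placeholder keys and a documentation-range IP.

```python
import ipaddress

# Constructed sample of a generated client config (keys are placeholders).
SAMPLE_CONF = """\
[Interface]
Address = 10.0.0.2/32
PrivateKey = <client-private-key>

[Peer]
PublicKey = <server-public-key>
AllowedIPs = 0.0.0.0/0
Endpoint = 203.0.113.10:51280
PersistentKeepalive = 25
"""

def rewrite_client_conf(conf, endpoint_host, lan_subnets):
    """Return conf with the [Peer] Endpoint host and AllowedIPs replaced."""
    # strict=True rejects entries with host bits set, such as 10.0.1.5/24.
    allowed = ", ".join(str(ipaddress.ip_network(s, strict=True)) for s in lan_subnets)
    out, section, seen = [], None, set()
    for line in conf.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].lower()
        elif section == "peer" and "=" in stripped and not stripped.startswith("#"):
            key, value = (p.strip() for p in stripped.split("=", 1))
            if key.lower() == "endpoint":
                # Keep the port the server generated; swap only the host part.
                _, sep, port = value.rpartition(":")
                if not sep or not port.isdigit():
                    raise ValueError(f"Endpoint has no port: {value!r}")
                line = f"Endpoint = {endpoint_host}:{port}"
                seen.add("endpoint")
            elif key.lower() == "allowedips":
                # Split tunnel: only the listed subnets are routed over the VPN.
                line = f"AllowedIPs = {allowed}"
                seen.add("allowedips")
        out.append(line)
    missing = {"endpoint", "allowedips"} - seen
    if missing:
        raise ValueError(f"[Peer] section lacks: {sorted(missing)}")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(rewrite_client_conf(SAMPLE_CONF, "vpn.client.com", ["10.0.1.0/24"]))
```

The `[Interface]` section is passed through untouched, so the client's private key and tunnel address stay exactly as generated.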