VPN client within existing network for NAS access

Hello,

I plan to use an Opal router within an existing network.
Present configuration: LTE router with local network 192.168.8.x. One of the devices connected is a NAS with fixed IP 192.168.8.200.
At this time, this NAS connects to a VPN server to be accessible from outside. The firewall is also located on the NAS.
The NAS is therefore locally accessible and from outside directly as a web server.
The Opal shall take over the VPN client function and grant access to the NAS only.

Could I configure the Opal as 192.168.199, let it connect to the VPN server and install forward rules to 192.168.8.200 for everything? Or should I install a subnet? Problem with local access to the NAS? Using LAN or WAN port of Opal to the main switch?

Thank you for your help to find the easiest solution.
Cheers

You need to make sure that the Opal's network (default 192.168.8.x) does not collide with your network where the NAS is. Opal needs to have a different one, as I read your topology.

Check How to troubleshoot WireGuard

OK. Do I have to connect the NAS to the local network of the Opal? Or just connect the Opal to my main switch?
If I connect the NAS to the subnet of the Opal (192.168.1.x as example), I'm not sure I get access to the NAS within the local network (192.168.8.x)?
Thank you

I don't really understand your setup right now.

Is Opal only for VPN or is it a VPN client by itself?

The Opal shall be a VPN client and forward the incoming traffic from the VPN Server to my NAS. No other function for the Opal.

Could you try to adjust the diagram so it's more clear what network is which one?
Try https://draw.io


This is the present network without Opal. Works perfectly with the NAS acting as VPN client to get connected to the internet as web server.
I want an Opal taking over this VPN client function

Which device is the VPN server?

The VPN server is an external company giving me a fixed IP and domain name for the NAS to act as web server.

And the Opal will connect to the same external VPN? So there is no real site-to-site VPN between your networks, instead everyone acts like a client, correct?

Yes the Opal shall connect to the same VPN server and direct all the traffic to the NAS.
There is no site-to-site VPN. I don't want to access my network from outside. Just the NAS has to be connected to my domain name provider.
And when connected within my local network I want to access the NAS.

Perhaps I should install the Opal as main router for the complete home network and configure that the VPN is only for the NAS, because I don't want my outgoing traffic from home going through the VPN. Is it possible?

I don't really understand how to solve this because the routing fully depends on your VPN provider. I don't even know if this provider supports it?

For a pure GL network, see Build your own WireGuard Home Server with two GL.iNet Routers - GL.iNet Router Docs

But please be aware that hosting a VPN server isn't possible when using cellular internet, mostly.

OK. I will try several configurations based on the available options of the Opal.
(But I want a VPN client, not a server. The server is in Germany and I'm located in France).
I will let you know what I manage to do.

A VPN always needs Server + Client, that's how it works.

You might need "port forward" in the OPAL.
192.168.8.x is your OPAL WAN.
192.168.1.x is your OPAL LAN.

S-NAT from LAN to WAN on OPAL is automatic. The reverse initiated path needs some setup.
WAN-to-LAN port forwarding or even "DMZ host" will make things much easier than another WAN-to-LAN passthrough. (WAN devices then don't have to know, use or route the LAN IP addresses; they use the WAN (192.168.8.x) IP address to connect to the LAN devices.)

VPN might need some attention to select for the Port Forwarding. (To be checked with SSH if the VPN interface is in the WAN zone, and no other firewall rules are blocking that traffic.)

LAN to WAN is doing NAT (using the WAN IP address).
LAN to VPN should also do some NAT (using the VPN IP address) if it is an L3 VPN.

Advantage of port forwarding is that besides the automatic return path (reversed NAT) it can allow WAN initiated connections.

Also for things like Zerotier (L2 VPN), using port forwarding will avoid the need for "managed routes" in Zerotier's management portal. (Zerotier does not fit on OPAL unfortunately.)
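The two checks suggested in this post (is the VPN interface in the WAN zone, and do the forward rules reach the NAS only) can be done against a saved `uci show firewall` dump. The script below is an added example, not from this thread or from GL.iNet: the dump it parses is constructed, the WireGuard client interface name `wgclient` is an assumption (compare with `uci show network` on your own unit), and the NAS is assumed to have been moved to 192.168.1.200 on the Opal LAN as the post's WAN/LAN split implies.

```python
"""
Audit an OpenWrt/GL.iNet firewall dump for a "VPN client forwards to the NAS only" setup.

Input is the text printed by `uci show firewall` on the router (copied over SSH).
SAMPLE_DUMP below is CONSTRUCTED for this example; the interface name 'wgclient'
and the NAS address 192.168.1.200 are ASSUMPTIONS, not values from the thread.
"""
import re
from collections import defaultdict

# Constructed sample: two DNAT rules, one scoped to HTTPS and one DMZ-style catch-all.
SAMPLE_DUMP = """\
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6' 'wgclient'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@redirect[0]=redirect
firewall.@redirect[0].name='NAS-HTTPS'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].src_dport='443'
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].dest_ip='192.168.1.200'
firewall.@redirect[0].dest_port='443'
firewall.@redirect[0].proto='tcp'
firewall.@redirect[0].target='DNAT'
firewall.@redirect[1]=redirect
firewall.@redirect[1].name='DMZ-everything'
firewall.@redirect[1].src='wan'
firewall.@redirect[1].dest='lan'
firewall.@redirect[1].dest_ip='192.168.1.200'
firewall.@redirect[1].target='DNAT'
"""

# firewall.<section>=<type>  or  firewall.<section>.<option>=<quoted values>
LINE_RE = re.compile(r"^firewall\.([^.=]+)(?:\.([^=]+))?=(.*)$")


def parse_uci(dump):
    """Turn `uci show firewall` text into {section: {'.type': t, option: [values]}}."""
    cfg = defaultdict(dict)
    for raw in dump.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, option, value = m.groups()
        if option is None:
            cfg[section][".type"] = value
        else:
            # List options are printed as several quoted tokens on one line.
            cfg[section][option] = re.findall(r"'([^']*)'", value)
    return dict(cfg)


def sections_of(cfg, typ):
    return [s for s in cfg.values() if s.get(".type") == typ]


def zone_networks(cfg, zone_name):
    """Interfaces that belong to the named firewall zone."""
    for zone in sections_of(cfg, "zone"):
        if zone.get("name") == [zone_name]:
            return zone.get("network", [])
    return []


def vpn_in_wan_zone(cfg, vpn_iface):
    """Redirects with src='wan' only see VPN traffic if the VPN interface is in that zone."""
    return vpn_iface in zone_networks(cfg, "wan")


def audit_redirects(cfg, nas_ip):
    """Return (rule name, finding) pairs for DNAT rules broader than 'NAS, named ports only'."""
    findings = []
    for rule in sections_of(cfg, "redirect"):
        name = rule.get("name", ["<unnamed>"])[0]
        if rule.get("target", ["DNAT"])[0] != "DNAT":
            continue
        dest_ip = rule.get("dest_ip", [None])[0]
        if dest_ip != nas_ip:
            findings.append((name, f"forwards to {dest_ip}, not the NAS {nas_ip}"))
        if "src_dport" not in rule:
            findings.append((name, "no src_dport: every inbound port is forwarded (DMZ-style)"))
        if "proto" not in rule:
            findings.append((name, "no proto: rule matches every protocol"))
    return findings


if __name__ == "__main__":
    cfg = parse_uci(SAMPLE_DUMP)
    print("wgclient in wan zone:", vpn_in_wan_zone(cfg, "wgclient"))
    for name, finding in audit_redirects(cfg, "192.168.1.200"):
        print(f"{name}: {finding}")
```

To use it on a real unit, run `uci show firewall` over SSH, save the output to a file and pass its contents to `parse_uci` instead of `SAMPLE_DUMP`. A rule without `src_dport` or `proto` is the DMZ-host shape the post mentions; it does make the setup work, but it exposes every NAS port to the VPN provider's side, so the scoped rule is the one to keep once the setup is confirmed working.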

Thank you. Was a bit tricky to setup the forward rules, had some issues with SSL certificates but now everything runs perfectly.
Not only the forward rules associated with the VPN are needed. Also at the VPN connection stage, one must allow the access to the LAN. If not, the forward rules are not fully working.