Using a Flint 2 here with the latest firmware (updated a couple days ago).
I've been trying to figure out the right way to configure things so that, when I'm connected to my network using WireGuard (the server is on the router), I can access the web services hosted on an internal host using the external DNS name.
From inside the LAN, I have NAT loopback configured, so when I access https://www.mydomain.net, it hits my external IP address and properly forwards to the host, as if I was outside the network.
But over my Wireguard VPN, I end up connecting to the router's management interface.
I've tried a number of things - port forwarding (which broke things really badly - I couldn't access sites off my network at all when connected to the VPN), turning masquerading off on the WG interface. What I seem to need is something similar to NAT loopback, but that sends the request to the LAN rather than reflecting back to the Wireguard network.
Here's a rough network diagram; the green circle/checks show where I can access the internal webserver from. The red circle/x shows where I can't:
What am I missing?
ETA: I should mention that I'm not doing any split tunnel stuff - when connected to the VPN, I want all traffic going over the VPN (I use the adblock add-on for openWRT to block ads, and that's usually why I'm connecting via the VPN).
As I think more about this, the more I am convinced this is just a case of needing something like NAT loopback on the Wireguard interface. That would send the request to the public IP address, which would then forward it correctly.
But the setting is on the port forwards for ports 80 and 443 from the WAN to the LAN. If I set up similar port forwards on the WireGuard interface, then all of my port 80/443 traffic gets forwarded to the internal host, which means I cannot connect to anything outside the network (and I get certificate errors and such when going to https://www.google.com - naturally, because it's serving my SSL certificate for Google's domain, which isn't defined on my local system because I'm not Google).
OK, so I've played around a bit and I think I have come up with a solution.
I've added custom rules in the firewall "Custom Rules" configuration:
# DNAT from VPN clients (WireGuard firewall zone "wgserver") accessing the WAN IP on ports 80/443.
# Matching on the WAN address (-d <wanip>) is what keeps ordinary outbound web traffic from VPN clients untouched.
# (The first rule originally read "-i prerouting", which is not an interface; both rules match the WireGuard interface.)
iptables -t nat -A prerouting_wgserver_rule -i wgserver -d <wanip> -p tcp --dport 80 -j DNAT --to-destination <internal-server>:<port1>
iptables -t nat -A prerouting_wgserver_rule -i wgserver -d <wanip> -p tcp --dport 443 -j DNAT --to-destination <internal-server>:<port2>
# Masquerade so responses go back through the router correctly.
# Two details: the packet leaves towards the LAN, so fw3 runs it through postrouting_lan_rule (not the wgserver
# chain), and POSTROUTING sees the already-translated destination, so match the internal ports rather than 80/443.
iptables -t nat -A postrouting_lan_rule -s 10.0.0.0/24 -d <internal-server> -p tcp -m multiport --dports <port1>,<port2> -j MASQUERADE
ETA: It looks like these chain names don't work any better than if I set them to PREROUTING and POSTROUTING - so I need to find proper chains to add these rules to, or where to put them in the port forwards/traffic rules sections. I can manually run the /etc/firewall.user script and the rules work, but a restart or "apply changes" in LuCI removes them.
OK, got it working now. I ran the following commands:
uci set firewall.@include[-1].path='/etc/firewall.user'
uci set firewall.@include[-1].type='script'
uci set firewall.@include[-1].enabled='1'
# persist the change to /etc/config/firewall (uci set alone only stages it) and load it
uci commit firewall
/etc/init.d/firewall reload
Even though /etc/firewall.user runs when the firewall is started, it doesn't get processed on a reload or a restart. Doing this gets it included at startup, reload, and restart.
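The same hairpin can be expressed in /etc/config/firewall instead of a custom iptables script, which survives reloads without an include. The fragment below is an added example and is not from the thread or from GL.iNet; it assumes the WireGuard firewall zone is named wgserver (as the chain names above imply), the VPN subnet is 10.0.0.0/24, and `<wanip>`, `<internal-server>`, `<port1>` and `<port2>` are the same placeholders used above. Option A relies on the fw3/fw4 redirect option `reflection_zone`, which extends NAT loopback to extra zones; Option B is the explicit per-zone redirect, where the decisive field is `src_dip`: without it the redirect matches every port 80/443 connection from VPN clients (the wrong-certificate symptom described earlier), with it only connections to the WAN address are translated.

```uci
# /etc/config/firewall (fragment) - added example, not from the original post.
# Assumptions: WireGuard zone 'wgserver', VPN subnet 10.0.0.0/24, placeholders as in the thread.

# Option A: keep the existing WAN port forwards and extend NAT loopback to the VPN zone.
# Reflection rules are only generated for the zones in reflection_zone (default: the
# destination zone, i.e. 'lan'), which is why LAN clients worked and VPN clients did not.
config redirect
	option name 'web-http'
	option src 'wan'
	option src_dport '80'
	option dest 'lan'
	option dest_ip '<internal-server>'
	option dest_port '<port1>'
	option proto 'tcp'
	option target 'DNAT'
	option reflection '1'
	list reflection_zone 'lan'
	list reflection_zone 'wgserver'

config redirect
	option name 'web-https'
	option src 'wan'
	option src_dport '443'
	option dest 'lan'
	option dest_ip '<internal-server>'
	option dest_port '<port2>'
	option proto 'tcp'
	option target 'DNAT'
	option reflection '1'
	list reflection_zone 'lan'
	list reflection_zone 'wgserver'

# Option B: explicit redirect from the VPN zone, matching only traffic addressed to the
# WAN IP (src_dip). Equivalent to the custom prerouting rules above; one entry per port.
config redirect
	option name 'vpn-hairpin-http'
	option src 'wgserver'
	option src_ip '10.0.0.0/24'
	option src_dip '<wanip>'
	option src_dport '80'
	option dest 'lan'
	option dest_ip '<internal-server>'
	option dest_port '<port1>'
	option proto 'tcp'
	option target 'DNAT'

config redirect
	option name 'vpn-hairpin-https'
	option src 'wgserver'
	option src_ip '10.0.0.0/24'
	option src_dip '<wanip>'
	option src_dport '443'
	option dest 'lan'
	option dest_ip '<internal-server>'
	option dest_port '<port2>'
	option proto 'tcp'
	option target 'DNAT'
```

Use one option, not both. After editing, run `/etc/init.d/firewall reload` and check the generated rules with `iptables -t nat -S | grep -i <wanip>`; the DNAT should only appear on rules that also carry `-d <wanip>`. With Option B the reply path relies on the internal server using the router as its default gateway; if it has a direct route to 10.0.0.0/24, add the masquerade rule from the custom-rules approach above.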