I have recently bought a GL-SFT1200 (Opal) Travel Router and am so far loving it. However, I have one issue that I need to rectify. The reason I bought this travel router is because I have a remote cabin uplinked with a Satellite Internet connection. Due to some recent activity we would like to keep track of the items on the property. Hence, we installed a security camera and connected it by wire to one of Opal’s LAN ports, which works successfully locally. However, the uplink we have does not allow us to open ports through their firewall; essentially we are Double NAT’d or CGNAT’d. I configured the router to be a client to a Wireguard VPN server back at the main residence and it works great; the issue is I need to figure out how to open a port or do a static route so that traffic with a destination of its internal Wireguard IP address can route to the camera, or route to it on a port number. I tried looking for this and could not find a solution. I can do OpenVPN also; I just started with Wireguard because of its faster speeds. I also don’t think I can do the cloud option as it would require an open port.
I do think it is a question of the server.
Per default, most implementations I’ve seen are keeping the Wireguard clients separated. If you want to communicate between the WireGuard clients, inside the tunnel, you need to allow it on the server side.
As far as I can read you are using an Opal as client, but how is the server-side provided?
Thanks so much for getting back to me!
I used the PIVPN script to set it up. It’s just a standard Wireguard setup, nothing special. Here is the configuration I am using to connect the client (Opal) router to the server:
[Interface]
Yeah. Big issue here at my side.
I’ve used some script → Worked.
Now I am about to set it up by myself, and I am learning new things, every day.
The main issue with most scripts I’ve seen: they are outdated. Some of them got some wrapper around, so it seems to work.
I think it is an issue with the routing (take a look at PostUp and PostDown in /etc/wireguard/wg0.conf). Yesterday I learned iptables is now nftables since Debian 10. I’m still about to understand writing the rules.
I got a connection, but no traffic will be routed. Maybe at the end of this week I can tell more.
edit: I’ve used the linked script at ubuntu/jammy. My own server is a Debian 11.3 … I do think this is also a reason why it is harder to achieve.
It could be helpful to know on what OS you install the server. Debian is behaving a little differently than Ubuntu. I would say Ubuntu is easier to start with, but Debian is much clearer to analyse.
It even works virtualized as LXC, just mount the /dev/net/tun from the host in the container.
I found my error. Okay, some errors. Here is the actual working configuration:
root@walter01:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:51820
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- 10.7.0.0/24 anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
root@walter01:~# ip r
default via 192.168.21.1 dev eth0 onlink
10.7.0.0/24 dev wg0 proto kernel scope link src 10.7.0.1
192.168.21.0/24 dev eth0 proto kernel scope link src 192.168.21.51
192.168.21.0/24 is my home net; 192.168.21.51 is my WireGuard ‘Server’.
The server configuration:
root@walter01:~# cat /etc/wireguard/wg0.conf
# Do not alter the commented lines
# They are used by wireguard-install
# ENDPOINT vpn.mydomain.net
[Interface]
Address = 10.7.0.1/24, fddd:2c4:2c4:2c4::1/64
PrivateKey = UGHxxxxx
ListenPort = 51820
# BEGIN_PEER amy
[Peer]
PublicKey = hI8xxxxx
PresharedKey = Ew7xxxxx
AllowedIPs = 10.7.0.2/32, fddd:2c4:2c4:2c4::2/128
# END_PEER amy
As far as I understand, the AllowedIPs = 0.0.0.0/0 will send all traffic over the tunnel. So I don’t need to specify my network.
If you’d like to have the normal traffic over the normal net and only your site, you can specify a host or net, here.
Now I will rewrite the iptables rules to nftables …
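To make the AllowedIPs point above concrete, here is an added Python example (not code from this thread or from GL.iNet) that parses a wg0.conf in the layout quoted above and reports which peer WireGuard would send a given destination address to, using the longest-prefix match its cryptokey routing applies; the second peer, its key and the 192.168.8.0/24 LAN assumed to sit behind the Opal are constructed for illustration and do not come from the thread.

```python
import ipaddress

# Constructed sample in the layout of the wg0.conf quoted above. The second
# peer models the Opal router; its name, key and the LAN behind it
# (192.168.8.0/24) are assumptions, not values from the thread.
SAMPLE_CONF = """\
[Interface]
Address = 10.7.0.1/24
# BEGIN_PEER amy
[Peer]
PublicKey = hI8xxxxx
AllowedIPs = 10.7.0.2/32
# END_PEER amy
[Peer]
PublicKey = OPALxxxxx
AllowedIPs = 10.7.0.3/32, 192.168.8.0/24
"""


def parse_peers(conf):
    """Return {PublicKey: [ip_network, ...]} for every [Peer] section."""
    peers, key, nets = {}, None, []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("["):             # new section: flush the peer
            if key:
                peers[key] = nets
            key, nets = None, []
        elif "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            if k == "PublicKey":
                key = v
            elif k == "AllowedIPs":
                nets += [ipaddress.ip_network(n.strip()) for n in v.split(",")]
    if key:
        peers[key] = nets
    return peers


def route_peer(peers, dst):
    """Longest-prefix match over AllowedIPs; None means no peer claims dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for key, nets in peers.items():
        for net in nets:
            if addr.version == net.version and addr in net:
                if best is None or net.prefixlen > best[1].prefixlen:
                    best = (key, net)
    return best[0] if best else None
```

With only the /32 tunnel addresses listed, a packet for the camera's LAN address matches no peer and is dropped; adding the LAN subnet (or 0.0.0.0/0, which catches everything not claimed by a longer prefix) to the Opal's peer entry is what makes the server forward it into the tunnel.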
On a different note, if I redid everything and got everything routed, how would I allow a device behind the Opal router (it’s connected with VPN policies so only that device can use the VPN) to be port forwarded through?
Example: User → Server Hosting VPN tunnel → VPN Tunnel → Opal Router → Device that needs to be accessed
EDIT: I have to edit posts now since I am a new user and can’t reply anymore.
WireGuard does not support a mesh setup by default, i.e. letting the clients ping each other. To achieve this, you need to let the clients know each other by public key. This is achieved in our GoodCloud S2S solution.