I am a proud owner of two GL.iNET routers—one serves as my main router, and the other as my travel router. Each router is configured with multiple subnets or segregated networks. I am using WireGuard VPN to connect my travel router (as a WireGuard Client) to my main router (as a WireGuard Server).
I would like to know if it is possible to restrict a specific subnet or segregated network, such as 192.168.13.0/24, within the travel router when connecting via WireGuard to my main router using the remote LAN feature. My goal is to only allow this particular subnet or segregated network to have internet access only.
If this is feasible, could someone please provide examples of how to achieve this using LuCI or command line?
Unfortunately, I have only noticed global remote LAN restrictions for all subnets in the GL.iNET router web interface.
I appreciate your support and thank you in advance!
But I don't get what is your goal about the internet access. Should devices connected to a different subnet not be able to talk to the Internet at all or just not by using VPN?
Currently, my travel router is configured with three segregated networks, each connected to my main router via WireGuard VPN. However, one of these networks should not have Remote LAN access. Specifically, this segregated network should be restricted from accessing local resources, such as the main router's web interface or SMB shares, and should only have VPN access to surf the internet through my main router.
My goal is to allow my family members when traveling abroad, who are part of the segregated network 192.168.12.0/24, to use my main router's IP address to access country-specific website content. At the same time, I want to prevent them from having the rights to open my main router's web interface or access any other remote LAN resources.
Meanwhile, the other two segregated networks from my travel router should have remote LAN and internet access through WireGuard VPN at my main router.
I appreciate your time and the screenshot contributions in reviewing my multiple posts. As I stated in my initial post, I am well aware of the Enable or Disable feature for Remote LAN Access on the WireGuard Server side.
However, as I reiterated in my recent post, I believe that a global solution for the WireGuard Server side may not be feasible, as I have multiple devices connected to it, and they would all be affected, which is not my intention.
I am currently intensively reviewing the documentation provided by @admon , yet I find it challenging to understand without similar examples available within the forums. (Perhaps it's time for me to engage in some much-needed catch-up on routing VPN knowledge.)
Perhaps, a Friday night troubleshooting session will one day shed more light on this dark tunnel.
May your weekend be as adventurous exploring the GL iNet forums as mine.
I am grateful for the concise and comprehensible tutorial.
Following thorough testing and troubleshooting with several VLANs, or segregated networks, I can confirm that your explanation is effective.
Hypothetically, if I wished to configure a device such as an iPhone, or any single device without a subnet with wgclient, to not have Remote LAN access while other devices do, should I incorporate the example you provided into the traffic rules within the remote router or wgserver LuCi?
Specifically, should I replace the source zone with wgservers, include the wgclient IP address as the source address, and designate the destination zones as the local LAN with the subnet?
I also tried setting on wgserver. It's much more complicated. That's because the wgserver can't distinguish wgclient's LAN clients with "WireGuard Client Options - IP Masquerading" on.
I appreciate your prompt response to my additional question regarding the "Subnet Remote LAN Restriction." While I have a basic understanding of your previous post, I still have a few queries:
Regarding the provided screenshot "WireGuard Server Route Rule": How did you determine the Gateway IP address? Am I correct in assuming this is the IP address of the assigned WireGuard client IP address?
Based on your first post: Since I confirmed at the wgclient side that the restriction is working, is it necessary for me to add the settings from your last post to the wgserver side?
For restricting a specific device: Do I need to execute the same wgserver side settings if I only want to restrict, for instance, an iPhone device without a subnet?
To gain a comprehensive overview, I believe these questions might help clarify the settings for both wgclient and wgserver.
I'm curious to know if anyone else has posed this question before, given your impressive knowledge.
As this information is very interesting and comprehensive, I look forward to trying it out as my go-to evening entertainment while I admire the troubleshooting process.
I appreciate your support and the knowledge you’ve shared.
