I'm happy with my ASUS/Merlin router except that I'd like to run a Wireguard client instead of OpenVPN. Can I put a separate device running OPNsense/Wireguard into/onto my LAN? I can't see a way to do it, but maybe you can! Right now I have a bunch of wired and Wi-Fi clients going into the router, and the router connected to a cable internet "modem." The router is applying policy rules about which LAN hosts use the OpenVPN client in the router.
It's straightforward enough to have a device on your LAN that sets up a Wireguard tunnel to a remote peer. All you need is 51820 open outbound.
If you want your LAN clients to use the tunnel, you'll need to add a static route on them that makes them use the VPN device for the tunnel and any remote network(s) at the far end.
Similarly, the computers at the remote end need to have a route for your LAN to get the reply packets back.
Bart...
Thanks, Bart. This helps me clarify my question.
There are disparate devices on my LAN: printer, tablets, mobile phones, five or so entertainment system devices, a small special-purpose server, etc. They mostly communicate, through the router, with the external internet rather than with each other. Some use ethernet and some use Wi-Fi to connect to the router. I assign devices that are eligible to use the VPN for internet communication static local IPs in the router's DHCP server. Then I can dynamically connect/disconnect such devices to the router's VPN client using the router's VPN Director feature. The VPN server is in the cloud.
I definitely want to avoid altering each LAN device's network configuration. Rather, I am wondering whether I could insert a new Wireguard client device between the router and the cable modem. As I said in my OP, I don't see how that could work, but I'm not a networking expert so maybe my vision is limited.
The alternative is replacing the current router with a new router+Wireguard client, such as a device running OPNsense and its Wireguard plugin, perhaps demoting the current router to a Wi-Fi access point.
You can place the Wireguard or OpenVPN device in your LAN behind your router, add a static route in your router for the remote network and be done with it. Why would you put the VPN device between router and modem?
Quote from: pmhausen on April 26, 2022, 03:19:46 PM
You can place the Wireguard or OpenVPN device in your LAN behind your router, add a static route in your router for the remote network and be done with it. Why would you put the VPN device between router and modem?
Please bear with me; I need more detail to understand how a VPN client device ("VCD") behind the router would work. In your suggestion, wouldn't all the devices which are candidates for use of the VPN client, including Wi-Fi devices, have to connect to the VCD? I would dynamically change which of them actually uses the VPN client by using the VCD's UI? The VCD would have one connection to the router?
The VCD initiates a WireGuard tunnel to the VPN "server". Quotation marks because in WireGuard it is really all peers. The "server" establishes a route through the tunnel for the network that is your LAN. On your local router in front of the VCD you add a static route for the network that is the LAN behind your "server". That's it. Two LANs talking to each other.
Limiting to specific devices is a question of firewall rules, not the VPN. You "simply" do a site-to-site connection for two LANs. As long as only one of the sites is behind a NAT and the other one has got a static IP address this works exactly like with two OPNsense or two Cisco/Juniper/whatever firewalls.
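To make the arrangement concrete, here is an illustrative pair of peer configurations in standard WireGuard syntax (the same fields the OPNsense plugin exposes in its GUI), added here as an example and not taken from the thread or from OPNsense; the subnets, tunnel addresses, hostnames and key placeholders are all assumed:

```ini
# ---- Peer A: the VCD behind the home router ----
# Assumed home LAN: 192.168.1.0/24, VCD LAN address 192.168.1.10
[Interface]
Address = 10.10.10.2/24              # tunnel address (assumed)
PrivateKey = <VCD_PRIVATE_KEY>       # placeholder, generate with `wg genkey`
ListenPort = 51820

[Peer]
# The remote "server" peer; it must have a static public address (placeholder)
PublicKey = <SERVER_PUBLIC_KEY>
Endpoint = vpn.example.net:51820
# Tunnel subnet plus the remote LAN: only these destinations enter the tunnel
AllowedIPs = 10.10.10.0/24, 192.168.2.0/24
# The VCD sits behind the home router's NAT, so keep the mapping open
PersistentKeepalive = 25

# ---- Peer B: the remote "server" with a static IP ----
# Assumed remote LAN: 192.168.2.0/24
[Interface]
Address = 10.10.10.1/24
PrivateKey = <SERVER_PRIVATE_KEY>    # placeholder
ListenPort = 51820

[Peer]
PublicKey = <VCD_PUBLIC_KEY>
# No Endpoint here: the NATed VCD initiates, and this side learns its
# address from the handshake.
# Tunnel subnet plus the home LAN behind the VCD, so replies route back
AllowedIPs = 10.10.10.0/24, 192.168.1.0/24

# ---- Static route on the home router (not WireGuard config) ----
# destination 192.168.2.0/24  via gateway 192.168.1.10 (the VCD's LAN address)
# Which home LAN hosts may actually use the tunnel is then decided by a
# firewall rule on the VCD's LAN interface, matching on source address.
```

Each peer's AllowedIPs doubles as its routing table for the tunnel, so a LAN omitted on either side will not be reachable even though the handshake succeeds.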
Ah, some light is beginning to come on; thanks!
One question (for now): suppose there are two LAN devices plugged into the OPNsense/Wireguard device ("VCD"), and that in turn is connected to the router. Say that for now, but not necessarily always, I want one LAN device to be tunneled, and the other not. I configure that in OPNsense's GUI. Now with respect to the not-tunneled device, the VCD is acting as a mere switch -- is effectively transparent -- in front of the router, correct?
The VCD is behind, not in front of the router. At least in my understanding. Please draw a network map of what you want to achieve. This is getting too confusing.
Sorry -- I mistyped. Indeed I meant behind, not in front of.