Question

Join 2 different subnets Wireguard VPN

Posted March 10, 2021 4.1k views
Networking

I have setup a small Wireguard VPN network between 3 devices:

  • Digital Ocean VPS (server, 10.222.0.1)
  • Raspberry Pi on my home network (peer, 10.222.0.2)
  • iPhone 11 (peer, 10.222.0.3)

From any device, I can ping the others. The VPN is functional. What I want now is for the iPhone (which is outside of my home network) to see an IP camera on my home network which has an IP address of 192.168.1.64. This is beyond my capabilities to do alone so I was looking for some assistance.

Ultimately, I need the iPhone, which is entering the Pi, to be connected/routed from the 10.222.0.x subnet to the 192.168.1.x subnet.

Would appreciate any suggestions, thanks.

2 answers

Hi there,

What I would usually do in this case is to set up PiVPN on the Raspberry Pi. That way you will be able to connect to the PiVPN directly and access all of the devices on your home network.

Regards,
Bobby

  • Thanks for the reply. I initially looked into PiVPN but I gave up on it (probably because I don’t understand enough).

    I think I could achieve what I want to do using a dynamic host like no-ip.com and port forwarding, but I want to avoid using both of those. I have successfully set up remote SSH, which means I can log into my home Pi without port forwards. I was hoping to achieve the same using a VPN, so that in theory I could unplug my Pi and move it onto any other LAN, and I would be able to access it (with the exception of updating ip tables to forward requests from the VPN's subnet to the local subnet).

Hi,

I believe the most convenient way to get access to your camera (and the other home LAN nodes) through the VPN would be to configure your home router to interconnect your home LAN and the VPN. In that case, your router must have WireGuard VPN software implemented or must give you a chance to download, install, and configure it. Good examples of the latter are routers based on the OpenWrt OS. However, there are other ways for some network brands, e.g. for Ubiquiti routers you can check the relevant project on GitHub, for MikroTik you can check their beta 7.xx RouterOS that includes WireGuard VPN (since release 7.1beta2), etc.
With a router that supports WireGuard VPN, its configuration would be similar to any other peer in your VPN network. Additionally, you would have to open a particular port in its firewall and add a static route for traffic from the LAN to the VPN; however, it may be added automatically during WireGuard (wg) interface configuration. You need to allow the IPs of your home LAN subnet in the iPhone's WireGuard configuration as well.

If your router does not support WireGuard VPN software, it may still be possible to access your camera through the VPN. Check if your camera's embedded software allows you to add a static route. Then, you might use your Raspberry Pi as a gateway to the VPN.

  • Thanks for the reply. My main router at home is a UniFi USG. I have looked into this and I think it would work. I'm still very curious to know how to get things right with ip tables, because I'm sure that if I can reach the Pi on the 10.222.0.x subnet from my iPhone (which I can) then it must just be a matter of NAT or routing to forward requests to and from the 192.168.1.x network.

    • @seanocaster wrote
      I’m sure that if I can reach the pi on 10.222.0.x subnet from my iPhone (which I can) then it must just be a matter of nat or routing to forward requests to and from the 192.168.1.x network.

      I think you are absolutely right. It may be done in both ways you mentioned.
      However, adding a static route to camera’s routing table seems to be the quicker (and more flexible, IMO) solution.

      Let’s make some assumption:

      • Your LAN subnet: 192.168.1.0/24
      • VPN subnet: 10.222.0.0/24
      • Camera’s LAN IP: 192.168.1.64
      • Camera’s network interface: eth0
      • Pi’s LAN IP: 192.168.1.32
      • Pi’s VPN IP: 10.222.0.2
      • Pi’s OS: Ubuntu Server

      1. Check if you can add a static route to your camera's routing table.
      If there is no way to manipulate the camera's routing table, you can try to apply the other solution, with NAT configuration.

      2. Enable IPv4 packet forwarding in the Pi's OS.
      By default, IPv4 packet forwarding is disabled in Linux distros. Check its status by executing

      sysctl net.ipv4.ip_forward
      

      If you get 0 as a result, you need to enable forwarding. To set it up permanently you need to edit the /etc/sysctl.conf file or (a more convenient way) create a new .conf file in the directory /etc/sysctl.d/, putting the following line there:

      /etc/sysctl.d/10-ipv4-fwd.conf
      net.ipv4.ip_forward=1
      

      Restart the OS to apply the changes.

      sudo shutdown -r now
      

      3. Ensure the Pi's firewall allows forwarding packets from/to the LAN/VPN subnets.
      Just for a test, you can turn the firewall off. When you get the whole configuration working, you will turn it on and modify some rules, if necessary.

      4. Add a static route to the camera's routing table.
      It is very likely you can do that using the graphical interface in the camera's configuration options. Just as an example, in Ubuntu it would look like:

      sudo ip route add 10.222.0.0/24 via 192.168.1.32 dev eth0
      

      Thanks to this route, all packets addressed to the VPN network will be sent from the camera's interface eth0 through the Pi's network interface holding IP 192.168.1.32.

      5. Ensure you allow the IPs of your LAN in the WireGuard VPN (WG) configuration.

      Here are examples of the server's and peers' config files.

      WG config file - server
      [Interface]
      Address = 10.222.0.1/24
      ListenPort = 51820
      #Private Key of Server
      PrivateKey = pr1v4t3m34n5pr1v4t3
      
      [Peer]
      #Public key of Pi
      PublicKey = y0urp1p00bl1ck3y
      AllowedIPs = 10.222.0.2/32, 192.168.1.0/24
      
      [Peer]
      #Public key of iPhone
      PublicKey = y0ur1ph0n3p00bl1ck3y
      AllowedIPs = 10.222.0.3/32
      
      WG config file - iPhone
      [Interface]
      Address = 10.222.0.3/24
      ListenPort = 51820
      #Private Key of iPhone
      PrivateKey = 3-pr1v4t3m34n5pr1v4t3-3
      
      [Peer]
      #PublicKey of the server
      PublicKey = y0urs3rv3rp00bl1ck3y
      AllowedIPs = 10.222.0.0/24, 192.168.1.0/24
      # Server's public IP (203.0.113.4 is a documentation-range placeholder; put your VPS address here)
      Endpoint = 203.0.113.4:51820
      PersistentKeepalive = 15
      
      WG config file - Pi
      [Interface]
      Address = 10.222.0.2/24
      ListenPort = 51820
      PrivateKey = 2-pr1v4t3m34n5pr1v4t3-2
      
      [Peer]
      #PublicKey of the server
      PublicKey = y0urs3rv3rp00bl1ck3y
      AllowedIPs = 10.222.0.0/24
      # Server's public IP (203.0.113.4 is a documentation-range placeholder; put your VPS address here)
      Endpoint = 203.0.113.4:51820
      PersistentKeepalive = 15
      
      

      OMG, I must go to work!!! We will continue with the NAT solution in a few days, if necessary.

      • Hi Yannek,

        Many thanks for this detailed reply, I hope you were not late!! I am so interested to read it and understand even more about how these processes work. I can certainly disable the Pi's firewall to eliminate that obstacle. And I can look into the ip tables of the camera... however, if I end up having multiple devices on the network (like multiple cameras, other devices etc.) then I think it would become complicated to do this process on each device, don't you? I am really surprised to see that it's not a straightforward solution to just somehow bridge the 10.222.0.x and the 192.168.1.x subnets.

        • @seanocaster wrote
          I hope you were not late!!

          No worries, I was on time :-)

          @seanocaster wrote
          if I end up having multiple devices on the network (like multiple cameras, other devices etc.) then I think it would become complicated to do this process on each device

          Most of the tasks in this process are done once on your Pi. If you add another camera to your LAN, you will have to follow just point 4 to add a static route to the new camera's routing table. However, this solution makes sense only if your devices (cameras, in your particular case) allow you to add static routes.

          Notice
          If your camera's OS/software does not allow you to add a static route to its routing table, you could apply a workaround: enter the Pi's LAN IP as the default gateway in the camera's network settings. Thanks to that, all packets addressed outside of your LAN subnet would be sent through the Pi, including packets addressed to your VPN. However, this workaround has one significant disadvantage: your camera will not be able to communicate with the Internet (unless you configure the DO VPN server as an Internet gateway for your Pi and set up SNAT in your Pi's firewall, but that seems to be a bit more complex solution).

          @seanocaster wrote
          I am really surprised to see that it’s not a straightforward solution to just somehow bridge the 10.222.0.x and the 192.168.1.x subnets

          It can be more straightforward if you configure your LAN router as a peer in your VPN and allow your LAN subnet from behind this peer in the WG VPN configuration. In that case you will not have to modify routes in your LAN, because your router is the default gateway for your LAN devices and contains the appropriate route to your VPN.
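Editor's added example, not code from anyone in the thread. The routed setup in step 5 of the answer above stands or falls on WireGuard's AllowedIPs, which is both the routing table and the access list (cryptokey routing): the server must map 192.168.1.0/24 to the Pi's key, the Pi must map the whole 10.222.0.0/24 back to the server, the iPhone must route both prefixes to the server, and no prefix may be listed under two peers. The script below parses wg-quick style configs and checks exactly those conditions. The three configs are constructed copies of the ones posted in step 5 with placeholder keys and the documentation address 203.0.113.4 as the endpoint; BROKEN_SERVER_CONF is the same server config with the LAN prefix forgotten, the mistake that makes pings to the Pi work while the camera stays unreachable.

```python
"""Check the WireGuard AllowedIPs (cryptokey routing) rules that step 5 relies on.
Added example for this page, not code from the thread; configs are constructed
copies of those above with placeholder keys and 203.0.113.4 as the endpoint."""
import ipaddress

SERVER_CONF = """
[Interface]
Address = 10.222.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY
[Peer]
PublicKey = PI_PUBLIC_KEY
AllowedIPs = 10.222.0.2/32, 192.168.1.0/24
[Peer]
PublicKey = IPHONE_PUBLIC_KEY
AllowedIPs = 10.222.0.3/32
"""
# Same server, but the Pi's AllowedIPs forgets the LAN prefix: the classic mistake.
BROKEN_SERVER_CONF = SERVER_CONF.replace(", 192.168.1.0/24", "")
IPHONE_CONF = """
[Interface]
Address = 10.222.0.3/24
PrivateKey = IPHONE_PRIVATE_KEY
[Peer]
PublicKey = SERVER_PUBLIC_KEY
AllowedIPs = 10.222.0.0/24, 192.168.1.0/24
Endpoint = 203.0.113.4:51820
PersistentKeepalive = 15
"""
PI_CONF = """
[Interface]
Address = 10.222.0.2/24
PrivateKey = PI_PRIVATE_KEY
[Peer]
PublicKey = SERVER_PUBLIC_KEY
AllowedIPs = 10.222.0.0/24
Endpoint = 203.0.113.4:51820
PersistentKeepalive = 15
"""

def parse_wg(text):
    """Parse a wg-quick style config into (interface, [peers]); keys lower-cased."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        if line.lower() == "[interface]":
            current = interface
        elif line.lower() == "[peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key.lower()] = value
    return interface, peers

def allowed_ips(peer):
    """A peer's AllowedIPs as ip_network objects (empty if the key is missing)."""
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in peer.get("allowedips", "").split(",") if p.strip()]

def covers(nets, target):
    """True if one prefix in nets contains the whole target (network or /32 host)."""
    return any(target.subnet_of(n) for n in nets if n.version == target.version)

def check_site_to_site(server_conf, pi_conf, pi_key, lan_subnet, vpn_subnet, clients):
    """Return the problems found; an empty list means the routed setup is consistent.
    clients maps a name to the config of each peer that should reach the LAN."""
    problems, owner = [], {}
    lan, vpn = ipaddress.ip_network(lan_subnet), ipaddress.ip_network(vpn_subnet)
    _, server_peers = parse_wg(server_conf)
    # (a) A prefix belongs to one peer only; a duplicate goes to the peer set last.
    for peer in server_peers:
        for net in allowed_ips(peer):
            if owner.get(net, peer["publickey"]) != peer["publickey"]:
                problems.append(f"{net} is claimed by both {owner[net]} and {peer['publickey']}")
            owner[net] = peer["publickey"]
    # (b) The server must route the LAN prefix to the Pi; otherwise packets to 192.168.1.x
    #     have no peer, and camera replies relayed by the Pi fail the source check too.
    pi = next((p for p in server_peers if p.get("publickey") == pi_key), None)
    if pi is None:
        problems.append(f"server has no [Peer] with PublicKey {pi_key}")
    elif not covers(allowed_ips(pi), lan):
        problems.append(f"server peer {pi_key} lacks {lan} in AllowedIPs")
    # (c) The Pi must map the VPN subnet to the server, or replies to 10.222.0.3 have no peer.
    _, pi_peers = parse_wg(pi_conf)
    if not any(covers(allowed_ips(p), vpn) for p in pi_peers):
        problems.append(f"Pi does not route {vpn} via the server")
    # (d) Each client routes both subnets to the server, and the server lists the client's /32.
    for name, conf in clients.items():
        iface, cpeers = parse_wg(conf)
        host = ipaddress.ip_network(ipaddress.ip_interface(iface["address"]).ip)
        for target in (lan, vpn):
            if not any(covers(allowed_ips(p), target) for p in cpeers):
                problems.append(f"{name} does not route {target} via the server")
        if not covers([n for p in server_peers for n in allowed_ips(p)], host):
            problems.append(f"server accepts no traffic from {name} ({host})")
    return problems

def check_page_configs(server_conf=SERVER_CONF):
    """Run the check against the configs posted above (or a variant of the server's)."""
    return check_site_to_site(server_conf, PI_CONF, "PI_PUBLIC_KEY",
                              "192.168.1.0/24", "10.222.0.0/24", {"iPhone": IPHONE_CONF})

if __name__ == "__main__":
    print(check_page_configs() or "OK", check_page_configs(BROKEN_SERVER_CONF))
```

Run it against your own files (`sudo wg showconf wg0` on each host gives the effective config) before touching firewall rules: the posted configs pass cleanly, while the variant without 192.168.1.0/24 on the server reports only that one missing prefix, which is the usual reason the Pi answers pings but the camera does not. Note that the check covers routing and the cryptokey ACL only; ip_forward on the Pi and its FORWARD rules (steps 2 and 3) still have to be right.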