
I have a work LAN (192.168.0.0/24) with a bunch of Windows 10 and Linux machines that I need to have access to from anywhere. Since it is behind an ISP NAT and is not accessible from outside, I had to arrange a globally accessible remote server (my_server.my_domain.com) on Arch Linux k:5.4 with Wireguard VPN (10.11.12.0/24) on board. Here is the picture:

CONNECTION CHART

Every personal device that I use as a VNC or SSH client to access work machines gets connected to the VPN individually, and I also have one Windows 10 Home Edition machine at work with a WireGuard connection set up. This is shown as dashed lines on the chart. All networking between the VPN clients within the VPN subnet works like a charm: I can connect from a personal host (10.11.12.21) to the mentioned work host (10.11.12.11) easily.

The problem is getting access to the other machines on the work LAN from the remote hosts. I have set up IP forwarding through regedit on the work host connected to WireGuard (let us refer to it as the "WG gateway") and a static route (10.11.12.0/24 via 192.168.0.11) on the work LAN / WAN router. Pinging a remote device from a work host not connected to WireGuard directly (work host #2) is OK (zero packets lost). Still, I cannot get connected to, say, 192.168.0.12/24 from a remote personal device. Tracerouting shows packets being lost after the WG gateway. My guess is that the work Win10 hosts' firewalls are the issue (though I have set up an explicit "Allow all traffic from and to 10.11.12.0/24 subnet" Windows Defender Firewall custom rule). Trying to VNC to 192.168.0.12:5900 times out, and Wireshark traffic sniffing on the WG gateway shows ICMP messages "192.168.0.12 -> 10.11.12.21 Destination unreachable (Port unreachable)" being returned, though I can VNC to port 5900 on that machine from inside the LAN easily. I cannot get a LAN printer set up on a remote personal device, though connecting to the printer's web interface on its port 80 from the remote personal device's browser magically works!

Please help to set this all up correctly.

Minor issue #2: WireGuard's Windows client does not add additional routes for the second and subsequent networks in its config's AllowedIPs (AllowedIPs = 10.11.12.0/24,192.168.0.0/24) to the device's routing table, while Linux does. I have to set this up manually through PowerShell on personal Windows devices all the time, and this is not convenient at all. Is this a bug, or just a missing feature?


WireGuard configs:

Server:

[Interface]
Address = 10.11.12.1/24
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 60000
PrivateKey = [KEY]

## Personal Host 1
[Peer]
PublicKey = [KEY]
AllowedIPs = 10.11.12.21/32

## WG gateway at work
[Peer]
PublicKey = [KEY]
AllowedIPs = 10.11.12.11/32
AllowedIPs = 192.168.0.0/24

Personal Host 1 (Win 10):

[Interface]
Address = 10.11.12.21/24
PrivateKey = [KEY]

[Peer]
PublicKey = [KEY]
AllowedIPs = 10.11.12.0/24,192.168.0.0/24
Endpoint = my_server.my_domain.com:60000
PersistentKeepAlive = 20

WG gateway at work (Win 10):

[Interface]
Address = 10.11.12.11/24
PrivateKey = [KEY]

[Peer]
PublicKey = [KEY]
AllowedIPs = 10.11.12.0/24
Endpoint = my_server.my_domain.com:60000
PersistentKeepAlive = 20

Relevant WG gateway's system routing table slice (route print):

Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1     192.168.0.11     25
       10.11.12.0    255.255.255.0         On-link       10.11.12.11    261
      10.11.12.11  255.255.255.255         On-link       10.11.12.11    261
     10.11.12.255  255.255.255.255         On-link       10.11.12.11    261
      192.168.0.0    255.255.255.0         On-link      192.168.0.11    281
     192.168.0.11  255.255.255.255         On-link      192.168.0.11    281
    192.168.0.255  255.255.255.255         On-link      192.168.0.11    281
z0mb1e_kgd

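Added example, not part of the original question: a Python script that parses the three configs posted above (with each [KEY] replaced by a labelled placeholder, and the mapping of placeholder keys to nodes assumed) and walks a packet through WireGuard's cryptokey routing. It applies both rules WireGuard enforces per packet: outbound, the peer whose AllowedIPs covers the destination with the longest prefix gets the packet (or none does, and the packet leaves the tunnel for the OS to route); inbound, the receiving side silently drops a decrypted packet whose source is not within the AllowedIPs it holds for the sending peer. With the posted configs, both directions between 10.11.12.21 and 192.168.0.12 pass at the WireGuard layer, which is consistent with the post's suspicion that the remaining drop happens in OS forwarding or host firewalls rather than in the tunnel. The script also shows the silent inbound drop that would occur if 192.168.0.0/24 were missing from the WG gateway peer on the server.

```python
"""Walk a packet through WireGuard cryptokey routing for the posted configs."""
import copy
import ipaddress

# Constructed sample: the posted configs, with each [KEY] replaced by a
# labelled placeholder (an assumption) so the peers can be told apart.
CONFS = {
    "server": """
[Interface]
Address = 10.11.12.1/24
## Personal Host 1
[Peer]
PublicKey = [KEY-PERSONAL]
AllowedIPs = 10.11.12.21/32
## WG gateway at work
[Peer]
PublicKey = [KEY-GATEWAY]
AllowedIPs = 10.11.12.11/32
AllowedIPs = 192.168.0.0/24
""",
    "personal": """
[Interface]
Address = 10.11.12.21/24
[Peer]
PublicKey = [KEY-SERVER]
AllowedIPs = 10.11.12.0/24,192.168.0.0/24
""",
    "gateway": """
[Interface]
Address = 10.11.12.11/24
[Peer]
PublicKey = [KEY-SERVER]
AllowedIPs = 10.11.12.0/24
""",
}
# Assumed ownership of the placeholder keys, used to follow the next hop.
NODE_OF_KEY = {"[KEY-SERVER]": "server", "[KEY-PERSONAL]": "personal",
               "[KEY-GATEWAY]": "gateway"}
KEY_OF_NODE = {node: key for key, node in NODE_OF_KEY.items()}


def parse_conf(conf):
    """-> (interface address, {peer public key: [AllowedIPs networks]}).
    AllowedIPs may be comma-separated or repeated; wg(8) merges both forms."""
    address, peers, cur = None, [], None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop ## comments and blanks
        if not line:
            continue
        if line.startswith("["):
            cur = {"key": None, "nets": []} if line.lower() == "[peer]" else None
            if cur is not None:
                peers.append(cur)
            continue
        if "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        if cur is None and key.lower() == "address":
            address = ipaddress.ip_interface(value.split(",")[0]).ip
        elif cur is not None and key.lower() == "publickey":
            cur["key"] = value
        elif cur is not None and key.lower() == "allowedips":
            cur["nets"] += [ipaddress.ip_network(n.strip(), strict=False)
                            for n in value.split(",") if n.strip()]
    return address, {p["key"]: p["nets"] for p in peers}


NODES = {name: parse_conf(text) for name, text in CONFS.items()}


def select_peer(peers, dst):
    """Outbound rule: peer with the longest AllowedIPs prefix covering dst,
    or None when dst is not tunnelled to anyone."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for key, nets in peers.items():
        for net in nets:
            if addr in net and net.prefixlen > best_len:
                best, best_len = key, net.prefixlen
    return best


def walk(start, src, dst, nodes=None):
    """Follow src->dst from `start`; returns the nodes visited. The last node
    delivers the packet locally or hands it to its OS routing/forwarding.
    Raises ValueError when a hop's inbound AllowedIPs check drops the packet."""
    nodes = NODES if nodes is None else nodes
    path, node = [start], start
    for _ in range(len(nodes)):
        own_addr, peers = nodes[node]
        if ipaddress.ip_address(dst) == own_addr:
            return path  # addressed to this host: delivered before any tunnel
        peer = select_peer(peers, dst)
        if peer is None:
            return path  # leaves WireGuard here (e.g. forwarded onto the LAN)
        nxt = NODE_OF_KEY[peer]
        allowed_from_us = nodes[nxt][1].get(KEY_OF_NODE[node], [])
        if not any(ipaddress.ip_address(src) in n for n in allowed_from_us):
            raise ValueError(f"{nxt} drops {src}->{dst}: src not in its AllowedIPs for {node}")
        path.append(nxt)
        node = nxt
    raise RuntimeError("cryptokey routing loop")


def without_lan_route():
    """Variant of NODES where the server's gateway peer lacks 192.168.0.0/24."""
    nodes = copy.deepcopy(NODES)
    nodes["server"][1]["[KEY-GATEWAY]"] = [ipaddress.ip_network("10.11.12.11/32")]
    return nodes


if __name__ == "__main__":
    print("forward:", walk("personal", "10.11.12.21", "192.168.0.12"))
    print("return: ", walk("gateway", "192.168.0.12", "10.11.12.21"))
```

Running it prints `['personal', 'server', 'gateway']` for the outbound path and `['gateway', 'server', 'personal']` for the reply; the gateway is the last tunnel hop outbound, so everything after it (IP forwarding on the Windows gateway, the LAN router's static route back to 192.168.0.11, and the target host's firewall) is outside WireGuard's control. With `without_lan_route()` the outbound packet already exits at the server and the reply raises, which is how a missing AllowedIPs entry manifests in practice: no error, just silence.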