Hi everyone,
after researching and numerous unsuccessful attempts I seeking for assistance here. Thank you in advance.
Summary of problem: Depending in the interface I am connected to, access to specific hosts by the domain name (Dynamic DNS) either works or redirects to the router.
Network/Interface setup:
- Router is a Turris Omnia with Turris OS version
3.11.175.0.1 - let’s assume an IPv4-only network
- router is assigned a dynamic external IP address (a.b.c.d) by my ISP on the WAN interface
- Dynamic DNS is fully functional: domain.xy -> a.b.c.d
- Wireguard is used for VPN and also fully functional (e.g. connections to hosts in LAN)
- Interfaces
- WAN
- IP address is assigned by ISP, e.g. a.b.c.d
- LAN
- IP address of Turris Omnia/interface ‘LAN’ is 192.168.0.1
- This network contains
- Server 1 with IP address 192.168.0.111
- Server 2 with IP address 192.168.0.222
- wg0 (for Wireguard VPN)
- IP address of Turris Omnia/interface ‘wg0’ is 192.168.99.1
- connected clients use IP addresses 192.168.99.*
- WAN
- Firewall
- Port forwards:
- from any host in WAN via any router IP at port 80 to Server 1 port 80
- from any host in WAN via any router IP at port 8443 to Server 2 port 8443
- Port forwards:
Expected and actual behavior:
Scenario | Expected | Actual | Result |
---|---|---|---|
Client “somewhere on the internet” accessing domain.xy:8443 | Service from 192.168.0.222:8443 is offered to client | as expected | OK |
Client in LAN (192.168.0.n) accessing domain.xy:8443 | Service from 192.168.0.222:8443 is offered to client | as expected | OK |
Client within wg0 (192.168.99.n) accessing domain.xy:8443 | Service from 192.168.0.222:8443 is offered to client | Access to Turris Omnia on port 8443 is attempted | Problem |
The same applies to server 1 and port 80.
In other words: clients connected by Wireguard VPN cannot access hosts using hostname:port because they are always directed to Turris Omnia.
It appears as if the external IP a.b.c.d is “translated” to the internal IP and consequently the port forwarding configuration is without effect.
Further notes:
- nslookup domain.xy always returns a.b.c.d, independent from the interface
- access to 192.168.0.111:80 or 192.168.0.222:8443 works, independent from the interface
- I do not want to route all accesses to ports 80 or 8443 initially targeting the router to one of the servers, because I still require access to the Turris Omnia UI while connected to VPN.
Any ideas on how to achieve the same behavior on wg0 as for LAN?
Thanks so much in advance!