Turris/Omnia NAT Loopback and WireGuard

Hi all,

Basically I have WireGuard turned on all the time on my mobile; otherwise I forget to turn it on and off when I am in and out.

So when I am home how does it work?

Does Turris/Omnia have NAT loopback by default?

Can you give more details?

WireGuard connects to the public IP of my router (eth2). When I am out that is ok.

But when I am home my mobile is connected to the router wifi (internal network); it still works without problem, so how does WireGuard work?
Does the router do NAT loopback and use the internal IP instead of the public IP, or does the traffic travel forward and backward via the public IP (eth2)?

Just an idea:

  • allow WireGuard port access from all sources
  • use a hosts file (via a workaround, because knot by default doesn't know that file) to define something like
    192.168.1.1 your.wireguard.ddns.tld

That way there should be no loopback needed; the DNS server does the magic :slight_smile:
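The hosts-file idea above, written out as a Knot Resolver (kresd) custom configuration fragment. This is an added example, not part of the thread or of Turris OS; the hostname, the file path /etc/hosts.wg and the way the fragment gets included into kresd on Turris are assumptions, only the `hints` module and its `hints.add_hosts()` call are the resolver's own API:

```lua
-- Added example (not from the thread): split-horizon answer for the VPN
-- endpoint name so LAN clients get the router's LAN address directly.
-- Assumed: this file is included as kresd custom config on the router.
modules.load('hints')

-- Direct static entry: name -> LAN address of the router (example values).
hints['your.wireguard.ddns.tld'] = '192.168.1.1'

-- Alternatively load a hosts-style file (path assumed, not /etc/hosts
-- itself, which kresd does not read by default as the post notes).
hints.add_hosts('/etc/hosts.wg')
```

With this in place a client on the LAN resolves the endpoint name to 192.168.1.1 and the WireGuard handshake never leaves the LAN, so no hairpin NAT is involved; from outside, the public DNS record is used as before. The check is simply to resolve the name from a LAN client and from a mobile connection and confirm the two answers differ as intended.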

Actually it listens like this:
0.0.0.0:port
:::port

if you mean that.

Of course it works without problem. I'm asking this just out of curiosity, to understand how it works, whether by NAT loopback or something else.

NAT loopback (or hairpinning) means that when a client makes a request (while connected internally) with a destination of the public IP, the router knows that public IP belongs to itself, so instead of forwarding it outside it forwards it to the internal network.
That is what I am asking: whether Turris does NAT loopback in such a case.

Depends on the situation.
If traffic is terminated on the router, there is no need to configure hairpin NAT.
This is only needed if you have port forwarding set up to another machine on the network.

No.


So it is better to turn off WireGuard when I am home, but it is almost impossible :sweat_smile: I never remember that.

Why? You can keep it running, it does not break anything.

So I guess WireGuard probably helps with that; normally I set "exclude private IPs" in the WireGuard settings (it still works without it too) so it connects to the internal WG network.

No, WireGuard makes no difference here. The point is whether your public IP is reachable also from your LAN.

You could do port forwarding from WAN to the router allowing WireGuard.

And with port forwarding there is an option called reflection zones. Set your LAN zone there, and the VPN should work from inside and outside.
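The two approaches discussed in the last few posts, as an added /etc/config/firewall fragment in OpenWrt/Turris UCI syntax. This is an example written for this thread, not configuration taken from Turris OS or from the posters; the port 51820 (WireGuard's default), the LAN address 192.168.1.1 and the rule names are assumed values. The first section is the plain WAN input rule that suffices when WireGuard terminates on the router; the second is the port-forward variant with the reflection zone set to lan, as suggested above:

```uci
# Added example, not from the thread. Adjust port and address to your setup.

# Case 1: WireGuard terminates on the router itself.
# An input-accept rule on the wan zone is enough; no hairpin NAT needed.
config rule
	option name 'Allow-WireGuard-WAN'
	option src 'wan'
	option proto 'udp'
	option dest_port '51820'
	option target 'ACCEPT'

# Case 2: port forward (DNAT) with NAT reflection, so that LAN clients
# that connect to the public IP are hairpinned back to the destination.
# 'reflection' is on by default for redirects; 'reflection_zone' lists
# the zones from which the reflected (hairpin) rules are created.
config redirect
	option name 'WireGuard-Forward'
	option src 'wan'
	option src_dport '51820'
	option dest 'lan'
	option dest_ip '192.168.1.1'
	option dest_port '51820'
	option proto 'udp'
	option target 'DNAT'
	option reflection '1'
	list reflection_zone 'lan'
```

After `/etc/init.d/firewall restart`, `nft list ruleset` (or `iptables-save` on older images) should show the DNAT rule plus, for case 2, an additional DNAT/SNAT pair matching packets from the LAN subnet towards the public address, which is the hairpin the thread was asking about. For case 1 there is no such pair, since the router answers on its own address and only the input rule is needed.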