Turris/Omnia Nat Loopback and Wireguard

Hi all,

Basically I have Wireguard turned on all the time on my mobile, otherwise I forget to turn-on-off when I am in and out.

So when I am home how does it work?

Does Turris/Omnia have Nat Loopback by default?

Can you give more details?

Wireguard connects to the public ip of my router(eth2). When I am out that is ok.

But when I am home mobile is connected to the router wifi (internal network), it still works wo problem, so how does Wireguard work?
Does router do Nat Loopback and use internal ip instead public ip, or travelling forward backward from public ip(eth2)?

Just an idea:

  • allow wireguard port access from all sources
  • use hosts-file (via workaround, because knot by default doesn’t know that file) to define something like your.wireguard.ddns.tld

That way there should be no loopback needed, the DNS-server does the magic :slight_smile:

Actually it listens like this

if you mean that.

Of course it works without problem. I m asking this just out of curiosity, to understand how does it work, by Nat Loopback or something else.

Nat Loopback(or hair pinning) means when a client makes a request(when connected internally) with destination to a public the router knows that public ip belongs to the itself so instead forwarding outside it forwards to the internal.
That is what I am asking, if Turris does nat loopback in such case.

Depends on a situation.
If traffic is terminated on the router, there is no need to configure hairpin NAT.
This is only needed if you have port forwarding set up to another machine on the network.


1 Like

So better to turn off wireguard when I am home, but it is almost impossible :sweat_smile: I never remember that

Why? You can keep it running, it does not break anything.

So I guess Wireguard probably helps for that, normally I set exclude private ips in Wireguard settings (it still works without it also) so it connects to the internal WG network.

No, wireguard makes no difference here. The point is whether your public IP is reachable also from your LAN.

You could do port forwarding from WAN to the router allowing Wireguard.

And with port forwarding there is an option called reflaction zones. Set there your lan zone. And VPN should work from inside and outside.