Hi there DietPi fam,
I’m running DietPi on a RPi 3B for quite a while now and I’m loving it. But now I’m reaching the limits of my knowledge and Google-fu.
I’ve successfully added a second USB ethernet adapter on the RPi to connect a second network. I’m also running WireGuard to gain remote access to my RPi.
By default the WireGuard connection routes everything to the eth0 (default RPi) interface. Splendid.
But how can I access my second network from my remote WireGuard client?
I can access network A without any problems, but I cannot access network B from my remote client.
Current routing table on the RPi (ip route show):
default via 192.168.10.1 dev eth0 onlink
10.0.10.0/24 dev eth1 proto kernel scope link src 10.0.10.250
10.9.0.0/24 dev wg0 proto kernel scope link src 10.9.0.1
192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.250
Current network interface configuration on the RPi (cat /etc/network/interfaces):
# Drop-in configs
source interfaces.d/*
# Local
auto lo
iface lo inet loopback
# Ethernet onboard
allow-hotplug eth0
iface eth0 inet static
address 192.168.10.250
netmask 255.255.255.0
gateway 192.168.10.1
dns-nameservers 1.1.1.1
# Ethernet plugin USB
allow-hotplug eth1
iface eth1 inet static
address 10.0.10.250
netmask 255.255.255.0
# WiFi
#allow-hotplug wlan0
iface wlan0 inet dhcp
address 0.0.0.0
netmask 0.0.0.0
gateway 0.0.0.0
#dns-nameservers 0.0.0.0
wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf
Current WireGuard configuration on the RPi (cat /etc/wireguard/wg0.conf):
Followed the WireGuard instructions as described on DietPi forum https://dietpi.com/forum/t/dietpi-software-details-for-all-installation-options/22/127
$(sed -n 3p /DietPi/dietpi/.network) translates to eth0
[Interface]
Address = 10.9.0.1/24
PrivateKey = *redacted*
ListenPort = *redacted*
PostUp = sysctl net.ipv4.conf.%i.forwarding=1 net.ipv4.conf.$(sed -n 3p /DietPi/dietpi/.network).forwarding=1
PostUp = sysctl net.ipv6.conf.$(sed -n 3p /DietPi/dietpi/.network).accept_ra=2
PostUp = sysctl net.ipv6.conf.%i.forwarding=1 net.ipv6.conf.$(sed -n 3p /DietPi/dietpi/.network).forwarding=1
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o $(sed -n 3p /DietPi/dietpi/.network) -j MASQUERADE
PostUp = ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o $(sed -n 3p /DietPi/dietpi/.network) -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o $(sed -n 3p /DietPi/dietpi/.network) -j MASQUERADE
PostDown = ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o $(sed -n 3p /DietPi/dietpi/.network) -j MASQUERADE
# Client 1
[Peer]
PublicKey = *redacted*
AllowedIPs = 10.9.0.4/32
Current WireGuard client configuration on the RPi (cat /etc/wireguard/wg0-client1.conf):
[Interface]
Address = 10.9.0.4/24
PrivateKey = *redacted*
# Comment the following to preserve the clients default DNS server, or force a desired one.
DNS = 1.1.1.1
# Kill switch: Uncomment the following, if the client should stop any network traffic, when disconnected from the VPN server
# NB: This requires "iptables" to be installed, thus will not work on most mobile phones.
#PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
#PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
[Peer]
PublicKey = *redacted*
# Tunnel all network traffic through the VPN:
# AllowedIPs = 0.0.0.0/0, ::/0
# Tunnel access to server-side local network only:
# AllowedIPs = 192.168.10.0/24
# Tunnel access to VPN server only:
# AllowedIPs = 192.168.10.250/32
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = *redacted*
# Uncomment the following, if you're behind a NAT and want the connection to be kept alive.
PersistentKeepalive = 25
If more information is needed, please do tell.
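
An added example, not part of the original post and not DietPi or WireGuard code: a small audit that reads the routing table and the IPv4 `PostUp` lines quoted above and reports, for each directly connected interface, whether those lines enable forwarding and a MASQUERADE rule for it. The sample strings are copied from the post with `%i` expanded to `wg0` and the `sed` substitution expanded to `eth0`, as the post states; the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample input: routing table and IPv4 PostUp lines from the post,
# with %i expanded to wg0 and $(sed -n 3p /DietPi/dietpi/.network) to eth0.
ROUTES = """\
default via 192.168.10.1 dev eth0 onlink
10.0.10.0/24 dev eth1 proto kernel scope link src 10.0.10.250
10.9.0.0/24 dev wg0 proto kernel scope link src 10.9.0.1
192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.250
"""
POSTUP = """\
sysctl net.ipv4.conf.wg0.forwarding=1 net.ipv4.conf.eth0.forwarding=1
iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
"""


def connected_subnets(routes):
    """Return {interface: [networks]} for directly connected (scope link) routes."""
    out = {}
    for line in routes.splitlines():
        m = re.match(r"(\S+/\d+) dev (\S+) .*scope link", line)
        if m:
            out.setdefault(m.group(2), []).append(ipaddress.ip_network(m.group(1)))
    return out


def audit(routes, postup, vpn_if="wg0"):
    """For each non-VPN interface, report forwarding and NAT coverage in PostUp."""
    fwd = set(re.findall(r"net\.ipv4\.conf\.(\S+)\.forwarding=1", postup))
    nat = set(re.findall(r"-A POSTROUTING -o (\S+) -j MASQUERADE", postup))
    report = {}
    for ifname, nets in connected_subnets(routes).items():
        if ifname == vpn_if:
            continue  # the tunnel interface itself is not an egress LAN
        report[ifname] = {
            "subnets": [str(n) for n in nets],
            "forwarding": ifname in fwd or "all" in fwd,
            "masquerade": ifname in nat,
        }
    return report


if __name__ == "__main__":
    for ifname, result in audit(ROUTES, POSTUP).items():
        print(ifname, result)
```

Run against the quoted configuration, it lists `eth0` as covered by both settings and `eth1` (10.0.10.0/24) as covered by neither, which is the per-interface scope the `PostUp` lines give VPN peers.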