
I started playing with WireGuard on a pfSense router to try to see if I could overcome a CG-NAT on a hotspot I want to use when visiting my mother a couple of hours from home. I stay in an RV when up there and have a couple of options for internet (cellular and local Wi-Fi) that I now connect to using Wi-Fi offloading on a new Netgear Nighthawk hotspot.

I would like to have the ability to access my home and work networks when I'm in the RV, but would also find it very useful to be able to access the computer(s) I have set up in the RV any time I leave it on-site. (If I can find a reliable way through the CG-NAT, I'm considering putting in a solar-powered system running year round to monitor the RV via the hotspot/cellular connection, to play with IoT-type devices, a remote camera, etc.)

I was initially going to try routing all of this through home, but I also have a small website set up on the Amazon cloud on an Ubuntu-based EC2 instance and figure that will make for a better, 'always on' routing hub.

I can post my existing configs if necessary, but they are bare-bones at the moment. The things I am most confused about are what I enter on each side for 'AllowedIPs' and what I do for Pre/Post rules. Most of the examples use some kind of dnsmasq or SNAT configuration, but I would prefer something akin to bridging with routing rules.

My goal would be for any PC connected to the associated subnets to see the others as specified in the 'would like to access' entries for each.

Any assistance is greatly appreciated!

SW

wireguard subnet: 10.10.90.0/24

amazon ec2 running ubuntu: (primary routing hub in cloud) wireguard ip: 10.10.90.1

public ip: 11.11.11.11 (obfuscated - not the real ip)

private ip: 172.31.18.77

would like to access: 10.10.20.0/24 and 10.3.141.0/24

home network: (comcast/xfinity cable w/public ip) wireguard ip: 10.10.90.2

home subnet outer nat: 10.10.10.0/24 (tp-link router on 10.10.10.1)

home subnet inner nat: 10.10.20.0/24 (pfsense firewall on 10.10.10.254)

would like to access: 172.31.18.77/32 (aws server), 10.3.141.0/24 (remote rv inner nat) and 192.168.0.0/23 (work)

remote RV network: (AT&T hotspot behind cgnat) wireguard ip: 10.10.90.3

remote subnet outer nat: 192.168.10.0/24 (Netgear Nighthawk on 192.168.10.1)

remote subnet inner nat: 10.3.141.0 (RaspAp wlan 10.3.141.1 via USB tether 192.168.10.4)

would like to access: 172.31.18.77/32 (aws server), 10.10.20.0/24 (home inner nat) and 192.168.0.0/23 (work)

work network: (pfsense on xfinity fiber) wireguard ip 10.10.90.4

subnet: 192.168.0.0/23

would only need limited access to home ips: (optional if possible but not a priority seeing 'out')

10.10.20.35 port 22 TCP (ssh)

10.10.20.39 port 22 TCP (ssh) and 3389 TCP (rdp)

10.10.20.45 port 80 TCP (octopi web interface)

10.10.20.1 (or 10.10.10.254) port 443 TCP (pfsense web interface)

10.10.10.1 port 443 TCP (tp-link management)

optional/additional: cellphone: (AT&T Galaxy Note 10)

wireguard ip: 10.10.90.5

would like to access: 172.31.18.77/32 (aws server), 10.3.141.0/24 (remote rv inner nat), 10.10.20.0/24 (home inner nat) and 192.168.0.0/23 (work)
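For the hub-and-spoke layout described above, the cryptokey-routing rule is: on the hub, each spoke's `[Peer]` carries that spoke's tunnel /32 plus the LAN(s) behind it; on each spoke, the single hub `[Peer]` carries the tunnel subnet plus every remote destination reached through the hub. The script below is an added example (not the asker's configs) that derives those `AllowedIPs` lists from the addresses in the question, checks that no two peers on one interface claim overlapping prefixes (WireGuard would silently route to only one of them), and renders a hub config; the key names are placeholders, and the 10.10.10.0/24 outer NAT and work's port-limited access are assumed to be handled by static routes and firewall rules rather than by `AllowedIPs`.

```python
import ipaddress

# Constructed from the topology in the question (tunnel IPs and subnets as listed).
WG_NET = ipaddress.ip_network("10.10.90.0/24")
HUB = {"name": "ec2", "wg": "10.10.90.1", "behind": ["172.31.18.77/32"]}
SPOKES = [
    {"name": "home",  "wg": "10.10.90.2", "behind": ["10.10.20.0/24"]},
    {"name": "rv",    "wg": "10.10.90.3", "behind": ["10.3.141.0/24"]},
    {"name": "work",  "wg": "10.10.90.4", "behind": ["192.168.0.0/23"]},
    {"name": "phone", "wg": "10.10.90.5", "behind": []},   # no LAN behind it
]

def hub_peer_allowed_ips(spoke):
    """On the hub: a spoke's AllowedIPs = its tunnel address + the LAN(s) behind it."""
    return [f"{spoke['wg']}/32", *spoke["behind"]]

def spoke_peer_allowed_ips(spoke, hub=HUB, spokes=SPOKES):
    """On a spoke: the hub peer carries the tunnel net + everything reached via the hub."""
    routes = [str(WG_NET), *hub["behind"]]
    for other in spokes:
        if other["name"] != spoke["name"]:
            routes.extend(other["behind"])
    return routes

def check_disjoint(allowed_lists):
    """A prefix may belong to only one peer per interface; overlap is a config error."""
    seen = []
    for prefix in (p for lst in allowed_lists for p in lst):
        net = ipaddress.ip_network(prefix)
        for earlier in seen:
            if net.overlaps(earlier):
                raise ValueError(f"{net} overlaps {earlier}")
        seen.append(net)
    return True

def render_hub_config(hub=HUB, spokes=SPOKES, iface="wg0"):
    """wg-quick style hub config. Only forwarding between peers is allowed; no SNAT,
    so each spoke LAN router needs a static route for remote subnets to its WG host."""
    check_disjoint([hub_peer_allowed_ips(s) for s in spokes])
    lines = ["[Interface]", f"Address = {hub['wg']}/24", "ListenPort = 51820",
             "PrivateKey = <HUB_PRIVATE_KEY>",  # placeholder, not a real key
             f"PostUp = sysctl -w net.ipv4.ip_forward=1; iptables -A FORWARD -i {iface} -o {iface} -j ACCEPT",
             f"PostDown = iptables -D FORWARD -i {iface} -o {iface} -j ACCEPT"]
    for s in spokes:
        lines += ["", f"# {s['name']}", "[Peer]", f"PublicKey = <{s['name'].upper()}_PUBLIC_KEY>",
                  "AllowedIPs = " + ", ".join(hub_peer_allowed_ips(s))]
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_hub_config())
```

Spokes behind CG-NAT (the RV, the phone) need `Endpoint = 11.11.11.11:51820` and a `PersistentKeepalive` on their hub peer, since only they can open the connection; restricting work's reach to specific home ports is a FORWARD-chain filter on the hub or on the home pfSense, not an `AllowedIPs` entry.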

  • "a reliable way through the CG Nat": simply connect from behind CG-NAT to the Amazon server, then CG-NAT is no longer an issue. Commented Sep 19, 2023 at 2:40
  • "any pc connected to associated subnets to see the others as specified": you'll probably need to set up some static routing on your gateway routers and/or the PCs you want to use, and probably SNAT as well. An alternative is something like tailscale (or the self-hosted headscale alternative). Commented Sep 19, 2023 at 2:44
  • @JaromandaX umm, that's basically what I'm trying to do, but I don't know precisely what should be going in the AllowedIPs/Pre/Post. Adding a network to AllowedIPs seems to create a route, but most of the examples for bridging show creating routes in Pre/Post. Examples show pointing at the interface IP, while the auto-created routes point at the device. So the docs and results are confusing and possibly conflicting. Commented Sep 19, 2023 at 15:47
  • @JaromandaX from what I'm reading on SNAT, it might be useful for traffic going out from work into my home network so I can block it from hitting addresses in general and only allow it to target those ports. But for my own stuff, I prefer bridging, as I often drop new hardware in place and don't want to be constantly tweaking rules when it's all my own stuff. Commented Sep 19, 2023 at 15:49
