Tech time: Gateway to Home Lab Heaven

Posted on Jan 10, 2025 DRAFT

Let's look at what my home intranet looks like. ![[Untitled-2024-12-28-0021.excalidraw|1000]] It consists of three nets:

| # | Network | Description |
|---|---------|-------------|
| A | 192.168.178.0/24 | Intermediate net that has access to WAN |
| B | 192.168.0.0/24 | Main Omada network |
| C | 192.168.1.0/24 | WireGuard network |

The Omada network consists of these main devices:

WireGuard

The Omada gateway forwards WireGuard connections on port 51820 to the WireGuard gateway at 192.168.1.1. WireGuard clients are assigned IPs in the 192.168.1.2 - 192.168.1.255 range.

There is no DHCP for WireGuard, so each peer (wg client) needs a hardcoded IP. A server wg configuration for a peer might look like the following: ![[Pasted image 20250102165450.png]] Two settings are noteworthy:

  • Allowed Address: The wg tunnel IP address(es) linked with the peer. Must be a single IP or a whole net.
  • Public Key: The public key of the client peer.

The Allowed Address should match the Address in the client wg configuration:

```ini
[Interface]
PrivateKey = xxx
Address = 192.168.1.2/24
DNS = 192.168.0.101,1.1.1.1
MTU = 1420
```

> [!warning] Note
> The server peer specifies a single /32 IP, while the client peer specifies an IP with a /24 net mask.

Further, the client wg configuration contains the peer settings:

```ini
[Peer]
PublicKey = fd/rP7G1ARtaxD1pQkH7SZQYLXmA54xG5H96DpYw9CY=
AllowedIPs = 192.168.0.0/24
Endpoint = maffel.synology.me:51820
```

  • PublicKey: The server's public key.
  • AllowedIPs: The IPs that should be routed through the wg tunnel. In this case only IPs in the 192.168.0.0 - 192.168.0.255 range. Setting this to 0.0.0.0/0 routes all traffic through the tunnel.
  • Endpoint: The public WireGuard endpoint.
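Because the tunnel IPs are hardcoded on both sides, a mismatch between the server's Allowed Address and the client's Address, or an AllowedIPs entry that does not cover the main Omada net (or the private DNS server), silently breaks the tunnel. The script below, an added example and not part of the original post, parses a wg-quick client config and checks it against the server-side peer entry for the rules described above: the server entry is a single /32 host equal to the client Address, the client Address sits in the /24 tunnel net, the client's AllowedIPs route the main LAN (0.0.0.0/0 also passes), and any private DNS server is reachable through the tunnel. The keys, the endpoint hostname and the representation of the server peer as a two-field dict are constructed assumptions.

```python
"""Consistency checks between a WireGuard server-side peer entry and the
matching wg-quick client configuration.

Added example (not from the original post). Assumptions: the server peer is
modelled as the two fields shown on the page (allowed address + public key);
all keys and the endpoint below are constructed placeholders, not real values.
"""
import ipaddress
import re

TUNNEL_NET = ipaddress.ip_network("192.168.1.0/24")  # net C on the page
LAN_NET = ipaddress.ip_network("192.168.0.0/24")     # net B on the page

# Constructed sample: what the server stores for one peer.
SERVER_PEER = {
    "AllowedIPs": "192.168.1.2/32",
    "PublicKey": "CLIENT_PUBLIC_KEY_PLACEHOLDER=",
}

# Constructed sample: the client's wg-quick config for the same peer.
CLIENT_CONF = """\
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER=
Address = 192.168.1.2/24
DNS = 192.168.0.101,1.1.1.1
MTU = 1420

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 192.168.0.0/24
Endpoint = vpn.example.invalid:51820
"""


def parse_wg_conf(text):
    """Parse wg-quick INI text into a list of (section_name, {key: value}).

    configparser is deliberately not used: a real config may contain several
    [Peer] sections with the same name, which configparser would reject."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = (header.group(1), {})
            sections.append(current)
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current[1][key] = value
    return sections


def check_peer_pair(server_peer, client_conf_text):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    sections = parse_wg_conf(client_conf_text)
    iface = next(body for name, body in sections if name == "Interface")
    peer = next(body for name, body in sections if name == "Peer")

    # 1. The server entry must be a single /32 host ...
    server_allowed = ipaddress.ip_network(server_peer["AllowedIPs"], strict=False)
    if server_allowed.prefixlen != 32:
        problems.append(f"server AllowedIPs {server_allowed} is not a single /32 host")

    # 2. ... and that host must equal the client's tunnel Address.
    client_addr = ipaddress.ip_interface(iface["Address"])
    if client_addr.ip != server_allowed.network_address:
        problems.append(f"client Address {client_addr.ip} != server AllowedIPs {server_allowed}")

    # 3. The client Address must lie in the tunnel net and carry its /24 mask.
    if client_addr.network != TUNNEL_NET:
        problems.append(f"client Address {client_addr} is not in {TUNNEL_NET} with a /{TUNNEL_NET.prefixlen} mask")

    # 4. The client's AllowedIPs must route the main LAN (0.0.0.0/0 qualifies too).
    routed = [ipaddress.ip_network(s.strip(), strict=False) for s in peer["AllowedIPs"].split(",")]
    if not any(LAN_NET.subnet_of(net) for net in routed):
        problems.append(f"client AllowedIPs {[str(n) for n in routed]} do not route {LAN_NET}")

    # 5. A private DNS server is only usable if the tunnel routes traffic to it.
    for entry in iface.get("DNS", "").split(","):
        if not entry.strip():
            continue
        dns_ip = ipaddress.ip_address(entry.strip())
        if dns_ip.is_private and not any(dns_ip in net for net in routed):
            problems.append(f"private DNS {dns_ip} is not covered by client AllowedIPs")

    # 6. The Endpoint must name a host and a numeric port.
    host, _, port = peer.get("Endpoint", "").rpartition(":")
    if not host or not port.isdigit():
        problems.append(f"Endpoint {peer.get('Endpoint')!r} is not host:port")
    return problems


if __name__ == "__main__":
    for problem in check_peer_pair(SERVER_PEER, CLIENT_CONF) or ["OK: peer pair is consistent"]:
        print(problem)
```

Run it against your own exported client config and the peer's allowed address as shown in the server UI; every reported line points at one of the fields discussed above, so an empty result means the tunnel addressing, LAN routing and DNS reachability are mutually consistent.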