VPN-Server in RED?

Hello,

I tried to implement my VPN server (WireGuard) in the DMZ, but failed.

So I give up with that.

What about just connecting it to the ISP router in the RED network (without access to anything else on IPFire)? I could not use Pi-hole in GREEN then, but that would not be a big problem, because I would install AdGuard on the VPN server directly.

Or do you think it's better to put the VPN server in GREEN because of the firewall layer (IPFire)?

Cheers
ifstarter

Personally I would put it behind IPFire because I have no idea how secure and how well kept up to date your ISP router is. If I had an ISP router between me and the internet I would be looking to find out how to bridge it to get rid of the double NAT, but that is my preference.

The benefit of putting it into green is that you can find out if the problems are because you don't have good access to your Pi-hole on green from orange. If the problem is related to the double NAT and needing to sort out the multiple port forwards, then you will have to resolve that with the VPN server in either orange or green.

Why that? Does it have some benefits without double NAT?

What I don't understand is: if I put it in GREEN, then it has access to all of my private hardware AND it can be accessed from outside. Is it not better to leave such things (with access from outside) in RED or the DMZ, even if the ISP router is not secure? As it seems, no… but why exactly?

It is simpler. You no longer have to remember to edit the port forward rules in both routers each time you make a change, or you fully open up everything on the first router, in which case you might as well have it in bridged mode.

I was not clear enough in my communication.

You can temporarily put it in green and see if it works.
If it does then you need to find what is missing in the communication from orange to green.
If it does not then you need to solve the port forward rules.
Once everything is proven working then you can move it back to orange and make the appropriate firewall rules for orange to green communication for the pihole and modify the port forward rules in IPFire to forward to orange instead of green.

The tunnel will be encrypted, presumably with the strongest ciphers available and also with a strong TLS Channel hash algorithm to encrypt the channel setup, so the systems that the tunnel goes through will not be able to break in. If you do the decryption in RED then anything at that location could have the possibility to access the plain text communication.
So I would have the decryption point after IPFire in either orange or green depending on usage requirements.

That is what occurs with the IPFire OpenVPN tunnel. It is decrypted within IPFire, as the server runs within IPFire, and then fed to the appropriate zones depending on what has been enabled.


OK, now I understand what you mean. Thanks.

I will try to connect it in GREEN.

  1. GREEN IP for the VPN server
  2. Pinhole from RED to GREEN: Source - standard RED + Destination NAT with RED + GREEN IP of the server + allowed WireGuard TCP/UDP port
  3. The IP of the WireGuard server is 10.1.1.1, so the client has 10.1.1.2

I get no connection to the VPN server. Maybe I should change the WireGuard server IP to green as well? Is that the problem? I suppose that's the point, because I'm in the GREEN network. But then the GUI of the Brume 2 (GL-MT2500), which is the VPN server, gives the client the green IP of some hardware I already use in GREEN. I see no possibility to set another range for the VPN clients within green. Maybe I should ask in the GL.iNet forum about that.
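As an added illustration (not from the original thread and not taken from the Brume 2's GUI), here is what a WireGuard server and client configuration look like when the tunnel keeps its own address range (the 10.1.1.0/24 from the post) while the server itself sits on a GREEN address. The GREEN subnet (192.168.1.0/24), the server's GREEN address (192.168.1.10), the UDP port (51820), the public endpoint and all keys are assumed placeholder values. WireGuard listens on UDP only, so the IPFire port forward needs to cover only that UDP port.

```ini
# --- Server side: wg0.conf on the VPN server in GREEN (assumed address 192.168.1.10) ---
[Interface]
# Tunnel address of the server: its own subnet, not an address from GREEN.
# The GREEN address 192.168.1.10 stays on the server's LAN interface.
Address = 10.1.1.1/24
# UDP port that IPFire forwards from RED to 192.168.1.10 (assumed value)
ListenPort = 51820
PrivateKey = <server-private-key>   # placeholder, generated with `wg genkey`
# Assumption: let tunnel clients reach GREEN by forwarding and masquerading
# on the LAN interface (eth0 is a placeholder name). On the Brume 2 this is
# normally handled by its GUI rather than by these lines.
PostUp   = sysctl -w net.ipv4.ip_forward=1; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
# The smartphone client; it may only use its own tunnel address.
PublicKey  = <client-public-key>    # placeholder
AllowedIPs = 10.1.1.2/32

# --- Client side: the smartphone's tunnel configuration ---
[Interface]
Address    = 10.1.1.2/24
PrivateKey = <client-private-key>   # placeholder
# Assumption: AdGuard or Pi-hole answers DNS on the VPN server's GREEN address.
DNS        = 192.168.1.10

[Peer]
PublicKey  = <server-public-key>    # placeholder
# Public RED-side address or DynDNS name, forwarded by IPFire (placeholder)
Endpoint   = vpn.example.org:51820
# Route the tunnel subnet and the whole GREEN network through the tunnel.
AllowedIPs = 10.1.1.0/24, 192.168.1.0/24
# Keeps the NAT mapping on the ISP router and IPFire alive for a mobile client.
PersistentKeepalive = 25
```

A practical way to split the problem: `wg show` on the server tells you whether a handshake ever completed. No handshake at all points at the path from RED to the server (the UDP port forward in IPFire, and the second forward on the ISP router while double NAT is in place); a completed handshake with no reply from GREEN hosts points at the return path, which needs either the masquerade above or a route for 10.1.1.0/24 via 192.168.1.10 on IPFire and the GREEN hosts.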

OT: I am curious why WireGuard VPN and not the IPFire OpenVPN or IPsec VPN?
(sorry for taking this off track, I am just curious)

  1. I want to separate the firewall from other services.
  2. I had OpenVPN and it killed the battery of my smartphone in hours.
  3. WireGuard is much faster and I need speed.

So it would be nice if somebody could help me with that. As it seems, I am doing something wrong with the IP ranges or the forwarding.

From my point of view (and I am in the cheap seats) you are getting lots of help from a few different people. It is difficult to help with the WireGuard issues since most everyone here has no experience with WireGuard or Brume 2.


Sure! I did not want to say that there was no help. I'm just stuck with that thing, in the forum here as well as in the GL.iNet forum.