New to VPN: how do Virtual IPs work and how can i monitor them on my router?

hey

i use pivpn with a wireguard tunnel

my devices connect flawlessly and get assigned a virtual IP

how exactly does it work, that devices do not have an “official” ip from my dhcp and can still use the network?

and why are they not registered by my router’s network-map (unifi dream router)?

is there a way to “translate” a virtual ip for my router to a) display the device and b) apply specific firewall rules to it?

When you access the network with the VPN, the Raspberry Pi replaces the virtual IP with its local IP, so clients see connections from VPN clients as if these were coming from the Raspberry Pi itself.

You can disable this network address translation (NAT) but then you need to add routes on each client on the network, or on the router, to reach the virtual IPs using the Raspberry Pi as gateway.

thank you

I have no idea so I ask naively… how do I deactivate the piVPN’s NAT? a command or a config file? how do the VPN clients acquire an ip after NAT deactivation?
and how do I route the manual routes? what would the function typically be called in a router ui, or what do I try to achieve? is it like traffic routing or do I have to “translate”?

would this be the correct approach to guide the VPN clients to specific vlans?

I have no idea so I ask naively… how do I deactivate the piVPN’s NAT?

Should be a “masquerade” rule in the firewall ufw or iptables.

how do the VPN clients acquire an ip after NAT deactivation?

They still acquire a virtual ip

how do I route the manual routes? what would be the function typically be called in a router ui or what do I try to achieve?

Should be called “static routes”, “manual routes”

would this be the correct approach to guide the VPN clients to specific vlans?

You can’t assign a vpn client an ip address in the local network (there is no dhcp involved and the IPs are bound to WireGuard), but if you do what i said above, you can firewall based on the source virtual ip.

thank you very much - i understand better now

i have found the static route on my unifi - but what i do not currently understand (and hope you can help me :wink: ) is how i can “translate” clients from the static route to a vlan

what do i mean or what do i want to do?

i have a vlan for trusted devices and IoT devices - i want to be able to separate these two “demographics” via vpn, too

can i do that?

edit: i just learned that i can only map one vpn net to one vlan - and that i can run two vpn nets via two separate ports in one pivpn instance
so that’s a non issue for now

but what i haven’t found out yet is how do i map the static route to a vlan? how do i tell my router that the virtual ip range xxx.xxx.222.0/24 should be translated to a specific vlan (should i map it to an existing vlan or create a new one?)

how do i tell my router that the virtual ip range xxx.xxx.222.0/24 should be translated to a specific vlan (should i map it to an existing vlan or create a new one?)

I do not have an answer for that, though if you want for some reason to limit what VPN clients can do, like preventing them from accessing certain devices on the local network, or even a whole network, you can do that using iptables on the Raspberry Pi itself.
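The two pieces of advice in this thread (delete the masquerade rule and add a static route on the router, then filter by source virtual IP with iptables on the Pi) put together as an added example; this is not code from the thread or from PiVPN. The interface names, the 10.6.0.0/24 virtual range, the two VLAN subnets and the Pi's LAN address are assumed placeholders; check the rule PiVPN actually installed with `iptables -t nat -S POSTROUTING` before deleting it, since `-D` must match it exactly.

```shell
#!/bin/sh
# Constructed placeholders: replace with your own PiVPN / LAN layout.
WG_IF="wg0"               # WireGuard interface created by PiVPN
WG_NET="10.6.0.0/24"      # virtual IP range of the VPN clients
LAN_IF="eth0"             # Pi's LAN interface
TRUSTED="192.168.1.0/24"  # trusted-devices VLAN
IOT="192.168.20.0/24"     # IoT VLAN
PI_LAN_IP="192.168.1.2"   # Pi's own address on the trusted VLAN

# The masquerade that makes every VPN client look like the Pi to the LAN.
masquerade_rule() {
    echo "iptables -t nat -A POSTROUTING -s $WG_NET -o $LAN_IF -j MASQUERADE"
}

# No-NAT variant: packets keep their 10.6.0.x source, so the Pi can filter
# per client and the router's static route can send replies back.
no_nat_rules() {
    # delete the masquerade (the match must equal the installed rule)
    echo "iptables -t nat -D POSTROUTING -s $WG_NET -o $LAN_IF -j MASQUERADE"
    # let replies to flows the VPN client opened come back
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # VPN clients may reach the trusted VLAN but not the IoT VLAN
    echo "iptables -A FORWARD -i $WG_IF -s $WG_NET -d $TRUSTED -j ACCEPT"
    echo "iptables -A FORWARD -i $WG_IF -s $WG_NET -d $IOT -j DROP"
    # anything else from the tunnel is dropped
    echo "iptables -A FORWARD -i $WG_IF -j DROP"
}

# Exception for one client (e.g. your own phone), inserted ahead of the DROP.
allow_client() {
    echo "iptables -I FORWARD -i $WG_IF -s $1 -d $IOT -j ACCEPT"
}

# Static route to enter in the router UI: the virtual range lives behind the Pi.
router_static_route() {
    echo "route $WG_NET via $PI_LAN_IP"
}

# Default is a dry run that only prints the plan; APPLY=1 (as root) executes it.
if [ "${APPLY:-0}" = "1" ]; then
    no_nat_rules | while read -r cmd; do $cmd; done
else
    no_nat_rules
    router_static_route
fi
```

The static route tells the router that 10.6.0.0/24 is reachable via the Pi, which is what lets the router show and firewall the virtual IPs individually instead of seeing only the Pi.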

I don’t think you can have your gateway change the IP route of this because you’re VPNing into the raspberry pi, not the USG. The RPi is assigning its own IP internally and not on your network. It is essentially just as if your IP is part of the RPi’s internal network. Notice this by looking on the client tab of your console. You won’t see your device connected (such as your phone).

If you were to VPN to your network as a whole through the USG then your USG would assign an IP in the VPN vlan which you could then route all DNS through the pihole as if you were on the network and not need the pivpn at all.

as u/CreepyZookeepergame4 said, check your IP tables. This gives some insight into how to do that.

https://piprojects.us/iptables-firewall-rules-for-your-pi/

https://imgur.com/a/pLJZYVO

I have the iptables configured to drop all traffic to the network through pivpn so nobody but my phone can access the rest of my network. I found out that everyone I gave pivpn to had full access to my network.

Eventually, when I upgrade to a Dream Machine SE, I’ll use the built-in VPN and eliminate pivpn entirely for myself. The USG-3p vpn is super slow, like 3-4Mbps.