There is a router (Router 1) that is connected to the Internet. It provides Internet access for all devices connected via LAN or WiFi. The network is 192.168.178.1/24.
There is another router (Router 2) that is connected to Router 1 via its WAN interface.
In addition, Router 2 acts as a Wireguard VPN client.
All devices connected to Router 2 are in their own subnet 192.168.1.1/24 and should use the VPN tunnel to access the Internet.
However, all local devices should be able to access each other. So all devices connected to Router 1 should be able to access all devices connected to Router 2 and vice versa.
I created the attached diagram to show the desired setup.
Can you tell me if that is possible and if yes how I can achieve this?
You need to add a static route on router 1 to 192.168.1.0/24 via 192.168.178.2, and allow the traffic in router 2's firewall. If it works as intended then you can continue to configure wireguard.
I would create a couple of rules on router2 for the hosts in 192.168.1.0/24
One rule for the 192.168.178.0/24 to be routed normally and one for 0.0.0.0/0 to be routed over WG.
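The two-rule design just described, written out as an added example (this script is not from the thread or from OpenWrt itself): a POSIX sh script for Router 2 that builds a UCI batch for policy-based routing, so that hosts in the LAN reach Router 1's subnet directly over wan while everything else goes through the WireGuard tunnel. Assumed names are hypothetical: the WireGuard interface is called `WG0` as in the thread, the LAN is 192.168.1.0/24, Router 1's LAN is 192.168.178.0/24, routing table 100 is unused, and the `pbr_*` section names are created by the script. The one detail that matters most: the default route inside the lookup table must point at the tunnel device, not at 192.168.178.1; a table whose default route is via 192.168.178.1 (as in the config posted later in the thread) sends LAN traffic out the WAN, which is the opposite of the goal.

```shell
#!/bin/sh
# Added example, not code from the thread: policy-based routing on Router 2
# (OpenWrt) for the two-rule design: LAN hosts reach Router 1's subnet over
# wan, everything else over the WireGuard tunnel.
# Assumed (hypothetical) names: WG interface "WG0", LAN 192.168.1.0/24,
# Router 1's LAN 192.168.178.0/24, unused routing table 100, and the
# section names pbr_* that this script creates.
LAN_NET="${LAN_NET:-192.168.1.0/24}"
WAN_NET_ADDR="${WAN_NET_ADDR:-192.168.178.0}"
WAN_NET_MASK="${WAN_NET_MASK:-255.255.255.0}"
WG_IFACE="${WG_IFACE:-WG0}"
TABLE="${TABLE:-100}"

# Emit the uci batch. route_allowed_ips='0' keeps WireGuard from installing
# 0.0.0.0/0 into the main table, so the router itself (including its tunnel
# endpoint traffic) still leaves via 192.168.178.1. Table $TABLE holds the
# local subnet via wan plus a default route through the tunnel device; the
# rule sends only packets sourced from the LAN to that table, ahead of the
# main table (priority 32766).
wg_pbr_batch() {
  cat <<EOF
set network.${WG_IFACE}.route_allowed_ips='0'
set network.pbr_lan=rule
set network.pbr_lan.src='${LAN_NET}'
set network.pbr_lan.lookup='${TABLE}'
set network.pbr_lan.priority='30000'
set network.pbr_local_via_wan=route
set network.pbr_local_via_wan.interface='wan'
set network.pbr_local_via_wan.target='${WAN_NET_ADDR}'
set network.pbr_local_via_wan.netmask='${WAN_NET_MASK}'
set network.pbr_local_via_wan.table='${TABLE}'
set network.pbr_default_via_wg=route
set network.pbr_default_via_wg.interface='${WG_IFACE}'
set network.pbr_default_via_wg.target='0.0.0.0'
set network.pbr_default_via_wg.netmask='0.0.0.0'
set network.pbr_default_via_wg.table='${TABLE}'
EOF
}

# Apply on the router: load the batch into uci, commit, reload netifd.
wg_pbr_apply() {
  wg_pbr_batch | uci batch && uci commit network && /etc/init.d/network reload
}

# Check on the router that the kernel state matches the intent: a rule for
# the LAN pointing at the table, the local subnet via wan inside it, and a
# default route inside it via the tunnel device.
wg_pbr_verify() {
  ip rule show | grep -q "from ${LAN_NET} lookup ${TABLE}" || return 1
  ip route show table "${TABLE}" | grep -q "^default dev ${WG_IFACE}" || return 1
  ip route show table "${TABLE}" | grep -q "^${WAN_NET_ADDR}/" || return 1
}

# Usage on the router: sh wg-pbr.sh show | apply | verify
case "${1:-}" in
  apply)  wg_pbr_apply ;;
  verify) wg_pbr_verify ;;
  show)   wg_pbr_batch ;;
esac
```

This relies on the firewall layout the thread already has: a `lan` to `WGZONE` forwarding with `masq` on the WireGuard zone (so LAN sources are hidden behind the tunnel address), and `lan` to `wan` plus `wan` to `lan` forwardings without `masq` on `wan`, which is what lets Router 1's static route for 192.168.1.0/24 work in both directions. Two caveats: first, the router's own resolver (dnsmasq forwarding to 192.168.178.1 in the posted config) uses the main table, so client DNS queries still leave via Router 1 unless the forwarder is pointed at a resolver reachable through the tunnel; second, once the tunnel is down, table 100 has no default route and LAN clients lose Internet access rather than silently falling back to Router 1, which is usually the desired fail-closed behaviour for a VPN segment.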
Thank you. The connection between the subnet works and the wireguard connection is set up as well.
The only thing that does not work yet is that all clients in LAN2 and Wi-Fi2 use the VPN connection.
The IP address on WAN is 178.4, but in the diagram it is 178.2.
Make sure this is correct, as the route on the Fritzbox must point to the correct address for the static route to 192.168.1.0/24 to work.
Remove the static route you have for 192.168.178.0/24, it is wrong and not necessary.
From the WG interface remove route_allowed_IPs if you don't want the Netgear to use the WG tunnel for the Internet.
In firewall zone lan and wan remove:
option masq '1'
option mtu_fix '1'
Remove rules:
allow wan -> lan
and
allow lan -> wan
and
config rule
option enabled '1'
option target 'ACCEPT'
option src 'lan'
option name 'VPN'
option dest 'WGZONE'
as you have configured forwardings already.
Then add a rule:
Sorry, that was a mistake in the diagram. The IP address on WAN is 192.168.178.4.
The communication between the two networks works, but devices connected to Router 2 are not routed via VPN. This is my config after the changes that you proposed:
package dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
package dropbear
config dropbear
option PasswordAuth 'on'
option Port '22'
package firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
config zone
option name 'wan'
option output 'ACCEPT'
option input 'ACCEPT'
option forward 'ACCEPT'
option network 'wan wan6'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config rule
option target 'ACCEPT'
option src 'wan'
option proto 'tcp'
option dest_port '22'
option name 'Allow Luci access from WAN SSH'
config rule
option target 'ACCEPT'
option src 'wan'
option proto 'tcp'
option dest_port '80'
option name 'Allow Luci access from WAN HTTP'
config zone
option forward 'REJECT'
option output 'ACCEPT'
option name 'WGZONE'
option input 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'WG0'
config forwarding
option dest 'WGZONE'
option src 'lan'
config forwarding
option dest 'wan'
option src 'lan'
config forwarding
option dest 'lan'
option src 'wan'
package luci
config core 'main'
option lang 'auto'
option mediaurlbase '/luci-static/bootstrap'
option resourcebase '/luci-static/resources'
config extern 'flash_keep'
option uci '/etc/config/'
option dropbear '/etc/dropbear/'
option openvpn '/etc/openvpn/'
option passwd '/etc/passwd'
option opkg '/etc/opkg.conf'
option firewall '/etc/firewall.user'
option uploads '/lib/uci/upload/'
config internal 'languages'
config internal 'sauth'
option sessionpath '/tmp/luci-sessions'
option sessiontime '3600'
config internal 'ccache'
option enable '1'
config internal 'themes'
option Bootstrap '/luci-static/bootstrap'
config internal 'apply'
option rollback '30'
option holdoff '4'
option timeout '5'
option display '1.5'
config internal 'diag'
option dns 'openwrt.org'
option ping 'openwrt.org'
option route 'openwrt.org'
config ifstate
option interface 'wan'
option ifname 'eth0.2'
option bridge 'false'
package network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fda3:c34c:9449::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config device 'lan_dev'
option name 'eth0.1'
option macaddr 'ff:ff:ff:00:00:00'
config interface 'wan'
option ifname 'eth0.2'
option proto 'static'
option netmask '255.255.255.0'
option gateway '192.168.178.1'
option dns '192.168.178.1'
option ipaddr '192.168.178.4'
config device 'wan_dev'
option name 'eth0.2'
option macaddr 'ff:ff:ff:ff:ff:ff'
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 1 2 3 6t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '4 6t'
config interface 'WG0'
option proto 'wireguard'
option private_key 'PRIVATE_KEY'
list addresses 'MY-VPN-ADDRESS'
option listen_port '51820'
option force_link '1'
config wireguard_WG0
option endpoint_port '51820'
option persistent_keepalive '25'
list allowed_ips '0.0.0.0/0'
option public_key 'PUBLIC_KEY'
option endpoint_host 'HOST_NAME'
config rule
option in 'lan'
option lookup '100'
config route 'internet'
option interface 'wan'
option target '0.0.0.0'
option netmask '0.0.0.0'
option gateway '192.168.178.1'
option table '100'
package rpcd
config rpcd
option socket '/var/run/ubus.sock'
option timeout '30'
config login
option username 'root'
option password '$p$root'
list read '*'
list write '*'
package system
config system
option hostname 'OpenWrt'
option timezone 'UTC'
option ttylogin '0'
option log_size '64'
option urandom_seed '0'
config timeserver 'ntp'
option enabled '1'
option enable_server '0'
list server '0.openwrt.pool.ntp.org'
list server '1.openwrt.pool.ntp.org'
list server '2.openwrt.pool.ntp.org'
list server '3.openwrt.pool.ntp.org'
config led 'led_wan'
option name 'wan'
option sysfs 'r6220:green:wan'
option trigger 'netdev'
option mode 'link tx rx'
option dev 'eth0.2'
config led 'led_wifi_led'
option name 'wifi'
option sysfs 'r6220:green:wifi'
option trigger 'netdev'
option mode 'link tx rx'
option dev 'wlan0'
config led 'led_usb'
option name 'USB'
option sysfs 'r6220:green:usb'
option trigger 'usbdev'
option interval '50'
option dev '1-1'
package ucitrack
config network
option init 'network'
list affects 'dhcp'
list affects 'radvd'
config wireless
list affects 'network'
config firewall
option init 'firewall'
list affects 'luci-splash'
list affects 'qos'
list affects 'miniupnpd'
config olsr
option init 'olsrd'
config dhcp
option init 'dnsmasq'
list affects 'odhcpd'
config odhcpd
option init 'odhcpd'
config dropbear
option init 'dropbear'
config httpd
option init 'httpd'
config fstab
option exec '/sbin/block mount'
config qos
option init 'qos'
config system
option init 'led'
option exec '/etc/init.d/log reload'
list affects 'luci_statistics'
list affects 'dhcp'
config luci_splash
option init 'luci_splash'
config upnpd
option init 'miniupnpd'
config ntpclient
option init 'ntpclient'
config samba
option init 'samba'
config tinyproxy
option init 'tinyproxy'
package uhttpd
config uhttpd 'main'
list listen_http '0.0.0.0:80'
list listen_http '[::]:80'
list listen_https '0.0.0.0:443'
list listen_https '[::]:443'
option redirect_https '1'
option home '/www'
option rfc1918_filter '1'
option max_requests '3'
option max_connections '100'
option cert '/etc/uhttpd.crt'
option key '/etc/uhttpd.key'
option cgi_prefix '/cgi-bin'
list lua_prefix '/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua'
option script_timeout '60'
option network_timeout '30'
option http_keepalive '20'
option tcp_keepalive '1'
config cert 'defaults'
option days '730'
option bits '2048'
option country 'ZZ'
option state 'Somewhere'
option location 'Unknown'
option commonname 'OpenWrt'
package wireless
config wifi-device 'radio0'
option type 'mac80211'
option channel '11'
option hwmode '11g'
option path 'pci0000:00/0000:00:01.0/0000:02:00.0'
option htmode 'HT20'
option country '00'
option legacy_rates '1'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'WingardiumLeviosa VPN'
option encryption 'psk-mixed'
option key 'WIFI_PASSWORD'
config wifi-device 'radio1'
option type 'mac80211'
option channel '36'
option hwmode '11a'
option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
option htmode 'VHT80'
option disabled '1'
config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option ssid 'OpenWrt'
option encryption 'none'
Did I misunderstand something?
You mentioned that I have configured forwardings already? Can you tell me where?
config forwarding
option dest 'WGZONE'
option src 'lan'
config forwarding
option dest 'wan'
option src 'lan'
config forwarding
option dest 'lan'
option src 'wan'
You don't need to post all these configs, it is too much and we can get lost. Just uci export network ; uci export firewall is enough.
I hope the MAC addresses assigned to lan and wan are masked and not actual values.
OK, so that should be what I masked with "MY-VPN-ADDRESS", correct?
I tried that, but it did not work. The only way I got it to work was checking "Route Allowed IPs" in the WG interface.
That would be enough for my use case, but I'm curious why it did not work. Do you have a clue?
Nope, this is the WG IP of this endpoint. You need to use the IP of the other side.
It works with "route allowed IPs" but your router will use the VPN for reaching the internet too. I don't know if that is desired.
Okay, so I put in the IP of the endpoint (as shown in the WireGuard status as peer endpoint), but it still doesn't work.
Requests are still routed through 192.168.178.1.