Add a Wireguard client interface to a router working as a Relay Bridge

Hi,

My home network has two routers, both on OpenWrt 19.07.
One is the main router [R1], and the other works as a Relay Bridge [Range Extender] [R2], so that it extends my main router's wifi range. I followed this guide.
This setup works as expected.

Now I need to add a WireGuard interface to the R2 router, so that the devices that connect to a specific wifi access point on R2 are routed through the WireGuard VPN. After searching quite a lot, I found this guide, which should work.

But the problem I face on the R2 router is that, at the first step itself, when adding the WG interface and doing all the necessary configuration (private/public keys and peers on the WG interface setup page), I can't connect to the VPN server. I get a "Network device is not present" error.

Also, the wg command at the router's shell prompt does not return anything either.

I know that the WireGuard settings I use on R2 are perfectly fine, as the same settings work on R1, the main router, i.e. I get connected to my VPN provider. It's just that I don't want the R1 router to be serving as the VPN tunnel in my setup.

Any help would be appreciated.

/etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix 'fea2:5f1d:f460::/48'

config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.2.1'
list dns '192.168.1.105'

config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'

config device 'wan_eth0_2_dev'
option name 'eth0.2'
option macaddr 'e4:c3:blah:blah:blah:blah'

config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'

config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'

config switch_vlan
option device 'switch0'
option vlan '1'
option ports '2 3 4 5 0t'

config switch_vlan
option device 'switch0'
option vlan '2'
option ports '1 0t'

config interface 'wwan'
option ipaddr '192.168.1.30'
option netmask '255.255.255.0'
option proto 'static'

config interface 'repeater_bridge'
option proto 'relay'
list network 'lan'
list network 'wwan'
option ipaddr '192.168.1.30'

config interface 'WGClient'
option proto 'wireguard'
list addresses '12.34.56.78/32'
list addresses 'fc00:bbbb:bbbb:bb01::4:3e1c/128'
option private_key 'blahblah'

config wireguard_WGClient
option public_key 'blahblahblahblah='
option description 'Peer1'
option persistent_keepalive '25'
list allowed_ips '0.0.0.0/0'
list allowed_ips '::0/0'
option route_allowed_ips '1'
option endpoint_port '51820'
option endpoint_host '192.34.56.78'

/etc/config/firewall (I haven't customised this myself)
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'

config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan repeater_bridge wwan'

config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6 WGClient'

config forwarding
option src 'lan'
option dest 'wan'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

config include
option path '/etc/firewall.user'

Thanks.
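A note on the two symptoms above: `wg` printing nothing means wireguard-tools is installed but no WireGuard netdev exists, and LuCI's "Network device is not present" is the same condition seen from the web UI. The script below is an added diagnostic, not code from the thread or from either guide, to be run on R2 itself. It separates the remaining causes: the kernel module missing (on 19.07 the `wireguard` meta package pulls in `kmod-wireguard` and `wireguard-tools`; LuCI additionally needs `luci-proto-wireguard`), the netdev never created, the router having no route of its own to the peer endpoint (a relayd bridge with a static wwan and no gateway has none, whatever the relayed clients can reach), or the tunnel up but never completing a handshake. It assumes the interface name `WGClient` and the peer section from the posted /etc/config/network.

```shell
#!/bin/sh
# wg-check.sh: added diagnostic for a WireGuard client interface on OpenWrt 19.07.
# Not part of the original thread. Assumes the UCI interface is called WGClient
# (override with IFACE=...) and that its peer is the first wireguard_WGClient section.
# Run on the router:  sh wg-check.sh run
IFACE="${IFACE:-WGClient}"
# Packages a working LuCI-managed client needs on 19.07.
REQUIRED_PKGS="kmod-wireguard wireguard-tools luci-proto-wireguard"

# missing_packages: reads "opkg list-installed" output ("name - version" lines) on
# stdin and prints the required packages that are absent, one per line.
missing_packages() {
    installed=$(cut -d' ' -f1)
    for p in $REQUIRED_PKGS; do
        echo "$installed" | grep -qx "$p" || echo "$p"
    done
}

# handshake_age: reads "wg show <iface> latest-handshakes" output on stdin
# (one "<peer-pubkey><TAB><epoch seconds>" line per peer, 0 = never) and prints
# seconds since the newest handshake, or "never". $1 overrides "now" (for tests).
handshake_age() {
    now="${1:-$(date +%s)}"
    latest=0
    while read -r key ts; do
        [ "${ts:-0}" -gt "$latest" ] && latest="$ts"
    done
    if [ "$latest" -eq 0 ]; then echo never; else echo $((now - latest)); fi
}

main() {
    echo "== packages"
    miss=$(opkg list-installed | missing_packages)
    if [ -n "$miss" ]; then
        echo "missing: $(echo $miss)  -> opkg update && opkg install $(echo $miss)"
    else
        echo ok
    fi
    echo "== kernel module"
    lsmod | grep -q '^wireguard' && echo loaded || echo "not loaded (modprobe wireguard)"
    echo "== netdev"
    # No netdev here is exactly what LuCI reports as "Network device is not present".
    ip link show dev "$IFACE" 2>/dev/null || echo "no netdev $IFACE"
    echo "== route to peer endpoint"
    # The router, not the relayed clients, must be able to reach the endpoint;
    # a static wwan without a gateway leaves R2 with no default route.
    ep=$(uci -q get "network.@wireguard_${IFACE}[0].endpoint_host")
    [ -n "$ep" ] && { ip route get "$ep" 2>/dev/null || echo "no route to $ep: give wwan a gateway"; }
    echo "== last handshake"
    wg show "$IFACE" latest-handshakes 2>/dev/null | handshake_age
}

if [ "${1:-}" = "run" ]; then main; fi
```

Read the sections top to bottom: the first one that is not "ok"/"loaded"/a netdev line is the thing to fix before looking at keys or peers, since the posted settings already work on R1.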

In your config R2 (itself) has no Internet access, so it cannot connect to the VPN server.

Change the wwan interface protocol to dhcp (with static lease), or enter the necessary additional parameters, like gateway and DNS.

No, it works as expected. The current state is exactly what the Relay Bridge guide wants router R2 to be in. And I can use it to access the internet just fine.

Attaching the interface screenshot:

As you can see, the WAN in this relay bridge mode doesn't do anything; the data goes through LAN -> Repeater_bridge -> WWAN.
Thanks.

“Using relayd as instructed in this article isn't guaranteed to work and only supports IPv4.”

*You have IPv6 mixed in your config files. Strip it out? That’s how I configured my WG.

Warning: WDS seems to suffer from frequent loss of network connectivity between the routers and as such cannot be recommended. A superior option would be a wireless mesh such as the 802.11s mesh in OpenWrt or mesh functionality of vendor-provided firmware.

*What routers are you using? (WDS doesn’t like mix and match routers/chipsets/mediatek). 19.07.7?

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=319049

Posted: Fri Mar 22, 2019 16:42 Post subject:
SUCCESS!!! Thanks for the tips everyone. I abandoned WDS and focused on Client Bridge mode.

*Per the above dd-wrt link, client-bridge (ap/sta) is easier and supports more protocols by default.

*WDS doesn’t support VLAN, RADIUS, WPA3, mDNS, etc.. WDS is old and I think 802.11s w/ B.A.T.M.A.N. would be a better choice.

*Are you trying to make a VPN between the 2 routers specifically? Might not work – see above. Maybe that is why it works on the first router but not the second.

*All traffic from the extended router should go through the Wireguard iface on the main router – why set up a second Wireguard config on the 2nd one? WDS probably just won’t do it?

*I have an 802.11s mesh configured (w/o B.A.T.M.A.N.) with Wireguard on the root node and the AP node both configured to access the internet. It worked first time.

*Make sure you set the WG DNS credentials to your LAN iface?

*You didn’t set option mtu '1380' in config interface ‘WGClient’.

*The VPN service should have some tutorials on how to set up VPN bypassing or you can just make another AP/subnet/VLAN/firewall rules to deal with it – or buying more routers to create the topology you want might be easier and more robust.

*Are you using wpad-openssl?

*Are you using dnsmasq-full?

*Are all the wireguard dependencies installed?

*Are you out of keys? Most VPNs only allow 5 keys / clients.

I’m not an expert on this stuff but WDS is not recommended based on everything I have read.
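The "another AP/subnet/firewall rules" suggestion in the last reply is the standard way to get what the question actually asks for: only one SSID going through the tunnel. Below is an added example, not code from the thread or from the guides it links, of that layout as a UCI script for R2. It creates a guest SSID on its own /24 (the relay bridge between lan and wwan is left untouched), turns off `route_allowed_ips` on the posted peer (with `allowed_ips 0.0.0.0/0` that setting makes netifd install a default route through the tunnel in the main table, i.e. R2 becomes an all-traffic client), puts a default route via WGClient into routing table 100, and adds an `ip rule` sending only the guest subnet to that table. WGClient moves out of the wan zone into its own `vpn` zone, and the guest zone may forward to `vpn` only, so if the tunnel is down guest clients get nothing instead of silently falling back to wwan. Subnet 192.168.3.0/24, SSID `guest-vpn` on `radio0`, table 100, the section names, and the wan zone being `firewall.@zone[1]` (as in the posted /etc/config/firewall) are all assumptions.

```shell
#!/bin/sh
# wg-guest-split.sh: added example for R2, not code from the thread or the linked guides.
# One extra SSID gets its own subnet and only that subnet is routed through WGClient;
# the LAN -> relayd -> wwan path is left alone. Assumed names/values: guest subnet
# 192.168.3.0/24, SSID guest-vpn on radio0, routing table 100, wan zone at
# firewall.@zone[1] (as in the posted /etc/config/firewall). Usage on the router:
#   GUEST_KEY='<wpa2 passphrase>' sh wg-guest-split.sh apply
GUEST_NET="192.168.3.0/24"; GUEST_IP="192.168.3.1"; TABLE=100; WG="WGClient"

# peer_routes_main_table: reads "uci show network" output on stdin. Exit 0 if some
# WireGuard peer has route_allowed_ips='1' together with 0.0.0.0/0 in allowed_ips,
# i.e. netifd would install a default route through the tunnel in the main table
# (all of R2's routed traffic, not just one SSID). Exit 1 otherwise.
peer_routes_main_table() {
    routed=""; default=""
    while IFS= read -r line; do
        rest="${line#*.}"; sec="${rest%%.*}"   # <sec> in network.<sec>.<option>=...
        case "$line" in
            *".route_allowed_ips='1'")       routed="$routed|$sec|" ;;
            *".allowed_ips="*"'0.0.0.0/0'"*) default="$default|$sec|" ;;
        esac
    done
    rem="$routed"
    while [ -n "$rem" ]; do
        rem="${rem#|}"; sec="${rem%%|*}"; rem="${rem#*|}"
        case "$default" in *"|$sec|"*) return 0 ;; esac
    done
    return 1
}

apply() {
    : "${GUEST_KEY:?set GUEST_KEY to the guest SSID passphrase}"
    uci show network | peer_routes_main_table &&
        echo "peer currently routes 0.0.0.0/0 in the main table; moving it to table $TABLE"
    # 1. guest interface and DHCP pool, outside the relay bridge
    uci set network.guest=interface
    uci set network.guest.proto=static
    uci set network.guest.ipaddr="$GUEST_IP"
    uci set network.guest.netmask=255.255.255.0
    uci set dhcp.guest=dhcp
    uci set dhcp.guest.interface=guest
    uci set dhcp.guest.start=100
    uci set dhcp.guest.limit=150
    uci set dhcp.guest.leasetime=12h
    # 2. the SSID that lands on it
    uci set wireless.guest_ap=wifi-iface
    uci set wireless.guest_ap.device=radio0
    uci set wireless.guest_ap.mode=ap
    uci set wireless.guest_ap.network=guest
    uci set wireless.guest_ap.ssid=guest-vpn
    uci set wireless.guest_ap.encryption=psk2
    uci set wireless.guest_ap.key="$GUEST_KEY"
    # 3. policy routing: no tunnel route in main, default via WGClient in table 100,
    #    and a rule sending packets sourced from the guest subnet to that table
    uci set "network.@wireguard_${WG}[0].route_allowed_ips=0"
    uci set network.vpn_default=route
    uci set network.vpn_default.interface="$WG"
    uci set network.vpn_default.target=0.0.0.0
    uci set network.vpn_default.netmask=0.0.0.0
    uci set network.vpn_default.table="$TABLE"
    uci set network.guest_to_vpn=rule
    uci set network.guest_to_vpn.src="$GUEST_NET"
    uci set network.guest_to_vpn.lookup="$TABLE"
    # 4. firewall: WGClient gets its own zone; guest may forward into that zone only
    uci set firewall.@zone[1].network='wan wan6'
    uci set firewall.vpn=zone
    uci set firewall.vpn.name=vpn
    uci set firewall.vpn.network="$WG"
    uci set firewall.vpn.input=REJECT
    uci set firewall.vpn.output=ACCEPT
    uci set firewall.vpn.forward=REJECT
    uci set firewall.vpn.masq=1
    uci set firewall.vpn.mtu_fix=1
    uci set firewall.guest=zone
    uci set firewall.guest.name=guest
    uci set firewall.guest.network=guest
    uci set firewall.guest.input=REJECT
    uci set firewall.guest.output=ACCEPT
    uci set firewall.guest.forward=REJECT
    uci set firewall.guest_vpn=forwarding
    uci set firewall.guest_vpn.src=guest
    uci set firewall.guest_vpn.dest=vpn
    uci set firewall.guest_svc=rule
    uci set firewall.guest_svc.name=Allow-Guest-DHCP-DNS
    uci set firewall.guest_svc.src=guest
    uci set firewall.guest_svc.proto='tcp udp'
    uci set firewall.guest_svc.dest_port='53 67'
    uci set firewall.guest_svc.target=ACCEPT
    uci commit network; uci commit dhcp; uci commit wireless; uci commit firewall
    /etc/init.d/network restart
    /etc/init.d/firewall restart
}

if [ "${1:-}" = "apply" ]; then apply; fi
```

Two caveats for this layout. R2 itself still has to reach the peer endpoint through wwan, so the tunnel only comes up once wwan has a gateway; the split applies to the guest clients' traffic, not to the handshake. And guest clients get dnsmasq on R2 as resolver, whose upstream (192.168.1.105 in the posted config) is reached via wwan outside the tunnel; to keep their DNS inside the tunnel, hand the guest pool a resolver reachable through WGClient with `uci add_list dhcp.guest.dhcp_option='6,<resolver address>'`.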