Advice needed on Wireguard implementation

i am running Wireguard into my OpenWRT router and i have created a user for my mobile, were i can connect when i am away from home. So far so good.

i would like to add a remote office that has OpenWRT router, as user to my existing installation. So every user from this place could see my LAN, but not access the Internet locally, instead from the Wireguard tunnel. Could someone guide me through, please?

This post was flagged by the community and is temporarily hidden.

Dear @ulmwind. I will stick to Wireguard. So please, do you have any comments for this solution?

no change needed on local openwrt - you create a second "office" wireguard user like the one for your mobile.
for office you would need a more complex config - with 2 vlans - one for admin - with internet access one for users with wireguard access instead of wan

You can create a new peer in the home OpenWrt and in the allowed IPs use the office subnet.
Then in the office OpenWrt set up wireguard to allow and route only the home router lan IPs.
You may as well add firewall rules to prohibit any office user accessing the internet via your home due to misconfiguration. For more details we'd need to look at the existing configurations, like:
ubus call system board; uci export network; uci export firewall

Please use the "Preformatted text </>" button for logs, scripts, configs and general console output.
grafik
Also you can mask any sensitive data, like passwords and keys.

Here are my configs:

ubus call system board

{
	"kernel": "5.4.188",
	"hostname": "OpenWrt_Alix_Black",
	"system": "Geode(TM) Integrated Processor by AMD PCS",
	"release": {
		"distribution": "OpenWrt",
		"version": "21.02.3",
		"revision": "r16554-1d4dea6d4f",
		"target": "x86/geode",
		"description": "OpenWrt 21.02.3 r16554-1d4dea6d4f"
	}
}

package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdf5:627f:2fff::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list dns '1.1.1.1'
	list dns '8.8.4.4'
	option ipaddr '192.168.160.1'

config interface 'wan'
	option proto 'dhcp'
	option device 'eth2'

config interface 'WAN_pppoe'
	option proto 'pppoe'
	option device 'eth1'
	option username 'aaaaaa'
	option password 'bbbbbb'
	option ipv6 '0'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '8.8.4.4'

config interface 'Modem_Cosmote'
	option proto 'static'
	option ipaddr '192.168.178.5'
	option netmask '255.255.255.0'
	option device 'eth1'

config interface 'WG_server'
	option proto 'wireguard'
	option private_key 'yyyyyyyyyyyyyy'
	option listen_port '61820'
	list addresses '10.14.0.1/24'

config wireguard_WG_server
	option description 'Atux_mobile'
	option public_key 'zzzzzzzzz'
	list allowed_ips '10.14.0.3/21'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

uci export firewall

package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'WG_server'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'Modem_Cosmote'
	list network 'WAN_pppoe'
	list network 'wan'

config forwarding 'lan_wan'
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Wireguard'
	option src 'wan'
	option src_dport '51820'
	option dest_ip '192.168.160.251'

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '61820'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Wireguard'
	list proto 'udp'
	option src 'wan'
	option src_dport '61820'
	option dest_ip '192.168.160.1'
	option dest_port '61820'

wg show

interface: WG_server
  public key: dddddddddd
  private key: (hidden)
  listening port: 61820

peer: mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm
  endpoint: 62.100.a.b:49680
  allowed ips: 10.14.0.0/21
  latest handshake: 8 hours, 36 minutes, 22 seconds ago
  transfer: 3.12 MiB received, 27.22 MiB sent
  persistent keepalive: every 25 seconds

The new client's router will have as IP for the LAN 192.168.10.0/24, with the192.168.10.1/24 to be the router

Could you please edit and put all the output in preformatted text?

1 Like

fix mask to /32 and route_allowed_ips is not needed.

Add the following stanza for the office:

config wireguard_WG_server
	option description 'office'
	option public_key 'xxxxxxxx'
	list allowed_ips '10.14.0.4/32'
	list allowed_ips '192.168.1.0/24' <- office subnet, adjust accordingly.
	option route_allowed_ips '1'
	option persistent_keepalive '25'

This redirect is not needed, you have already a rule to allow the Wireguard.

Finally add a rule to block the office from accessing the internet via the house, in case someone misconfigures the Wireguard peer in the office:

uci add firewall rule
uci set firewall.@rule[-1].name='block office internet'
uci set firewall.@rule[-1].family='ipv4'
uci add_list firewall.@rule[-1].proto='all'
uci set firewall.@rule[-1].src='lan'
uci add_list firewall.@rule[-1].src_ip='192.168.1.0/24'
uci set firewall.@rule[-1].dest='wan'
uci set firewall.@rule[-1].target='REJECT'
uci commit firewall
service firewall restart

In the office side, the wg peer must be configured with

list allowed_ips '10.14.0.0/24'
list allowed_ips '192.168.160.0/24'