Advice needed on Wireguard implementation

I am running WireGuard on my OpenWrt router and have created a peer for my mobile, which I use to connect to home when I am away. So far so good.

I would like to add a remote office, which also has an OpenWrt router, as a peer of my existing installation, so that every user at that site can see my LAN but cannot access the Internet locally — only the WireGuard tunnel. Could someone guide me through this, please?

Dear @ulmwind, I will stick with WireGuard. Do you have any comments on this solution?

No change is needed on the home OpenWrt beyond creating a second "office" WireGuard peer, like the one for your mobile.
The office side needs a more complex config, with two VLANs: one for admins, with Internet access, and one for users, which gets the WireGuard tunnel instead of the WAN.

You can create a new peer on the home OpenWrt and put the office subnet in its allowed IPs.
Then on the office OpenWrt set up WireGuard so that only the home router's LAN addresses are allowed and routed into the tunnel.
You may as well add firewall rules prohibiting any office user from accessing the Internet via your home, in case of a misconfiguration on the office side. For more details we'd need to look at the existing configuration, e.g.:
ubus call system board; uci export network; uci export firewall

Please use the "Preformatted text </>" button for logs, scripts, configs and general console output.
Also mask any sensitive data, such as passwords and keys, before posting.

Here are my configs:

ubus call system board

{
	"kernel": "5.4.188",
	"hostname": "OpenWrt_Alix_Black",
	"system": "Geode(TM) Integrated Processor by AMD PCS",
	"release": {
		"distribution": "OpenWrt",
		"version": "21.02.3",
		"revision": "r16554-1d4dea6d4f",
		"target": "x86/geode",
		"description": "OpenWrt 21.02.3 r16554-1d4dea6d4f"
	}
}

package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdf5:627f:2fff::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

# Home LAN: 192.168.160.0/24 -- the subnet the office peer is meant to reach.
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list dns '1.1.1.1'
	list dns '8.8.4.4'
	option ipaddr '192.168.160.1'

config interface 'wan'
	option proto 'dhcp'
	option device 'eth2'

# PPPoE uplink; username/password are masked placeholders in this post.
config interface 'WAN_pppoe'
	option proto 'pppoe'
	option device 'eth1'
	option username 'aaaaaa'
	option password 'bbbbbb'
	option ipv6 '0'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '8.8.4.4'

# Static address on the same eth1 as the PPPoE session -- presumably only for
# reaching the modem's management UI (192.168.178.x); not part of the tunnel setup.
config interface 'Modem_Cosmote'
	option proto 'static'
	option ipaddr '192.168.178.5'
	option netmask '255.255.255.0'
	option device 'eth1'

# WireGuard server. The tunnel subnet 10.14.0.0/24 is on-link through this
# address, so a peer holding a single /32 inside it needs no extra route.
# udp/61820 must be accepted on wan (firewall rule 'Allow-WireGuard').
config interface 'WG_server'
	option proto 'wireguard'
	option private_key 'yyyyyyyyyyyyyy'
	option listen_port '61820'
	list addresses '10.14.0.1/24'

# Mobile peer.
# NOTE(review): allowed_ips '10.14.0.3/21' is wider than the /24 above. Cryptokey
# routing then accepts packets from this peer with any source address in
# 10.14.0.0-10.14.7.255, and with route_allowed_ips a /21 route into the tunnel is
# installed ('wg show' below indeed reports 10.14.0.0/21). A single client should
# get '10.14.0.3/32'; route_allowed_ips is then unnecessary because that address
# is already on-link via the interface address.
config wireguard_WG_server
	option description 'Atux_mobile'
	option public_key 'zzzzzzzzz'
	list allowed_ips '10.14.0.3/21'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

uci export firewall

package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# WG_server is a member of the 'lan' zone: every WireGuard peer, and any subnet
# listed in a peer's allowed_ips (e.g. an office LAN), is trusted exactly like a
# wired LAN host -- including the lan->wan forwarding below. Limiting what a
# remote site may reach therefore has to be done with explicit rules, not with
# zone membership.
config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'WG_server'

# All three uplinks share the wan zone; masq applies to anything forwarded here,
# so tunnel traffic that reaches wan goes out NATed with the home address.
config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'Modem_Cosmote'
	list network 'WAN_pppoe'
	list network 'wan'

# Grants Internet to the whole lan zone, i.e. also to WireGuard peers.
config forwarding 'lan_wan'
	option src 'lan'
	option dest 'wan'

# The rules below match the OpenWrt default firewall ruleset (wan input/forward
# exceptions); nothing in them is specific to the WireGuard setup.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# NOTE(review): the two default rules below forward unsolicited ESP and IKE
# (udp/500) from wan into the lan zone. They are harmless while no LAN host
# runs IPsec, but since this setup uses WireGuard they can be disabled.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

# /etc/firewall.user is not shown in the post; anything in it is loaded as raw
# iptables commands and may override the rules above -- worth sharing as well.
config include
	option path '/etc/firewall.user'

# NOTE(review): DNAT of port 51820 (no proto set, so tcp and udp) from wan to a
# LAN host. It does not match the router's own WireGuard port (61820) and looks
# like a leftover from an earlier setup; unless 192.168.160.251 still serves
# WireGuard, remove it rather than keep an open forward into the LAN.
config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Wireguard'
	option src 'wan'
	option src_dport '51820'
	option dest_ip '192.168.160.251'

# The only firewall entry the WireGuard server itself needs: accept udp/61820
# on wan so handshakes reach WG_server.
config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '61820'
	option proto 'udp'
	option target 'ACCEPT'

# NOTE(review): redundant -- this redirects udp/61820 to the router's own LAN
# address while the router is already listening on 61820 and the rule above
# accepts the port. It can be deleted.
config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Wireguard'
	list proto 'udp'
	option src 'wan'
	option src_dport '61820'
	option dest_ip '192.168.160.1'
	option dest_port '61820'

wg show

interface: WG_server
  public key: dddddddddd
  private key: (hidden)
  listening port: 61820

peer: mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm
  endpoint: 62.100.a.b:49680
  allowed ips: 10.14.0.0/21
  latest handshake: 8 hours, 36 minutes, 22 seconds ago
  transfer: 3.12 MiB received, 27.22 MiB sent
  persistent keepalive: every 25 seconds

The new client's (office) router will have 192.168.10.0/24 as its LAN, with 192.168.10.1/24 being the router itself.

Could you please edit and put all the output in preformatted text?


Fix the mobile peer's allowed_ips mask to /32 (10.14.0.3/32); route_allowed_ips is not needed for that peer, since 10.14.0.0/24 is already on-link through the WG_server address.

Add the following stanza for the office:

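# Site-to-site peer for the office router.
config wireguard_WG_server
	option description 'office'
	option public_key 'xxxxxxxx'
	# The office router's own tunnel address. /32 so this peer can only source
	# that single address, not the whole 10.14.0.0/24.
	list allowed_ips '10.14.0.4/32'
	# Office LAN behind that router: 192.168.10.0/24 as stated in the post above;
	# adjust only if the office LAN is renumbered.
	list allowed_ips '192.168.10.0/24'
	# Needed here: the office LAN is off-link, so a route via WG_server has to be
	# installed for replies to the office hosts to enter the tunnel.
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	# Because WG_server sits in the firewall 'lan' zone, hosts from this subnet
	# are treated like LAN clients; block their Internet access with a rule.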

The redirect of port 61820 to 192.168.160.1 is not needed: the router itself listens on that port and you already have a rule (Allow-WireGuard) accepting it on wan.

Finally, add a rule that blocks the office from reaching the Internet through your house, in case someone misconfigures the WireGuard peer on the office side to route all traffic into the tunnel:

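# Reject anything arriving from the office through WG_server (zone 'lan', which
# includes WG_server) that is destined for the wan zone. fw3 applies rules ahead
# of the lan->wan zone forwarding, so this overrides it for the office sources
# only. Both the office LAN (192.168.10.0/24 as stated earlier in the thread) and
# the office router's own tunnel address are listed, so a peer that NATs its LAN
# behind 10.14.0.4 cannot slip through either.
uci add firewall rule
uci set firewall.@rule[-1].name='block office internet'
uci set firewall.@rule[-1].family='ipv4'
uci add_list firewall.@rule[-1].proto='all'
uci set firewall.@rule[-1].src='lan'
uci add_list firewall.@rule[-1].src_ip='192.168.10.0/24'
uci add_list firewall.@rule[-1].src_ip='10.14.0.4'
uci set firewall.@rule[-1].dest='wan'
uci set firewall.@rule[-1].target='REJECT'
uci commit firewall
service firewall restart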

On the office side, the peer entry for the home router must be configured with only these allowed IPs (not 0.0.0.0/0):

# Office-side peer entry for the home router: only the home tunnel subnet and the
# home LAN are accepted from / sent into the tunnel, so office Internet traffic
# never reaches the home router. These prefixes are off-link for the office
# router, so its WireGuard interface also needs route_allowed_ips '1' (or
# equivalent static routes) for them.
list allowed_ips '10.14.0.0/24'
list allowed_ips '192.168.160.0/24'