Assistance sharing Wireguard traffic with other routers (separate from LAN/WAN traffic)

My Setup:

Main Router:

  • Raspberry Pi 5 running pretty much the latest SNAPSHOT build
  • Configured with PPPoE for internet access
  • Wireguard Tunnel set up (and working)

3 Other routers currently running DD-WRT:

  • Used as Access points for WIFI
  • All Hardwired to each other (and the RPi)

Task:

  • Create separate SSID on DD-WRT routers for Wireguard tunnel.
  • Separate SSIDs for normal LAN/WAN traffic
  • All LAN ports on DD-WRT routers to serve normal LAN/WAN traffic

I am pretty new to OpenWrt, so still learning, but from my understanding I need to go down the VLAN route? (I've never used VLANs before)

I have tried finding tutorials/videos/blogs with similar use cases but not had much luck.

Can somebody please give me some pointers as to how to best achieve this?

Thanks in advance. :slight_smile:

If you want to have some of the SSIDs from your access points use the WG tunnel and others not, then VLANs are a viable option.


Yes, you will need VLANs. And you will also need Policy Based Routing to give you the ability to define which VLAN goes via the WAN vs which goes via the VPN.

The rest of this will be questions for the DD-WRT forums... the firmware is very different and it isn't supported here. We can, however, help you get your Pi configured appropriately so that you can move to the next steps with DD-WRT (although it will be difficult to prove the functionality until the DD-WRT side is ready, too... a bit of a chicken or egg).

Alternatively, if your routers that are running DD-WRT are supported by OpenWrt, you could install OpenWrt instead and we can help you with them.


Unfortunately the other routers have a Broadcom chip, so I don't think moving to OpenWrt on them is the best way forward. I appreciate this forum will not provide any support for DD-WRT. :slight_smile:

Quick question before I start reading up on VLAN - If I define a SSID on the DD-WRT on 192.168.2.1/24 (main LAN is on 192.168.0.1/24), can I receive that traffic on the RPi? If so, can I just not set up something on the RPi to also work on that subnet and use PBR to route any traffic over the Wireguard interface?

It depends on how you're approaching this.

If you make the DD-WRT device a router rather than just a bridged AP, it can, of course, have a different subnet. And you can avoid double-NAT by adding a static route in the main router (i.e. the Pi). However, the Pi would no longer be doing the routing, so your goal of having a split-tunnel would not work.

For your goal to be realized, you need to setup VLANs on your main router and then on the DD-WRT devices. The DD-WRT devices would then, in turn, link each SSID to a different VLAN.

On OpenWrt and many other firmware, a bridged-AP with VLANs would only have an address on a single subnet -- that is the network that manages the device. The other subnet(s) would simply be transparently bridged through, and the AP would not have an address on that subnet at all. I don't know how DD-WRT handles this, though.


Actually, I take this back... I think it might be possible. But, it would certainly be considerably different, and possibly harder/more complex.

The best method is to have all the routing and policies on the main router, and the rest will just serve as APs/switches.

I think that might be possible (I am also using/administering DD-WRT routers so have ample experience with it).
On the DD-WRT router do not NAT traffic coming out of the LAN (br0), but set a static route on the Pi for the return traffic, e.g. ip route add 192.168.2.0/24 via [ip-address-of-DDWRT-router] (you can make a route for that in the OpenWRT GUI).
You need PBR to route 192.168.2.0/24 via the WG tunnel.


@egc, I know very well who you are, you have helped me many times on the DD-WRT forum. :slight_smile:

(I have loosely followed this tutorial I found on the DD-WRT forum :
https://wiki.dd-wrt.com/wiki/index.php/Linking_Subnets_with_Static_Routes)

I have done the following but not able to get any internet access:

On Main Router (RPI5, OpenWrt)
Routing


Firewall - Traffic Rule:

PBR

On the DD-WRT (where SSID with different subnet is hosted):
I've changed from "Gateway" mode to "Router"

I must have missed a step somewhere..

Pi for the return traffic e.g. ip route add 192.168.2.0/24 via [ip-address-of-DDWRT-router] (you can make a route for that in the OpenWRT GUI).

Can you explain this one? I think this is where I might be going wrong, as I have not routed anything back to the DD-WRT router.

Hmm that is basically all wrong.

Delete all the routing rules and routes and disable PBR for now!

About the DDWRT router:
First use build 56490 or earlier
You have it setup as a Wireless access point and want to have an unbridged Virtual Access Point on this WAP (VAP on a WAP) see: https://raw.githubusercontent.com/egc112/ddwrt/main/DDWRT%20Virtual%20Access%20Point-7.pdf
See the paragraph about a VAP on a WAP carefully follow all points.

Set this up first, reboot both routers and see if it works, from your unbridged VAP you should have internet access, if not head over to the DDWRT forum for advice.

If it works proceed with removing or commenting out the NAT rule on the DDWRT router iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr) and set a static route on the OpenWRT router:
in /etc/config/network add, (replace 192.168.0.X with the IP address of the DDWRT router):

config route
	option interface 'lan'
	option target '192.168.2.0/24'
	option gateway '192.168.0.X'

If that works, the only thing left is to make a rule in the PBR GUI to route 192.168.2.0/24 via the wg interface; this needs to be a prerouting rule.


@egc I failed on the first hurdle.. I've tried to set up a VAP using your tutorial and its not working.. As its on the DD-WRT I've created a post on that forum to keep things separate:

https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1303163#1303163

Funny thing is, the bridged VAP I've also got running on that router works fine, and gets me an IP no problem.

Let me first fix that problem, then I'll move on to the next step. :slight_smile:

The usual way to do this is to make the APs simple bridges (dumb). Each SSID bridges its wireless users into a different VLAN on the cable. The main router has a network associated with each VLAN to control DHCP, firewalling and routing.

The APs only need to hold an IP on one (trusted) interface VLAN so that there is a way to log into them. The AP's IP does not matter to wireless users, they never see it.


@egc I've now got the VAP working (as in getting an IP from the correct subnet), but no Internet.

is this statement from you correct?

Set this up first, reboot both routers and see if it works, from your unbridged VAP you should have internet access, if not head over to the DDWRT forum for advice

If the WAP and VAP are set up correctly you should have internet access.


I've got the VAP up and running on the DD-WRT now, giving me a 192.168.2.0/24 IP address.. I also have internet access.

However if I add the following rule to PBR I still get my ISP IP address and no traffic is routed through the wg interface.

Of course, because you are NATting all traffic coming out of the DD-WRT router, so there is no 192.168.2.0/24 subnet arriving at the main router yet.

Disable PBR
Set a static route on the main router to route 192.168.2.0/24 via 192.168.0.7


/etc/config/network:

config route
	option interface 'lan'
	option target '192.168.2.0/24'
	option gateway '192.168.0.7'

Assuming 192.168.0.7 is the address of the DD-WRT router.

Disable the NAT rule on the DDWRT router by commenting/removing:
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)

Reboot and check if you have internet access

Looking back, I already provided these instructions, well as my French teacher always said "Frappez toujours" :wink:

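The following is an added example, not code from this thread, from OpenWrt or from DD-WRT. It is a toy model of the forwarding decisions egc describes in the two posts above: while the DD-WRT router SNATs its VAP clients behind its own LAN address, a PBR rule for 192.168.2.0/24 on the Pi can never match; once the SNAT is removed, the Pi must have a return route for 192.168.2.0/24 or replies leave via the default route. The addresses, interface names, client and destination IPs are assumptions modelled on the thread (main router 192.168.0.1, DD-WRT 192.168.0.7, VAP subnet 192.168.2.0/24; the internet host is a TEST-NET address).

```python
"""Toy model of the routing/NAT/PBR interplay discussed in the thread.

Added example; not the thread's, OpenWrt's or DD-WRT's code. All addresses
and interface names below are assumptions modelled on the thread.
"""
import ipaddress
from typing import NamedTuple

MAIN_LAN_IP = "192.168.0.1"     # assumed: the OpenWrt Pi
DDWRT_LAN_IP = "192.168.0.7"    # assumed: the DD-WRT AP hosting the unbridged VAP
VAP_SUBNET = "192.168.2.0/24"   # assumed: subnet served by the VAP
CLIENT = "192.168.2.10"         # constructed: a wireless client on the VAP
INTERNET = "203.0.113.1"        # constructed: some host on the internet (TEST-NET-3)


class Router:
    """Main routing table plus optional PBR-style source policies and SNAT."""

    def __init__(self, name, routes, policies=(), snat_out=None, snat_to=None):
        self.name = name
        # (destination network, next hop or None if directly connected, egress ifname)
        self.routes = [(ipaddress.ip_network(n), via, ifn) for n, via, ifn in routes]
        # PBR "prerouting" rules: packets FROM these sources leave via ifname,
        # decided before the main table is consulted
        self.policies = [(ipaddress.ip_network(n), ifn) for n, ifn in policies]
        # mimics 'iptables -t nat -I POSTROUTING -o <snat_out> -j SNAT --to <snat_to>'
        self.snat_out, self.snat_to = snat_out, snat_to

    def lookup(self, dst):
        """Longest-prefix match; returns (network, next hop, ifname)."""
        dst = ipaddress.ip_address(dst)
        best = None
        for net, via, ifn in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, via, ifn)
        if best is None:
            raise LookupError(f"{self.name}: no route to {dst}")
        return best

    def forward(self, src, dst):
        """Return (egress ifname, source address as the next hop will see it)."""
        src_ip = ipaddress.ip_address(src)
        for net, ifn in self.policies:      # the policy decision wins over the main table
            if src_ip in net:
                egress = ifn
                break
        else:
            egress = self.lookup(dst)[2]
        if self.snat_out == egress and self.snat_to:
            src_ip = ipaddress.ip_address(self.snat_to)   # source rewritten on the way out
        return egress, str(src_ip)


class Outcome(NamedTuple):
    src_seen_by_main: str   # what the Pi sees as the packet's source address
    egress: str             # where the Pi sends the client's packet
    reply_next_hop: str     # where the Pi sends the reply (next hop, or ifname if direct)


def simulate(ddwrt_snat: bool, static_route: bool, pbr_rule: bool) -> Outcome:
    """One client packet to the internet, plus the Pi's routing decision for the reply."""
    ddwrt = Router(
        "ddwrt",
        routes=[(VAP_SUBNET, None, "wl0.1"),          # the unbridged VAP
                ("192.168.0.0/24", None, "br0"),       # the main LAN
                ("0.0.0.0/0", MAIN_LAN_IP, "br0")],    # default via the Pi
        snat_out="br0" if ddwrt_snat else None,
        snat_to=DDWRT_LAN_IP,
    )
    main_routes = [("192.168.0.0/24", None, "br-lan"),
                   ("0.0.0.0/0", None, "pppoe-wan")]
    if static_route:   # the 'config route' stanza: target 192.168.2.0/24, gateway 192.168.0.7
        main_routes.append((VAP_SUBNET, DDWRT_LAN_IP, "br-lan"))
    main = Router("main", routes=main_routes,
                  policies=[(VAP_SUBNET, "wg0")] if pbr_rule else [])

    _, src_seen = ddwrt.forward(CLIENT, INTERNET)
    egress, _ = main.forward(src_seen, INTERNET)
    _, via, ifn = main.lookup(src_seen)     # the reply goes back to whatever source the Pi saw
    return Outcome(src_seen, egress, via or ifn)


if __name__ == "__main__":
    for args in [(True, False, True), (False, False, True),
                 (False, True, False), (False, True, True)]:
        print(f"snat={args[0]!s:5} static_route={args[1]!s:5} pbr={args[2]!s:5} -> {simulate(*args)}")
```

The first scenario is the situation described in the post just above: with SNAT on br0, the Pi only ever sees 192.168.0.7 as the source, so the PBR rule never fires and the client gets the ISP address. The second scenario shows why the static route has to go in before PBR is switched on: without it the outbound packet does go through wg0, but the reply to 192.168.2.10 matches only the default route and leaves via pppoe-wan. Only with the SNAT removed and the return route present does the full path line up.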

Yes you did.. In my defence I have spent days trying to get this to work, and one tutorial/setting spills over into the next and it's just difficult to keep the focus - even if the solution is staring you right in the face.

Anyway: We got it working!! :partying_face: Not a VLAN in sight (although it might well be that using VLANs is the "correct" way of going about doing this, I don't know). For my use case the end result is perfect.

Thank you everybody for their input, especially @egc


Glad you got it working; using VLANs originating at the router is the royal solution, as you can then have this spread out to multiple access points.

But if this works for you all the better.

Always keep the KISS principle in mind :slight_smile:

@egc I'm not sure if the policy on this forum is 1 problem per thread, but you being the expert in PBR: after a reboot of the main router the traffic starts to get routed through the WAN rather than the wg.. If I turn PBR off and on again it starts to route correctly through the route set up in PBR. Surely that's not right?

I think, at least that would be my idea, that one problem per thread is the recommended way so that solutions are searchable.

I am not the expert on PBR that is @stangri, but you can set a startup delay for PBR.
See: https://docs.openwrt.melmac.net/pbr/ paragraph Service Configuration Settings
There is boot_timeout and procd_boot_delay

You can set/increase those in the config file (/etc/config/pbr)

Note that the standard boot_timeout is 30 sec, so it can take about 40 seconds after the router is up before PBR kicks in.


Setting 'procd_boot_delay' in /etc/config/pbr to 30s sorted the problem out for me; you can see in the log that everything loads after the reboot, then PBR kicks in.

Thanks again for all your help. :slight_smile:
