Bridge & VPN between 2 OpenWrt Pi

Sorry Vladislav, I was so upset that I didn't read and so didn't try your proposal. Actually I did remove the LAN GW, but OpenWrt sets the WAN one in place.

Actually, what I did was create 2 new µSD cards with the exact same OpenWrt versions they previously had. I did all the config by hand... AND IT WORKS!

Now the problem is that I am afraid of rebooting and seeing it OOO again. I think I saved everything, but how can I be sure? Is there a way to save the running config?

Thx for your help, all of you...


Thx again to all for your help.
I will now try to configure access to any of my Raspberrys for my iPhone. I suppose that I will need the WireGuard iOS application and to create at least a new peer, if not a new wg interface.

If I need help I will surely open a new thread, & in the meantime I will try to complete the OpenWrt doc on Site-2-Site if I am allowed.

Yes, you'll need the app and a new peer on one of the Raspberrys. You shouldn't need a new wg interface though.


OK, done... This works perfectly now. Thanks to all that you taught me here and 2 other articles:
Serverside and Graham Stevens, I managed to get this running.
My phone is connected to the 192.168.99.0 network, simulating the internet, and I can connect to any of the elements in one of the internal networks, .96 OR .98.

A few elements are quite bothering:

  • When I connect to the .96 network I can't use the Site-2-Site link to access the .98 network
  • Once connected via the VPN I can't attach to the eth0 of the OpenWrt (to make some modifications), so I need to ssh to a device & hop to the FW from there
  • Once I am connected via the VPN, no internet browsing is possible...

But I can live with it, so :+1: and again thx to all & especially @krazeh @dlakelan & @vgaetera

Is this all related to your phone? What's the peer config on the OpenWrt device and the full config on your phone?

So here are the configs:

config interface 'lan'
        option ifname 'eth0'
        option proto 'static'
        option ipaddr '192.168.98.254'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.99.254'
        list dns '8.8.8.8'
        list dns '9.9.9.9'
        list dns '1.1.1.1'

...

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'PRIVATE_KEY'
        option listen_port '55555'
        option delegate '0'

config wireguard_wg0
        option description 'ow3'
        option public_key 'PEER1_PUBLIC_KEY'
        list allowed_ips '192.168.96.0/24'
        option route_allowed_ips '1'
        option endpoint_host '192.168.99.96'
        option endpoint_port '55555'

config wireguard_wg0
        option description 'iPhone'
        option public_key 'IPHONE_PUBLIC_KEY'
        list allowed_ips '192.168.95.120/32'
        option route_allowed_ips '1'
        option endpoint_host '192.168.95.120'
        option endpoint_port '55555'

On the iPhone,

Name		ow 
Public key	'IPHONE_PUBLIC_KEY'
Addresses	192.168.95.120/32
ListenPort	55555
DNS Servers	192.168.99.254

Peer 
Public key	'wg0_PUBLIC_KEY'
End Point	192.168.99.98:55555
Allowed IP 	0.0.0.0/0

So when the iPhone connects to the endpoint 192.168.99.98 everything is OK. It is able to connect to any device on the 192.168.98.0 network through its IP, but not via its name that is in dnsmasq.
As there is no DNS, no internet browsing; however, I can ping google.fr's address 216.58.206.227.
It is not able to go through the Site2Site & reach the 192.168.96.0 network.

Remove this from the iPhone peer on the router. You only want to include endpoint details for a peer if that peer has a fixed address (either static IP or DDNS) and will be running wireguard all the time (e.g. a router).

Is the 192.168.99.254 device running OpenWRT and using dnsmasq for DNS queries?

To get to the 192.168.96.0 network you need to add list allowed_ips '192.168.95.120/32' to the existing peer config on the 192.168.96.254 router. So it should look like:

config wireguard_wg0
        option public_key 'PEER_PUBLIC_KEY'
        option endpoint_port '55555'
        list allowed_ips '192.168.98.0/24'
        list allowed_ips '192.168.95.120/32'
        option route_allowed_ips '1'
        option endpoint_host '192.168.99.98'
        option description 'ow4'

Then restart the wg interface.

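As an added illustration of why the /32 entry on the 192.168.96.254 router is needed (example code written for this thread, not from the thread or from OpenWrt): a small parser for the UCI peer sections shown above, plus the cryptokey-routing lookup WireGuard applies to both outgoing and incoming packets. The peer descriptions, placeholder keys and the before/after snippets are constructed to mirror the thread.

```python
import ipaddress
import re

# Constructed sample peer sections in OpenWrt UCI syntax, mirroring the thread:
# ow4 is the 192.168.98.254 router, ow3 the 192.168.96.254 router, shown before
# and after the iPhone /32 is added to ow3's peer entry for ow4.
OW4_PEERS = """
config wireguard_wg0
        option description 'ow3'
        option public_key 'PEER1_PUBLIC_KEY'
        list allowed_ips '192.168.96.0/24'

config wireguard_wg0
        option description 'iPhone'
        option public_key 'IPHONE_PUBLIC_KEY'
        list allowed_ips '192.168.95.120/32'
"""
OW3_PEERS_BEFORE = """
config wireguard_wg0
        option description 'ow4'
        option public_key 'PEER_PUBLIC_KEY'
        list allowed_ips '192.168.98.0/24'
"""
OW3_PEERS_AFTER = OW3_PEERS_BEFORE + "        list allowed_ips '192.168.95.120/32'\n"

UCI_LINE = re.compile(r"(option|list)\s+(\w+)\s+'([^']*)'")

def parse_peers(uci_text):
    """Collect 'config wireguard_*' sections as dicts: description + allowed_ips."""
    peers = []
    for raw in uci_text.splitlines():
        line = raw.strip()
        if line.startswith("config wireguard_"):
            peers.append({"description": None, "allowed_ips": []})
        elif peers and (m := UCI_LINE.match(line)):
            if m.group(2) == "description":
                peers[-1]["description"] = m.group(3)
            elif m.group(2) == "allowed_ips":
                peers[-1]["allowed_ips"].append(ipaddress.ip_network(m.group(3)))
    return peers

def peer_for(peers, address):
    """Cryptokey routing: the peer whose allowed_ips covers address (longest prefix
    wins), or None. WireGuard uses the same table to pick the peer for an outgoing
    packet and to accept an incoming one: a packet from a peer whose source address
    is outside that peer's allowed_ips is silently dropped."""
    addr, best = ipaddress.ip_address(address), None
    for p in peers:
        for net in p["allowed_ips"]:
            if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (p["description"], net)
    return best[0] if best else None

def phone_reaches_site(ow4_peers, ow3_peers, phone_ip, target_ip):
    """Phone -> ow4 -> ow3 -> target works only if ow4 can route the target to a
    peer AND ow3 accepts the phone's address as a source (and reply destination)."""
    return peer_for(ow4_peers, target_ip) is not None and peer_for(ow3_peers, phone_ip) is not None
```

Without the /32 on ow3, the packet leaves ow4 fine but ow3 drops it on arrival because 192.168.95.120 matches none of its peers; adding the entry fixes both the inbound check and the return route.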

Done removing the peer options in the router. It still works but doesn't change the behavior. I suppose that you mentioned this to be more compliant with the usage: my iPhone is not a router that uses OpenWrt.

The 192.168.99.254 is not running OpenWrt. Actually it is my ISP box (running Linux) and is configured as DNS. Open ports on the LAN interface are 53, 80, 180, 443, 445, 548, 554,

Concerning the change for allowing IP 192.168.95.120/32 in the tunnel, I did the modification but it didn't work; I must have forgotten something.

Can you access 192.168.99.254 from your phone while it's connected by WG?

Did you restart the wg interface on the 96.254 router after making changes to the peer config?

This is wrong.
You must not specify gateway or upstream DNS on the downstream interface.

https://openwrt.org/docs/guide-user/services/vpn/wireguard/extras#dns_over_vpn

Yes I can access 192.168.99.254 from my phone while it's connected by WG.

I did restart the wg interface after each change too.

BTW I restarted the Allowed IPs for the tunnel and it worked. :+1: I might have mistyped something the first time.

OK, I was not aware of this.
So I deleted the custom DNS on eth0 on the router & everything is OK.
Then I made the change mentioned in the guide:

uci set dhcp.@dnsmasq[0].localservice="0"
uci commit dhcp
/etc/init.d/dnsmasq restart

However, I kept the router as DNS in the iPhone client as I couldn't manage to use nmcli :wink:

So DNS problem solved & so internet browsing too...
