Can a wireguard VPN be mounted to a VLAN port?

I have a TP-LINK archer a7 running v21. It is also running as a wireguard VPN server. I have another openwrt router running v23 and wireguard server at another location. I can use wireguard and my cell phone to connect to either of these routers from any arbitrary location.

I would like to know if there is an easy way to set up the Archer OpenWrt router so that a specific external RJ-45 port is mapped to the VPN connected to my other location. That is, so that anything plugged into that port will think and act like it's physically connected to my router at the other location?

The router would need to do what it can to keep the VPN connection active, but if it fails, the VLAN connector must be dead and not roll over to the local LAN.

Yes, this can be done. You're already on the right track with a VLAN. Set up a new subnet and attach the port to this new network. Then use Policy Based Routing to direct all traffic to/from that port to use the VPN, and disallow use of the regular upstream network.

But please upgrade to a supported, non-EOL version of OpenWrt first; the Archer A7 has no problems running 23.05.2 (or newer).
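The three steps in that answer (new subnet on the port, policy routing into the tunnel, no fallback to the regular upstream) as an added example in OpenWrt UCI, not code from the thread. It assumes hypothetical names: the WireGuard client interface and its firewall zone are both called `wgpeer`, the dedicated VLAN port is device `eth0.7`, and the new LAN uses the 192.168.7.0/24 subnet mentioned later in the thread; `UCI=echo ./vpnlan.sh apply` prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical names: WireGuard client
# interface and firewall zone `wgpeer`; VLAN port device `eth0.7`; the VpnLan
# subnet 192.168.7.0/24 from the thread. Run with UCI=echo for a dry run.
UCI="${UCI:-uci}"
VPNLAN_DEV="${VPNLAN_DEV:-eth0.7}"
WG="${WG:-wgpeer}"      # tunnel interface; its firewall zone shares the name
RT_TABLE=100

configure_vpnlan() {
  # 1. Isolated interface for the dedicated port.
  $UCI set network.vpnlan=interface
  $UCI set network.vpnlan.device="$VPNLAN_DEV"
  $UCI set network.vpnlan.proto=static
  $UCI set network.vpnlan.ipaddr=192.168.7.1
  $UCI set network.vpnlan.netmask=255.255.255.0
  # 2. Policy routing: traffic sourced from VpnLan consults table 100 first.
  $UCI set network.vpnlan_rule=rule
  $UCI set network.vpnlan_rule.src=192.168.7.0/24
  $UCI set network.vpnlan_rule.lookup="$RT_TABLE"
  # 3a. Table 100: default route through the tunnel (netifd removes it when
  #     the tunnel interface goes down).
  $UCI set network.vpnlan_via_wg=route
  $UCI set network.vpnlan_via_wg.interface="$WG"
  $UCI set network.vpnlan_via_wg.target=0.0.0.0/0
  $UCI set network.vpnlan_via_wg.table="$RT_TABLE"
  # 3b. Fail-closed: a worse-metric 'unreachable' default in the same table.
  #     Without it an empty table 100 falls through to main and the WAN.
  $UCI set network.vpnlan_fail=route
  $UCI set network.vpnlan_fail.interface=vpnlan
  $UCI set network.vpnlan_fail.target=0.0.0.0/0
  $UCI set network.vpnlan_fail.table="$RT_TABLE"
  $UCI set network.vpnlan_fail.type=unreachable
  $UCI set network.vpnlan_fail.metric=1000
  # 4. Firewall: own zone, forwarding only into the tunnel zone, never to wan.
  $UCI set firewall.vpnlan=zone
  $UCI set firewall.vpnlan.name=vpnlan
  $UCI add_list firewall.vpnlan.network=vpnlan
  $UCI set firewall.vpnlan.input=ACCEPT   # router reachable for DHCP/DNS
  $UCI set firewall.vpnlan.output=ACCEPT
  $UCI set firewall.vpnlan.forward=REJECT
  $UCI set firewall.vpnlan_to_wg=forwarding
  $UCI set firewall.vpnlan_to_wg.src=vpnlan
  $UCI set firewall.vpnlan_to_wg.dest="$WG"
  $UCI commit network
  $UCI commit firewall
}

# ./vpnlan.sh apply ; then restart the network and firewall services
if [ "${1:-}" = "apply" ]; then configure_vpnlan; fi
```

A DHCP pool for `vpnlan` still has to be added, and the remote side must route 192.168.7.0/24 back through its AllowedIPs (or the `wgpeer` zone must masquerade) for return traffic to arrive.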


Because this router actually runs with a critical system, I can't afford the risk of downtime because of a transition from 21 to 23 right now. However, I have ordered an identical router which should be here in a few days that I will be installing v23 on. For now I'm going to use the system backup and hope that restore works if I get into trouble.

Although the wireguard server is running on this router, the wireguard peer is not. I'm thinking I need to get that working first.

While this particular router may be running v21, I was told that the VLAN system was not upgraded to the new system like other routers were. Supposedly there was a hardware issue that does not support the new VLAN system.

Here are the specs on the router. How would I find out if v23 supports the new VLAN system?

Model: TP-Link Archer A7 v5
Architecture: Qualcomm Atheros QCA956X ver 1 rev 0
Target Platform: ath79/generic
Firmware Version: OpenWrt 21.02.3 r16554-1d4dea6d4f / LuCI openwrt-21.02 branch git-22.347.45520-d30ab74
Kernel Version: 5.4.188

The A7 and the rest of ath79 are still swconfig. VLANs can be set up using the swconfig interface the same as with previous versions.

What you describe is a bridge. Wireguard is a routed VPN; it does not bridge. Layer 2 operations such as IPv4 DHCP cannot be routed, so creating a transparent "like physically connected" link won't work directly through Wireguard.

There are options:

  • Use GRE inside Wireguard.
  • Use a different VPN connection that has a layer 2 mode, such as OpenVPN or Zerotier.

I don't know what GRE is inside wireguard.

I don't know anything about zerotier, but I tried OpenVPN and I wasn't happy with its security. I went with Wireguard and all my security issues went away. I like Wireguard even though it's not super easy to set up.

We tried installing Wireguard Peer on Win10 and I was never able to get it to work properly. It connects to the remote internet, but denies access to the remote LAN. Searching online, it's obvious that this bug in wireguard is well known with no solution. Meanwhile, wireguard android works fine.

Anyhow, that's what I was trying to do here so I could get the Wireguard in the router to do all the heavy lifting and let windows just plug into the right port.

Sounds like you don't really need layer 2 then. The remote Windows machine can be on a different LAN that routes through wireguard to the home LAN. Start by setting up a second LAN using the guest network instructions. The IP range of this LAN must be different from the home LAN.

I made a system backup and then created an empty interface with the subnet 192.168.7.x. The new interface is called VpnLan.

Also, is there an easy way to get the RJ-45 jack number without digging through wires? The only wired machine into the router is the one I am typing on right now. So I have the MAC and IP but not the jack #. If it's a pain, I can dig through all that stuff if necessary.

When I try to set up the router as a wireguard peer, it says to use the vpn interface but there is already a vpn server interface. I tried adding a VpnPeer address, but it looks like it's trying to set up another server.

Solution for: Wireguard for Windows not allowing access to local LAN.

This thread originated from the desire to find a work around for a problem with wireguard for windows. The problem is that wireguard for windows has a bug that does not allow connections to the server's LAN, but does allow connections to the Internet. So setting up wireguard server on openWrt works fine for other clients like android, but not windows.

Of course, if all you want is a safe way to access the Internet, then it's not a problem. It's only a problem for people who want LAN access.

I did happily find a work around to the bug in wireguard for windows that will allow access to the server side (openWRT) LAN. In wireguard for windows, edit the wireguard configuration that goes to the remote OpenWRT and change the "Allowed IP's" line to the following:

Allowed IP's: 0.0.0.0/0, 192.168.1.0/24

The allowed IP's is normally only "0.0.0.0/32" which is supposed to allow a connection to all IPs. And that's the way it works for Android clients, but for windows, it doesn't do anything. So you have to explicitly add the local LAN IP ranges that you want to access. In this case that is the "192.168.1.x" range, but you can add additional ranges or expand that one to a "/16" or something similar.

There is also sometimes an IPv6 range supplied, but I don't need IPv6 on my local LAN so I just deleted that.

I hope this helps other people trying to get Wireguard for Windows working.

#wireguard, #windows, #OpenWRT

No. 0.0.0.0/0 is all ips. Any /32 address is a singular address - literally just that one. 0.0.0.0/32 is thus not valid.

Yes, you are correct. It should have said that 0.0.0.0/0 stands for all addresses.

With that in mind, can you run a test to confirm that 192.168.1.0/24 is required as a call out:

^^^ this in theory should not require 192.168.1.0/24, but maybe Windows has a specific need.

I would expect that the following should be enough:

Allowed IP's: 0.0.0.0/0

but again, maybe WG on Windows doesn't treat RFC1918 addresses as included in the 0.0.0.0/0 allowed IPs for some reason.

The 0.0.0.0/0 doesn't work by itself. Earlier I mistyped it as /32. That was an error. I can confirm that the /0 doesn't work with wireguard for windows; however, it works just fine for Android wireguard.
If you want to access the LAN under openwrt using Windows 10 via wireguard, you will need to include the correct subnet because it will not work with the 0.0.0.0/0 one alone.

There are quite a few posts asking for help regarding this all over the internet, and none of them had a solution. As far as I know, wireguard does not have a forum to help people. I can't even see where I could report the bug.

It would be nice if they had just a little bit of documentation regarding that, but they don't. There is not even a readme that goes with the installation.

