Ok here is the situation, very simply. I have an ISP router, then, there is Openwrt router connected as an Access point.
So, can I make so that openwrt router's wifi clients, will be connecting to a wireguard VPN, then to an offshore VPS? Those who connect to the ISP router's wifi clients, will not go through wireguard.
I've done it on where openwrt router was the main router, but not this. Is it possible though?
Yes, it is possible.
The easy solution is to make the access point a routed AP and not dumbAP. Then after you configure the VPN, all the traffic will go through the VPN.
Ok, with the help of chatgpt and openwrt wiki, i ll try this then
Do not use any AI for this! It will make a mess of your config.
Use the OpenWrt wiki and/or ask us (humans) questions.
Just to be clear, AI is not authoritative, and usually makes things worse. It will probably cost you time/energy to fix the mistakes of AI, and may even result in security issues. Then you'll end up resetting everything to start over... lol.
Seriously, don't use AI. But if you insist on doing so anyway, do not post anything that AI recommends here. We do not want that here because it is often misleading or incorrect, and will cause confusion with other readers.
Ok I think you're right then. So I am starting off with this wiki here: https://openwrt.org/docs/guide-user/network/wifi/routedap
So I'll try to see if I can do it myself. I am a network guru by now.
So I did what was told here. So now what do I do from here?
This is what I normally do:
My other solution would be to use something like MWAN 3 to do some policy based routing but it is normally harder and is more complicated
That doesn't help me in any way it's too vague. At least point me to something like a wiki.
At this point, you just need to setup the VPN. Have you done this in the past (jn general) or do you need help with that?
Yes i setup the vpn. But then, the traffic doesn't go through to the VPN when i connect to the openwrt router via wifi. Thats what i want.
Ok... let's review the config of the OpenWrt device.
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
Before that, I need to setup like 10 Openwrt devices like this, probably 10 different people. What if the main router's IP is something like 192.168.0.1 or 192.168.50.1? Wouldn't this client thing fail then? For that, I think routed AP makes more sense, isn't it?
I would suggest that you complete one config from end-to-end so that you fully understand the 'recipe' for the APs.
You need to guarantee that the upstream, downstream, and wireguard subnets are all different. To do this without a priory knowledge of the upstream network can be tricky, but you have 3 major ranges to work with
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
Since you can make your downstream network anything with those ranges, you can choose one that is somewhat unlikely to be in use at the target locations... it's not fool proof, but if you choose something like 10.241.23.0/24, you'd probably be unlikely to have an overlap issue.
Ok I think this makes more sense. I configured it as a routed AP, with something like 192.168.69.1. So, ISP router's lan port >Openwrt WAN port. WAN is set to DHCP. So, I set the wireguard up too. But how to make data go through that wireguard now?
Make sure that WG has allowed IPs of 0.0.0.0/0 and option route_allowed_ips '1', as well as the requisite firewall setup (WG in its own zone or in the wan zone, masquerading enabled; lan > WG or wan forwarding allowed).
Post the config and I can review.
Ok done, it works. Even after reboot it works. But the thing is, for the service I want, DNS must not leak. I got a leaky DNS. The current ISP will still use their own DNS, even if I change it. So, how to go to wireguard's DNS server instead? Is this possible? Since it goes to the ISP's DNS first, it leaks. I do DNS leak test, and it leaks.
set the desired DNS in the dnsmasq config.
Ok I did that, also deleted the wan6 interface. I know my ISP doesn't use it, but having that maybe leaks it. It seems to not leak anything no more. Will do more tests.