Configure WireGuard Client with Double NAT

I have an ISP router (router A, subnet 192.168.1.0/24) with static IP. I also have another router (router B, subnet 192.168.2.0/24) connected to router A (lan to wan).

What I want to do is to set up my router B as a WireGuard client connected to a remote WireGuard server so that the devices connected to router B could only access the Internet via WireGuard tunnel.

I followed the official tutorial to set up the WireGuard client on my router B but was not able to make it working (RX: 0 B). I tried setting "Route Allowed IPs" in WireGuard Peers settings to 1, removing listen port from WireGuard config and other things mentioned on the forum without success.

The problem is obviously with my OpenWRT setup because the tunnel works if i set it up using dd-wrt. I also tried to delete WireGuard setup completely on my router B and checked if I can connect to my router B with other devices and use WireGuard on these devices. It works.

Below are my config files.

cat /etc/config/network:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdd8:xxxx:xxxx::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option broadcast '1'
        option delegate '0'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        option listen_port '51820'
        list addresses '10.0.0.10/32'
        list dns '10.0.0.1'

config wireguard_wg0
        option description 'client'
        option public_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        list allowed_ips '0.0.0.0/0'
        option persistent_keepalive '21'
        option endpoint_host '68.xxx.xxx.xx'
        option endpoint_port '51820'

cat /etc/config/firewall:

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'wg0'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'vpn'

You have to enable "Route allowed IPs" in the wireguard peer section.

Reboot afterwards

As I mentioned, I did try that without success.

Now I've done it again, in network config there is now a line "option route_allowed_ips '1'" under wireguard config, and after reboot the Internet on router B is not working whatsoever.

are you using ipv6?

No I don't.

let's see the latest configuration as well as the results of

wg show

/etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdd8:0eac:79ed::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option broadcast '1'
        option delegate '0'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        option listen_port '51820'
        list addresses '10.0.0.10/32'
        list dns '10.0.0.1'

config wireguard_wg0
        option description 'client'
        option public_key 'KsflDqx2hzte7sz0VsIb0rLj309BLJOW9Pxxxxxxxxx='
        list allowed_ips '0.0.0.0/0'
        option persistent_keepalive '21'
        option endpoint_host '68.xxx.xxx.xx'
        option endpoint_port '51820'
        option route_allowed_ips '1'

cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'wg0'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'vpn'

config forwarding
        option src 'lan'
        option dest 'wan'

wg show

interface: wg0
  public key: 5Rz/m7dYIXpGGHlUz1thf1Yi4Y8oOCCvxsxxxxxxxxx=
  private key: (hidden)
  listening port: 51820

peer: KsflDqx2hzte7sz0VsIb0rLj309BLJOW9Pxxxxxxxxx=
  endpoint: 68.xxx.xxx.xx:51820
  allowed ips: 0.0.0.0/0
  transfer: 0 B received, 10.41 KiB sent
  persistent keepalive: every 21 seconds

Remove this line:

You are not getting a handshake.... after you make the change, restart your router and try again.

If things don't work, report back with

date
wg show

After removing the line "option listen_port '51820'" and rebooting:

date
Fri May 10 22:36:45 UTC 2024

wg show

interface: wg0
  public key: 5Rz/m7dYIXpGGHlUz1thf1Yi4Y8oOCCvxxxxxxxxxxx=
  private key: (hidden)
  listening port: 37099

peer: KsflDqx2hzte7sz0VsIb0rLj309BLJOW9Pxxxxxxxxx=
  endpoint: 68.xxx.xxx.xx:51820
  allowed ips: 0.0.0.0/0
  transfer: 0 B received, 1.16 KiB sent
  persistent keepalive: every 21 seconds

time looks fine.

Check your keys and interface address the values provided by the VPN operator.

Thank you for your time. Somehow I dragged and dropped wrong configuration file.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.