I assume this is a common use case. I want to be able to ping devices behind my cottage router running OpenWRT, which uses a 5G modem to access the Internet and thus does not have a public IP.
I already use a WireGuard server on my home router (which works flawlessly) but I presume that a similar setup is not possible in the cottage due to CGNAT? What are my options?
Let the cottage router (CGNAT) connect to the home router (public IP) via a WireGuard client installed in the cottage and tunnel back to the cottage via the home network?
Use some sort of forwarding setup (which?) so I can connect to the cottage independently?
I am reopening this topic as I opted for the solution above. I have a couple of practical questions:
"Home" Router A, public IP, WireGuard Server, 192.168.0.x internal IP range
"Cottage" Router B, CG-NAT, WireGuard Client, 192.168.1.x internal IP range
With the default WireGuard setup, router B will get IP 10.0.5.3 in WireGuard and I will be able to ping it from router A.
How do I configure WireGuard and routing so that both router A and B surf as usual (through their own gateways) and the only thing that is allowed is that I can ping 192.168.1.x addresses from home network 192.168.0.1 and not the other way around?
Basically, how do I bind together those two routers with a tunnel so I can peer into my surveillance cam in the cottage from home w/o risk of somebody being able to ping my home network from the cottage?
What you are referring to is usually called a site-to-site setup.
See my notes, the WireGuard Server setup guide has a paragraph about setting up a site-to-site setup.
You had better download the guide as github only shows the first 5 pages:
If that is not enough to get you going then for both sides connect to your OpenWRT device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button
Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
wg show
Thank you very much, that was very helpful!
One brief question: do I need two instances of WireGuard server on my router in order to create a site-to-site tunnel and keep my current device-to-site functionality working, or can I just create an additional "site-to-site" profile in the existing instance?
Yes, you need only one WireGuard server at home.
For your home WG server the cottage is just another peer, but with the subnet of the cottage also added to the Allowed IPs. You should have enabled Route Allowed IPs so that there is a route from the server to your cottage.
The cottage is initially just set up as a WG client, so connecting to your home.
If that works, you then set up the WG firewall zone in the cottage as if it is a server, e.g. allowing traffic.
As Allowed IPs you use the whole WG subnet (to allow other peers of the home server, so that if you connect from your phone on the internet to your home server you can also connect to your cottage) and the subnet of your home to allow other home clients to connect.
Yes it does. I have the same system at home and can access it remotely. Basically, as long as I can ping 192.168.1.x in the cottage from the 192.168.0.x home network, surveillance will work.
I just want to be able to look at the IP camera in the cottage (w/o looping it around some 3rd party server) and flip some software enabled power switches. For example, start the heat pump w/o the Chinese app.
Agree. Tailscale probably works but loops the traffic (or handshake?) through their server. It will (or already does) cost money and is making the functionality dependent on 3rd party proprietary software, which I try to avoid as much as possible.
Tailscale uses DERP Servers when needed.
Tailscale is free for the first 100 Tailscale Clients.
Tailscale uses Wireguard and adds a number of features not available in Vanilla Wireguard.
A somewhat unorthodox solution: you connect to the Yggdrasil network, which gives you a static IPv6 address and prefix. Then you can use it directly, as the connection is already encrypted (your software MUST support IPv6), or set up a VPN connection of your choice.
I now have two routers: router A (public IP, WG server) and router B (CG-NAT, WG client). I have successfully installed the WG client on router B and imported the config file for the tunnel. As far as I can see, the connection is alive and the interface "Wireguard" on B is connected to A.
Router A has 192.168.0.x LAN. Public IP WAN.
Router B has 192.168.1.x LAN. CG-NAT WAN.
Router B WG client is now connected to Router A WG server and has the "internal" IP 10.0.5.5 in router A.
Now the next question is:
How do I configure the tunnel/firewall in A and B so I can ping 192.168.1.x addresses on router B LAN from 192.168.0.x addresses on router A LAN (but not the other way around)?
I still want clients on 192.168.1.x (router B, WG client) to surf from their local gateway (not tunneling). Basically, I only want to be able to peer into the 192.168.1.1 network from the 192.168.0.x network via the WG tunnel.
On router A
for the Allowed IPs of the peer of router B add the subnet of router B: 192.168.1.0/24
On router B
for the Allowed IPs of the peer of router A add the subnet of router A: 192.168.0.0/24
Make sure to enable Route Allowed IPs
To check please show the output of both routers, connect to your OpenWRT device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button
Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
ip route show
wg show
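The two answers above (one server at home, the cottage as an extra peer with its LAN in Allowed IPs, Route Allowed IPs on both sides, and a firewall zone in the cottage that only forwards in one direction) as one complete UCI configuration. This is an added illustration, not a config posted by anyone in this thread. It reuses the addresses from the thread (10.0.5.5 for router B, 192.168.0.0/24 home, 192.168.1.0/24 cottage); the server tunnel address 10.0.5.1/24, interface name wg0, zone name wg, UDP port 51820, the hostname home.example.net and the REDACTED_... key placeholders are assumptions. The existing Allow-WireGuard rule on router A's wan zone is unchanged and not shown.

```uci
# ---- Router A ("home", public IP, LAN 192.168.0.0/24) ----
# /etc/config/network : the existing server interface; only the
# wireguard_wg0 peer section for the cottage is new.
config interface 'wg0'
	option proto 'wireguard'
	option private_key 'REDACTED_HOME_PRIVATE_KEY'
	option listen_port '51820'
	list addresses '10.0.5.1/24'

config wireguard_wg0
	option description 'cottage-router-B'
	option public_key 'REDACTED_COTTAGE_PUBLIC_KEY'
	option preshared_key 'REDACTED_PSK'
	# tunnel address of router B plus the whole cottage LAN behind it
	list allowed_ips '10.0.5.5/32'
	list allowed_ips '192.168.1.0/24'
	# installs "192.168.1.0/24 dev wg0" on router A
	option route_allowed_ips '1'
	# no endpoint_host: B is behind CG-NAT and always dials in

# /etc/config/firewall on router A : the wg zone and the two
# forwardings are what a road-warrior server already has; the
# REJECT rule is the new part. Rules are evaluated before zone
# forwardings, so it wins over the wg->lan forwarding below.
config zone
	option name 'wg'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wg0'

config forwarding
	option src 'lan'
	option dest 'wg'

config forwarding
	option src 'wg'
	option dest 'lan'

config rule
	option name 'Deny-cottage-to-home'
	option src 'wg'
	option dest 'lan'
	list src_ip '192.168.1.0/24'
	list src_ip '10.0.5.5'
	option target 'REJECT'

# ---- Router B ("cottage", CG-NAT, LAN 192.168.1.0/24) ----
# /etc/config/network
config interface 'wg0'
	option proto 'wireguard'
	option private_key 'REDACTED_COTTAGE_PRIVATE_KEY'
	list addresses '10.0.5.5/24'
	# no listen_port: nothing can reach B from the Internet anyway

config wireguard_wg0
	option description 'home-router-A'
	option public_key 'REDACTED_HOME_PUBLIC_KEY'
	option preshared_key 'REDACTED_PSK'
	option endpoint_host 'home.example.net'
	option endpoint_port '51820'
	# keeps the CG-NAT mapping open so A can send to B at any time
	option persistent_keepalive '25'
	# whole WG subnet (so a phone peered to A can reach the cottage)
	# plus the home LAN (so pings and replies route back over wg0)
	list allowed_ips '10.0.5.0/24'
	list allowed_ips '192.168.0.0/24'
	option route_allowed_ips '1'
	# deliberately NOT 0.0.0.0/0: cottage clients keep surfing via
	# their own 5G WAN

# /etc/config/firewall on router B
config zone
	option name 'wg'
	# ACCEPT so home can ping/ssh router B itself (192.168.1.1, 10.0.5.5)
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wg0'

# home -> cottage LAN (cameras, switches)
config forwarding
	option src 'wg'
	option dest 'lan'

# There is intentionally no "src lan / dest wg" forwarding on B:
# cottage clients cannot open connections into the tunnel, while
# conntrack still lets replies to home-initiated sessions flow back.
```

Apply with `service network restart` and `service firewall restart` on each router, then verify: `wg show` on both sides should show a recent handshake, `ip route show` on B should list `192.168.0.0/24 dev wg0` and on A `192.168.1.0/24 dev wg0`, a ping to 192.168.1.1 from a home client should succeed, and a ping to 192.168.0.1 from a cottage client should fail. The one-way property is enforced twice: B never forwards lan to wg, and A's REJECT rule drops anything from the cottage source addresses even if B's firewall is later loosened.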