I want to set up two routers in remote locations, each with three interfaces (lan, family and iot), to talk to each other via two WireGuard interfaces.
Goals are
to be able to reach the lan-interfaces of the other router from each router and clients in lan-zones of both routers via wg0
to be able to reach family-clients of both routers from clients in family-zones via wg1
to be able to reach iot-clients of both routers from clients in the family- and lan-zones of both routers via wg1. I thought it would not be a good idea to connect the iot interfaces directly, but to access them only via forwarding rules (and thus minimize security breaches).
Firewall setup: For both routers I have the same following zones + forwardings defined
###################### WAN-config
config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    list network 'wan6'
    list network 'wan'

###################### LAN-config
config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    list network 'lan'
    list network 'wg0'

config forwarding
    option src 'lan'
    option dest 'iot'

config forwarding
    option src 'lan'
    option dest 'wan'

###################### FAMILY-config
config zone
    option name 'family'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    list device 'br-family'
    list network 'family'
    list network 'wg1'

config forwarding
    option src 'family'
    option dest 'iot'

config forwarding
    option src 'family'
    option dest 'wan'

###################### IOT-config
config zone
    option name 'iot'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    list device 'br-iot'
    list network 'iot'

config forwarding
    option src 'iot'
    option dest 'wan'

###################### wireguard rules
config rule
    option name 'wireguard wg0 input'
    option src '*'
    option dest_port '27'
    option proto 'udp'
    option target 'ACCEPT'

config rule
    option name 'wireguard wg1 input'
    option src '*'
    option dest_port '28'
    option proto 'udp'
    option target 'ACCEPT'
The tunnel on wg0 works: I can reach the lan- + iot-interfaces of the other router from both routers.
The tunnel for wg1 gets established, so part of this config is correct as well.
But when I try to use the wg1 tunnel and move the rows list allowed_ips '192.168.41.0/24' and list allowed_ips '192.168.42.0/24' from wg0 to wg1, I cannot reach the iot-clients of the other router from family-clients (and no longer from lan-clients either, see the second question below). So something in this setup is borked, but I seem to be unable to spot the issue.
Could someone help me correct the setup of the second tunnel (wg1)?
Plus a second question: Is it somehow possible to set a static route that enables both interfaces, lan AND family, on router#1 to reach iot on router#2, and vice versa?
Could something like
I'm fairly positive you don't need to use multiple WireGuard connections. It is possible to route multiple subnets in a single WireGuard tunnel. If both sides are set up with identical subnets with the WireGuard interface in its own firewall zone, you should be able to just forward between the WireGuard zone and the respective subnet zones on either side.
This kind of setup is often referred to as a site-to-site setup.
This will work with just one tunnel between the two sites.
I would delete wg1 and keep wg0.
Just add the missing subnet 192.168.31.0/24 on router 2 and 192.168.32.0/24 on router 1 to the allowed IPs; that should give you routing to all subnets of the other side.
The restriction of access is done with the firewall; for this you have to set up a separate zone for your wg0 interface with the same settings as the lan zone (also covered in my notes).
With forwarding rules you allow access to the different interfaces.
Note that the local lan clients might have their own local firewall which will not allow access from other subnets, so you often have to tweak that local firewall or use the workaround described in my notes.
The last row should read list server '/lan5/192.168.5.1', right?
And with my setup I would have to list each subnet's server (like 192.168.31.1/41.1/41.1 (for router#2))?
Second question: how do I actually set up the following routing while at the same time making sure that family clients cannot access lan resources on the other router? (This is not answered by the document, or maybe I missed it.)
You should not need to set up any special routing. The Wireguard interfaces create routes themselves once "route allowed IPs" is set, covering all the subnets you "allow" to go to the other end. The rest is handled by the firewall on either side, forwarding between the WireGuard firewall zone and the ones the respective subnets are in. It also handles which subnets can forward between each other, just like on a local machine.
As already noted by @takimata, the routing should already be in place if you have set the Allowed IPs and enabled Route Allowed IPs.
You can check from the command line:
ip route show
If you do this on router1 you would see that there are routes for the subnets of the other side (which you have placed in the allowed IPs) to route via the WG interface.
A route is just a route, but along these routes are doors (the firewall); those are closed by default, so you have to open up the doors to let traffic pass.
These doors are one-way, so you can have traffic go out but not come in (return traffic is always allowed).
An example (see also WireGuard Server Setup Guide)
You have a client on router1-lan trying to connect to router2-lan
The route is already there, so if your router1-lan client (e.g. 192.168.31.X) tries to reach e.g. 192.168.32.X, traffic will be directed to the WG interface. But to have the firewall on router1 allow this you have to create a forwarding rule (remember my advice to place the wg0 interface in its own firewall zone; let's call that wgserver).
router1 /etc/config/firewall:
config forwarding
    # to give your LAN clients access to WG clients, needed for a site-to-site setup
    option src 'lan'
    option dest 'wgserver'
Now traffic will pass to the WG interface. WireGuard has its own cryptokey routing, which I will not discuss here, but with the destination address and the right WG public key the traffic is allowed.
From the WG interface on router2 the traffic must then pass to the router2-lan, so you again need a forwarding rule, but now from the wgserver zone to the lan zone:
router2 /etc/config/firewall:
config forwarding
    # to give WG clients access to your LAN clients
    # if you want more fine-grained control, remove this and make a traffic rule, see below
    option src 'wgserver'
    option dest 'lan'
Now clients from router1-lan can connect to clients on router2-lan, but not the other way around.
If you want that, then also make the reverse rules (reversing src and dest) and you have bidirectional traffic possible.
For IoT you might want only one-way traffic, so you only make the rules in one direction.
If you cannot get it going and need help please post configs again from both router1 and router2:
cat /etc/config/network
cat /etc/config/firewall
ip route show
But this is not what I wanted to achieve.
I need segregation between lan and family with at the same time allowing the local family subnet to access the full remote family subnet.
edit: Maybe it is anyway better not to be able to reach iot from lan.
So what I really want to get up and running is
As said, you make a traffic rule something like this (instead of the general forwarding rule from family to wg0); this should restrict access to only the family subnet.
(Actually the source subnet is probably redundant, but you can use that to restrict access from only certain family clients if you wish.)
config rule
    option src 'family'
    option dest 'wg0'
    option name 'familytofamily'
    list proto 'all'
    list src_ip '192.168.31.0/24'
    list dest_ip '192.168.32.0/24'
    option target 'ACCEPT'
Got it. Thanks, that solves the topic! (I actually needed 3 of those rules: family1->family2, family2->family1 and family1->iot2, and vice versa on the second router.)
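The zone semantics egc describes in the two answers above (a forwarding opens one direction only, return traffic passes by itself, and a traffic rule with a dest_ip restriction replaces a blanket family-to-WireGuard forwarding) as an added, runnable Python example; this is not code from the thread or from OpenWrt. It parses a constructed router1 /etc/config/firewall and reports the verdict for the first packet of a new connection. Assumed and not taken from the thread: the zone name 'wgserver' holding wg0 (egc's suggestion), lan addresses 192.168.21.0/24 (local) and 192.168.22.0/24 (remote), a REJECT global default, and the evaluation order traffic rules, then forwardings, then the zone's own forward policy for traffic between two networks of the same zone. Ports, protocols and conntrack state are not modelled. wg1 is deliberately left inside the family zone, as in the opening post, so the model also shows what that layout does to family-to-wg1 traffic.

```python
"""Offline simulator of OpenWrt zone-based forwarding verdicts (added example, not
code from the thread).  Models the first packet of a new connection only: traffic
rules of the source zone, then forwardings, then the zone's own 'forward' policy
for traffic between two networks of one zone, then a REJECT default."""
import ipaddress
import re

# Constructed router1 config.  Assumed, not from the thread: zone 'wgserver' holding
# wg0, lan 192.168.21.0/24 (local) and 192.168.22.0/24 (remote), wg1 still in family.
ROUTER1_FIREWALL = """
config zone
    option name 'lan'
    option forward 'ACCEPT'
    list network 'lan'
config zone
    option name 'family'
    option forward 'REJECT'
    list network 'family'
    list network 'wg1'
config zone
    option name 'wgserver'
    list network 'wg0'
config forwarding
    option src 'lan'
    option dest 'wgserver'
config rule
    option name 'familytofamily'
    option src 'family'
    option dest 'wgserver'
    list src_ip '192.168.31.0/24'
    list dest_ip '192.168.32.0/24'
    option target 'ACCEPT'
"""
LINE = re.compile(r"(config|option|list)\s+(\S+)(?:\s+'([^']*)')?$")


def parse_uci(text):
    """Parse the quoted-value UCI subset above into [(section_type, dict)]."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = LINE.match(line)
        if not m or (cur is None and m.group(1) != 'config'):
            raise ValueError(f'unparsed line: {raw!r}')
        kind, key, val = m.groups()
        if kind == 'config':
            cur = {}
            sections.append((key, cur))
        elif kind == 'option':
            cur[key] = val
        else:                                   # 'list' accumulates values
            cur.setdefault(key, []).append(val)
    return sections


class Firewall:
    def __init__(self, text):
        secs = parse_uci(text)
        self.zones = {s['name']: s for k, s in secs if k == 'zone'}
        self.zone_of_network = {n: z for z, s in self.zones.items() for n in s.get('network', [])}
        self.forwardings = {(s['src'], s['dest']) for k, s in secs if k == 'forwarding'}
        self.rules = [s for k, s in secs if k == 'rule']

    def decide(self, src_net, dst_net, src_ip, dst_ip):
        """Verdict and reason for a new connection entering on UCI network src_net and
        leaving via dst_net.  Replies of an accepted connection are passed by conntrack
        before these chains, which is why a single forwarding gives one-way access."""
        src_zone, dst_zone = self.zone_of_network[src_net], self.zone_of_network[dst_net]
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for r in self.rules:                       # 1. traffic rules, in file order
            if 'dest' not in r:                    # src without dest is an INPUT rule
                continue
            if r.get('src', '*') not in (src_zone, '*') or r['dest'] not in (dst_zone, '*'):
                continue
            if 'src_ip' in r and not any(src in ipaddress.ip_network(n) for n in r['src_ip']):
                continue
            if 'dest_ip' in r and not any(dst in ipaddress.ip_network(n) for n in r['dest_ip']):
                continue
            return r['target'], f"rule {r.get('name', '?')}"
        if (src_zone, dst_zone) in self.forwardings:   # 2. zone-to-zone forwardings
            return 'ACCEPT', f'forwarding {src_zone}->{dst_zone}'
        if src_zone == dst_zone:                   # 3. two networks of one zone
            return self.zones[src_zone].get('forward', 'REJECT'), f'zone {src_zone} forward policy'
        return 'REJECT', 'global default'          # 4. assumed 'config defaults' policy


FW = Firewall(ROUTER1_FIREWALL)

if __name__ == '__main__':
    for c in [('family', 'wg0', '192.168.31.10', '192.168.32.20'),   # family1 -> family2
              ('family', 'wg0', '192.168.31.10', '192.168.22.20'),   # family1 -> lan2
              ('lan', 'wg0', '192.168.21.10', '192.168.22.20'),      # lan1 -> lan2
              ('wg0', 'lan', '192.168.22.20', '192.168.21.10'),      # lan2 -> lan1, no reverse forwarding
              ('family', 'wg1', '192.168.31.10', '192.168.32.20')]:  # wg1 inside the family zone
        print(*c, *FW.decide(*c))
```

Run as a script it prints one line per case: family1 to the remote family subnet is accepted by the familytofamily rule while family1 to the remote lan subnet falls through to the REJECT default, lan1 to lan2 is accepted by the lan->wgserver forwarding but the reverse direction is rejected until a wgserver->lan forwarding (or the reverse traffic rule on router2) exists, and family1 to wg1 ends at the family zone's own forward policy ('REJECT' in the opening post's config), because two networks inside one zone are governed by that zone's forward option rather than by a forwarding section.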