Dual Wireguard servers

I have two WireGuard servers working in my lab setup, tested with my Android phone over an LTE network. Both are connected to the ISP directly.

  1. OpenWRT WG peers
  2. OpenWRT LAN/Wifi users
  3. Fedora WG peers
  4. Fedora VMs

Can 1, 2, 3 and 4 all talk to each other?
How many wg interfaces should I enable on OpenWRT and Fedora? (OpenWRT and Fedora also peer with each other.)

Once IPv4 is working fine, I want to add IPv6 on top, as my ISP also provides me an IPv6-PD via DHCP (which changes very frequently), which I want to assign to the Fedora VMs.

Yes, if you have proper routing and the firewall allows the traffic.

I would have one interface for the remote users and one for the tunnel between the two servers.

Thanks for your suggestions.

I will switch my setup to 2 wg interfaces per server first.

Then I will try to learn how the routing can be done.

Static routes should work fine for you if you don't create loops.


Switched to dual WG interfaces per server now.

  1. The two servers can peer with each other over wg1.
  2. Both servers' wg0 interfaces can accept mobile client connections.

IP Assignment:

               wg1            wg0            LAN/Wifi
  OpenWrt:     .255.254/24    .111.1/24      .1.0/24
  Fedora:      .255.253/24    .222.1/24      n/a

@Fedora, can ping:

  • .111.1 (via the wg0 tunnel)
  • .1.0 subnet clients

@Openwrt, can ping:

  • 192.168.222.1 (via the wg0 tunnel)

Now, when a mobile wg client is connected to OpenWrt wg0 with IP .111.9/24:

@Openwrt can ping .111.9
@Fedora cannot ping .111.9

When the mobile wg client is connected to Fedora wg0 with IP .222.9/24:

@Openwrt cannot ping .222.9
@Fedora can ping .222.9

How can I manually adjust the routing tables to allow the remote WG server to ping local peers?

Make sure that all subnets are allowed in all WireGuard tunnels. Also make sure that either you have checked the WireGuard option to route the subnets, or there are routes on both servers.
If it still doesn't work, post here the output of uci export network; uci export firewall; ip -4 addr; ip -4 ru; ip -4 ro from OpenWrt and the same from Fedora.

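The reply above boils down to a property of WireGuard's cryptokey routing: on each interface, AllowedIPs is a routing table, an outgoing packet goes to the single peer whose entry is the longest match, and it is dropped when no peer matches. The script below is an added example, not code from this thread or from the WireGuard project; it models the IP plan posted above (assuming everything sits under 192.168.0.0/16, since the posts only give the last octets, and that each server's wg1 peer entry is keyed by the other server's wg1 address), shows one configuration that reproduces the ".1.x works, .111.9 does not" symptom, computes the AllowedIPs and static routes each server needs, and flags the silent conflict that occurs when two peers on one interface claim the same prefix. The peer names, the phone's /32 and the "before" configuration are constructed for illustration.

```python
"""Cryptokey-routing check for the two-server WireGuard layout in this thread.

Added example, not code from the thread. Assumed: all subnets sit under
192.168.0.0/16 (the posts only give the last octets), phones get a /32 in the
server's wg0 subnet, and each server's wg1 peer entry is keyed by the other
server's wg1 address.

WireGuard's AllowedIPs is a per-interface routing table: an outgoing packet goes
to the one peer whose entry is the longest match and is dropped when no peer
matches. A prefix can belong to only one peer per interface; listing it under a
second peer silently takes it away from the first.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
Iface = Dict[str, List[str]]  # peer name -> AllowedIPs prefixes, for one interface


def build_table(iface: Iface) -> List[Tuple[Net, str]]:
    """Flatten one interface's peers into (prefix, peer) rows, longest prefix first,
    refusing a prefix that appears under two different peers."""
    owner: Dict[Net, str] = {}
    for peer, prefixes in iface.items():
        for p in prefixes:
            net = ipaddress.ip_network(p, strict=False)
            if net in owner and owner[net] != peer:
                raise ValueError(f"{net} is listed under both {owner[net]} and {peer}")
            owner[net] = peer
    return sorted(owner.items(), key=lambda row: row[0].prefixlen, reverse=True)


def has_conflict(iface: Iface) -> bool:
    """True when two peers on the same interface claim the same prefix."""
    try:
        build_table(iface)
    except ValueError:
        return True
    return False


def lookup(iface: Iface, dst: str) -> Optional[str]:
    """Peer that WireGuard would hand a packet for dst to, or None (dropped)."""
    addr = ipaddress.ip_address(dst)
    for net, peer in build_table(iface):
        if addr in net:
            return peer
    return None


def allowed_ips_for(remote_wg1_ip: str, remote_subnets: List[str]) -> List[str]:
    """AllowedIPs one server needs in its wg1 entry for the other server: that
    server's wg1 address plus every subnet that is only reachable through it."""
    entries = [f"{ipaddress.ip_address(remote_wg1_ip)}/32"]
    entries += [str(ipaddress.ip_network(s, strict=False)) for s in remote_subnets]
    return entries


def static_routes(wg1_allowed: List[str], local_nets: List[str]) -> List[str]:
    """'ip route' lines for the wg1 AllowedIPs that are not directly connected.
    Only needed when the tunnel is not set to install routes from AllowedIPs."""
    local = [ipaddress.ip_network(n, strict=False) for n in local_nets]
    cmds = []
    for p in wg1_allowed:
        net = ipaddress.ip_network(p, strict=False)
        if not any(net.subnet_of(l) for l in local):
            cmds.append(f"ip route add {net} dev wg1")
    return cmds


# Constructed from the thread's IP plan: subnets each server is directly on.
OPENWRT_LOCAL = ["192.168.1.0/24", "192.168.111.0/24", "192.168.255.0/24"]
FEDORA_LOCAL = ["192.168.222.0/24", "192.168.255.0/24"]

# One configuration that reproduces the symptoms: Fedora's wg1 entry for OpenWrt
# carries the LAN but not the wg0 client subnet, so .1.x works and .111.9 does not.
FEDORA_WG1_BEFORE: Iface = {"openwrt": ["192.168.255.254/32", "192.168.1.0/24"]}
# Same entry with every subnet behind OpenWrt, as the reply recommends.
FEDORA_WG1_AFTER: Iface = {
    "openwrt": allowed_ips_for("192.168.255.254", ["192.168.1.0/24", "192.168.111.0/24"])
}
# The mirror image on OpenWrt: everything behind Fedora (VM subnets would be appended).
OPENWRT_WG1: Iface = {"fedora": allowed_ips_for("192.168.255.253", ["192.168.222.0/24"])}


def phone_reachability() -> Tuple[Optional[str], Optional[str]]:
    """Where Fedora sends a packet for the phone before and after the fix."""
    return (lookup(FEDORA_WG1_BEFORE, "192.168.111.9"),
            lookup(FEDORA_WG1_AFTER, "192.168.111.9"))


if __name__ == "__main__":
    print("phone via Fedora wg1, before/after:", phone_reachability())
    print("routes on Fedora:", static_routes(FEDORA_WG1_AFTER["openwrt"], FEDORA_LOCAL))
    print("routes on OpenWrt:", static_routes(OPENWRT_WG1["fedora"], OPENWRT_LOCAL))
    # Copy-pasted phone entries that reuse one address are a silent AllowedIPs conflict.
    print("duplicate /32 on wg0:", has_conflict({"phone-a": ["192.168.111.9/32"],
                                                  "phone-b": ["192.168.111.9/32"]}))
```

The same AllowedIPs rule applies in the other direction: the phone's own config must list the remote server's subnets (or 0.0.0.0/0) or its replies never enter the tunnel, and the OpenWrt "route allowed IPs" option is just the automatic form of the static_routes output above.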

In my test setup, when using only the two default firewall zones, wan & lan on OpenWRT and external/home on Fedora, peers of OpenWRT and Fedora can ping each other.

  • It's just that in both peers the Allowed IPs is only 0.0.0.0/0. When I add extra subnets there, ping stops working.

Now I am trying to move the wg0 interface to a firewall zone separate from lan, by creating a new zone wguard, and moving wg1 to a new zone core.

However, after the creation of these two new zones, Wifi clients and LAN clients cannot get DHCP offers from OpenWRT.

Now, at OpenWRT, I removed wg0, wg1, core and wguard. DHCP offers are working again.

Next I will redo wg0 / wg1 with dedicated firewall zones one by one.