I've got an AC1200 that I want to set up as a wireless access point with a VPN. It's connected to my main router using a LAN port. I can see that data is exchanged over the WireGuard interface, and I can connect to the Wi-Fi connection from the laptop, but I think that I don't get an IP address. The error says:
Your Mac successfully joined the Wi-Fi network, but cannot reach the internet.
If this is your Wi-Fi network, try restarting the modem and router, or contact your ISP.
There is a lot wrong here. If I had USD 0.05 for every `list dns` or `option gateway` that a newbie thinks is going to solve the problem...
The best way to do this is to build a lan-wan router first then follow the numerous directions for making a simple "whole house" VPN client out of that. It does not matter that the wan will not be directly connected to the ISP. Everything on the wan side including your home network will be viewed as part of the Internet to the second router / VPN server.
You can make a wan bridge and place an AP into it to have "dumb AP" functionality. Users of that AP will be part of the home network and not subject to OpenWrt's firewall or VPN.
I've made an attempt at the wan-lan setup, using a combination of this Reddit post and this OpenWrt/WireGuard howto from Surfshark. The status is now that I can connect to the wlan if I have a static route (target 0.0.0.0/0, gateway 192.168.0.1). The WireGuard connection is sending / receiving packets, but I can't work out how to send traffic via the VPN. I have tried:
- Adding the routes that are at the bottom of the config file below (they are now disabled, they weren't then)
- Changing the firewall settings as suggested in the howto
I have got it working. I watched this guy's video: https://www.youtube.com/watch?v=04q41GEPvKA and went through everything that he went through. I think the change that made it work was adding the custom DNS server from the WireGuard config file to the WAN connection.
Thanks to everyone who read this and especially those who took the time to reply.
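An added example, not part of the thread or of any poster's configuration: a small audit of OpenWrt UCI text for the settings a lan-wan "whole house" WireGuard client depends on (default route through the tunnel, masquerading on the tunnel zone, lan-to-tunnel forwarding, no lan-to-wan bypass, custom DNS on wan). The interface name `wg0`, the zone names `lan`/`wan`/`vpn` and the resolver address are constructed placeholders, and zone membership is assumed to use the `list network` form.

```python
import re

# Constructed /etc/config/{network,firewall} excerpt; addresses and zone names are placeholders.
SAMPLE = """
config interface 'wan'
    option proto 'dhcp'
    option peerdns '0'
    list dns '10.64.0.1'
config interface 'wg0'
    option proto 'wireguard'
config wireguard_wg0
    list allowed_ips '0.0.0.0/0'
    option route_allowed_ips '1'
config zone
    option name 'vpn'
    list network 'wg0'
    option masq '1'
config forwarding
    option src 'lan'
    option dest 'vpn'
"""

def parse_uci(text):  # one dict per "config" section; "list" keys collect into lists
    sections = []
    for m in re.finditer(r"^\s*(config|option|list)\s+(\S+)[ \t]*(.*)$", text, re.M):
        kind, key, val = m[1], m[2], m[3].strip().strip("'\"")
        if kind == "config":
            sections.append({"_type": key, "_name": val})
        elif sections and kind == "option":
            sections[-1][key] = val
        elif sections:
            sections[-1].setdefault(key, []).append(val)
    return sections

def audit(text):  # returns a list of findings; empty means every check passed
    s = parse_uci(text)
    wg = {x["_name"] for x in s if x["_type"] == "interface" and x.get("proto") == "wireguard"}
    peers = [x for x in s if x["_type"].startswith("wireguard_")]
    zones = [z for z in s if z["_type"] == "zone" and wg & set(z.get("network", []))]
    fwd = {(f.get("src"), f.get("dest")) for f in s if f["_type"] == "forwarding"}
    wan = next((x for x in s if x["_type"] == "interface" and x["_name"] == "wan"), {})
    checks = [  # (condition that must hold, finding reported when it does not)
        (any("0.0.0.0/0" in p.get("allowed_ips", []) and p.get("route_allowed_ips") == "1"
             for p in peers), "no peer installs a default route through the tunnel"),
        (any(z.get("masq") == "1" for z in zones), "tunnel zone has no masquerading"),
        (any(("lan", z.get("name")) in fwd for z in zones), "no lan -> tunnel zone forwarding"),
        (("lan", "wan") not in fwd, "lan -> wan forwarding lets clients bypass the tunnel"),
        (wan.get("peerdns") == "0" and bool(wan.get("dns")), "wan has no custom DNS resolver set"),
    ]
    return [msg for ok, msg in checks if not ok]
```

To check a real router, pass the concatenated contents of `/etc/config/network` and `/etc/config/firewall` to `audit()`.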