Firewall for Wireguard using a NAT, and OpenWRT as secondary router

Hi, all

I'm having trouble configuring a VPN using Wireguard on my router. So first, what do I have?

My ISP gives me a crappy router (let's call it Gateway) with very little room for hacking, so I have a second one, where I have OpenWRT (let's call it Router). Router is connected to Gateway using a LAN port, so Gateway is 192.168.1.1 and Router is 192.168.1.2.

Wireguard is installed and working on Router, and accessible from WAN using the NAT in Gateway. I can connect from outside using my phone. The Wireguard network is currently 192.168.42.0/24.

So now, what do I want? I have servers on other devices (192.168.1.X) and I want them to be accessible through the VPN.

The solution I think is more practical is to use a NAT in Router so that packets coming from the Wireguard network are rewritten as coming from Router.

I've managed to do this setup in a Debian VM using nftables (copying and messing with a config I found online, I'm not experienced with networks), so I know it is doable. But I don't know how to replicate it in OpenWRT. I've tried tinkering around the firewall settings but I don't fully understand what I'm doing.

Can anybody help me? I can provide more info if necessary.

Thanks in advance and thanks for your work on OpenWRT.

Ensure the VPN network is in its own firewall zone. Turn on masquerading on that zone.

I had already set it like that, but thanks for confirming that was correct. I've kept messing with the firewall and finally got it to work. I had to add a traffic rule to allow packets to go from the vpn zone to the lan zone, and a NAT rule from any zone to the lan zone.

In my previous attempts I tried to restrict the NAT to work only from vpn to lan, but that didn't work (I'm not even sure if it is possible to set in the GUI), and as I don't use wan in this router it doesn't really matter.
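The working setup described above, written out as an `/etc/config/firewall` fragment. This is an added example, not configuration posted in the thread; the WireGuard interface name `wg0` and the zone name `vpn` are assumptions. Note that OpenWrt applies zone masquerading to packets *leaving* through a zone, which is why the NAT has to sit on the lan side rather than on the vpn zone, and a `src_ip` match gives the vpn-only restriction the GUI made hard to find.

```uci
# /etc/config/firewall (fragment), constructed for this example.
# Assumed names: WireGuard interface 'wg0', firewall zone 'vpn'.
# Addresses are the ones from the thread: VPN 192.168.42.0/24, lan 192.168.1.0/24.

# 1. The WireGuard interface gets its own zone.
#    'masq' is deliberately NOT set here: masquerading on a zone rewrites
#    packets leaving through that zone, so it would not affect traffic
#    heading towards the lan devices.
#    input ACCEPT lets VPN clients reach Router itself (ssh, LuCI);
#    change it to REJECT if only the lan servers should be reachable.
config zone
	option name 'vpn'
	list network 'wg0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# 2. Allow forwarding from the vpn zone into the lan zone
#    (the "traffic rule" from the thread; forwarding is the UCI equivalent).
config forwarding
	option src 'vpn'
	option dest 'lan'

# 3. Source NAT on the lan (egress) side, limited to packets that came in
#    from the WireGuard network, so lan-to-lan traffic stays untouched.
#    'src' here is the outbound zone, as LuCI labels it.
config nat
	option name 'snat-vpn-to-lan'
	option src 'lan'
	option src_ip '192.168.42.0/24'
	option dest_ip '192.168.1.0/24'
	option proto 'all'
	option target 'MASQUERADE'
```

After editing the file, apply it with `/etc/init.d/firewall restart`; the lan servers will then see VPN connections as coming from 192.168.1.2, so no static route back to 192.168.42.0/24 is needed on Gateway or on the servers.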
