Help with getting access to home network using openvpn via wireguard

Looking for some help with getting access to my home network, which is running OpenWrt with an OpenVPN connection to a paid VPN, from WireGuard on my Android phone.

e.g.

Phone running Wireguard > OpenWRT running OpenVPN to WAN

I have installed WireGuard on OpenWrt and on the phone using this guide https://www.reddit.com/r/openwrt/comments/bahhua/openwrt_wireguard_vpn_server_tutorial/ and I can connect to my home router externally only when my OpenVPN connection on the router is disconnected.

I am a very basic user and would like to know what additional settings I have to change to allow WireGuard to connect to my OpenVPN router while it's running a private VPN to the internet, and while not running the VPN, please. Any help would be appreciated. Thanks in advance.

Roland.


Thanks for the quick reply. I'm a basic user, so I need a little help with what to put where, if possible, please. I have installed the suggested packages but am a bit clueless about what to change to get what I need working.

Service Gateways

wan/pppoe-wan/195.166.130.255
OpenVPN/tun0/10.8.0.32 ✓
wg0/10.14.0.1

What would I need to put in the following fields?

Name Local addresses / devices Local ports Remote addresses / domains Remote ports Interface

Roland.

Disable gateway redirection in the OVPN client:

Then create the following policies preserving the order:

  • Ignore traffic which destination matches LAN or WG subnets.
  • Route everything from LAN or WG subnets to OVPN.

Hi vgaetera,

Thanks, I have added the correct setting to the OpenVPN client.

I think I am a more basic user than you think, and don't understand how to create the policies you recommend and what to put in them. I can provide all details if you can help, please?

My home LAN uses range 192.168.20.175-199
My WG subnet I assume is 10.14.0.1?

I am not very good with networking, so I'm unsure what to put in each field for the policy. Sorry if I'm being a bit thick.

Roland.

# Install the policy-routing package and enable it
opkg update
opkg install vpn-policy-routing
uci set vpn-policy-routing.config.enabled="1"
uci set vpn-policy-routing.config.webui_show_ignore_target="1"
uci -q delete vpn-policy-routing.config.dest_ipset
# Remove any existing policies, then recreate them in order (first match wins)
while uci -q delete vpn-policy-routing.@policy[0]; do :; done
# 1. Ignore traffic destined for the LAN or WireGuard subnets
uci add vpn-policy-routing policy
uci set vpn-policy-routing.@policy[-1].interface="ignore"
uci set vpn-policy-routing.@policy[-1].dest_addr="192.168.20.0/24 10.14.0.0/24"
# 2. Bypass the VPN for one LAN host (example source address)
uci add vpn-policy-routing policy
uci set vpn-policy-routing.@policy[-1].interface="ignore"
uci set vpn-policy-routing.@policy[-1].src_addr="192.168.20.123"
# 3. Route everything else from the LAN and WireGuard subnets via OpenVPN
uci add vpn-policy-routing policy
uci set vpn-policy-routing.@policy[-1].interface="OpenVPN"
uci set vpn-policy-routing.@policy[-1].src_addr="192.168.20.0/24 10.14.0.0/24"
# Save and apply
uci commit vpn-policy-routing
/etc/init.d/vpn-policy-routing restart

https://openwrt.org/docs/guide-quick-start/sshadministration

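A small POSIX shell model of the three ordered policies above, added here as an example (not part of vgaetera's post or of the vpn-policy-routing package): it uses the thread's LAN 192.168.20.0/24, WireGuard 10.14.0.0/24 and bypass host 192.168.20.123, evaluates constructed flows in policy order, and shows why the "ignore" policies must come before the OpenVPN one.

```shell
#!/bin/sh
# Model of the ordered vpn-policy-routing policies from the thread; runs on
# any POSIX sh (no uci needed). Addresses are the thread's values, the test
# flows are constructed.
LAN_NET="192.168.20.0/24"
WG_NET="10.14.0.0/24"
BYPASS_HOST="192.168.20.123"   # LAN host that must bypass the VPN

# Convert a dotted-quad IPv4 address to an integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed if address $1 lies inside CIDR network $2.
in_cidr() {
    _net="${2%/*}"; _bits="${2#*/}"
    _mask=$(( (0xFFFFFFFF << (32 - _bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & _mask )) -eq $(( $(ip2int "$_net") & _mask )) ]
}

# Succeed if $1 is in the LAN or the WireGuard subnet.
in_local_nets() { in_cidr "$1" "$LAN_NET" || in_cidr "$1" "$WG_NET"; }

# Evaluate the policies top to bottom; the first match wins.
# usage: route_for SRC DST [vpn-first]   (vpn-first = the wrong order)
route_for() {
    if [ "$3" = "vpn-first" ] && in_local_nets "$1"; then echo OpenVPN; return; fi
    # 1. ignore: destination is LAN or WireGuard, keep the main routing table
    if in_local_nets "$2"; then echo ignore; return; fi
    # 2. ignore: the bypass host goes straight out via the WAN
    if [ "$1" = "$BYPASS_HOST" ]; then echo ignore; return; fi
    # 3. everything else from LAN or WireGuard goes through the OpenVPN tunnel
    if in_local_nets "$1"; then echo OpenVPN; return; fi
    echo default   # no policy matched: normal routing applies
}

for flow in "10.14.0.2 192.168.20.50" "10.14.0.2 1.1.1.1" \
            "192.168.20.123 1.1.1.1" "192.168.20.50 1.1.1.1"; do
    set -- $flow
    printf '%-15s -> %-15s %s\n' "$1" "$2" "$(route_for "$1" "$2")"
done
# With the OpenVPN policy first, phone-to-LAN traffic would be forced into the tunnel:
printf 'wrong order: %s\n' "$(route_for 10.14.0.2 192.168.20.50 vpn-first)"
```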

Hi vgaetera,

Thanks very much for the suggestions and quick replies, much appreciated.

I have added all your settings with no errors reported. I now can connect via WireGuard on the phone to my router when the VPN is activated, but when I check my IP address on both the LAN and the phone they are showing my ISP WAN address, not the VPN. Do I need to do anything more, or what could I have done wrong for this to happen?

Roland.

Hi vgaetera,

I think I have worked out why it's now not working: I was also running VPN Bypass, and have now disabled it, and VPN and WAN Policy-Based Routing is now working correctly. I just need to work out how I can do what VPN Bypass was doing using VPN and WAN Policy-Based Routing, it seems. All I now need to do is work out how to exclude certain LAN IP addresses so they bypass the VPN.

Thanks!!

Roland.


I added an example policy to bypass the VPN for a custom source IP.


Wow, you are a star :clap:. Thanks very much.

I have one minor issue to resolve, which is that when the VPN is not connected my internal network can't connect to the internet. Is there a way around this, as my internal DNS then ceases to function, and I still want my DNS traffic to go through the VPN once it is connected? What happens is that if I reboot the router for a prolonged period of time the VPN won't come back up, as the internal DNS server is trying to get the address of the VPN but can't, because there is no internet until the VPN is up, ad infinitum.

Thanks again :slight_smile:

Roland.


You can use the split DNS approach:


Thanks :+1:, that would be an option, and I sort of get where you're coming from with the suggestion, but I currently use Pi-hole as my solution and that provides all my DNS/DHCP needs at present, and I don't really want to change anything with that for now if I can help it.

I may have to go with your suggestion if I can't find a way around it, though, as if the VPN goes down for some time I think my internet will be down until I intervene and disable the VPN / VPN routing until the Pi-hole is able to resolve addresses via the internet again to get the VPN address, and then re-enable everything. But that would be unhelpful if I was accessing remotely :laughing:

Thanks again for everything.

Edit: I think I was being a bit stupid, as well as not explaining myself properly, as the functionality I was after was just to disable the strict enforcement option in VPN routing :joy:

Roland.
