I've set up my home network with three OpenWrt routers: one that connects to the Internet and provides a normal wifi access point. Connected to this router are two additional routers that each tunnel their whole traffic through WireGuard, and each of them has their own wifi network.
Now what I'd like to set up is a home network, where I can communicate freely between those three routers and the clients at home.
But I really have no clue how to manage it. I've tried to use PBR for this, but I'm simply overstrained by it - I don't really get how to use it.
What do I need to make this happen?
Are all of these routers running OpenWrt?
Yes, all of them are running OpenWrt
Ok... how are they connected? Is the connection from router 1 to routers 2 and 3 LAN > WAN, or LAN > LAN?
I set them up like this:
Internet > WAN Router 1 LAN > WAN Router 2/3
Ok... so what you have on routers 2 and 3 is double NAT... although it is irrelevant because of the VPN tunnel.
What you can do is add routes on router 1 and update the firewalls on routers 2 and 3 to allow traffic to flow.
If router 1 is 192.168.1.1
and then router 2 is 192.168.1.2 (WAN), 192.168.2.1/24 (LAN)
and finally router3 is 192.168.1.3 (WAN), 192.168.3.1/24 (LAN)
router 1 would need static routes as follows:
network 192.168.2.0/24 via 192.168.1.2
network 192.168.3.0/24 via 192.168.1.3
(optionally, you can put static routes in routers 2 and 3 to point to the other router)
Then you would turn off masquerading on routers 2 and 3 for the WAN zone. Then add zone forwarding rules from WAN > LAN for those routers, too.
Now, the WireGuard tunnels' allowed IPs may need to be updated to exclude the two upstream networks, so !192.168.0.0/16 would do the trick here, or you may want to do VPN PBR.
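As an added example (not from this thread or from OpenWrt's own documentation), this is how the routes and firewall changes suggested in the reply above look in OpenWrt's UCI config files. The addresses are the ones given in the reply; the interface and zone names (lan, wan) are the OpenWrt defaults and are assumed. The allowed_ips/PBR part is not shown.

```uci
# --- /etc/config/network on router 1 (192.168.1.1) ---
# Static routes so router 1 knows the two downstream LANs sit behind
# the WAN addresses of routers 2 and 3 on its own LAN.
config route
	option interface 'lan'
	option target '192.168.2.0/24'
	option gateway '192.168.1.2'

config route
	option interface 'lan'
	option target '192.168.3.0/24'
	option gateway '192.168.1.3'

# --- /etc/config/firewall on router 2 (identical on router 3) ---
# WAN zone with masquerading turned off: packets towards router 1's LAN
# keep their real 192.168.2.x source address, and router 1's static
# route above brings the replies back. Remaining options are the
# OpenWrt defaults.
config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '0'
	option mtu_fix '1'

# Let traffic arriving from the router-1 side (WAN zone) be forwarded
# into this router's LAN. The existing lan -> wan forwarding is kept.
config forwarding
	option src 'wan'
	option dest 'lan'
```

After `/etc/init.d/network restart` and `/etc/init.d/firewall restart`, `ip route` on router 1 should list the two 192.168.x.0/24 routes. Note that the zone-wide `forwarding` section opens router 2's and 3's LANs to every host on router 1's LAN, including the normal wifi clients; if only specific hosts should get in, drop that section and use a `config rule` with `option src 'wan'`, `option dest 'lan'` and an `option src_ip` restricted to those hosts instead.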
Ah, great, thanks.
But how do I exclude 192.168.0.0/16 from the allowed_IPs in WireGuard?
I believe you can put the "!" symbol (logical not) in the allowed IPs field:
So, your allowed IPs would have two entries (assuming you're sending all traffic except for the 192.168.0.0/16 range):
Or in the network file, you'd see this...
list allowed_ips '!192.168.0.0/16'
list allowed_ips '0.0.0.0/0'
Sadly, this doesn't work in WireGuard.
I can't add it via LuCI, and adding it via the terminal just stops the interface.
Just tried it myself, and it does indeed cause the entire interface to fail. Bummer. So you could list all of the ranges that exclude it (a much longer list), or just use PBR.
This should work with conventional routing.
The WireGuard allowed IP list controls incoming packets. So since you're using WireGuard for the whole Internet, set it to 0.0.0.0/0.
Do not set WireGuard "route allowed IPs". Install all routes directly:
On routers 2 and 3 you need:
- Route to router 1 LAN (inherent when setting up the WAN interface)
- Route to the other sub router's LAN via gateway of that router's IP on the router 1 LAN.
- Route to the WireGuard peer's public IP via gateway of router 1.
- Route to the WireGuard tunnel IPs.
- Default route to the rest of the Internet -- gateway is the server's IP in the WireGuard tunnel.
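The five routes listed above, written out as an added example of a `/etc/config/network` for router 2 (this is not from the thread, and router 3 is the same with .2 and .3 and the 192.168.2.x/192.168.3.x networks swapped). Assumed values: the tunnel is 10.0.0.0/24 with the server at 10.0.0.1 and this router at 10.0.0.2, the server's public endpoint is 203.0.113.10:51820 (documentation range), the keys are placeholders, and the device names (br-lan, wan) are OpenWrt defaults. Firewall zones for the tunnel are not shown.

```uci
# /etc/config/network on router 2

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

# WAN towards router 1's LAN. Deliberately no 'gateway': this interface
# only provides the connected route to 192.168.1.0/24 (route 1 in the
# list); the default route is installed via the tunnel below.
config interface 'wan'
	option device 'wan'
	option proto 'static'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'

# WireGuard interface. The assumed tunnel address 10.0.0.2/24 creates
# the connected route to the tunnel IPs (route 4 in the list).
config interface 'wg0'
	option proto 'wireguard'
	option private_key 'PLACEHOLDER_PRIVATE_KEY'
	list addresses '10.0.0.2/24'

# Peer: allowed_ips stays 0.0.0.0/0 (what the server may send us),
# and route_allowed_ips '0' keeps OpenWrt from installing a route from
# it, so the static routes below decide where traffic goes.
config wireguard_wg0
	option public_key 'PLACEHOLDER_SERVER_PUBLIC_KEY'
	option endpoint_host '203.0.113.10'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	option route_allowed_ips '0'
	list allowed_ips '0.0.0.0/0'

# Route 2: the other sub router's LAN, via that router's address on
# router 1's LAN.
config route
	option interface 'wan'
	option target '192.168.3.0/24'
	option gateway '192.168.1.3'

# Route 3: the WireGuard server's public IP goes through router 1,
# never through the tunnel it carries.
config route
	option interface 'wan'
	option target '203.0.113.10/32'
	option gateway '192.168.1.1'

# Route 5: everything else enters the tunnel; the gateway is the
# server's tunnel-side address.
config route
	option interface 'wg0'
	option target '0.0.0.0/0'
	option gateway '10.0.0.1'
```

After `/etc/init.d/network restart`, `ip route` on router 2 should show exactly one default route, via 10.0.0.1 on wg0, plus the /32 to the endpoint via 192.168.1.1. Because the WAN interface carries no default route of its own, clients behind router 2 lose Internet access rather than falling back to plain routing via router 1 if the tunnel is down, which is the behaviour you want from a "tunnel everything" router.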