/etc/config/network

config interface 'wg0'
	option proto 'wireguard'
	option private_key '*'
	option listen_port '51871'
	list addresses '10.0.0.1/24'
	list addresses 'fdc9:281f:04d7:9ee9::1/64'

config wireguard_wg0
	option description 'Peer_A'
	option public_key '*'
	list allowed_ips '10.0.0.2/32'
	list allowed_ips '10.10.10.0/24'
	list allowed_ips 'fdc9:281f:04d7:9ee9::2/128'

config wireguard_wg0
	option description 'Peer_B'
	option public_key '*'
	option endpoint_host '*.*.*.*'
	option endpoint_port '51871'
	list allowed_ips '10.0.0.3/32'
	list allowed_ips 'fdc9:281f:04d7:9ee9::3/128'
	option route_allowed_ips '1'

config wireguard_wg0
	option description 'Peer_C'
	option public_key '*'
	list allowed_ips '10.0.0.4/32'
	list allowed_ips 'fdc9:281f:04d7:9ee9::4/128'
	option endpoint_host '*.*.*.*'
	option endpoint_port '51871'
	option route_allowed_ips '1'

config wireguard_wg0
	option description 'Peer_D'
	option public_key '*'
	list allowed_ips '10.0.0.5/32'
	list allowed_ips 'fdc9:281f:04d7:9ee9::5/128'
	option route_allowed_ips '1'
/etc/config/firewall

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wg0'

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51871'
	option proto 'udp'
	option target 'ACCEPT'

config nat
	option name 'WG0'
	list proto 'udp'
	option src 'lan'
	option target 'MASQUERADE'
	option device 'br-lan'
	option dest_ip '10.0.0.0/24'
ip route

default via *.*.*.* dev pppoe-wan proto static
10.0.0.0/24 dev wg0 proto kernel scope link src 10.0.0.1
10.0.0.3 dev wg0 proto static scope link
10.0.0.4 dev wg0 proto static scope link
10.0.0.5 dev wg0 proto static scope link
10.10.10.0/24 dev br-lan proto kernel scope link src 10.10.10.1
*.*.*.* via *.*.*.* dev pppoe-wan proto static
*.*.*.* via *.*.*.* dev pppoe-wan proto static
*.*.*.* dev pppoe-wan proto kernel scope link src *.*.*.*
Essentially, while I can successfully ping 10.0.0.3 from the router, my computer located within br-lan is unable to do so.
I attempted to add 10.10.10.0/24 to the allowed_ips for peer c, but it seems to cause network outages due to route_allowed_ips. Disabling route_allowed_ips doesn't appear to help me achieve the desired outcome.
Would manual configuration of a static routing table be necessary?
My PC's IP is 10.10.10.10. The subnet of all peers is 24.
I want to connect the endpoint_host of multiple peers.
It's basically a LAN device that I can access in a non-LAN environment.
It seems that address translation must be done, and I ran some tests and it worked well.
br-lan IP: 10.10.10.0/24
wg peer IP: 10.0.0.0/24
It seems that my wording was a bit off: it is site-to-point rather than site-to-site.
Basically, my other peers are servers, not routers, so I don't need extra NAT. Only the Peer in my own home is the router, so I made NAT to facilitate other peers to access the LAN device in my own home, but I also hope that I can access other peers in my home LAN.
If the WG peers are just simple clients like a phone or laptop, you only need the WG peer address, e.g. 10.0.0.4/32.
If the WG client is a router and you want to connect to the clients of that router from the server side then you can disable NAT on that WG client and add the subnet of that client as allowed IPs.
Note that all subnets need to be unique!
In these cases you can also set the endpoint and endpoint port to the other site, but it is not necessary, as the other side will start the tunnel and keep it open with PersistentKeepalive. So for simplicity do not set an endpoint.
The above is often referred to as a site-to-site setup.
In all cases you need to enable route allowed IPs.
About your WG peers: they will all have access to all your local LAN clients, as the WG interface is in the LAN zone. But the WG peers have their own WG address, which is outside the local LAN (and it should be), and most of your LAN clients will have their own firewall, which blocks traffic not originating from their own local subnet and so will block traffic from the WG peers.
To deal with this you can either tweak the firewall of the LAN clients or choose the easy way out and that is enabling MASQUERADING on the LAN zone.
I disabled the route_allowed_ips option for all peers and opted to manually create a static route. I discovered that when I intended to allow the peer to access 10.10.10.0/24, route_allowed_ips was disrupting my network.
config nat
	option name 'WG0'
	list proto 'udp'
	option src 'lan'
	option target 'MASQUERADE'
	option device 'br-lan'
	option dest_ip '10.0.0.0/24'
Of course it disrupts your network as that is the subnet of your own lan.
There is no need to set any static routes as the routes are set by enabling Route Allowed IPs.
But you have to set the right subnets, as I tried to explain to you a few times, but apparently I miserably failed.
So, last attempt: in the Allowed IPs of the peer section you place the address of the WG interface, like you are doing, and if the other side is a router or VPS etc. with a fixed IP address and subnet, you place this subnet in the Allowed IPs.
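As an added example that is not part of this thread, the two rules stated above (allowed IPs must be unique across peers, and must not contain the router's own LAN subnet) as a small checker over an OpenWrt /etc/config/network file. The minimal UCI parser and the sample config are constructed here, modelled on the poster's file with keys omitted; the LAN subnet is passed in by hand.

```python
import ipaddress
import re

# Constructed sample modelled on the thread's config: Peer_A lists the router's own
# LAN 10.10.10.0/24 in allowed_ips, and Peer_C repeats Peer_B's WG address.
NETWORK_CONFIG = """
config interface 'wg0'
    list addresses '10.0.0.1/24'
config wireguard_wg0
    option description 'Peer_A'
    list allowed_ips '10.0.0.2/32'
    list allowed_ips '10.10.10.0/24'
config wireguard_wg0
    option description 'Peer_B'
    list allowed_ips '10.0.0.3/32'
    option route_allowed_ips '1'
config wireguard_wg0
    option description 'Peer_C'
    list allowed_ips '10.0.0.3/32'
    option route_allowed_ips '1'
"""

def parse_uci(text):
    """Minimal UCI parser: returns [{'type': ..., 'opts': {key: [values]}}, ...]."""
    sections = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("config "):
            sections.append({"type": line.split()[1], "opts": {}})
        elif (m := re.match(r"(?:option|list)\s+(\S+)\s+'([^']*)'", line)) and sections:
            sections[-1]["opts"].setdefault(m.group(1), []).append(m.group(2))
    return sections

def check_allowed_ips(text, lan_subnets):
    """Flag allowed_ips that overlap the router's LAN or another peer's allowed_ips."""
    lans = [ipaddress.ip_network(s) for s in lan_subnets]
    seen, findings = [], []  # seen: (network, peer) already claimed by a peer
    for sec in parse_uci(text):
        if not sec["type"].startswith("wireguard_"):
            continue  # only peer sections carry allowed_ips
        peer = sec["opts"].get("description", ["?"])[0]
        routed = sec["opts"].get("route_allowed_ips", ["0"])[0] == "1"
        for cidr in sec["opts"].get("allowed_ips", []):
            net = ipaddress.ip_network(cidr, strict=False)
            for lan in lans:
                if net.version == lan.version and net.overlaps(lan):
                    note = " (route_allowed_ips would steer it into wg0)" if routed else ""
                    findings.append(f"{peer}: {cidr} overlaps local LAN {lan}{note}")
            for other, who in seen:
                if other.version == net.version and net.overlaps(other):
                    findings.append(f"{peer}: {cidr} overlaps {other} of {who}")
            seen.append((net, peer))
    return findings
```

Run `check_allowed_ips(open("/etc/config/network").read(), ["10.10.10.0/24"])` on the router to list the offending peers before enabling route_allowed_ips.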
I noticed the presence of the 10.0.0.0/24 dev wg0 proto kernel scope link src 10.0.0.1 routing table. It seems that this routing table is automatically created by OpenWrt after setting up the wg interface, and it appears to be effective. It seems that I no longer require additional routing tables.
Next I want to try to make my soft router work in Docker.