How to set up second router (VPN server) running OpenWrt connected to ISP router

I would like to be able to connect to my home network when I am travelling. Unfortunately, my ISP router does not allow setting up a simple wireguard VPN on it so my only option at this point is to use a second router running openwrt. The ISP router (primary router) needs to be used because it gives functionality to TV boxes etc..I know I will have to port forward from the primary router to the secondary router (openwrt router).

The two routers will be connected this way: Primary router (LAN port) <--> Secondary router (WAN port) via an ethernet cable. If possible, I would like all the firewall functionality to be handled by the primary router as the secondary router is not going to have anything connected to it as it's only purpose is to work as a wireguard server. Or is it easier to have the firewall be handled by the secondary router when I am connected to it via wireguard?

The openwrt router is running 23.05.2. The primary router gateway is 192.168.1.1. I would assume the openwrt needs to be outside the subnet of the primary router, e.g. 192.168.2.1, right? I will be using DDNS on the secondary router to keep track of the ISP IP changes.

I have tried searching how to properly setup the openwrt to achieve my needed functionality but I keep getting confused since I am very new to openwrt.
Are there any instructions that can explain the steps to properly setup the openwrt router the way I needed?

Any help and advice on the best way to setup the openwrt router would be greatly appreciated.

This is really quite simple to accomplish, as long as your primary router allows you to setup port forwarding. and assuming that your primary router's wan has a proper public IP address. Please verify these two things before going any further.

Ideally, if the primary router also exposes the ability to add static routes, you can setup a route for your WG network rather than using masquerading on the OpenWrt device. But this is not a hard requirement.

After verifying the port forwarding and public IP on the primary router, you'll be setting up your OpenWrt router as a 'server' in the "road warrior context." Start from the default config and setup WG. From there, we can take your configs and make a few minor tweaks to get it to work exactly as you've described.

https://openwrt.org/docs/guide-user/services/vpn/wireguard/start

All this looks correct.

The primary router does have a public IP address and does allow port forwarding.

I am not sure what you mean by add static routes...do you mean static lease? Sorry i am extremely new Also, the same goes for masquerading.

No, a static route is instructions about how to route networks that a router doesn't have a direct connection to...

So for example, if your OpenWrt router has an address (via the wan) 192.168.1.5, and behind it (the lan) 192.168.2.0/24, your upstream router has no idea about that 192.168.2.0/24 network. A static route allows us to tell the primary router where to send the data that is destined for the 2.0/24 network. They look like this:

192.168.2.0/24 via 192.168.1.5

This says send traffic for the 2.0/24 network via its gateway which has an address 192.168.1.5 and that device will take care of the rest.

Great explanation! I now understand what you meant.

Unfortunately, I am not sure the primary router allows static route. Also, the less configuration on the primary router i do the better because if i mess up its functionality i will never hear the emd of it from my wife. Is there another way without static routes? I was hoping port forwarding from the main router would be enough.

Yes, we'll use masquerading. It's trivially easy.

Ok thank you. I'll give it a try this weekend when i have time. Will be back if i cant get it to work.

@psherman do you know if the instructions you have listed above have an option for LUCI? I know very little about using the CLI.

Okay here is where I am. I have connected the router this way (primary LAN to secondary router WAN). I have forwarded a port from the primary router to the secondary router (used port 443 UDP). When on my laptop, connected via wifi and Ethernet cable connected to secondary router, I can connect to both routers but their IP address (192.168.1.1 and 192.168.2.1).

I installed wireguard and created peers. But when I try to connect to the home network from my android phone (wifi is off) it does not work.

I have attached picture of my current setup. Are you able to help me to see where I messed up?

FireWall Zones2871×897 117 KB

Firewall-PortFoward2877×978 143 KB

Interfaces3025×1858 365 KB

Interface-WireguardVPN2185×1951 241 KB

Interface-WireguardVPN-Firewall2781×696 96.6 KB

Interface-WireguardVPN-Peers2668×975 145 KB

I can already see one potential issue, but let's see the text configs and I can gather more context:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall

"kernel": "5.15.137",
        "hostname": "OpenWrt",
        "system": "Qualcomm Atheros QCA956X ver 1 rev 0",
        "model": "TP-Link Archer C7 v5",
        "board_name": "tplink,archer-c7-v5",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.2",
                "revision": "r23630-842932a63d",
                "target": "ath79/generic",
                "description": "OpenWrt 23.05.2 r23630-842932a63d"

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd6a:XXXX:XXXX:/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'eth0.2'
        option macaddr '98:XX:XX:XX:XX:XX'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 0t'

config interface 'WireGuardHome'
        option proto 'wireguard'
        option private_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXX'
        list addresses '192.168.3.1/24'
        option listen_port '51820'

config wireguard_WireGuardHome
        option description 'HomeCanada'
        option public_key 'XXXXXXXXXXXXXXXXXXXXXXXXXX'
        option private_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        option preshared_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        list allowed_ips '192.168.3.2/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

root@OpenWrt:~# 

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'WireGuardHome'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'WireGuardHome'
        list proto 'udp'
        option src 'wan'
        option src_dport '51820'
        option dest_ip '192.168.3.1'
        option dest_port '51820'

root@OpenWrt:~# 

I believe I was able to redact all private information. Please let me now if I missed any.

Remove this rule

Replace with a simple traffic rule:

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

The port forward on the primary router should be forwarding port 51820 to the WAN address of the OpenWRT router (192.168.1.5 ?)

After making the changes reboot the router and try again, test from outside your network e.g. with your phone on cellular, the endpoint address should be the public WAN ip address of your ISP router (does it actually has a public WAN ip address?)

If that does not work enable wifi on your phone connect to the ISP router and use the WAN ip address of the OpenWRT router (192.168.1.5?) as endpoint.

How do i remove this as recommend? In the cli? Is there a way to do it in LUCI?

Same thing, is there a way to do it in LUCI?
I ask because i am really not good at the cli.

Remove the rule you created in Luci, add in the Firewall a Traffic Rule like this:

afbeelding1325×718 42 KB

Assuming you use windows install winSCP and you can easily view your files and edit those

Save and Apply and reboot the router and try again

Just changing the port forwarding from the primary router from 443 to 51820 fixed the issue. When on my android phone running on cellular connection I am able to see Rx Tx data working and I am to login to luci. I believe that means it is working, right?

There shouldn't be any issues with current configuration, right? Or do you think I will run into problems because of double NAT? Asking for anyone in the future who might find this thread and for myself as well

I didn't change the rules as recommended because I was in the middle of changing the port forwarding as recommended prior to seeing your explanation on the about changing the rules on LUCI. Should I still change the rule?

Yes better change it as it can be problematic in the future.

Double NAT is really not a problem, so no worries

I will go ahead and create that rule as recommended. However, i do not see where to remove that rule you listed should be removed ( I have not created any rules as far as i know sonce i started this morning).

This rule is listed so must have been created.

You should find it in Luci under Firewall > Port Forwards

All done. As you can see I very new to openwrt. I am considering switching to it from ddwrt since i am having some issues after years of running successfully on my router. I just see that there is a much large learning curve.

I asked about the double nat because when doing research for what i was trying to do, everywhere it said that double nat would be an issue and that i wouldn't be able to connect to the primary router and vice versa but currently i am lol. Did i just get lucky?

Double NAT itself is not a big issue.

You can always connect from downstream to upstream so from OpenWRT router you can connect to ISP router but only by IP address as there is no network discovery between subnets.

From upstream to downstream you need two things, open up the firewall of the OpenWRT router and set a static route either on the ISP router (the recommended way) or if that is not possible on the individual clients.

But if you are happy the way it works now then just be done with it and drink a beer (it is beer time in my home country (Netherlands))

OpenWRT is very versatile but indeed it has a learning curve.