How to set up chained WireGuard

I want to access my home network from the outside, but we only have DS-Lite, so I got myself a free VM from Oracle and installed WireGuard on it. I did not install WireGuard on the server because there are other devices in my home that I want to access as well (IP cameras etc.) that do not support WireGuard.

My devices:

  • Phone (Android)
  • Router (OpenWrt 19.07)
  • VM (Ubuntu 20.04) which should serve as a "proxy", the router and phone connect to and talk over
  • Server (Voidlinux)
  • Devices (IP cameras, etc.)

What works:

  • Traffic Router -> VM
  • Traffic VM -> Router
  • Traffic VM -> Homeserver (10.100.0.2/16)

First my configuration for Router:
/etc/config/firewall

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'vpn'

/etc/config/network

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '10.100.0.1'

config interface 'vpn'
	option proto 'wireguard'
	option private_key '...'
	list addresses '10.52.0.1'

config wireguard_vpn
	option public_key '<PUBLIC KEY VM>'
	option description 'proxy'
	option persistent_keepalive '25'
	option endpoint_port '80' # most likely never blocked
	option route_allowed_ips '1'
	option endpoint_host '<DOMAIN>'
	list allowed_ips '10.52.0.2/32'

Config on proxy VM
/etc/sysctl.conf

net.ipv4.ip_forward=1

/etc/wireguard/wg0.conf

[Interface]
Address = 10.52.0.2/24
DNS = 10.52.0.1 # resolve host names in home network
ListenPort = 80
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PrivateKey = ...

[Peer] # Phone
AllowedIPs = 10.52.0.3/32
PublicKey = <PUBLIC KEY PHONE>

[Peer] # Router
AllowedIPs = 10.52.0.1/32, 10.100.0.0/16
PublicKey = <PUBLIC KEY ROUTER>

Config phone

address = 10.52.0.3/32
dns server = 10.52.0.1

peer
public key = <PUBLIC KEY VM>
keepalive = 25
endpoint = <DOMAIN>:80
allowed ips = 10.52.0.2/24, 10.100.0.0/16

I think I need some iptables magic, but I must confess that I have never used it before and the tutorials online are quite confusing.

Also I think I might have some weird thing going on with my bitmasks for the clients. Do I need a /24 for Allowed IPs? I am a bit confused as there are articles showing both ways out there.

Any help would be very much appreciated, many thanks!

What exactly is the issue you're trying to solve? It's not entirely clear. Assuming you want your phone to be able to access the local network connected to the OpenWrt router, then you need to edit

config wireguard_vpn
	option public_key '<PUBLIC KEY VM>'
	option description 'proxy'
	option persistent_keepalive '25'
	option endpoint_port '80' # most likely never blocked
	option route_allowed_ips '1'
	option endpoint_host '<DOMAIN>'
	list allowed_ips '10.52.0.2/32'

and add 10.52.0.3/32 to the allowed IPs.

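As an added illustration, not code from this thread: a small Python model of WireGuard's cryptokey routing built from the AllowedIPs quoted above. It walks a packet phone -> VM -> router and back, shows where the original router config drops it, and shows that adding 10.52.0.3/32 to the VM peer on the router fixes both directions. It assumes nothing NATs the phone's source address on the tunnel path (the VM's MASQUERADE rule covers ens3 only).

```python
import copy
import ipaddress

# Cryptokey routing tables constructed from the configs quoted in this thread:
# node -> {peer -> AllowedIPs}. Assumes the phone keeps src 10.52.0.3 (no NAT on wg0).
PEERS = {
    "phone":  {"vm": ["10.52.0.2/24", "10.100.0.0/16"]},
    "vm":     {"phone": ["10.52.0.3/32"],
               "router": ["10.52.0.1/32", "10.100.0.0/16"]},
    "router": {"vm": ["10.52.0.2/32"]},   # original OpenWrt wireguard_vpn section
}

# The change suggested in the reply above: also allow the phone's address from the VM peer.
FIXED = copy.deepcopy(PEERS)
FIXED["router"]["vm"].append("10.52.0.3/32")


def nets(cidrs):
    """strict=False normalises host notation such as '10.52.0.2/24' to 10.52.0.0/24."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def outbound_peer(peers, node, dst):
    """Peer whose AllowedIPs contain dst (longest prefix wins); None means no route."""
    dst, best = ipaddress.ip_address(dst), None
    for peer, cidrs in peers[node].items():
        for n in nets(cidrs):
            if dst in n and (best is None or n.prefixlen > best[1].prefixlen):
                best = (peer, n)
    return best[0] if best else None


def inbound_accepted(peers, node, peer, src):
    """WireGuard drops a decrypted packet whose source is outside the sending peer's AllowedIPs."""
    return any(ipaddress.ip_address(src) in n for n in nets(peers[node][peer]))


def chain_check(peers, src, dst, path):
    """Walk a packet hop by hop over the tunnel chain; return the first failure or 'ok'."""
    node = path[0]
    for nxt in path[1:]:
        if outbound_peer(peers, node, dst) != nxt:
            return f"{node}: no AllowedIPs route to {dst} via {nxt}"
        if not inbound_accepted(peers, nxt, node, src):
            return f"{nxt}: drops packet from {src} (not in AllowedIPs of peer {node})"
        node = nxt
    return "ok"


if __name__ == "__main__":
    for table in (PEERS, FIXED):
        print(chain_check(table, "10.52.0.3", "10.100.0.2", ["phone", "vm", "router"]))
        print(chain_check(table, "10.100.0.2", "10.52.0.3", ["router", "vm", "phone"]))
```

The same check explains the /24 vs /32 question: AllowedIPs is a routing table plus a source filter, so a /32 admits exactly one address while 10.52.0.2/24 is just 10.52.0.0/24 spelled oddly.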

DS-Lite usually comes in combination with IPv6 connectivity; if so, that might be by far the easier setup to get started with (using only IPv6 to connect to your WireGuard VPN server at home).

--
Disclaimer: I'm more or less in the same boat, cgNAT + a semi-static /56 IPv6 prefix and IPv6 coverage from my mobile ISP as well; this works rather well (the IPv6 prefix only needs to be (semi-)static if you want to offer IPv6 connectivity to the outside as well; for merely getting back home, dynamic IPv6 addresses and DDNS work as well).


I want my phone and home network to communicate via the VM and Router. Since I have no public IP at home but the VM has one, I can connect to it, which I cannot do directly to my home router.

  1. Phone --> VM (wg)
  2. VM --> Router (wg)
  3. Router --> Server

That was my first thought as well. But Germany is shit when it comes to digital infrastructure and there is still no IPv6 in mobile networks. They have been talking about this for 5 years already, but no progress has been made whatsoever.

T-Mobile has IPv6 (single, dynamic /64) available for at least 5 years now. It's not enabled by default, but you just need to edit the APN settings to enable it.


I heard about this as well but thought that was just the usual marketing blabla.

I might give them a hard look when my current contract runs out. But as for now I am stuck with o2 and no IPv6 connectivity for at least 14 more months :(