Hi, I'm helping my uncle set up his home network. One thing that he needs in particular is to be able to access it from outside using a VPN (for Wake on LAN in particular, in case he needs to access files on his computer, which is normally turned off, etc.).
At my home I used to run a WireGuard node directly on my OpenWrt router and it worked very well (now my ISP gave me a new one that does it natively, but it's still on my router). Unfortunately, his ISP gave him a piece of trash VDSL2 modem that has pretty much no features at all (I'm actually surprised it allows port forwarding), so that can't be done.
My idea was to use a low-cost, super-low-power router like the GL.iNet GL-MT300N-V2 and forward all the VPN traffic from the modem to it... It sounded good on paper and it was supposed to be a 5-minute thing; however, it has been a nightmare to make it work as part of the LAN. In fact, I gave up using the original software, which somehow kept saying the device had no access to the internet.
I've then replaced the software with stock OpenWrt and it seems to be working. However, I wanted to be sure that the firewall is configured safely, as I bridged WireGuard to the LAN.
This is a simplified map of the network just to be clear.
Here is the rest of the configuration. I didn't create a firewall zone for the Wireguard interface, I just added the WGI interface directly to the LAN zone.
Edit: Does the modem have a public IP address on its WAN?
I can help if we can see your configs. Please connect to your OpenWrt device using ssh, copy the output of the following commands and post it here using the "Preformatted text </>" button.
Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
ip route show
wg show
The MT300 (192.168.1.8) will be connected to his modem-router (192.168.1.1) via LAN, I'll point my Wireguard traffic from outside to the WAN IP of the modem on a specific port and then forward it to the 192.168.1.8:51820 port of the MT300.
The modem should have a public IP; however, I'm pretty sure it's not static, so I'll also have to set up DDNS, but that's not a big issue.
I have instructions to set up a WireGuard server, but this is for a normal gateway router, see:
You need the "WireGuard Server setup guide" make sure you download the guide as Github only shows the first 5 pages
You can set up the interface according to the guide and also set up a separate firewall zone for the WireGuard interface (2b. Alternative setup).
You need a Forward rule from lan to wireguard zone and from wireguard zone to lan zone.
No need for a traffic rule for the listen port.
If you can set a static route on the modem, make a static route for the WireGuard subnet with gateway 192.168.1.8.
If that is not possible, then enable Masquerading on the LAN zone.
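As an added illustration of the steps in the reply above (not part of the thread and not taken from the linked guide), this is what the relevant UCI fragments look like on the MT300 when it sits inside the existing 192.168.1.0/24 LAN rather than acting as the gateway. The interface name `wg0`, the tunnel subnet 10.0.10.0/24, the peer name and the redacted key placeholders are assumptions; 192.168.1.8, 192.168.1.1 and UDP port 51820 come from the thread. The fragments cover the separate WireGuard zone, the lan<->wg forwardings, the Masquerading fallback when the modem cannot hold a static route, and the DHCP server on the MT300 being switched off so it does not compete with the modem's.

```text
# /etc/config/network (fragment) - assumed values marked; keys are placeholders
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.8'        # MT300 address inside the modem's LAN (from the thread)
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'       # the ISP modem stays the default gateway
	list dns '192.168.1.1'

config interface 'wg0'                 # assumed interface name
	option proto 'wireguard'
	option private_key 'REDACTED_SERVER_PRIVATE_KEY'
	option listen_port '51820'         # the port the modem forwards to 192.168.1.8 (UDP)
	list addresses '10.0.10.1/24'      # assumed tunnel subnet

config wireguard_wg0
	option description 'remote-peer'   # assumed peer name
	option public_key 'REDACTED_PEER_PUBLIC_KEY'
	option preshared_key 'REDACTED_PRESHARED_KEY'
	list allowed_ips '10.0.10.2/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

# /etc/config/dhcp (fragment) - the modem already serves 192.168.1.0/24,
# so the MT300 must not run a second DHCP server on the same segment
config dhcp 'lan'
	option interface 'lan'
	option ignore '1'

# /etc/config/firewall (fragment)
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'              # the WireGuard listen port arrives on lan, so no extra rule is needed
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'                    # fallback only: drop this line if the modem gets a static route
	                                   # for 10.0.10.0/24 via 192.168.1.8

config zone
	option name 'wg'                   # separate zone for the tunnel (2b. Alternative setup)
	list network 'wg0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'lan'
	option dest 'wg'

config forwarding
	option src 'wg'
	option dest 'lan'
```

With `masq '1'` on the lan zone, LAN hosts see VPN clients as 192.168.1.8, so the modem needs no knowledge of the tunnel subnet; the price is that per-client visibility on the LAN is lost, which is why the static route on the modem is preferable when it is available. Check the result with `wg show` after `service network restart` and `service firewall restart`, and confirm that the modem's port forward is for UDP, not TCP.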