Loose coupling of OpenWrt devices

I may not be using the right term here.

Recently, after gaining excellent support here on this forum, I was able to make WireGuard work with my home gateway. It came in handy during my travel, as I wanted to use WhatsApp while some countries in the world block its usage.

For about a week that worked fine and then I made a small change (added one additional peer) and my gateway stopped serving internet (no VPN for me and no internet at home), with me overseas and my wife disappointed:

  1. Alexa down
  2. Streaming down
  3. Lighting (Tuya) lost its routine
  4. Thermostat with broken screen could no longer be adjusted using wifi app.

I just deleted the WireGuard interface and the entry in the firewall for ingress 51820, and my gateway now works. I must have made some very stupid mistake.

I have many unused OpenWrt devices (some with 802.11n) and I could use these on my LAN as switch devices, each serving just one function (like one for WireGuard, and another for Adhome etc.). This way, at least I hope, if I mess up the WireGuard device my entire home network won't come down. Sort of like atomic services.

Is this possible in the OpenWrt firmware, or just my fantasy?

It is not a problem to add additional peers, but we would need to see the specific config you had that caused problems... hopefully you still have it.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall

I am 99% sure that I have the sysupgrade file from the firmware selector and also the backup archive. On a clear day (no one using the internet), I will reproduce this. And fewer devices is my ultimate goal.

My question is, can we have a dedicated machine (say a Netgear R6100) which will have eth0 / all ports bound to a bridge and the firewall disabled/deleted, and then have this as a VPN server?
On the primary gateway, I will port forward 51820/udp to 192.168.1.100 (the R6100 switch).

Can this give me the same functionality? And, when the R6100 is switched off, my gateway will keep functioning (minus wg).

I would try first and then ask, but I am trying to avoid risk. If it works fine for a few weeks, then I will move it to the gateway and change the firewall 51820/udp to 192.168.1.1.

Please help me understand.

You can have a dedicated device for your VPN if you so desire. You will probably want to keep the firewall installed and running, but it depends on the details of what you are trying to achieve.

The vpn can’t be bridged as it is a routed protocol, but you can set it up in a number of different scenarios, depending on if this is an inbound/server type setup or an outbound/client.
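To make the "routed, not bridged" point concrete, here is what the setup asked about above looks like in OpenWrt's own UCI config syntax. This is an added example, not config from the thread: it assumes the R6100 sits on the home LAN as 192.168.1.100 with its WireGuard interface named wg0 and a tunnel subnet of 10.10.0.0/24 (both assumed), while the primary gateway stays at 192.168.1.1.

```text
# --- primary gateway (192.168.1.1), /etc/config/firewall ---
# Forward the WireGuard handshake port to the dedicated box.
config redirect
	option name 'wg-to-r6100'
	option src 'wan'
	option src_dport '51820'
	option proto 'udp'
	option dest 'lan'
	option dest_ip '192.168.1.100'
	option dest_port '51820'
	option target 'DNAT'

# --- primary gateway (192.168.1.1), /etc/config/network ---
# Replies from LAN hosts to tunnel clients go to the gateway by default;
# without this route they would be sent out the WAN and lost.
config route
	option interface 'lan'
	option target '10.10.0.0/24'   # assumed tunnel subnet
	option gateway '192.168.1.100'

# --- R6100 (192.168.1.100), /etc/config/firewall ---
# Firewall stays on. Tunnel clients may reach the LAN but not the
# R6100's own services (LuCI, ssh).
config zone
	option name 'vpn'
	list network 'wg0'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'vpn'
	option dest 'lan'
```

The static route on the gateway is the part people forget: the WireGuard UDP packets are forwarded by the redirect, but LAN hosts answering a 10.10.0.x client send their replies to 192.168.1.1, which must know that 10.10.0.0/24 lives behind 192.168.1.100. The alternative is `option masq '1'` on the R6100's lan zone, which hides the tunnel addresses behind 192.168.1.100 and makes the route unnecessary. The R6100's default lan zone already accepts inbound traffic, so UDP 51820 arriving from the gateway needs no extra rule. Powering the R6100 off only takes the tunnel down; nothing on the gateway depends on it.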

Thanks. I see... this means having an appliance just as a WireGuard server will make it more complicated.

I hope to restore and try that old setup again in a few days.

Cheers.

I used to run a WireGuard server on a Raspberry Pi. All I had to do in the OpenWrt router was port forwarding to the RPi (if I recall). It shouldn't be hard, but OpenWrt makes it easy to run WireGuard on the router itself!

Yes, I will try again. Ideally, fewer boxes is better. I was trying to avoid outages since I am a technovice.

Yeah, best to do that. Have one box set up for everything you need. Back up that config / image somewhere reachable.
And don't play around with the config while you are far away from the router. :sweat_smile:

If your router hardware is resourceful enough, then it doesn't really make sense to have those services on other hardware; it just adds more hassle to configuration management.

I, for example, put all my configuration in a GitHub repository and build my sysupgrade image from that. Then I always have a stable backup in case I break something with an updated image or by manually changing things.

I WILL not publicly admit how humiliating that outage was!

Some day, I would also like to learn that!

An important thing about Wireguard with multiple peers on one interface is that the allowed_ips of the peers must all be unique addresses or blocks with no overlap.

Appendage VPN servers are common but usually done to offload the encryption task to a device with more CPU power than the main router.

I made a script for that, so it always picks the next free IP when adding a new client.
It also prints the QR code on the console, so you can just scan it with your device. I didn't know that was possible, so I really like this feature. :sweat_smile:


I distinctly remember that I had assigned a unique IP address to each peer, which I did in both the gateway and peer WireGuard configs. In the allowed IPs, I was just using 0.0.0.0/0 even though I was aware that this blanket allow is not good practice.

I am reasonably sure I did something stupid, and one of those things was tinkering with the primary gateway when I was halfway across the world, enjoying using WhatsApp on a whim. Strangely, I did this mischief one day before I was headed to India, where all the Google apps and WhatsApp etc. are freely usable (hence my dependence on the VPN was not critical anymore)!!

I will try and reproduce this. I want to install Home Assistant and would like to use that while I am on the road. I suspect, now that I have succeeded in IP pass-through and DDNS update, I could just create a DMZ server and then use Apache to point to a webroot based on the name.

Thank you all. I love and value your selfless help to an old and retired man.

Yup... that would potentially explain why things broke.

Let us know when you have a config for us to check and/or help fix.

Allowed ip on the client side can be 0.0.0.0 for every client. Indeed it has to be that if you want clients to use the Internet through the tunnel, since the returning traffic could come from anywhere on the Internet.

It is on the server side where you have to be careful. Road warrior clients only source traffic from their one /32 tunnel IP. Clients which are routers and you want direct access to/from their LAN also need the client's LAN as an allowed IP at the server. This means that the clients which are routers need distinct non-overlapping lan networks.

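The two server-side rules above (no overlapping allowed_ips between peers, and a default route only ever on the client side) and the earlier "pick the next free IP when adding a client" script are easy to check mechanically before committing a change from the other side of the world. The following is an added example, not code from the thread or from any poster's script: it parses the `wireguard_wg0` sections of a server's `/etc/config/network`, reports overlapping allowed_ips, flags a stray 0.0.0.0/0, and proposes the next free tunnel address. The config text, the interface name wg0 and the tunnel subnet 10.10.0.0/24 are all constructed for the example; public keys are omitted.

```python
"""Server-side sanity checks for an OpenWrt WireGuard peer list.
Added example, not from the thread. Parses the wireguard_wg0 sections of
/etc/config/network, reports overlapping allowed_ips between peers, flags a
catch-all route (client-side value) and picks the next free tunnel address."""
import ipaddress
import re

# Constructed sample of the WireGuard part of a server's /etc/config/network
# (keys omitted). "phone" and "tablet" collide on one /32, and "laptop"
# carries the client-side catch-all, which on the server captures every peer.
SAMPLE_CONFIG = """
config interface 'wg0'
    option proto 'wireguard'
    list addresses '10.10.0.1/24'

config wireguard_wg0
    option description 'phone'
    list allowed_ips '10.10.0.2/32'

config wireguard_wg0
    option description 'tablet'
    list allowed_ips '10.10.0.2/32'

config wireguard_wg0
    option description 'laptop'
    list allowed_ips '0.0.0.0/0'

config wireguard_wg0
    option description 'cabin-router'
    list allowed_ips '10.10.0.5/32'
    list allowed_ips '192.168.112.0/24'
"""

_SECTION = re.compile(r"^config\s+(\S+)(?:\s+'([^']*)')?\s*$")
_ENTRY = re.compile(r"^(option|list)\s+(\S+)\s+'([^']*)'\s*$")


def parse_uci(text):
    """Return [(section_type, section_name, {key: [values]})] in file order."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION.match(line)
        if m:
            sections.append((m.group(1), m.group(2) or "", {}))
            continue
        m = _ENTRY.match(line)
        if m and sections:
            sections[-1][2].setdefault(m.group(2), []).append(m.group(3))
    return sections


def peers(sections, iface="wg0"):
    """[(description, [allowed networks])] for every peer of iface."""
    out = []
    for typ, _name, opts in sections:
        if typ == f"wireguard_{iface}":
            desc = opts.get("description", ["?"])[0]
            nets = [ipaddress.ip_network(a, strict=False)
                    for a in opts.get("allowed_ips", [])]
            out.append((desc, nets))
    return out


def find_overlaps(peer_list):
    """Pairs of peers whose allowed_ips overlap. WireGuard picks the peer for
    an outgoing packet by destination and validates incoming packets by
    source against allowed_ips, so an overlap silently misroutes traffic."""
    problems = []
    for i, (a, nets_a) in enumerate(peer_list):
        for b, nets_b in peer_list[i + 1:]:
            for na in nets_a:
                for nb in nets_b:
                    if na.version == nb.version and na.overlaps(nb):
                        problems.append((a, b, str(na), str(nb)))
    return problems


def catch_all_peers(peer_list):
    """Peers carrying a default route: correct on a client that sends all its
    traffic through the tunnel, wrong on the server."""
    return [d for d, nets in peer_list if any(n.prefixlen == 0 for n in nets)]


def next_free_ip(sections, iface="wg0"):
    """First tunnel address not used by the server or any existing peer."""
    tunnel = None
    for typ, name, opts in sections:
        if typ == "interface" and name == iface and "addresses" in opts:
            tunnel = ipaddress.ip_interface(opts["addresses"][0])
    if tunnel is None:
        raise ValueError(f"no addresses configured on interface {iface}")
    used = {tunnel.ip}
    for _d, nets in peers(sections, iface):
        for n in nets:
            # Only ranges inside the tunnel subnet reserve tunnel addresses;
            # a router peer's remote LAN (192.168.112.0/24) does not.
            if n.version == tunnel.network.version and n.subnet_of(tunnel.network):
                used.update(n)
    for host in tunnel.network.hosts():
        if host not in used:
            return str(host)
    raise RuntimeError(f"tunnel subnet {tunnel.network} is exhausted")


if __name__ == "__main__":
    secs = parse_uci(SAMPLE_CONFIG)
    for a, b, na, nb in find_overlaps(peers(secs)):
        print(f"OVERLAP: {a} {na} vs {b} {nb}")
    print("catch-all on server:", catch_all_peers(peers(secs)))
    print("next free tunnel address:", next_free_ip(secs))
```

Run it against a copy of the real `/etc/config/network` (with `cat /etc/config/network` pasted into a file) before adding a peer; on the sample it reports phone/tablet colliding, laptop overlapping everybody because of the 0.0.0.0/0, and 10.10.0.3 as the next free address. The 0.0.0.0/0 finding is exactly the mistake described earlier in the thread: on the server it makes that one peer the destination for all traffic, including the LAN's and the other peers'.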

I have a spare identical box which I can place in the private IP address space in the LAN. It would have a LAN of 192.168.112.1/24 and a WAN of 192.168.111.200/32. Then I could use it to simulate my VPN going from a 192.168.111.1/24 subnet through the WAN 192.168.111.200/32 to access a device like a NAS box on 192.168.112.10/32.

To speed this up, can I just restore one TP-Link 1900 ONHUB archive to another TP-Link 1900 ONHUB? After restore I will change the LAN IP etc. Or will it cause challenges?

Way cool! I want to do this manually because I will enjoy learning. I am a hobbyist and not much depends on its success unless it breaks what isn't broken! :wink:

I'd have to better understand what you are trying to test and why/how you will be using the spare box. Testing while connected to your main lan will typically work, but may not be representative of a connection from outside with respect to remotely accessing your network devices at home. However, a traceroute should reveal the path via the wg tunnel.

I'm not sure I understand what you are proposing here... but don't restore a backup from one device to another. That can cause issues in certain circumstances due to hardware specific info (such as MAC addresses) that is contained in the config files.
