Make Travel Router Send All Traffic to Home WireGuard Server

I bought a little wireless router to use as a travel router. My home network has a Raspberry Pi behind my main OpenWrt router, and the Pi is running Pi-VPN as a WireGuard server. I have a few client profiles made for various devices and they are all able to connect to it just fine when I'm away from home. I was hoping to accomplish the following:

  1. set up a client profile on the Raspberry Pi for my travel router (this is done).
  2. set up the travelmate package on my travel router (this is done).
  3. install luci-proto-wireguard and luci-app-wireguard on my travel router (this is done).
  4. configure my travel router to use the .conf file made in step 1 to funnel all its traffic through my Raspberry Pi at home (here is where I need help).

Can step 4 be done, and if so how?

WireGuard on OpenWrt doesn't use .conf files.
Instead, it should be configured as a network interface:
https://openwrt.org/docs/guide-user/services/vpn/wireguard/client


This should be in the /etc/config/network on the host (server) router:

config interface 'wireguard'
	option proto 'wireguard'
	option private_key '********'
	option listen_port '12251'
	list addresses '192.168.20.1/24'

config wireguard_wireguard
	option description 'roadrunner'
	option public_key '*****'
	list allowed_ips '0.0.0.0/0'

This is the relevant part of the /etc/config/firewall

config zone
	option name 'wguard'
	option network 'wireguard'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'

config forwarding
	option src 'wguard'
	option dest 'lan'

config forwarding
	option src 'wguard'
	option dest 'wan'

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option proto 'udp'
	option target 'ACCEPT'
	option dest_port '12251'

config forwarding
	option src 'lan'
	option dest 'wguard'

And this should be in the /etc/config/network on the road runner (client or your travel router)

config interface 'wguard'
	option proto 'wireguard'
	list addresses '192.168.20.2/32'
	option private_key '*****'

config wireguard_wguard
	option public_key '***public Key***'
	option endpoint_host '**router host/ip**'
	list allowed_ips '0.0.0.0/0'
	option endpoint_port '12251'
	option route_allowed_ips '1'

Additionally you have to configure the firewall on the road runner to forward all the traffic:

config zone
	option network 'wguard'
	option forward 'REJECT'
	option name 'wguard'
	option output 'ACCEPT'
	option input 'REJECT'
	option masq '1'

config forwarding
	option dest 'wguard'
	option src 'lan'

I don't have the router on hand and that's from one of the backups I have, but should be a good starting point for you.

Although it can work like this, it is better if you keep the allowed IPs only to the actual IPs you expect to see from that peer.
Also on the server you need to assign the wireguard interface into a new zone and configure forwardings, or add it to the lan zone for simplicity.
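
An added check for the point made in this reply (not part of the original thread): WireGuard uses a peer's allowed_ips both to route outbound traffic and to filter the source addresses it accepts from that peer, so a server-side peer entry with a default route is worth flagging. The rule "no endpoint_host means a remote client" is a heuristic assumed here, and the sample input reuses the peer stanzas posted above.

```shell
#!/bin/sh
# Added example: list WireGuard peers in an OpenWrt network config (stdin) that
# have no endpoint_host (a remote client, as a server sees it) yet allow a
# default route. The "no endpoint_host" test is a heuristic assumed here.
audit_wg_peers() {
    awk -v q="'" '
    function val(s) { gsub(q, "", s); return s }          # drop UCI quoting
    function report() {
        if (sec ~ /^wireguard_/ && !has_endpoint && wide != "")
            printf "%s peer=%s allowed_ips=%s\n", sec, name, wide
    }
    $1 == "config" { report(); sec = $2; name = "(unnamed)"; has_endpoint = 0; wide = ""; next }
    $1 == "option" && $2 == "description" {
        s = $0; sub(/^[ \t]*option[ \t]+description[ \t]+/, "", s); name = val(s)
    }
    $1 == "option" && $2 == "endpoint_host" { has_endpoint = 1 }
    $1 == "list" && $2 == "allowed_ips" {
        ip = val($3)
        if (ip ~ /\/0$/) wide = (wide == "" ? ip : (wide "," ip))   # 0.0.0.0/0, ::/0
    }
    END { report() }'
}

# Sample input: the two peer stanzas from the thread, keys masked as there.
server_cfg() { cat <<'EOF'
config wireguard_wireguard
    option description 'roadrunner'
    option public_key '*****'
    list allowed_ips '0.0.0.0/0'
EOF
}
client_cfg() { cat <<'EOF'
config wireguard_wguard
    option public_key '***public Key***'
    option endpoint_host '**router host/ip**'
    list allowed_ips '0.0.0.0/0'
    option route_allowed_ips '1'
EOF
}
server_cfg | audit_wg_peers    # the server-side peer is reported
client_cfg | audit_wg_peers    # the client-side peer (full tunnel) is not
```

In the setup posted above the travel router's wguard zone has masq '1', so the server only ever sees the client's tunnel address, and 192.168.20.2/32 would be the narrowed value for that peer.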

I've updated the answer above with the zone and forwarding, but as I have no access to both of the peers that's just from some backups I have around 🙂


May be a bit before I can get to this, but you've given me an excellent start. I'll try to configure things mimicking your setup and report back. Thank you so much!

Thank you so much @t3hn00b ! I was able to get it all working. I had to make a few edits which I will include below in case this post is useful for others. Also, if you have the time you can review to let me know if anything looks amiss.

  1. Before starting I changed the LAN address of my travel router to 192.168.6.1 because I read somewhere that if the LAN address of the travel router is the same as the LAN address of the network it is rebroadcasting, things can break. I don't know if that is true, but I did it.

  2. I didn't need to do anything on my home OpenWrt router because I have a port forward set up to the Raspberry Pi running Pi-VPN and everything is configured just fine by default.

  3. The Pi-VPN .conf file I made for the travel router provides the following information:

[Interface]
PrivateKey = A
Address = B
DNS = C

[Peer]
PublicKey = D
PresharedKey = E
Endpoint = F
AllowedIPs = 0.0.0.0/0, ::0/0

  4. From your skeleton I edited /etc/config/network on the travel router as such, where A, B, D, E, and F are pulled from (2). C wasn't needed, and I used the default port of 51820 provided by the Pi-VPN setup process.

config interface 'wguard'
	option proto 'wireguard'
	option private_key 'A'
	option listen_port '51820'
	list addresses 'B'

config wireguard_wguard
	option public_key 'D'
	option endpoint_host 'F'
	list allowed_ips '0.0.0.0/0'
	option endpoint_port '51820'
	option route_allowed_ips '1'
	option preshared_key 'E'
	option description 'travelrouter'

  5. I copied and pasted exactly what you offered for /etc/config/firewall in the travel router.

  6. The Travelmate package made this so easy because it allows you to edit those files directly in the ADVANCED>EDIT FIREWALL CONFIGURATION and EDIT NETWORK CONFIGURATION tabs instead of having to ssh in and vim them both. So shoutout to @dibdot for having the forethought for that. As someone who is pretty inexperienced but trying to learn, it made my life a lot easier to trial and error things that way.

Thanks again, and please let me know if anything looks incorrect!
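
The manual mapping from the Pi-VPN profile to /etc/config/network described in the post above, written out as an added example that is not part of the original thread: a shell function that reads a wg-quick style profile and prints the equivalent `uci batch` commands. The section names (wguard, wguard_peer1), the sample keys, addresses and the host vpn.example.net are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: wg-quick style profile on stdin -> `uci batch` input on stdout.
# Section names (wguard, wguard_peer1) are assumptions; keys are placeholders.
wgconf_to_uci() {
    awk -v ifc="${1:-wguard}" -v q="'" '
    function trim(s) { gsub(/^[ \t]+|[ \t\r]+$/, "", s); return s }
    function set(sec, opt, val) { printf "set network.%s.%s=%s%s%s\n", sec, opt, q, val, q }
    function addlist(sec, opt, csv,    n, i, part) {   # one add_list per comma item
        n = split(csv, part, ",")
        for (i = 1; i <= n; i++)
            printf "add_list network.%s.%s=%s%s%s\n", sec, opt, q, trim(part[i]), q
    }
    BEGIN { printf "set network.%s=interface\n", ifc; set(ifc, "proto", "wireguard") }
    /^[ \t]*#/ { next }
    /^[ \t]*\[/ {
        insec = tolower(trim($0))
        if (insec == "[peer]") {
            npeers++; peer = ifc "_peer" npeers
            printf "set network.%s=wireguard_%s\n", peer, ifc
            set(peer, "route_allowed_ips", "1")   # wg-quick installs these routes itself
        }
        next
    }
    {
        eq = index($0, "=")   # split on the FIRST "=": base64 keys end in "=" padding
        if (eq == 0) next
        k = insec ":" tolower(trim(substr($0, 1, eq - 1)))
        val = trim(substr($0, eq + 1))
        if (k == "[interface]:privatekey") set(ifc, "private_key", val)
        else if (k == "[interface]:address") addlist(ifc, "addresses", val)
        else if (k == "[peer]:publickey") set(peer, "public_key", val)
        else if (k == "[peer]:presharedkey") set(peer, "preshared_key", val)
        else if (k == "[peer]:allowedips") addlist(peer, "allowed_ips", val)
        else if (k == "[peer]:persistentkeepalive") set(peer, "persistent_keepalive", val)
        else if (k == "[peer]:endpoint" && (colon = match(val, /:[0-9]+$/))) {
            host = substr(val, 1, colon - 1); gsub(/^\[|\]$/, "", host)   # [v6]:port
            set(peer, "endpoint_host", host)
            set(peer, "endpoint_port", substr(val, colon + 1))
        }   # DNS and other keys are not mapped, as in the post
    }'
}
# Constructed sample in the shape of the profile quoted in the post.
sample_conf() {
    printf '%s\n' '[Interface]' 'PrivateKey = QUFBQQ==' 'Address = 10.6.0.5/24' \
        'DNS = 10.6.0.1' '' '[Peer]' 'PublicKey = RERERA==' 'PresharedKey = RUVFRQ==' \
        'Endpoint = vpn.example.net:51820' 'AllowedIPs = 0.0.0.0/0, ::0/0'
}
sample_conf | wgconf_to_uci wguard   # on the router: ... | uci batch && uci commit network
```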
