OpenWrt as wireguard client

Hi Forum,

I have an instance of a wiregurad-server running on my OpenWRT. Works fine.
Next idea is to add another interface as wg-client for building a site-to-site VPN to another wg-server.

Is there a way to do so ? In LUCI I - guess - only can configure a server-interface

Thanks for your help

Wireguard is peer to peer, there is no server-client distinction. You add the other wireguard router as a peer and vice versa.

See OpenWrt & Wireguard Site-to-Site for an example.

1 Like

thanks a lot. I will have a look on it !

So, I tried to configure the StS VPN. Works on the FW itself. But, If I try to reach a host in the connected LAN it doesn't work. Packages are routed to the LAN-Interface of the FW but are not sent the wg-Interface...

Can you copy the output of the following commands from both routers and post it here using the "Preformatted text </> " button:
grafik
Remember to redact passwords, MAC addresses, wireguard keys and any public IP addresses you may have

uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru

Here is the output. wg0 is the "dial-in" wg-interface
wg1 is the StS wg-interface

You don't need a second wireguard interface, just add a new peer to the interface you already had set up. I also need to see the output of those commands from the other site.

Can you also detail the setup between each LAN and the internet, I.e. what routers are involved and how they are connected.

Here is the setup:

The OpenWrt (wicht is my test device) Router with the two wg-Interfaces. LAN-Address 172.17.1.102
goes to another OpenWrt Router: 172.17.1.1, then to my Internetrouter (192.168.50.1)
On the other site there is a Router and a Raspi with wg-server running (usual client connections are working fine on that device)

I set static routs a) on the LAN-WAN OpenWrt and also on the Internetrouter.

A tcp-dump on wg1 shows me that connections from my LAN are routed to wg1, but there is no response from the other side

e.g.:
11:11:55.956313 IP (tos 0x0, ttl 62, id 48062, offset 0, flags [DF], proto TCP (6), length 60)
172.17.1.138.46994 > 192.168.100.4.80: Flags [S], cksum 0x0fd7 (correct), seq 3826401743, win 64240, options [mss 1460,sackOK,TS val 1702242229 ecr 0,nop,wscale 7], length 0

What's the config on the other end? Is the tunnel connected/exchanging any data at all?

Have you set up two peers on the wg1 interface?

Yes, they are exchanging data. From the console on the wrt-router i can ping devices on the other end

on wg1 only one peer is set up - the one to the wg-server on the other end

grafik

Just the Raspi running WG or other devices? What's the config on that end?

Then you shouldn't have

config wireguard_wg1
	list allowed_ips '192.168.100.0/24'
	option public_key 'xxx'

in your config, delete it and just keep the longer 'config wireguard_wg1' stanza.

On the other site there is the raspi and a view devices (e.g. a webserver).
what config would you like to have a look at ? The wg-server config ?

I deleted the it and just kept the longer one. Restarted the interface, same situation

Which of them can you currently ping?

Yes.

I don't think, it is possible, because UDP is not trackable. However @trendy is not agree.

Sorry, I might have missed something but what is your point?

from the console on the Wrt i can ping any machine on the other side. But none of them from my lan. Only from the Wrt-Router.

Here is the wg0.config from the Pi - Client 4 is the peer that I'm using for the StS VPN:

wg0.conf

[Interface]
Address = 10.9.0.1/24
PrivateKey = xxxM=
ListenPort = 51820

PostUp = sysctl net.ipv4.conf.%i.forwarding=1 net.ipv4.conf.$(sed -n 3p /run/dietpi/.network).forwarding=1
PostUp = sysctl net.ipv6.conf.$(sed -n 3p /run/dietpi/.network).accept_ra=2
PostUp = sysctl net.ipv6.conf.%i.forwarding=1 net.ipv6.conf.$(sed -n 3p /run/dietpi/.network).forwarding=1
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o $(sed -n 3p /run/dietpi/.network) -j MASQUERADE
PostUp = ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o $(sed -n 3p /run/dietpi/.network) -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o $(sed -n 3p /run/dietpi/.network) -j MASQUERADE
PostDown = ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o $(sed -n 3p /run/dietpi/.network) -j MASQUERADE

# Client 1
[Peer]
PublicKey = xxxo=
AllowedIPs = 10.9.0.2/32

# Client 2
[Peer]
PublicKey = xxx=
AllowedIPs = 10.9.0.3/32

# Client 3
[Peer]
PublicKey = xxx/Xo=
AllowedIPs = 10.9.0.4/32

# Client 4
[Peer]
PublicKey = xxxzXFk=
AllowedIPs = 10.9.0.5/32

Don't bother, @ulmwind just enjoys to twist what I say to prove his own theories.

You need to add your LAN subnet to the AllowedIPs. At the moment the only traffic that's allowed in or out at the Raspi end is traffic directly from the OpenWRT router.

you are right. I guess that is the missing pice in the puzzle.
Do you know how to separate them correctly in cht wg0.conf ?
Like this ?
AllowedIPs = 10.9.0.5/32, 172.17.1.0/24

I think that's correct.