OpenWRT as Wireguard gateway

Hi everyone, I'm totally new to OpenWRT and to the VPN topic in general, so some clarifications may be needed later.

Let's start with the idea:
As probably many people before and after me, I'd like to have a personal VPN to my home network. I'd like to be able to connect and be visible outside as if from my home network. It's especially for the case of my work laptop, which I'm not able to configure in any way (because of some internal safety policies, etc.). So I'd like to have a router serving this purpose.
If I'd have to put it on a diagram, it would look like this:

Laptop (or mobile) <-> OpenWRT router <-> VPN server at home <-> Internet

What I already have:

  • I have configured a Wireguard server using a Raspberry Pi and PiVPN. I also have a DDNS using duckdns.org, so I'm able to connect to it using just a DNS name, not an IP address.
  • Wireguard is working fine with clients directly connected, like phone with Wireguard app.
  • I configured OpenWRT on a Tp-Link AX23 to have a Wireguard client and, as the stats say, that works. However, any device that is connected to it is not visible as a Wireguard peer, so the public IP is different from that of my home network.

I tried checking before with my phone configured as a Wireguard client and hotspot on. As the phone itself was redirected and visible as "from home", any device connected to its network was not. That's where the OpenWRT idea came from.

Questions are:

  1. Is it even possible with Wireguard setup to have a router working as "gateway" for Wireguard connection? In the scenario that any client connected to the router is also a peer, but without any configuration?
  2. Can OpenWRT automatically configure clients itself, without anything changing on the connected device, to be visible as Wireguard peer? What I want is just connect the device to router WiFi or LAN and already be "inside" VPN connection.
  3. If so, how?
  4. If not, is it possible with different vpn, e.g. OpenVPN?

Should you need any conf files please let me know.

What you describe is the standard way WireGuard works.
Anything connected to a router which is set up as a WireGuard client will be routed via the WireGuard server on the other end, if set up properly :slight_smile:

How to set up an OpenWRT router as a WireGuard client, see: WireGuard Client Setup guide

For the record, here are the instructions on how to set up a server: WireGuard Server Setup guide

Note your work laptop might have its own VPN. In that case traffic from this work laptop connected to your WireGuard client router will go through the WireGuard server but will terminate at its own VPN endpoint; however, it will go through your home WireGuard server.

Hi egc,
thanks for the materials. Your tutorial is almost 1:1 with what I've done so far. After a few changes I believe I have almost the same configuration as you've listed in the docs. Just for clarity, let me put here what I have (I tried to hide all sensitive data and leave only what is necessary to make sure those are the same values where they should be):

  1. Client config from Raspberry
[Interface]
PrivateKey = 8GWI<hidden>WLFU=
Address = 10.246.111.5/24,fd11:5ee:bad:c0de::af6:6f05/64
DNS = 8.8.8.8, 8.8.4.4

[Peer]
PublicKey = UDTi<hidden>HZxx8=
PresharedKey = XGMR<hidden>2SRbE=
Endpoint = m<hidden>u.duckdns.org:51820
AllowedIPs = 0.0.0.0/0, ::0/0
  2. /etc/config/network (part about the WG interfaces and the WiFi the router is sharing)
config interface 'Flejki'
        option proto 'dhcp'

config interface 'wg0'
        option proto 'wireguard'
        option private_key '8GWI<hidden>WLFU='
        list addresses '10.246.111.5/24'
        list addresses 'fd11:5ee:bad:c0de::af6:6f05/64'
        option metric '10'
        list dns '8.8.4.4'
        list dns '8.8.8.8'

config wireguard_wg0
        option description 'Dom'
        option public_key 'UDTi3<hidden>HZxx8='
        option preshared_key 'XGMR<hidden>2SRbE='
        option endpoint_host 'm<hidden>u.duckdns.org'
        option endpoint_port '51820'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::0/0'
        list allowed_ips '::/1'
        list allowed_ips '8000::/1'
  3. /etc/config/firewall (I chose the alternative method because I already had a configured firewall zone)
config zone
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wg0'
        option masq6 '1'

config forwarding
        option src 'lan'
        option dest 'vpn'
  4. for the record, output of the wg show command to indicate that the connection is working
interface: wg0
  public key: a9xmg<hidden>msWE=
  private key: (hidden)
  listening port: 40248

peer: UDTi3<hidden>HZxx8=
  preshared key: (hidden)
  endpoint: 87.<hidden>.84:51820  # but the IP address is the same as the domain
  allowed ips: 0.0.0.0/0, ::/0, ::/1, 8000::/1
  latest handshake: 1 minute, 33 seconds ago
  transfer: 828 B received, 2.93 KiB sent
  persistent keepalive: every 25 seconds

From what I see here, everything should be fine. However, after saving the configuration with those little changes and rebooting, I completely lost the connection to the internet. Previously I had a connection (well, with the "wrong" public IP, but I had one); right now it's missing.

To be honest, while configuring it via the GUI it was more or less understandable for me, but when I started comparing the detailed configs listed above it got much more complicated.

Can I ask for a little more help with checking what could go wrong here? If you (or any other good soul willing to help) would need any GUI screenshots, please let me know.
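As an added example (not code from the thread or from OpenWrt), the following script parses UCI-style `/etc/config/network` and `/etc/config/firewall` text and checks the handful of settings that make egc's statement true, namely that anything behind the router egresses through the tunnel: a `proto 'wireguard'` interface, a peer with `allowed_ips` covering `0.0.0.0/0` and `route_allowed_ips '1'`, and a firewall zone containing that interface with `masq '1'`, `mtu_fix '1'` and a forwarding from `lan`. The sample configs are constructed to mirror the ones posted above, with placeholder keys and hostname; `check_full_tunnel` and `parse_uci` are names chosen here, not OpenWrt tooling.

```python
"""Sanity-check an OpenWrt UCI config for a full-tunnel WireGuard client (added example)."""
import shlex

# Constructed sample modelled on the configs posted in the thread; secrets are placeholders.
NETWORK_CONF = """
config interface 'wg0'
        option proto 'wireguard'
        option private_key 'PLACEHOLDER_PRIVATE_KEY='
        list addresses '10.246.111.5/24'
        option metric '10'

config wireguard_wg0
        option description 'Dom'
        option public_key 'PLACEHOLDER_PUBLIC_KEY='
        option endpoint_host 'example.duckdns.org'
        option endpoint_port '51820'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::0/0'
"""

FIREWALL_CONF = """
config zone
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wg0'

config forwarding
        option src 'lan'
        option dest 'vpn'
"""


def parse_uci(text):
    """Parse UCI text into [{"type", "name", "options": {key: [values]}}]; 'list' keys accumulate."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # UCI values are shell-style quoted
        if parts[0] == "config" and len(parts) >= 2:
            sections.append({"type": parts[1], "name": parts[2] if len(parts) > 2 else None, "options": {}})
        elif parts[0] in ("option", "list") and len(parts) >= 2 and sections:
            sections[-1]["options"].setdefault(parts[1], []).append(parts[2] if len(parts) > 2 else "")
    return sections


def first(opts, key, default=None):
    vals = opts.get(key)
    return vals[0] if vals else default


def covers_all_ipv4(allowed):
    """0.0.0.0/0, or the two /1 halves that some guides use to override the default route."""
    s = set(allowed)
    return "0.0.0.0/0" in s or {"0.0.0.0/1", "128.0.0.0/1"} <= s


def check_full_tunnel(network_text, firewall_text, lan_zone="lan"):
    """Return a list of problems; an empty list means LAN clients should egress via the tunnel."""
    problems = []
    net, fw = parse_uci(network_text), parse_uci(firewall_text)
    wg_ifaces = [s["name"] for s in net if s["type"] == "interface" and first(s["options"], "proto") == "wireguard"]
    if not wg_ifaces:
        return ["network: no interface with proto 'wireguard'"]
    for ifname in wg_ifaces:
        peers = [s for s in net if s["type"] == "wireguard_" + ifname]
        if not peers:
            problems.append(f"{ifname}: no peer section (config wireguard_{ifname})")
        for peer in peers:
            o = peer["options"]
            if not covers_all_ipv4(o.get("allowed_ips", [])):
                problems.append(f"{ifname}: allowed_ips does not cover 0.0.0.0/0; only listed prefixes enter the tunnel")
            if first(o, "route_allowed_ips") != "1":
                problems.append(f"{ifname}: route_allowed_ips is not '1'; no default route via the tunnel is installed")
        zones = [z for z in fw if z["type"] == "zone" and ifname in z["options"].get("network", [])]
        if not zones:
            problems.append(f"{ifname}: not a member of any firewall zone")
            continue
        zo = zones[0]["options"]
        zname = first(zo, "name", "?")
        if first(zo, "masq") != "1":
            # Without NAT the LAN's private source addresses enter the tunnel and the server
            # drops them under cryptokey routing unless they are in the peer's AllowedIPs.
            problems.append(f"zone {zname}: masq is not '1'; LAN source addresses are not NATed to the tunnel address")
        if first(zo, "mtu_fix") != "1":
            problems.append(f"zone {zname}: mtu_fix is not '1'; without MSS clamping large TCP transfers may stall")
        if not any(f["type"] == "forwarding" and first(f["options"], "src") == lan_zone
                   and first(f["options"], "dest") == zname for f in fw):
            problems.append(f"firewall: no forwarding from zone '{lan_zone}' to zone '{zname}'")
    return problems


if __name__ == "__main__":
    print(check_full_tunnel(NETWORK_CONF, FIREWALL_CONF) or "looks like a full-tunnel client")
```

Run it against the real files with `check_full_tunnel(open("/etc/config/network").read(), open("/etc/config/firewall").read())`; an empty list only means the static settings are consistent, it does not prove the handshake or the route table, which is what `wg show` and `ip route show` are for.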

It can help if you show your configs. Please connect to your OpenWRT device using ssh, copy the output of the following commands, and post it here using the "Preformatted text </>" button.

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
ip route show
ip -6 route show
wg show

Note you cannot reliably test this router from inside your network where the WireGuard server is located.
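To make the redaction step above less error-prone, here is an added example (not from the thread or from OpenWrt) that filters the output of those commands before it is pasted: WireGuard keys (44-character base64 values), values of `option ...key/password/secret...` lines, `*.duckdns.org` hostnames, MAC addresses and public IP addresses are replaced with tags, while RFC 1918 / ULA addresses and route prefixes such as `0.0.0.0/0` or `8000::/1` are left alone because they carry no public footprint. The sample text is constructed to look like the `wg show` and config output in this thread; the keys, endpoint address and hostname in it are made up, and `redact` is a name chosen here.

```python
"""Redact secrets and public identifiers from OpenWrt/WireGuard diagnostic output (added example)."""
import ipaddress
import re

# 32-byte base64 value as printed by `wg show` and stored in UCI: 43 chars plus one '=' pad.
WG_KEY_RE = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{43}=")
# UCI option whose name mentions a key/password/secret: blank the quoted value whatever it is.
SECRET_OPTION_RE = re.compile(r"""^(\s*option\s+\S*(?:key|password|passwd|secret)\S*\s+)(['"]).*\2\s*$""",
                              re.MULTILINE | re.IGNORECASE)
DDNS_RE = re.compile(r"\b[\w.-]+\.duckdns\.org\b")
MAC_RE = re.compile(r"(?<![0-9A-Fa-f:])(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}(?![0-9A-Fa-f:])")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?\b")
# Loose IPv6 candidate (at least two colons); ipaddress decides whether it really is one.
IPV6_RE = re.compile(r"(?<![0-9A-Fa-f:])(?:[0-9A-Fa-f]{0,4}:){2,7}[0-9A-Fa-f]{0,4}(?:/\d{1,3})?")


def _redact_ip(match, tag):
    text = match.group(0)
    addr, _, prefix = text.partition("/")
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return text  # not an address (a time like 12:30:45, a port suffix, ...)
    if prefix and int(prefix) < ip.max_prefixlen:
        return text  # a route prefix (0.0.0.0/0, ::/1, 8000::/1), not a host
    if not ip.is_global:
        return text  # RFC 1918, ULA, loopback, link-local: nothing public to hide
    return tag + (f"/{prefix}" if prefix else "")


def redact(text):
    """Return the text with keys, secret options, DDNS names, MACs and public IPs replaced by tags."""
    text = SECRET_OPTION_RE.sub(lambda m: m.group(1) + "'<redacted>'", text)
    text = WG_KEY_RE.sub("<wg-key>", text)
    text = DDNS_RE.sub("<ddns-host>.duckdns.org", text)
    text = MAC_RE.sub("<mac>", text)  # before the IPv6 pass, which would otherwise see hex:hex runs
    text = IPV4_RE.sub(lambda m: _redact_ip(m, "<public-ip4>"), text)
    text = IPV6_RE.sub(lambda m: _redact_ip(m, "<public-ip6>"), text)
    return text


# Constructed sample in the shape of `wg show` plus a few UCI lines; every value is made up.
SAMPLE = """\
interface: wg0
  public key: cJ3Qx9vA7kLmN2pRsT8uWyZ1bD4fGhIjKlMnOpQrStU=
  private key: (hidden)
  listening port: 40248

peer: xY7zAb2CdE3fGh4IjK5lMn6OpQ7rSt8UvW9xYz0AbC1=
  endpoint: 93.184.216.34:51820
  allowed ips: 0.0.0.0/0, ::/0, ::/1, 8000::/1
  latest handshake: 1 minute, 33 seconds ago

config wireguard_wg0
        option private_key 'not-a-real-key-just-a-placeholder'
        option endpoint_host 'myhome.duckdns.org'
        list addresses '10.246.111.5/24'
        list addresses 'fd11:5ee:bad:c0de::af6:6f05/64'
        option macaddr '02:11:22:33:44:55'
"""

if __name__ == "__main__":
    print(redact(SAMPLE))
```

Typical use on the router is `wg show | python3 redact.py` after replacing the `__main__` block with `print(redact(sys.stdin.read()))`; public resolvers such as 8.8.8.8 are redacted too, since the filter cannot tell them from your own address, which is harmless for a forum post.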

So I wanted to paste all the configs you asked for, but for some reason unknown to me at the moment my router had a hard time and I needed to reset it. However, thanks to that I had to go through all your instructions once again. And this time, magically, everything worked smoothly.
I had my router running, connected to the WireGuard server, and all clients were easily visible at the same IP as my home router. That's exactly what I wanted.

Thanks again for sharing this amazing tutorial you've prepared. I just wish it was also listed in OpenWRT guides for Wireguard setup.


Great to hear you solved it.

I am still working on it but when it is finished I will see if I can have it added to the wiki

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:
