OpenWRT as Wireguard-Server Internet from Client

Hello,

i want my OpenWRT as Wireguard-Server which using Internet from Client A also Client B or C should gain Internet from Client A is it possible?

So you want everybody have internet via A?

If so why not make that the WG server?

If otherwise please make a diagram of the config you want

2 Likes

WG Bild

Client A, B, C are different mobile Internet so no Open Ports

Internet of WG-Server can Open Ports for Connection from A,B,C but its necessary to have Internet from Client A

Is client A a router running OpenWRT?

Nope its just a Computer, which has internet from a Mobile Router, WG Server is the Open WRT Server is behind a Router which can Open Ports. Client C, B are Smartphones it's more or less routing all Traffic through Client A

Client A got Own Internet Connection, Client B and Cgot own Internet Connection, WG-Server got own Internet Connection, which is the only one who can open Ports.

Basically you setup a site-to-site setup between your WG server and client A:
https://openwrt.org/docs/guide-user/services/vpn/wireguard/site-to-site

But on the WG server you use 0.0.0.0/0 as allowed IPs meaning you create a default route via client A (make sure you enable "Route Allowed IPs").

If that works you create a second WG interface on your WG server which acts a WG-server for clients B and C.
You use PBR to route the listen port of this second server via the WAN

1 Like

Yes you need A to be alone on a dedicated separate interface (a point to point link) for this to work. Clients B and C can be multiple peers on the same interface as a usual server configuration. The reason for this is that when there are multiple peers, the peer allowed_ips must be non-overlapping. A 0.0.0.0 allowed IP overlaps every IP address, so it can be the only peer on the interface.

Also you'll need some source based (or policy based) routing within the server so that the server's kernel doesn't default to reaching the Internet through A, as that will make it impossible to maintain the encrypted links to B and C which must go through the server's local ISP. In other words use of A as the default route must be conditioned on the source address being something associated with B or C.