OpenWrt & Wireguard Site-to-Site

Hi, I had some experience with OpenWRT on Linksys routers a decade ago, but it's proved pretty much useless for the modern task of connecting two identical routers (Fritzbox 7412) via WireGuard. I was inspired by a few articles in the German c't magazin about flashing the 7412 to OpenWRT and WireGuard. Unfortunately they didn't cover the exact scenario I have in mind, which is to create a site-to-site (or LAN-to-LAN) VPN network using two dedicated Fritzbox 7412 routers (which at each site sit behind a primary Fritzbox handling the Internet connection, VoIP and so on).

I got as far as flashing OpenWRT and installing WireGuard on the 7412; I could even connect to one site using WireGuard's Windows client.

But that was never the goal. What I'd like to achieve is connecting the two networks transparently with WireGuard, so each time I address an IP from the other network it connects over WireGuard and just works as if it were on my local network.

Which is essentially what my two main Fritzboxes (7590 and 7490) do now, after setting up their built-in IPsec VPN (very easy to do in the router GUI). The only "problem" is that the native Fritzbox VPN variant is really slow, so I'm trying to resolve that with two dedicated 7412s building a WireGuard network.

Can anyone lend me a hand with the WireGuard config on both 7412 routers running OpenWRT (and possibly any static routes to set on the main routers)?

Thanks in advance - Mark

1 Like

Assuming your two networks are 192.168.0.0/24 and 192.168.1.0/24.

On the OpenWRT router in the 192.168.0.0/24 subnet.

config interface 'vpn'
        option proto 'wireguard'
        option private_key '###'
        option listen_port '51820'

config wireguard_vpn
        option public_key '###'
        option preshared_key '###'
        option description 'Site B'
        list allowed_ips '192.168.1.0/24'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        option endpoint_host 'IP or hostname for other site'
        option endpoint_port '51820'

On the router in the 192.168.1.0/24 subnet.

config interface 'vpn'
        option proto 'wireguard'
        option private_key '###'
        option listen_port '51820'

config wireguard_vpn
        option public_key '###'
        option preshared_key '###'
        option description 'Site A'
        list allowed_ips '192.168.0.0/24'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        option endpoint_host 'IP or hostname for other site'
        option endpoint_port '51820'

Add the appropriate keys to the relevant configs. On the main routers add port forwards and static routes. So in 192.168.0.0/24 you need to add a static route on the main router for 192.168.1.0/24 with your OpenWRT router as the gateway, and vice versa at the other site.

On the OpenWRT routers add the VPN interfaces to the lan zone in the firewall.

2 Likes
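The two fragments above have to mirror each other exactly (each side's allowed_ips is the other side's LAN, endpoint_port matches the other side's listen_port, the preshared key is identical), and the commonest failure when it "doesn't work" is one of those values being off. The following script is an added example, not something from this thread or from the OpenWrt project: it renders the same config shape for both sites from parameters, parses the UCI text back, and cross-checks the pair. The subnets are the ones assumed in the answer; the key strings, the endpoint hostnames and the function names are placeholders I made up. The main-router static routes and the firewall zone assignment are outside what it checks.

```python
"""Cross-check a pair of OpenWrt WireGuard site-to-site UCI configs (added example)."""
import ipaddress
import re

SITE_A_LAN = "192.168.0.0/24"
SITE_B_LAN = "192.168.1.0/24"


def site_config(private_key, peer_public_key, psk, peer_name, remote_lan, endpoint_host):
    """Render the per-site /etc/config/network fragment in the shape used in the thread."""
    return f"""
config interface 'vpn'
        option proto 'wireguard'
        option private_key '{private_key}'
        option listen_port '51820'

config wireguard_vpn
        option public_key '{peer_public_key}'
        option preshared_key '{psk}'
        option description '{peer_name}'
        list allowed_ips '{remote_lan}'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        option endpoint_host '{endpoint_host}'
        option endpoint_port '51820'
"""


# Constructed sample configs; the key strings are placeholders, not real key material.
SITE_A_UCI = site_config("PRIVKEY_A_PLACEHOLDER", "PUBKEY_B_PLACEHOLDER", "PSK_PLACEHOLDER",
                         "Site B", SITE_B_LAN, "site-b.example.invalid")
SITE_B_UCI = site_config("PRIVKEY_B_PLACEHOLDER", "PUBKEY_A_PLACEHOLDER", "PSK_PLACEHOLDER",
                         "Site A", SITE_A_LAN, "site-a.example.invalid")

# Minimal UCI line grammar: enough for the quoted-value fragments above.
_LINE = re.compile(r"^(config|option|list)\s+(\S+)(?:\s+'([^']*)')?$")


def parse_uci(text):
    """Return a list of sections: {'type', 'name', 'options': {k: v}, 'lists': {k: [v, ...]}}."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparseable UCI line: {raw!r}")
        kind, key, value = m.groups()
        if kind == "config":
            sections.append({"type": key, "name": value, "options": {}, "lists": {}})
        elif kind == "option":
            sections[-1]["options"][key] = value
        else:
            sections[-1]["lists"].setdefault(key, []).append(value)
    return sections


def wg_parts(sections):
    """Pick out the WireGuard interface and its peer sections (type wireguard_<ifname>)."""
    iface = next(s for s in sections
                 if s["type"] == "interface" and s["options"].get("proto") == "wireguard")
    peers = [s for s in sections if s["type"] == f"wireguard_{iface['name']}"]
    return iface, peers


def check_site_pair(local_uci, local_lan, remote_uci, remote_lan):
    """Return a list of problems with the local side as seen against the remote side."""
    problems = []
    _, local_peers = wg_parts(parse_uci(local_uci))
    remote_iface, remote_peers = wg_parts(parse_uci(remote_uci))
    if len(local_peers) != 1 or len(remote_peers) != 1:
        return ["expected exactly one peer section on each side"]
    peer, remote_peer = local_peers[0], remote_peers[0]
    local_net, remote_net = ipaddress.ip_network(local_lan), ipaddress.ip_network(remote_lan)
    allowed = [ipaddress.ip_network(a) for a in peer["lists"].get("allowed_ips", [])]
    if remote_net not in allowed:
        problems.append(f"allowed_ips {allowed} does not contain the remote LAN {remote_net}")
    for net in allowed:
        # The local LAN inside allowed_ips would pull local traffic into the tunnel.
        if net.overlaps(local_net):
            problems.append(f"allowed_ips {net} overlaps local LAN {local_net}")
    if peer["options"].get("route_allowed_ips") != "1":
        problems.append("route_allowed_ips is not '1': no route to the remote LAN is installed")
    if peer["options"].get("endpoint_port") != remote_iface["options"].get("listen_port"):
        problems.append("endpoint_port does not match the remote listen_port")
    if peer["options"].get("preshared_key") != remote_peer["options"].get("preshared_key"):
        problems.append("preshared_key differs between the two sides")
    if not peer["options"].get("persistent_keepalive"):
        problems.append("no persistent_keepalive: a NATed side will not keep its mapping open")
    return problems


if __name__ == "__main__":
    for name, args in (("A->B", (SITE_A_UCI, SITE_A_LAN, SITE_B_UCI, SITE_B_LAN)),
                       ("B->A", (SITE_B_UCI, SITE_B_LAN, SITE_A_UCI, SITE_A_LAN))):
        print(name, check_site_pair(*args) or "ok")
```

Run it once with the real fragments pasted into the two strings (the private keys never need to leave the routers for this; only the values that are visible on the other side are compared) before looking anywhere else for the fault.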

Hey, thanks for the speedy reply! I'll report back. Currently I've got both 7412s at home; I'll configure them accordingly and try it all out next week when I get to the second site again.

I already have an idea of what might have been wrong with my attempts: I assumed (and was led to believe by the c't articles) that a dedicated WireGuard network different from the two main networks was required, i.e. in the 10.0.0.0 range or something. But I guess that only makes sense for "road warrior" scenarios. The above looks much simpler and more plausible for my use case.

Nope, it's not like OpenVPN in that respect and doesn't require an underlying network of its own. You can set it up with one if you like, but it's not needed even in 'road warrior' situations.

1 Like

So, reporting back as promised, I'm glad to report it works like a charm! Thanks very much krazeh!

The only thing I did add was the local IPs of the 7412s on each network with 'list addresses'. They always receive the same address from the main router's DHCP.

config interface 'vpn'
       option proto 'wireguard'
       option private_key '#################################'
       option listen_port '51820'
       list addresses '192.168.xxx.xxx'

If it works then leave them there, but you shouldn't need it for everything to operate.

Also, if your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.