Pi as a Wireguard Server/ LAN gateway - How to configure OpenWrt Router?

Ok, having abandoned my previous tactic, I'm now on a more efficient one I'm hoping.

I've got a Pi up and running within my LAN as a Wireguard server connecting to Torguard VPN, and initial tests worked for connectivity before I started fiddling...

Then messing with my OpenWrt router in order to make the Pi a default gateway, it's all gone Pete Tong...

Currently, I can SSH Pi internally, but it has no internet connectivity (interfaces are UP).
[screenshot]
Torguard: [screenshot]

Router and LAN/WiFi all working fine but not passing through Pi clearly.

Must need to fiddle with rules/zones but not found the right combo yet.

LAN = 192.168.0.1
Pi (intended gateway) = 192.168.0.117


These are the zones - messed about plenty but latest iteration:


So, to confirm, I want to have everything connected to Router > Pi (gw) > Wireguard > Router > WAN > Torguard > Out into the great yonder

I must be so close, with clear misunderstandings, so would really appreciate the final config steps please.

I'm at the point where I literally will pay someone to help me get this sorted btw!! Going grey....

It seems you are confused.

  • You need a VPN server if you want to access your LAN services remotely.
  • You need a VPN client if you want to hide your LAN traffic from the ISP.
  • You need VPN-PBR if you are using a VPN server and client simultaneously or want to utilize split tunneling.

It wouldn't surprise me, I'm seeing sounds right about now!

So, latest development: removed the Pi gateway from interfaces, played with some traffic routing, added the Pi IP as the gateway for LAN, and we're in business to a degree. I've forced my PC to use the Pi as the default gw and now everything is routing correctly, but just that PC. Is there a way to force everything through the VPN without having to edit the gw on every device?

Also, set up a profile of the Pi for my Android, but it's not getting through annoyingly, more fiddling!


Certainly, there is, as the WireGuard client how-to utilizes this mode by default, so it's best to compare your settings:

uci show network; uci show firewall

Although, the VPN is on the Pi, not the OpenWrt router, right? The Pi is running Raspbian + PiVPN (WireGuard), so would the above be as applicable?

Is it feasible for you to put OpenWRT on the Pi and use it directly as your router?

Hmm, not really, would prefer as is tbh. Put OpenWrt on the router to have that as the VPN, but realised I'd not be getting my 100mbit connection through it, so decided to keep the router as is and the Pi4 to do the grunt work. Setting that up as PiVPN was a delight, so simple (spent a long week trying to sort all this, so a bit worn out now!)

Probably in this case it would be optimal to configure the default gateway based on the client MAC address:

Right, I tried this and it seemingly killed the whole network which was rather frustrating! More reading up is necessary I feel...

If you recall, I removed the VPN interfaces and simply have WAN/LAN now.

Make sure the host 192.168.0.117 uses a static IP address with default gateway 192.168.0.1.

Yes, believe so


If your devices are configured to use DHCP, they should get the configured gateway from the interface settings. It is not updated instantly, only after the current lease has expired; might that be the reason? You can see the remaining lease time per client on the status / overview page.

As far as I understand your use case, you don't need an additional zone for the Pi, just keep it in the same interface as the other devices, with the lan zone. Then set the port forwarding From wan, To lan and leave IP and port as is.

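The two suggestions above (hand the Pi out as default gateway only to chosen clients, and a plain wan-to-lan port forward to the Pi) as one added example; this is not config from the thread or from the OpenWrt project. It assumes the Pi's MAC (placeholder), a PiVPN WireGuard listen port of 51820 (WireGuard's default) and the interface name lan; the functions only print uci commands, to be reviewed and then piped into sh on the router.

```shell
#!/bin/sh
# Added example: generates OpenWrt uci commands for the setup discussed.
# Nothing here changes the router by itself; run the printed lines on the router.

PI_IP="192.168.0.117"
ROUTER_IP="192.168.0.1"             # gateway the Pi itself must keep using
PI_MAC="AA:BB:CC:DD:EE:FF"          # placeholder: replace with the Pi's real MAC
WG_PORT="51820"                     # assumed: PiVPN's WireGuard listen port

# Static lease so the Pi's address never changes. The Pi stays in the plain
# lan pool (no tag), so it still receives $ROUTER_IP as its own gateway.
pi_static_lease() {
    printf "uci set dhcp.pi=host\n"
    printf "uci set dhcp.pi.name='pi'\n"
    printf "uci set dhcp.pi.mac='%s'\n" "$PI_MAC"
    printf "uci set dhcp.pi.ip='%s'\n" "$PI_IP"
}

# Send DHCP option 3 (router) = Pi only to the listed client MACs via a
# dnsmasq tag; every other host keeps the real router as gateway, which gives
# per-device split routing without editing each device by hand.
route_hosts_via_pi() {
    printf "uci set dhcp.viapi=tag\n"
    printf "uci add_list dhcp.viapi.dhcp_option='3,%s'\n" "$PI_IP"
    n=0
    for mac in "$@"; do
        n=$((n + 1))
        printf "uci set dhcp.viapi%d=host\n" "$n"
        printf "uci set dhcp.viapi%d.mac='%s'\n" "$n" "$mac"
        printf "uci set dhcp.viapi%d.tag='viapi'\n" "$n"
    done
}

# Port forward From wan To lan for the WireGuard handshake (UDP only), with the
# Pi as destination. No extra zone is needed; the Pi simply lives in lan.
forward_wireguard() {
    printf "uci set firewall.wg=redirect\n"
    printf "uci set firewall.wg.name='WireGuard to Pi'\n"
    printf "uci set firewall.wg.src='wan'\n"
    printf "uci set firewall.wg.dest='lan'\n"
    printf "uci set firewall.wg.proto='udp'\n"
    printf "uci set firewall.wg.src_dport='%s'\n" "$WG_PORT"
    printf "uci set firewall.wg.dest_ip='%s'\n" "$PI_IP"
    printf "uci set firewall.wg.dest_port='%s'\n" "$WG_PORT"
    printf "uci set firewall.wg.target='DNAT'\n"
}

# On the router: { pi_static_lease; route_hosts_via_pi 11:22:33:44:55:66; forward_wireguard; } | sh
# then: uci commit dhcp; uci commit firewall; /etc/init.d/dnsmasq restart; /etc/init.d/firewall restart
```

Clients only pick up the new gateway when their lease is renewed, so after committing, reconnect the tagged devices (or shorten the lease) rather than waiting 12 hours.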

Oh actually, that's a good point, see, I didn't realise that! Lease time perhaps, most are set to 12hrs though, so is there a command, for example, I can run to force everything quickly?

With regards to the Pi as an interface/zone: I guessed and removed that, and things are much better for sure. Problem is, I'm trying to access the Pi WG server via external Android and can't get a handshake. Tried fiddling with port forwarding, traffic rules and various combinations, but no handshake grrr

I then realised that lots of the sites I frequent aren't working with Torguard, so having everything routing through that is unnecessary perhaps, so I'd like to just push certain things through. Some of which I cannot change the gw on, so I need to work out rules for them all. Daunting, as I can't even get SSH/WireGuard through the firewall.

I'm in IT and not a complete moron, but there's no doubt about it, Linux/OpenWrt is far more advanced than a normal router gui eh!

If you want to do it from the router, then:

  • Restart Wi-Fi for wireless clients.
  • Power-off the router for wired clients.

Simple, sure I did this in various ways but worth another shot when I don't disconnect two home workers!
