Please help with routing setup after WG site-to-site connection

Hi everyone,
Please help me configure routing from the LAN to the guest WireGuard zone.

I have been a long-time OpenVPN user (using OpenVPN for site-to-site and edge OpenVPN for routing of all traffic). Recently, I tried switching to WireGuard (partially), but unfortunately I got stuck with the basics.

Could someone guide me on how to configure routing from the RouterA LAN (192.168.1.0/24) to the RouterB Guest_WG (10.2.22.1/32)?

  • goal: I need access to the Guest_WG (B), where I will create a new peer (an edge WireGuard peer for routing all traffic to other devices located in the router A LAN zone).
  • note: I don't want to move WG or OpenVPN to other firewall zones, please. I would like to keep WG in the Guest FW zone.

Thank you.

My current Test Setup:
Firewall zones configuration on RouterA and RouterB:

RouterA firewall:

  • LAN (192.168.1.0/24) -> assigned to LAN firewall zone.
  • Guest_WG A (10.1.22.1/32) -> assigned to GUEST firewall zone

RouterB firewall:

  • LAN (192.168.2.0/24) -> assigned to LAN firewall zone.
  • Guest_WG B (10.2.22.1/32) -> assigned to GUEST firewall zone

Router A routing table:

Interface   Target            Gateway          Metric  Table
wan         0.0.0.0/0         192.168.xxx.1    0       main
GUEST_wg    10.1.22.1         -                80      main
(tun00)     10.1.254.0/24     -                0       main
GUEST_wg    10.2.22.1         -                80      main
lan         192.168.1.0/24    -                0       main
(tun00)     192.168.2.0/24    10.1.254.2       0       main
GUEST       192.168.22.0/24   -                0       main
wan         192.168.xxx.0/24  -                0       main

Router B routing table:

Interface   Target            Gateway          Metric  Table
wan         0.0.0.0/0         192.168.xxx.1    0       main
GUEST_wg    10.1.22.1         -                80      main
(tun00)     10.1.254.0/24     -                0       main
GUEST_wg    10.2.22.1         -                80      main
wan         xxx.xxx.xxx.xxx   192.168.xxx.1    0       main
(tun00)     192.168.1.0/24    10.1.254.1       0       main
lan         192.168.2.0/24    -                0       main
GUEST       192.168.21.0/24   -                0       main
wan         192.168.xxx.0/24  -                0       main

Router A WG setup:
config interface 'GUEST_wg'
	option proto 'wireguard'
	option private_key '<private-key>'
	option listen_port '<port>'
	list addresses '10.1.22.1/32'
	option metric '80'

config wireguard_GUEST_wg
	option description 'site-to-site_wg'
	option public_key '<public-key>'
	option private_key '<private-key>'
	option preshared_key '<preshared-key>'
	option route_allowed_ips '1'
	list allowed_ips '10.2.22.1/32'

Router B WG setup:
config interface 'GUEST_wg'
	option proto 'wireguard'
	option private_key '<private-key>'
	option listen_port '<port>'
	list addresses '10.2.22.1/32'
	option metric '80'

config wireguard_GUEST_wg
	option description 'site-to-site_wg'
	option public_key '<public-key>'
	option preshared_key '<preshared-key>'
	option route_allowed_ips '1'
	option endpoint_host '<endpoint-host>'
	option endpoint_port '<port>'
	option persistent_keepalive '25'
	option private_key '<private-key>'
	list allowed_ips '192.168.1.0/24'
	list allowed_ips '10.1.22.1/32'

The WireGuard connection works fine; I see a successful handshake on both routers.

Any suggestion of how to configure routing from the RouterA LAN (192.168.1.0/24) devices to the RouterB Guest_WG (10.2.22.1/32) would be greatly appreciated!

It looks like you do not have the right allowed ips in your peer configs.

Router A should have the allowed ips set as the router b subnet and vice versa.

From router a:

Change allowed ips to 192.168.2.0/24

It appears that router b already has the router a subnet in its allowed ips.

If that doesn’t solve your issue, we may want to adjust the addresses on your wg interface. But let’s see the complete configuration files from each side:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall

Thank you, @psherman, for your answer. Much appreciated!

Changed, but it doesn't solve the issue: devices on the RouterA LAN (192.168.1.0/24) still cannot ping the RouterB Guest_WG (10.2.22.1/32).

RouterA:

ubus call system board
{
        "kernel": "5.15.167",
        "hostname": "Router",
        "system": "ARMv8 Processor rev 4",
        "model": "ASUS TUF-AX4200",
        "board_name": "asus,tuf-ax4200",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.5",
                "revision": "r24106-10cc5fcd00",
                "target": "mediatek/filogic",
                "description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
        }
}

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan.99'
        option proto 'static'
        option igmp_snooping '1'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option delegate '0'

config device
        option name 'eth1'

config interface 'wan'
        option device 'eth1'
        option proto 'static'
        option ipaddr '192.168.100.100'
        option netmask '255.255.255.0'
        option gateway '192.168.100.1'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'no'

config bridge-vlan
        option device 'br-lan'
        option vlan '3'
        list ports 'lan1:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '8'
        list ports 'lan1:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '99'
        list ports 'lan1:t'
        list ports 'lan2:u*'
        list ports 'lan3:u*'
        list ports 'lan4:u*'

config interface 'GUEST'
        option device 'br-lan.8'
        option proto 'static'
        option ipaddr '192.168.22.1'
        option netmask '255.255.255.0'
        option delegate '0'

config interface 'IOTV'
        option proto 'static'
        option device 'br-lan.3'
        option ipaddr '172.16.98.1'
        option netmask '255.255.255.0'

config interface 'GUEST_wg'
        option proto 'wireguard'
        option private_key '<private-key>'
        option listen_port '<port>'
        option metric '80'
        list addresses '10.1.22.1/32'

config wireguard_GUEST_wg
        option description 'site-to-site_wg-TEST'
        option public_key '<public-key>'
        option private_key '<private-key>'
        option preshared_key '<preshared-key>'
        option route_allowed_ips '1'
        list allowed_ips '10.2.22.1/32'
        list allowed_ips '192.168.2.0/24'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list device 'tun00'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config zone
        option name 'GUEST'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'GUEST'
        list network 'GUEST_wg'

config zone
        option name 'IOTV'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'IOTV'

config forwarding
        option src 'lan'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'IOTV'

config forwarding
        option src 'GUEST'
        option dest 'wan'

config forwarding
        option src 'IOTV'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Allow VPN'
        option src 'wan'
        option dest_port 'xxxx-xxxx'
        option target 'ACCEPT'

config rule
        option name 'Allow Guest DHCPv6'
        option family 'ipv6'
        option proto 'udp'
        option src 'GUEST'
        option src_port '546'
        option dest_port '547'
        option target 'ACCEPT'

config rule
        option name 'Allow Guest DHCP'
        option family 'ipv4'
        option proto 'udp'
        option src 'GUEST'
        option dest_port '67-68'
        option target 'ACCEPT'

config rule
        option name 'Allow Guest DNS'
        option src 'GUEST'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Allow IPv6 Guest'
        option family 'ipv6'
        option proto 'icmp'
        list icmp_type 'echo-reply'
        list icmp_type 'echo-request'
        list icmp_type 'neighbour-advertisement'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'port-unreachable'
        list icmp_type 'protocol-unreachable'
        list icmp_type 'router-advertisement'
        list icmp_type 'router-solicitation'
        list icmp_type 'time-exceeded'
        option src 'GUEST'
        option target 'ACCEPT'
        option limit '1000/sec'
        option limit_burst '100'

config rule
        option name 'Allow IOTV DHCPv6'
        option family 'ipv6'
        option proto 'udp'
        option src 'IOTV'
        option src_port '546'
        option dest_port '547'
        option target 'ACCEPT'

config rule
        option name 'Allow IOT DHCP'
        option family 'ipv4'
        option proto 'udp'
        option src 'IOTV'
        option dest_port '67-68'
        option target 'ACCEPT'

config rule
        option name 'Allow IOTV DNS'
        option src 'IOTV'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Allow IPv6 IOTV'
        option family 'ipv6'
        option proto 'icmp'
        list icmp_type 'echo-reply'
        list icmp_type 'echo-request'
        list icmp_type 'neighbour-advertisement'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'port-unreachable'
        list icmp_type 'protocol-unreachable'
        list icmp_type 'router-advertisement'
        list icmp_type 'router-solicitation'
        list icmp_type 'time-exceeded'
        option src 'IOTV'
        option target 'ACCEPT'
        option limit '1000/sec'
        option limit_burst '100'

config rule
        option name 'upstream router access-ON'
        option family 'ipv4'
        option proto 'tcp'
        option src 'lan'
        option dest 'wan'
        option dest_port '80 22'
        option target 'ACCEPT'
        list dest_ip '192.168.100.1'
        list dest_ip '192.168.100.200'

root@OpenWrt:~# ip route
default via 192.168.100.1 dev eth1
10.1.22.1 dev GUEST_wg scope link  metric 80
10.1.254.0/24 dev tun00 scope link  src 10.1.254.1
10.2.22.1 dev GUEST_wg scope link  metric 80
172.16.98.0/24 dev br-lan.3 scope link  src 172.16.98.1
192.168.1.0/24 dev br-lan.99 scope link  src 192.168.1.1
192.168.2.0/24 via 10.1.254.2 dev tun00
192.168.2.0/24 dev GUEST_wg scope link  metric 80
192.168.22.0/24 dev br-lan.8 scope link  src 192.168.22.1
192.168.100.0/24 dev eth1 scope link  src 192.168.100.100

RouterB:

root@OpenWrt:~# ubus call system board
{
        "kernel": "5.15.167",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "Xiaomi Mi Router AX3000T",
        "board_name": "xiaomi,mi-router-ax3000t",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.5",
                "revision": "r24106-10cc5fcd00",
                "target": "mediatek/filogic",
                "description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
        }
}

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan.198'
        option proto 'static'
        option igmp_snooping '1'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'

config device
        option name 'wan'

config interface 'wan'
        option device 'wan'
        option proto 'static'
        option ipaddr '192.168.100.200'
        option netmask '255.255.255.0'
        option gateway '192.168.100.1'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option peerdns '0'
        option reqaddress 'none'
        option reqprefix 'no'

config bridge-vlan
        option device 'br-lan'
        option vlan '8'

config bridge-vlan
        option device 'br-lan'
        list ports 'lan2:u*'
        list ports 'lan3:u*'
        list ports 'lan4:u*'
        option vlan '198'

config interface 'GUEST'
        option device 'br-lan.8'
        option proto 'static'
        option ipaddr '192.168.21.1'
        option netmask '255.255.255.0'

config interface 'GUEST_wg'
        option proto 'wireguard'
        option private_key '<private-key>'
        option listen_port '<port>'
        list addresses '10.2.22.1/32'
        option metric '80'

config wireguard_GUEST_wg
        option description 'site-to-site_wg'
        option public_key '<public-key>'
        option preshared_key '<preshared-key>'
        option route_allowed_ips '1'
        option endpoint_host '<host_ip>'
        option endpoint_port '<port>'
        option persistent_keepalive '25'
        option private_key '<private-key>'
        list allowed_ips '10.1.22.1/32'
        list allowed_ips '192.168.1.0/24'

config wireguard_GUEST_wg
        option description 'server-traffic_wg-Phone'
        option public_key '<public-key>'
        option private_key '<private-key>'
        option route_allowed_ips '1'
        list allowed_ips '10.2.22.2/32'
        option disabled '1'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list device 'tun00'
        list network 'lan'

config forwarding
        option src 'lan'
        option dest 'wan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config zone
        option name 'GUEST'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'GUEST'
        list network 'GUEST_wg'

config forwarding
        option src 'GUEST'
        option dest 'wan'

config rule
        option name 'Allow VPN'
        option src 'wan'
        option dest_port 'xxxx-xxxx'
        option target 'ACCEPT'

config rule
        option name 'Allow Guest DHCP'
        option family 'ipv4'
        option proto 'udp'
        option src 'GUEST'
        option dest_port '67-68'
        option target 'ACCEPT'

config rule
        option name 'Allow Guest DNS'
        option src 'GUEST'
        option dest_port '53'
        option target 'ACCEPT'

root@OpenWrt:~# ip route
default via 192.168.100.1 dev wan
10.1.22.1 dev GUEST_wg scope link  metric 80
10.1.254.0/24 dev tun00 scope link  src 10.1.254.2
10.2.22.1 dev GUEST_wg scope link  metric 80
<myExternal_ip> via 192.168.100.1 dev wan
192.168.1.0/24 via 10.1.254.1 dev tun00
192.168.1.0/24 dev GUEST_wg scope link  metric 80
192.168.2.0/24 dev br-lan.198 scope link  src 192.168.2.1
192.168.21.0/24 dev br-lan.8 scope link  src 192.168.21.1
192.168.100.0/24 dev wan scope link  src 192.168.100.200

Again, the WireGuard connection works fine; I see a successful handshake on both routers.

note: I need to keep the current OpenVPN config (tun00), which I use to access the RouterB LuCI interface (192.168.2.1) from RouterA LAN devices (192.168.1.0/24). Also, I don't want to move WG or OpenVPN to other firewall zones, please: I need to keep WG in the Guest FW zone and OpenVPN in the LAN FW zone.

So, please, any advice on how to configure routing between networks:

  • from the devices in RouterA LAN (192.168.1.0/24) to the RouterB Guest_WG (10.2.22.1/32)?

Example: Windows ping and tracert from 192.168.1.8 to 10.2.22.1
C:\Users>tracert 192.168.2.1
Tracing route to 192.168.2.1 over a maximum of 30 hops
  1    <1 ms     1 ms     1 ms  192.168.1.1
  2    19 ms    18 ms    19 ms  192.168.2.1
Trace complete.

C:\Users>tracert 10.2.22.1
Tracing route to 10.2.22.1 over a maximum of 30 hops
  1     1 ms     1 ms     1 ms  192.168.1.1
  2  192.168.1.1  reports: Destination protocol unreachable.
Trace complete.

C:\Users>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Reply from 192.168.2.1: bytes=32 time=19ms TTL=63

C:\Users>ping 10.2.22.1
Pinging 10.2.22.1 with 32 bytes of data:
Reply from 192.168.1.1: Destination port unreachable.

It seems that you're pinging router addresses, not actual hosts behind the routers.

Since the Wireguard interfaces are assigned to the guest firewall zone on both sides, the zone rules are in play...

Note that the input rule is set to REJECT. That means that pings will be rejected if you ping to any address that the router itself holds.

Likewise, the guest firewall zone does not allow intra-zone forwarding (i.e. to the guest network), nor are zone forwards allowed from the guest zone to any other zone (except for the wan), nor any individual networks. This means that you will also not be able to ping devices behind the router either.

This is probably okay, but we do need to ensure that there aren't problems with the routing table as a function of this... so you may need to adjust the OpenVPN config to essentially allow only access to the routers themselves and avoid any additional routing. We'll deal with that later, if necessary.

Why is this?

  • You're trying to create a site-to-site VPN per your description. But your WG interfaces are confusingly named with "guest" and then assigned to a guest firewall zone.
    • Is the wireguard tunnel related to actual guest usage? A site-to-site usually doesn't involve guest networks.
  • The firewall configuration currently entirely neuters the idea of a site-to-site (although you have achieved a router-to-router connection).
  • Your original premise was to allow routing from router A to router B.
    • Can you be specific about:
      • which network(s) on router A should be able to reach what network(s) on Router B?
      • And what about from router B to router A?
      • We should be able to deduce networks that should not be allowed to connect to each other from the two sites, but if there is any ambiguity or special notes, please detail those.
      • Are there other restrictions (or allowances) that you want to place on the Wireguard setup?
      • Why do you want the wireguard networks assigned to the guest zone?
        • It can (and should) exist in its own zone so you can control the routing permissions of that site-to-site individually.

I'm going to attempt to summarize what I think your ultimate goal is -- this will serve to make sure that I understood the description you provided...

  • You want to route traffic from the guest network at site A through the tunnel and out the wan at site B, thus making that traffic appear to originate from Site B.

Is that correct?


Yes, totally correct!

Ok... we're going to need to define some other things regarding access permissions, but that can wait until everything is working.

  • The wireguard network on both sides should be in its own firewall zone. For now, that zone should have all three zone rules set to accept and masquerading disabled.
  • Router A will have a forwarding rule from the guest zone > wireguard zone.
  • You will need policy based routing on router A so that you can specify that the traffic from the router A guest network should egress through the Wireguard tunnel.
  • Router B will need a static route to allow proper return traffic to the guest network on router A.

With all that in mind, do you need help implementing these things, or does this provide sufficient clarity for how this will work?

Sorry, I now see the issue in my incorrect answer.
My fault. Sorry.

Correct answer:
I want to route traffic from the LAN network at site A through the tunnel and out the wan at site B, thus making that traffic appear to originate from Site B.

Ok... that's more or less the same, just that you'll have lan > wg forwarding on router A, and a static route on router B that points to router A's lan.


So I need:

  1. Create a new separate firewall zone for WireGuard, assign the WireGuard interface to this new firewall zone, and set it to accept with masquerading disabled. I need to do it on both routerA and routerB.
  2. Create a new lan > wg forwarding rule on router A.
  3. Create static route on router B that points to router A's lan.

I think I can easily configure all of these.

But do I still need this?:

It could be a blocker for me since I have never dealt with policy based routing before.
Could you please assist me with it, considering my current configuration that I provided previously?

Yes, the steps there are correct. It's possible that there will be other tweaks necessary, but those are the primary things.

Yes(ish), you do. It will be required unless you want to manually create your routing tables. PBR is effectively an easier to use front-end to the process.

Ironically, I have never used PBR myself so I can't help with details of the config. But I believe that it is actually fairly easy to use, and it is well documented.

https://openwrt.org/docs/guide-user/network/routing/pbr
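The plan discussed above (a separate WireGuard zone on both routers, lan > wg forwarding on router A, PBR on router A, a static route on router B), written out as UCI fragments against the configs posted earlier. This is an added example, not configuration from the thread: the zone name wg, the pbr package and its policy option names, and the wg > wan forwarding on router B that the egress needs are assumptions.

```uci
# ---- Router A, /etc/config/firewall ----
# GUEST zone: drop 'list network GUEST_wg' so the tunnel is no longer a guest network.
config zone
	option name 'GUEST'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'GUEST'

# New zone for the site-to-site tunnel only: all three rules ACCEPT, no masquerading
# (assumed zone name 'wg'; tighten input/forward later once traffic flows).
config zone
	option name 'wg'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '0'
	list network 'GUEST_wg'

# lan > wg, so 192.168.1.0/24 may be forwarded into the tunnel.
config forwarding
	option src 'lan'
	option dest 'wg'

# ---- Router A, /etc/config/pbr (assumes the pbr package is installed) ----
config pbr 'config'
	option enabled '1'

# Send everything sourced from the router A LAN out through the WireGuard interface
# instead of the main-table default via eth1 (assumed pbr policy option names).
config policy
	option name 'RouterA LAN via site-to-site WG'
	option src_addr '192.168.1.0/24'
	option interface 'GUEST_wg'

# ---- Router B, /etc/config/firewall ----
# Same dedicated zone; remove 'list network GUEST_wg' from the GUEST zone as on router A.
config zone
	option name 'wg'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '0'
	list network 'GUEST_wg'

# Tunnel traffic must be allowed out of router B's wan (assumed, needed for the egress);
# the wan zone already has masq '1', so it leaves with router B's address.
config forwarding
	option src 'wg'
	option dest 'wan'

# ---- Router B, /etc/config/network ----
# Return path for router A's LAN through the tunnel.
config route
	option interface 'GUEST_wg'
	option target '192.168.1.0/24'
```

Router B's ip route output above already lists 192.168.1.0/24 both via tun00 (metric 0) and on GUEST_wg (metric 80); the lower metric wins, so the OpenVPN route has to be adjusted, as noted earlier in the thread, before return traffic actually takes the WireGuard path.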

Many thanks for the help and guidance!

I’ll be back in 1-2 days after configuring and testing it, and I’ll share the results. Now I have a clear vision of what needs to be done.
Thank you!

You're welcome.

Once things are working in general, you can refine the allowances/restrictions of the traffic flows. Don't worry about the details there, though, until you know that the general lan traffic is flowing through the tunnel.


Thank you for your suggestions, it resolved the issue!
