And it's a home run!
First of all, thanks to everyone for analyzing the data you've been asking for; the configuration is probably a bit more complex than usual.
What happened:
- I discovered that one piece of info was missing from my context: incoming connections arriving from the WAN interface were on a port distinct from 51555 (the intent was to use one port to enter the ISP router, then NAT to another port, then land on a last port on the VPN interface; whether it is useful, certainly not, but it was set up that way).
- At one point, and I didn't catch that we were making a mistake (that's the problem when working late at night), we removed the port forwarding rule that moved packets from the incoming port to the VPN port.
- And then all other adjustments made everything work together.
What I have learned in the process is that the VPN interface is not related to any physical interface, but somehow a rule is implicitly created on the WAN interface to move packets to "Accept packets", which then transfers to the VPN interface.
In the end, very little work is required to make such a config work. Some notes below:
Objectives:
- allow roaming devices to connect to your home network
- home network sits behind the ISP router and an OpenWRT router behind which are several subnets with the target devices
Strategy:
- create a WireGuard VPN tunnel between the roaming client and the OpenWRT router
- the OpenWRT router is considered to be operating correctly, with the WAN interface connecting to the ISP router and the LAN interface connecting to the subnet we want to access.
- The OpenWRT router provides DNS service (AdGuard Home in my case, but could be anything).
In detail:
- The client will connect to the ISP router using a static address or a DDNS hostname.
- The client connects on a first port, hereafter named ISPPORT.
- The ISP router will be configured with a NAT from ISPPORT to VPNPORT for UDP protocol with a target device being the OpenWRT router.
- Now OpenWRT shall be configured with a WireGuard VPN interface:
# /etc/config/network
config interface 'VPN'
	option proto 'wireguard'
	option private_key '$wgserver.key'
	option listen_port 'VPNPORT'
	list dns 'DNS_IPADDR'
	list addresses '10.20.10.1/24'

# peer section: only the peer's public key and the preshared key belong here;
# the peer's private key stays on the client and is not a valid option for a peer
config wireguard_VPN
	option description 'MyPeer'
	option public_key 'PEERKEY.PUB'
	option preshared_key 'PEERKEY.PSK'
	option persistent_keepalive '25'
	option route_allowed_ips '1'
	list allowed_ips '10.20.10.2'

# /etc/config/firewall
config zone
	option name 'VPN'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'VPN'
- Allow forwarding to LAN subnet:
# /etc/config/firewall
config forwarding
	option src 'VPN'
	option dest 'lan'
- Allow packets to VPNPORT incoming from WAN interface:
# /etc/config/firewall
config rule 'wg'
	option name 'Allow-Wireguard'
	option src 'wan'
	option dest_port 'VPNPORT'
	option proto 'udp'
	option target 'ACCEPT'
And last but not least, configure the client, here the Android WireGuard client (not sure if the others differ, hopefully not):
- IP: 10.20.10.2/32
- PORT: ISPPORT
- DNS: <empty>
- Fill in Pub key/Preshared key
- TCP keep alive 25
- Allowed IP addresses: LANSUBNET, 10.20.10.0/24
- Endpoint: ISPADDR:ISPPORT or YOURDDNSNAME:ISPPORT
In my case, LANSUBNET is 192.168.7.0/24.
Again, I'd like to thank egc, mk24, and psherman for their great support! I joined this forum with hopes of getting this config working; it took just over 24h... I'm impressed by your capability of reading through configs that easily.
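An added consistency check for the port chain this post walks through (my own example, not code from the post or from OpenWrt): it parses the UCI snippets and verifies that the ISP router's NAT targets the interface's listen port, that the client endpoint uses the ISP-facing port, that the wan rule, zone and forwarding exist, and that the client's AllowedIPs cover the LAN subnet. The UCI text, ISPPORT 40000 and the client dictionary are constructed sample values; VPNPORT 51555 and 192.168.7.0/24 are the post's.

```python
import ipaddress, re

def parse_uci(text):
    """Parse UCI 'config/option/list' lines into [{'type', 'name', 'opts'}]."""
    secs = []
    for line in filter(None, map(str.strip, text.splitlines())):
        kind, key, val = re.match(r"(config|option|list)\s+(\S+)(?:\s+'([^']*)')?", line).groups()
        if kind == 'config':
            secs.append({'type': key, 'name': val, 'opts': {}})
        else:  # option and list values are both kept as lists under the section
            secs[-1]['opts'].setdefault(key, []).append(val)
    return secs

def has(secs, **want):
    # True if some section carries every key/value pair given in `want`
    return any(all(v in s['opts'].get(k, []) for k, v in want.items()) for s in secs)

def check_path(uci_text, isp_nat, client):
    """Return the broken links in the chain client -> ISP NAT -> OpenWrt firewall -> LAN."""
    secs = parse_uci(uci_text)
    wg = next(s for s in secs if 'wireguard' in s['opts'].get('proto', []))
    vpnport, ifname = wg['opts']['listen_port'][0], wg['name']
    zone = next((s['opts']['name'][0] for s in secs if ifname in s['opts'].get('network', [])), None)
    lan = ipaddress.ip_network(client['lan_subnet'])
    checks = [  # (condition that must hold, message reported when it does not)
        (isp_nat and (isp_nat['proto'], isp_nat['dst_port']) == ('udp', vpnport), f'ISP router must forward udp/{vpnport} to the OpenWrt router'),
        (isp_nat is None or client['endpoint_port'] == isp_nat['src_port'], 'client endpoint port is not the ISP-facing port'),
        (has(secs, src='wan', proto='udp', dest_port=vpnport, target='ACCEPT'), f'no firewall rule accepting udp/{vpnport} from wan'),
        (zone and has(secs, src=zone, dest='lan'), f'no zone/forwarding from {ifname} to lan'),
        (any(lan.subnet_of(ipaddress.ip_network(a)) for a in client['allowed_ips']), 'client AllowedIPs do not cover the LAN subnet'),
    ]
    return [msg for ok, msg in checks if not ok]

SAMPLE_UCI = """
config interface 'VPN'
option proto 'wireguard'
option listen_port '51555'
config zone
option name 'VPN'
list network 'VPN'
config forwarding
option src 'VPN'
option dest 'lan'
config rule 'wg'
option src 'wan'
option proto 'udp'
option dest_port '51555'
option target 'ACCEPT'
"""  # constructed sample of the post's network + firewall sections
ISP_NAT = {'proto': 'udp', 'src_port': '40000', 'dst_port': '51555'}  # ISPPORT 40000 is a constructed value
CLIENT = {'endpoint_port': '40000', 'allowed_ips': ['192.168.7.0/24', '10.20.10.0/24'], 'lan_subnet': '192.168.7.0/24'}
```

Dropping the ISP NAT (`check_path(SAMPLE_UCI, None, CLIENT)`) reproduces the mistake described in the post as a single reported problem.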