Remote access to my home network

Hey there,

I have a Linksys 3200ACM running as a Wireguard router with Hide.me and OpenWRT, which uses a kill switch in case the Wireguard connection ceases. Now I'd like to be able to directly connect to my home network, preferably also via a Wireguard tunnel from anywhere with my Android smartphone. I already tried to set up an old Raspberry Pi 2 with Alpine OS and set up a Wireguard server. Since I use a VPN that sometimes changes IP, I set up a DuckDNS domain that regularly updates my current IP from that Raspberry Pi with cron. Now I realized that most ports are closed on the VPN IP, but I could find 2 open ports for connection attempts. I allowed port forwarding for that port in Openwrt. Now I tried to connect from the Wireguard app, but it fails at the handshake continuously.

Any idea how I could make that work? If you have a simpler solution with direct connection through the router, that would also be fine.

Thanks in advance for your input!

Best, jajabinx

First set things up while the WireGuard client is disabled on the router and normal routing via the WAN is restored.

The problem is that the WG server traffic comes in via the WAN but also has to return via the WAN and default route is via the WG client.

So you have to route return traffic from the WG server via the WAN by using Policy Based Routing.

There are several ways to set up PBR; if you need help with that, report back, but first get things working while the WireGuard client on the router is disabled and normal WAN routing is restored.

I have a similar setup with a Raspberry Pi acting solely as my WireGuard server. As I remember, without researching the specifics, when I installed WireGuard, toward the later part of the installation it probed the ports to determine if it had access to the LAN network. As stated by egc, once you have it working on your internal LAN, then it's a matter of opening the right ports and routing on the WAN.

Alternatively you could install Tailscale on the RPi 2 to give you Remote Access to your Network. No open ports required on the Router and you don't need to touch the Wireguard Client on Linksys 3200ACM.

Tailscale RPi binaries

Tailscale involves another third party, while you can do it yourself, so it would not be my preferred choice, but it is an option.

Yes, I have been thinking about this too. I plugged the RPi to my ISP router for a trial and it didn't work there either. So, I'm going to set up everything again until it works over here before I try anything on my VPN router.

Can I use the Wireguard tunnel with VPN IP to make it work, or do you suggest I funnel the traffic around the Wireguard network to my ISP with policy-based routing?

Best, Jajabinx

I'm gonna try it that way once it runs on my ISP network :slight_smile:

That's a nice idea too, but I do it for the challenge. Next to this, I agree with egc :stuck_out_tongue:

I think your VPN provider supports port forwarding, so you can do it via your VPN provider, but if you have a public IP address from your ISP I would go the direct way.

I have this running with WireGuard Client and WireGuard server on the router.
You do need PBR; the PBR app actually takes care of this automatically, routing the WG server port out via the WAN.

Of course this only works if you are running the WireGuard server and the WireGuard client on the router.
If you want to set up a WireGuard server on your RPi, then you have to do this manually, but we can assist you with that.

I have some notes about setting up a WireGuard server and WireGuard client; see:

Maybe those are helpful.
If you are interested, make sure to download it, as GitHub only shows the first 5 pages.

The WireGuard Server setup guide has a paragraph about setting up a server on a BridgeAP which might be useful if you use your RPi that way.

My setup has a pihole and pivpn wireguard client separate from the router. So the port forwarding for the wireguard port just has to go to the fixed ip address of the pihole. I'm using DDNS too, with the client on the pihole.

That sounds interesting! Pi-hole for your own DNS server + WireGuard access from outside? Do you think RPi2 is powerful enough for that or do I need an RPi 4 or 5? How did you set that up? Do you have instructions?

Best

Jajabinx

I'm using a 3B for it - it does not load it much.
I've used a pi zero-w for the wireguard and pivpn client successfully, but I did not test it for very long. It seemed to work fine. I stopped using it because the ethernet cable via mini usb hub and adapter was messy and a fragile connection.
1 Install the Pi operating system. I'm using Bookworm. I installed it headless, which I can give instructions for if you want (but it is all on the web).
1a Give it a static ip address.
2 I cannot remember the order I installed them in. From the dates on the repositories I installed pi-hole first.
3 To install pi-hole,
git clone https://github.com/pi-hole/pi-hole
then run the installer script, under 'unattended install'
4 To install pivpn,
git clone https://github.com/pivpn/pivpn
the installer script is called auto_install/install.sh
Choose the wireguard client on first install (you can have openvpn too).
pivpn is not being maintained, but it still installs OK. I use it because I am familiar with it.
5 Generate the certificates as needed from pivpn command
6 In your router set up port forwarding (note the port to be used when you install, to your pi).
7 I also installed a dynamic dns client on the pi, in my case this was something I forked from bulletmark/dyndns.
git clone https://github.com/shelleycat485/dyndns
(my change was avoiding passwords in log files, it's on the test branch)
You need to put a dyndns.toml file in ~/.config and edit that for your provider. The files you need to copy around are documented.

PS A Wireguard comparison DB says that a pi zero is going to be adequate. The pi-hole is a very low load.

I already made your suggestions work on my ISP router network using Dietpi. Now I tried to make it work in the network on my VPN router network, but the handshake fails. I set up a port that is told to be open in portchecker. And as I described before, I have set up DuckDNS to substitute the IP in case I change countries. Any suggestions on how I could make it run directly through the network using my VPN? The only other option I see is using my ISP router to access the Raspberry Pi and then maybe use a USB Ethernet adapter to connect the Raspberry Pi to the VPN router. But I have concerns about doing so, because on one hand, I'm not sure if this connection won't maybe leak traffic the wrong way. On the other hand, I'm using a program that I don't want to use my ISP IP. Currently, my phone uses a VPN continuously, but if I connect with WireGuard, it will use my ISP IP. Am I wrong here?

Maybe try to use Tailscale instead....

Makes no sense... I will not pay another VPN service and involve another 3rd party for that...


To recap (and correct me if I am wrong):
You have a WireGuard client running on your internet facing router with all traffic routed via the WireGuard client tunnel

Now you want to have access to your home from outside.
So you want to setup a WireGuard server.

Traffic from outside has to reach your router; this can be routed via your WAN, but then you have to use PBR to route return traffic from the WireGuard server out via the WAN. The easy way is to install the WireGuard server on the router and simply install the PBR package, which will take care of this automatically.

You can of course install the WireGuard server on another router/client in your LAN, in which case you have to port forward and set up PBR on your main router to route the WireGuard server's traffic (source port) out via the WAN.

Alternative solution:
I think your VPN provider hide.me does allow port forwarding via your VPN but you have to check this.
If this is the case then you can use the VPN's IP address/port to connect from outside and do not need PBR as return traffic also can/should use the VPN.

But as said easiest solution is to install the WireGuard server on the router and install PBR.
But what is the fun in easy :sunglasses:
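The PBR step egc describes in this post and in the earlier reply ("route return traffic from the WG server via the WAN") is what the PBR package does for you when the server sits on the router; below is what the equivalent manual rules look like on a current OpenWrt (nftables/fw4) router. This is an added example, not code from the thread, from the PBR package or from egc's notes. The interface name, ISP router address, WireGuard port and RPi address are assumptions to be replaced with your own values; the script only prints the commands unless told to apply them.

```shell
#!/bin/sh
# Added example (not from the thread): manual policy-based routing so replies
# from a WireGuard server leave via the WAN instead of the default route,
# which on this router points into the Hide.me WireGuard client tunnel.
# Dry run by default; pass "apply-router" or "apply-rpi" to execute.
#
# Assumed values, adjust to your setup:
WG_PORT="${WG_PORT:-51820}"          # listen port of your WireGuard server
WAN_IF="${WAN_IF:-eth1}"             # WAN (ISP-facing) interface of the router
WAN_GW="${WAN_GW:-192.0.2.1}"        # ISP router address (placeholder, documentation range)
RPI_IP="${RPI_IP:-192.168.1.50}"     # LAN address of the RPi (only for the RPi variant)
TABLE_ID=100                         # extra routing table whose default route is the WAN
FWMARK=0x100                         # packet mark that selects that table

# Routing half, common to both variants: a table with the WAN as default
# route, and a rule that sends marked packets to that table before the main
# table (whose default route is the VPN tunnel) is consulted.
pbr_routing_cmds() {
  cat <<EOF
ip route replace default via $WAN_GW dev $WAN_IF table $TABLE_ID
ip rule add fwmark $FWMARK lookup $TABLE_ID priority 1000
EOF
}

# Variant A: the WireGuard server runs on the router itself. Its replies are
# locally generated, so they are marked in the output hook; chain type
# "route" makes the kernel redo the routing decision after the mark is set.
pbr_router_server_cmds() {
  pbr_routing_cmds
  cat <<EOF
nft add table inet wg_pbr
nft add chain inet wg_pbr out '{ type route hook output priority mangle; policy accept; }'
nft add rule inet wg_pbr out udp sport $WG_PORT meta mark set $FWMARK
EOF
}

# Variant B: the WireGuard server runs on the RPi behind the router. Its
# replies are forwarded traffic coming in from the LAN, so they are marked
# in prerouting (before routing); source address plus UDP source port
# identify them. The port forward from WAN to the RPi is still needed.
pbr_lan_server_cmds() {
  pbr_routing_cmds
  cat <<EOF
nft add table inet wg_pbr
nft add chain inet wg_pbr pre '{ type filter hook prerouting priority mangle; policy accept; }'
nft add rule inet wg_pbr pre ip saddr $RPI_IP udp sport $WG_PORT meta mark set $FWMARK
EOF
}

# Verification once applied: a lookup carrying the mark must resolve via the
# WAN interface, an unmarked one via the VPN tunnel. (Address is a placeholder.)
pbr_check_cmds() {
  echo "ip route get 203.0.113.9 mark $FWMARK"
}

case "${1:-}" in
  apply-router) pbr_router_server_cmds | sh -e ;;
  apply-rpi)    pbr_lan_server_cmds | sh -e ;;
  *) echo "# dry run; pass apply-router or apply-rpi to execute"
     pbr_router_server_cmds ;;
esac
```

Two caveats that follow from the thread: the mark rules only steer replies, so the firewall must still accept the server port on the WAN zone (variant A) or port-forward it to the RPi (variant B), and the rules live in their own nft table so a firewall reload does not touch them, which also means they have to be re-added from a startup script after a reboot.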

I would use something like tcpdump as the next step to see why the handshakes are not working. If nothing else try to get logging onto the packets going in to see where they are getting lost, and as said above, how they are going out.
You can always use something like netcat to send traffic and receive traffic on a chosen port; you may have to change your router build to get a netcat that can listen.
I choose to use separate machines just because the debugging is easier. If necessary wireshark is a good tool too.
If you are determined to get it working on your router, how about setting up an intermediate step with port forwarding to another machine with the wireshark server. It gives you monitoring points for debugging. When you have that working with the correct firewall rules to allow traffic through your router then change them to the correct source addresses.
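To make the tcpdump step suggested above concrete, here is an added example (not code from the thread) that builds the capture commands for the three places a handshake can get lost and classifies what shows up, so an empty capture can be told apart from a handshake that arrives but never gets answered. The WireGuard message layout used here (type byte followed by three zero bytes, 148-byte initiation, 92-byte response, 64-byte cookie reply) is from the WireGuard protocol; the port and interface names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): tcpdump helpers for a failing
# WireGuard handshake. WG_PORT is assumed to be the server's listen port;
# interface names are placeholders for your router and RPi.
WG_PORT="${WG_PORT:-51820}"

# Capture filter: only traffic to or from the WireGuard port.
wg_capture_filter() {
  printf 'udp port %s' "$WG_PORT"
}

# Commands for the three vantage points: router WAN side, router LAN side,
# and all interfaces on the RPi. -n skips DNS lookups, -X prints the payload
# so the message type byte is visible. A capture that stays empty on the
# WAN side means the packet never reaches the router (wrong IP, DDNS stale,
# port not open); one that stops at the initiation means the reply is lost.
wg_capture_cmds() {  # args: WAN interface, LAN interface
  printf 'tcpdump -ni %s -X %s\n' "$1" "$(wg_capture_filter)"
  printf 'tcpdump -ni %s -X %s\n' "$2" "$(wg_capture_filter)"
  printf 'tcpdump -ni any -X %s\n' "$(wg_capture_filter)"
}

# WireGuard messages start with a one-byte type and three reserved zero
# bytes; the handshake messages have fixed sizes, which makes them easy to
# recognise in a capture.
wg_msg_type() {  # args: type byte (decimal), UDP payload length in bytes
  case "$1:$2" in
    1:148) echo "handshake-initiation" ;;
    2:92)  echo "handshake-response" ;;
    3:64)  echo "cookie-reply" ;;
    4:*)   if [ "$2" -ge 32 ]; then echo "transport-data"; else echo "malformed"; fi ;;
    *)     echo "not-wireguard" ;;
  esac
}

# Classify a UDP payload given as a hex string (as copied from tcpdump -X).
wg_msg_from_hex() {
  hex="$1"
  len=$(( ${#hex} / 2 ))
  type=$(( 0x$(printf '%s' "$hex" | cut -c1-2) ))
  wg_msg_type "$type" "$len"
}

# Constructed sample: a 148-byte initiation (type 0x01, reserved zeros, then
# zero bytes standing in for the real key material, timestamp and MACs).
sample_initiation_hex() {
  printf '01000000'
  i=0
  while [ "$i" -lt 144 ]; do printf '00'; i=$((i+1)); done
}

# Healthy handshake as seen in a capture: 148 bytes phone -> server, then
# 92 bytes server -> phone. Initiation without a response is the signature
# of the return-path problem discussed in this thread.
wg_capture_cmds eth1 br-lan
wg_msg_from_hex "$(sample_initiation_hex)"
```

Run the printed tcpdump commands on the router (WAN side first) while the phone tries to connect; the classification functions are for reading the `-X` output by hand, and the same filter works as a Wireshark display filter (`udp.port == 51820`) if you prefer to capture to a file and inspect it there.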

I tried capturing packets on my laptop, but the file is empty, I guess. I set up the WireGuard client and tried to catch the handshake packets after starting the VPN. I guess that's out of my league. I think the router option is good enough if that works.

I have an ISP router that is stock and just supplies my OpenWRT router with internet in order to plug the WireGuard connection in there. My OpenWRT router is set up with the Hide.me WireGuard client.

Let me recap what you suggested with the router-only option: in addition to the WireGuard client, I'm going to install the WireGuard server on OpenWRT and use the PBR app to only allow access from my ISP router towards the WireGuard server.

If that is correct, wouldn't I be identified with my ISP IP being connected to the WireGuard server with my phone, or will I adopt the IP of the VPN router?

If I will only be identified by the VPN router IP, please give me instructions on how I can install it on my router!

The WireGuard traffic is encrypted, so your ISP cannot eavesdrop on you.