Reverse WireGuard tunnel

  1. ISP with a private IP which is accessible inside the country (100mbs domestic - 10mbs outside) (10.15x.xx.xx) and a public IP (193.xx.xx.xx) - not accessible
  2. ISP with a private IP which is not accessible (100mbs domestic - 30mbs outside) (100.9x.xx.xx), CGNAT, and a public IP (185.xx.xx.xx) - not accessible

I can access the private IP (10.15x.xx.xx) of the 1st home from all ISPs that we have in our country. Therefore I need something like a reverse setup: set up a WireGuard server in the 1st home, where I can have access to all domestic incoming traffic, and when the 1st home and the 2nd home are connected to each other, route all traffic from the 1st home through the 2nd home's internet, where my speed limit to the outside is 30mbs.

Ok, I see now, thanks.

Have:
home 1: router with OpenWrt; ISP with a private IP which is accessible inside the country (100mbs domestic - 10mbs outside) (10.15x.xx.xx) and a public IP (193.xx.xx.xx) - not accessible
home 2: router with Keenetic OS; ISP with a private IP which is not accessible (100mbs domestic - 30mbs outside) (100.9x.xx.xx), CGNAT, and a public IP (185.xx.xx.xx) - not accessible

Have set up a WireGuard server on home 1 (OpenWrt); home 2 connected successfully and can use the ISP from home 1.

Need to do the reverse, to use the ISP connection from home 2 (home 1 needs to use the ISP from home 2).

I can access the private IP (10.15x.xx.xx) of the 1st home from all ISPs that we have in our country. Therefore I need something like a reverse setup: set up a WireGuard server in the 1st home, where I can have access to all domestic incoming traffic, and when the 1st home and the 2nd home are connected to each other, route all traffic from the 1st home through the 2nd home's internet, where my speed limit to the outside is 30mbs. But the problem is that I can't set up a WireGuard server at the 2nd home because it is not accessible from the 1st home.

Not both at the same time though, right? That could get complicated. I assume that you want users of 2's LAN to reach the Internet directly through ISP 2.
This would mostly be reversing the situation so that 0.0.0.0/0 is a routed allowed_ip in 1, thus all of 1's Internet use goes through the tunnel.
A potential problem is that since 1 is the responder (its wireguard is listening for connections from anywhere), it may not automatically configure a "hole punch" route so that encrypted packets from 1->2 go via the regular WAN, not the VPN. You don't know what 2's NATd 10.x.x.x IP will be, but you could just punch out all of 10.0.0.0/8 to go via the regular WAN, since in-country connections are faster anyway.

  • Change 2's allowed_ips to be only the tunnel IP of 1 and 1's LAN.
  • Change 1's allowed_ips to 0.0.0.0/0. Note this inherently includes 2's LAN, which must be a different subnet than 1's LAN.
  • Install a static route on 1: target 10.0.0.0/8, interface wan, gateway the regular ISP gateway.
1 Like

I tried to add 0.0.0.0/0 to the allowed IPs on the WireGuard server of the 1st home; the internet was fully disabled and the connection via WireGuard was also disabled because of the lost connection.

For example:
A user of the 1st home, a Windows PC (192.168.1.123), needs to use the ISP of the 2nd home. When the Windows PC user from home 1 browses internet sites and downloads something, it has to use the internet from the 2nd home's ISP.

Configure the VPN server:

  • Disable PBR app to avoid conflicts with built-in PBR.
  • Enable masquerading on the VPN firewall zone.
  • Enable the VPN interface and routing for allowed IPs.
  • Assign the VPN interface to a separate routing table.
  • Create a policy to route LAN clients to the VPN.
uci set pbr.config.enabled="0"
uci commit pbr
/etc/init.d/pbr disable
/etc/init.d/pbr stop
uci set firewall.@zone[2].masq="1"
uci set firewall.@zone[2].masq6="1"
uci set firewall.@zone[2].mtu_fix="1"
uci commit firewall
service firewall restart
uci -q delete network.wg.auto
uci set network.@wireguard_wg[0].route_allowed_ips="1"
uci -q delete network.@wireguard_wg[0].allowed_ips
uci add_list network.@wireguard_wg[0].allowed_ips="0.0.0.0/0"
uci add_list network.@wireguard_wg[0].allowed_ips="::/0"
for IPV in 4 6
do
uci set network.lan.ip${IPV}table="1"
uci set network.wg.ip${IPV}table="2"
uci -q delete network.lan_wg${IPV%4}
uci set network.lan_wg${IPV%4}="rule${IPV%4}"
uci set network.lan_wg${IPV%4}.in="lan"
uci set network.lan_wg${IPV%4}.lookup="2"
uci set network.lan_wg${IPV%4}.priority="30000"
done
uci commit network
service network restart
2 Likes

As I said, you also need to add a route so that the WireGuard process will send its encrypted packets over the regular ISP to house 2. Without this, attempts to reach house 2 are treated the same as the Internet: they go into the tunnel and are lost.

This can be done without adding a second routing table, as we know that house 2, after being NATd by ISP 2, has a 10.0.0.0 IP and you don't want to tunnel those anyway. This can be checked (without the 0 route in place yet) by running wg show at house 1 and observing the peer IP.

1 Like
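Added example, not from the thread and not part of anyone's posted config: a small POSIX shell script that takes the peer endpoint from `wg show wg endpoints` output (the check suggested above), tests whether it falls inside 10.0.0.0/8, and emits the uci commands for the bypass route described in the earlier bullet list (target 10.0.0.0/8, interface wan, gateway the ISP gateway). The sample `wg show` line, the section name `wg_bypass` and the gateway 10.150.20.1 are constructed assumptions; on the real router the gateway would come from `uci get network.wan.gateway`.

```shell
#!/bin/sh
# Added example, not from the thread: find the WireGuard peer endpoint that
# house 1 sees, confirm it is inside 10.0.0.0/8, and emit the uci commands
# for the static route that keeps encrypted packets to house 2 on the WAN.
# The sample output, the section name wg_bypass and the gateway are constructed.

# Constructed sample of `wg show wg endpoints` (one line per peer:
# "<peer-public-key><TAB><endpoint>").
SAMPLE_ENDPOINTS=$(printf 'zxxxxxxxxxkk=\t10.150.20.34:48951')

# Second whitespace-separated field with the trailing ":port" removed.
# Prints "(none)" when the peer has not completed a handshake yet.
peer_ip() {
    printf '%s\n' "$1" | awk 'NR == 1 { sub(/:[0-9]+$/, "", $2); print $2 }'
}

# 0 if the address is in 10.0.0.0/8 (the range the thread bypasses), else 1.
in_10_slash_8() {
    case "$1" in
        10.*) return 0 ;;
        *)    return 1 ;;
    esac
}

# uci commands for a named static route: 10.0.0.0/8 via the ISP gateway on
# the wan interface, more specific than the tunnel's 0.0.0.0/0 route.
hole_punch_route_cmds() {
    gw="$1"
    printf '%s\n' \
        "uci -q delete network.wg_bypass" \
        "uci set network.wg_bypass='route'" \
        "uci set network.wg_bypass.interface='wan'" \
        "uci set network.wg_bypass.target='10.0.0.0/8'" \
        "uci set network.wg_bypass.gateway='$gw'" \
        "uci commit network"
}

# Decide what the bypass should cover for the given `wg show` output:
# 0 = /8 bypass applies, 1 = endpoint outside 10/8 (needs a /32), 2 = no endpoint.
check_peer() {
    ip=$(peer_ip "$1")
    if [ -z "$ip" ] || [ "$ip" = "(none)" ]; then
        echo "no endpoint yet: peer has not handshaked"
        return 2
    fi
    if in_10_slash_8 "$ip"; then
        echo "peer endpoint $ip is in 10.0.0.0/8: the /8 bypass route applies"
        return 0
    fi
    echo "peer endpoint $ip is outside 10.0.0.0/8: bypass $ip/32 instead"
    return 1
}

check_peer "$SAMPLE_ENDPOINTS"
hole_punch_route_cmds "10.150.20.1"   # constructed ISP gateway
```

The script only prints the uci commands rather than running them, so it can be reviewed first; the return code of `check_peer` tells you whether the blanket /8 bypass is appropriate or whether the peer's address lies outside that range and needs a narrower route.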

Could you please help with which configs need these changes:

Home 1 - Openwrt

network
@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix 'fxxxxxxxxx8'

config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'

config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'

config device
option name 'wan'
option macaddr '5xxxxxxxxx'

config interface 'wan'
option device 'wan'
option proto 'static'
option ipaddr '10.1xxxxxxx'
option netmask '255.255.255.128'
option gateway '10.xxxxxxxxx'
list dns '1xxxxxxx2'
list dns '2xxxxxxxxx.2'

config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'

config interface 'wg'
option proto 'wireguard'
option auto '0'
option private_key 'mGxxxxxxxxx8='
option listen_port '51820'
list addresses '192.168.10.1/24'

config wireguard_wg
option description 'AZ-io'
option public_key 'zxxxxxxxxxkk='
option private_key '8OxxxxxxxxxEM='
list allowed_ips '192.168.10.4/32'
option route_allowed_ips '1'
option persistent_keepalive '25'

firewall
@OpenWrt:~# cat /etc/config/firewall

config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'

config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'

config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'

config forwarding
option src 'lan'
option dest 'wan'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

config rule
option name 'HTTP'
list proto 'tcp'
option dest_port '80'
option target 'ACCEPT'
option src 'wan'

config include 'pbr'
option fw4_compatible '1'
option type 'script'
option path '/usr/share/pbr/pbr.firewall.include'

config zone
option name 'wg'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'wg'

config forwarding
option src 'wg'
option dest 'lan'

config forwarding
option src 'wg'
option dest 'wan'

config rule
option name 'Wg'
list proto 'udp'
option src 'wan'
option dest_port '51820'
option target 'ACCEPT'

config rule
option name 'SCP'
list proto 'tcp'
option src 'wan'
option target 'ACCEPT'
option dest_port '22'
LuCI configs in images (screenshots not reproduced here): Interfaces, WG, Firewall

Client config

---interface---

  • name: home
  • private key: ***
  • public key: ***
  • ip address: 192.168.9.3/24

---peer---

  • public key: ***
  • preshared key: ***
  • ip-address of the server: ***.ddns.net:51820
  • allowed ip address: 0.0.0.0/0, ::/0

Home 2 - Keenetic

Summary

`

"interface": {
"0": {
"id": "FastEthernet0/0",
"index": 0,
"interface-name": "0",
"label": "0",
"type": "Port",
"traits": [
"EthernetPort",
"SwitchPort",
"MtkSwitchPort"
],
"role": [
{
"for": "FastEthernet0/Vlan2",
"role": "inet"
}
],
"link": "up",
"speed": "100",
"duplex": "full",
"auto-negotiation": "on",
"flow-control": "off",
"eee": "off",
"last-change": "189686.574027",
"last-overflow": "0",
"cable-diagnostics": false,
"public": true,
"link-group": {
"supported": false
},
"summary": {
"layer": {
"conf": "running",
"link": "running"
}
}
},
"1": {
"id": "FastEthernet0/1",
"index": 1,
"interface-name": "1",
"label": "1",
"type": "Port",
"traits": [
"EthernetPort",
"SwitchPort",
"MtkSwitchPort"
],
"link": "down",
"last-change": "189708.644310",
"last-overflow": "0",
"cable-diagnostics": false,
"public": false,
"link-group": {
"supported": false
},
"summary": {
"layer": {
"conf": "running",
"link": "pending"
}
}
},
"2": {
"id": "FastEthernet0/2",
"index": 2,
"interface-name": "2",
"label": "2",
"type": "Port",
"traits": [
"EthernetPort",
"SwitchPort",
"MtkSwitchPort"
],
"link": "down",
"last-change": "189708.646735",
"last-overflow": "0",
"cable-diagnostics": false,
"public": false,
"link-group": {
"supported": false
},
"summary": {
"layer": {
"conf": "running",
"link": "pending"
}
}
},
"3": {
"id": "FastEthernet0/3",
"index": 3,
"interface-name": "3",
"label": "3",
"type": "Port",
"traits": [
"EthernetPort",
"SwitchPort",
"MtkSwitchPort"
],
"link": "down",
"last-change": "189708.644900",
"last-overflow": "0",
"cable-diagnostics": false,
"public": false,
"link-group": {
"supported": false
},
"summary": {
"layer": {
"conf": "running",
"link": "pending"
}
}
},
"4": {
"id": "FastEthernet0/4",
"index": 4,
"interface-name": "4",
"label": "4",
"type": "Port",
"traits": [
"EthernetPort",
"SwitchPort",
"MtkSwitchPort"
],
"link": "down",
"last-change": "189708.643099",
"last-overflow": "0",
"cable-diagnostics": false,
"public": false,
"link-group": {
"supported": false
},
"summary": {
"layer": {
"conf": "running",
"link": "pending"
}
}
},
"FastEthernet0": {
"id": "FastEthernet0",
"index": 0,
"interface-name": "FastEthernet0",
"type": "FastEthernet",
"description": "",
"traits": [
"Mac",
"Switch",
"EthernetPort",
"MtkSwitch",
"MtkFastEthernet"
],
"link": "up",
"connected": "yes",
"state": "up",
"mtu": 1500,
"tx-queue-length": 1000,
"port": {
"0": {
"id": "FastEthernet0/0",
"index": 0,
"interface-name": "0",
"label": "0",
"type": "Port",
"traits": [
"EthernetPort",
"SwitchPort",
"MtkSwitchPort"
],
"role": [
{
"for": "FastEthernet0/Vlan2",
"role": "inet"
}
],
"link": "up",
"speed": "100",
"duplex": "full",
"auto-negotiation": "on",
"flow-control": "off",
"eee": "off",
"last-change": "189686.571393",
"last-overflow": "0",
"cable-diagnostics": false,
"public": true,
"link-group": {
"supported": false
}
},
"1": {
"id": "FastEthernet0/1",
"index": 1,
"interface-name": "1",
"label": "1",
"type": "Port",
"traits": [
"EthernetPort",
"SwitchPort",
"MtkSwitchPort"
],
"link": "down",
"last-change": "189708.641321",
"last-overflow": "0",
"cable-diagnostics": false,
"public": false,
"link-group": {
"supported": false
}
},
"2": {
"id": "FastEthernet0/2",
"index": 2,
"interface-name": "2",
"label": "2",
"type": "Port",
"traits": [
"EthernetPort",
"SwitchPort",
"MtkSwitchPort"
],
"link": "down",
"last-change": "189708.639596",
"last-overflow": "0",
"cable-diagnostics": false,
"public": false,
"link-group": {
"supported": false
}
},
"3": {
"id": "FastEthernet0/3",
"index": 3,
"interface-name": "3",
"label": "3",
"type": "Port",
"traits": [
"EthernetPort",
"SwitchPort",
"MtkSwitchPort"
],
"link": "down",
"last-change": "189708.637650",
"last-overflow": "0",
"cable-diagnostics": false,
"public": false,
"link-group": {
"supported": false
}
},
"4": {
"id": "FastEthernet0/4",
"index": 4,
"interface-name": "4",
"label": "4",
"type": "Port",
"traits": [
"EthernetPort",
"SwitchPort",
"MtkSwitchPort"
],
"link": "down",
"last-change": "189708.635805",
"last-overflow": "0",
"cable-diagnostics": false,
"public": false,
"link-group": {
"supported": false
}
}
},
"summary": {
"layer": {
"conf": "running",
"link": "running"
}
}
},
"FastEthernet0/Vlan1": {
"id": "FastEthernet0/Vlan1",
"index": 1,
"interface-name": "FastEthernet0/Vlan1",
"type": "Vlan",
"description": "Home VLAN",
"traits": [
"Mac",
"Ethernet",
"Ip",
"Ip6",
"Supplicant",
"EthernetIp",
"Vlan"
],
"link": "down",
"connected": "no",
"state": "up",
"mtu": 1500,
"tx-queue-length": 0,
"group": "Bridge0",
"usedby": [
"Bridge0"
],
"ipv6": {},
"mac": "5xxxxxxxxxxa",
"auth-type": "none",
"summary": {
"layer": {
"conf": "running",
"link": "pending",
"ctrl": "pending"
}
}
},
"FastEthernet0/Vlan2": {
"id": "FastEthernet0/Vlan2",
"index": 2,
"interface-name": "ISP",
"type": "Vlan",
"description": "Подключение Ethernet",
"traits": [
"Mac",
"Ethernet",
"Ip",
"Ip6",
"Supplicant",
"EthernetIp",
"Vlan"
],
"link": "up",
"connected": "yes",
"state": "up",
"mtu": 1500,
"tx-queue-length": 0,
"global": false,
"security-level": "public",
"usedby": [
"PPPoE0",
"ZeroTier0"
],
"ipv6": {},
"mac": "5xxxxxxxxxx6b",
"auth-type": "none",
"summary": {
"layer": {
"conf": "running",
"link": "running",
"ipv4": "disabled",
"ipv6": "disabled",
"ctrl": "running"
}
}
},
"FastEthernet0/Vlan3": {
"id": "FastEthernet0/Vlan3",
"index": 3,
"interface-name": "FastEthernet0/Vlan3",
"type": "Vlan",
"description": "Guest VLAN",
"traits": [
"Mac",
"Ethernet",
"Ip",
"Ip6",
"Supplicant",
"EthernetIp",
"Vlan"
],
"link": "down",
"connected": "no",
"state": "up",
"mtu": 1500,
"tx-queue-length": 0,
"group": "Bridge1",
"usedby": [
"Bridge1"
],
"ipv6": {},
"mac": "5xxxxxxxxxx9",
"auth-type": "none",
"summary": {
"layer": {
"conf": "running",
"link": "pending",
"ctrl": "pending"
}
}
},
"WifiMaster0": {
"id": "WifiMaster0",
"index": 0,
"interface-name": "WifiMaster0",
"type": "WifiMaster",
"description": "",
"traits": [
"WifiRadio",
"WifiMaster",
"MtkWifiMaster"
],
"link": "up",
"connected": "yes",
"state": "up",
"mtu": 1500,
"tx-queue-length": 1000,
"hwstate": "on",
"bitrate": 300000000,
"channel": 1,
"bandwidth": "20",
"busy-channels": [
1,
2,
3
],
"temperature": 60,
"summary": {
"layer": {
"conf": "running",
"link": "running"
}
}
},
"WifiMaster0/AccessPoint0": {
"id": "WifiMaster0/AccessPoint0",
"index": 0,
"interface-name": "AccessPoint",
"type": "AccessPoint",
"description": "Wi-Fi access point",
"traits": [
"Wireless",
"Mac",
"Ethernet",
"Ip",
"Ip6",
"Supplicant",
"EthernetIp",
"Wifi",
"AccessPoint",
"MtkAccessPoint"
],
"link": "up",
"connected": "yes",
"state": "up",
"mtu": 1500,
"tx-queue-length": 1000,
"group": "Bridge0",
"usedby": [
"Bridge0"
],
"ipv6": {},
"mac": "5xxxxxxxxxxa",
"auth-type": "none",
"ssid": "Xixxxxxxxxxx9",
"encryption": "wpa2",
"summary": {
"layer": {
"conf": "running",
"link": "running",
"ctrl": "running"
}
}
},
"WifiMaster0/AccessPoint1": {
"id": "WifiMaster0/AccessPoint1",
"index": 1,
"interface-name": "GuestWiFi",
"type": "AccessPoint",
"description": "Guest access point",
"traits": [
"Wireless",
"Mac",
"Ethernet",
"Ip",
"Ip6",
"Supplicant",
"EthernetIp",
"Wifi",
"AccessPoint",
"MtkAccessPoint"
],
"link": "down",
"connected": "no",
"state": "down",
"mtu": 1500,
"tx-queue-length": 1000,
"group": "Bridge1",
"usedby": [
"Bridge1"
],
"ipv6": {},
"mac": "52xxxxxxxxxxa",
"auth-type": "none",
"encryption": "",
"summary": {
"layer": {
"conf": "disabled",
"link": "disabled",
"ctrl": "disabled"
}
}
},
"WifiMaster0/AccessPoint2": {
"id": "WifiMaster0/AccessPoint2",
"index": 2,
"interface-name": "WifiMaster0/AccessPoint2",
"type": "AccessPoint",
"description": "",
"traits": [
"Wireless",
"Mac",
"Ethernet",
"Ip",
"Ip6",
"Supplicant",
"EthernetIp",
"Wifi",
"AccessPoint",
"MtkAccessPoint"
],
"link": "down",
"connected": "no",
"state": "down",
"mtu": 1500,
"tx-queue-length": 1000,
"global": false,
"security-level": "private",
"ipv6": {},
"mac": "5xxxxxxxxxxa",
"auth-type": "none",
"encryption": "",
"summary": {
"layer": {
"conf": "disabled",
"link": "disabled",
"ipv4": "disabled",
"ipv6": "disabled",
"ctrl": "disabled"
}
}
},
"WifiMaster0/AccessPoint3": {
"id": "WifiMaster0/AccessPoint3",
"index": 3,
"interface-name": "WifiMaster0/AccessPoint3",
"type": "AccessPoint",
"description": "",
"traits": [
"Wireless",
"Mac",
"Ethernet",
"Ip",
"Ip6",
"Supplicant",
"EthernetIp",
"Wifi",
"AccessPoint",
"MtkAccessPoint"
],
"link": "down",
"connected": "no",
"state": "down",
"mtu": 1500,
"tx-queue-length": 1000,
"global": false,
"security-level": "private",
"ipv6": {},
"mac": "5xxxxxxxxxxa",
"auth-type": "none",
"encryption": "",
"summary": {
"layer": {
"conf": "disabled",
"link": "disabled",
"ipv4": "disabled",
"ipv6": "disabled",
"ctrl": "disabled"
}
}
},
"WifiMaster0/AccessPoint4": {
"id": "WifiMaster0/AccessPoint4",
"index": 4,
"interface-name": "WifiMaster0/AccessPoint4",
"type": "AccessPoint",
"description": "",
"traits": [
"Wireless",
"Mac",
"Ethernet",
"Ip",
"Ip6",
"Supplicant",
"EthernetIp",
"Wifi",
"AccessPoint",
"MtkAccessPoint"
],
"link": "down",
"connected": "no",
"state": "down",
"mtu": 1500,
"tx-queue-length": 1000,
"global": false,
"security-level": "private",
"ipv6": {},
"mac": "52xxxxxxxxxxa",
"auth-type": "none",
"encryption": "",
"summary": {
"layer": {
"conf": "disabled",
"link": "disabled",
"ipv4": "disabled",
"ipv6": "disabled",
"ctrl": "disabled"
}
}
},
"WifiMaster0/AccessPoint5": {
"id": "WifiMaster0/AccessPoint5",
"index": 5,
"interface-name": "WifiMaster0/AccessPoint5",
"type": "AccessPoint",
"description": "",
"traits": [
"Wireless",
"Mac",
"Ethernet",
"Ip",
"Ip6",
"Supplicant",
"EthernetIp",
"Wifi",
"AccessPoint",
"MtkAccessPoint"
],
"link": "down",
"connected": "no",
"state": "down",
"mtu": 1500,
"tx-queue-length": 1000,
"global": false,
"security-level": "private",
"ipv6": {},
"mac": "52xxxxxxxxxxa",
"auth-type": "none",
"encryption": "",
"summary": {
"layer": {
"conf": "disabled",
"link": "disabled",
"ipv4": "disabled",
"ipv6": "disabled",
"ctrl": "disabled"
}
}
},
"WifiMaster0/AccessPoint6": {
"id": "WifiMaster0/AccessPoint6",
"index": 6,
"interface-name": "WifiMaster0/AccessPoint6",
"type": "AccessPoint",
"description": "",
"traits": [
"Wireless",
"Mac",
"Ethernet",
"Ip",
"Ip6",
"Supplicant",
"EthernetIp",
"Wifi",
"AccessPoint",
"MtkAccessPoint"
],
"link": "down",
"connected": "no",
"state": "down",
"mtu": 1500,
"tx-queue-length": 1000,
"global": false,
"security-level": "private",
"ipv6": {},
"mac": "5xxxxxxxxxxa",
"auth-type": "none",
"encryption": "",
"summary": {
"layer": {
"conf": "disabled",
"link": "disabled",
"ipv4": "disabled",
"ipv6": "disabled",
"ctrl": "disabled"
}
}
},
"WifiMaster0/WifiStation0": {
"ap": "00:00:00:00:00:00",
"id": "WifiMaster0/WifiStation0",
"index": 0,
"interface-name": "WifiMaster0/WifiStation0",
"type": "WifiStation",
"description": "",
"traits": [
"Wireless",
"Mac",
"Ethernet",
"Ip",
"Ip6",
"Supplicant",
"EthernetIp",
"Wifi",
"WifiStation",
"MtkWifiStation"
],
"link": "down",
"connected": "no",
"state": "down",
"mtu": 1500,
"tx-queue-length": 1000,
"global": false,
"security-level": "public",
"ipv6": {},
"mac": "5xxxxxxxxxx",
"auth-type": "none",
"encryption": "",
"summary": {
"layer": {
"conf": "disabled",
"link": "disabled",
"ipv4": "disabled",
"ipv6": "disabled",
"ctrl": "disabled"
}
}
},
"Bridge0": {
"id": "Bridge0",
"index": 0,
"interface-name": "Home",
"type": "Bridge",
"description": "Home network",
"traits": [
"Mac",
"Ethernet",
"Ip",
"Ip6",
"Supplicant",
"EthernetIp",
"Bridge"
],
"link": "up",
"connected": "yes",
"state": "up",
"mtu": 1500,
"tx-queue-length": 0,
"address": "192.168.1.1",
"mask": "255.255.255.0",
"uptime": 189693,
"global": false,
"security-level": "private",
"ipv6": {},
"mac": "5xxxxxxxxxx",
"auth-type": "none",
"bridge": {
"interface": [
{
"link": false,
"inherited": "yes",
"interface": "FastEthernet0/Vlan1"
},
{
"link": true,
"interface": "WifiMaster0/AccessPoint0"
}
]
},
"summary": {
"layer": {
"conf": "running",
"link": "running",
"ipv4": "running",
"ipv6": "disabled",
"ctrl": "running"
}
}
},
"Bridge1": {
"id": "Bridge1",
"index": 1,
"interface-name": "Guest",
"type": "Bridge",
"description": "Guest network",
"traits": [
"Mac",
"Ethernet",
"Ip",
"Ip6",
"Supplicant",
"EthernetIp",
"Bridge"
],
"link": "down",
"connected": "no",
"state": "down",
"mtu": 1500,
"tx-queue-length": 0,
"global": false,
"security-level": "protected",
"ipv6": {},
"mac": "5xxxxxxxxxx9",
"auth-type": "none",
"bridge": {
"interface": [
{
"link": false,
"inherited": "yes",
"interface": "FastEthernet0/Vlan3"
},
{
"link": false,
"interface": "WifiMaster0/AccessPoint1"
}
]
},
"summary": {
"layer": {
"conf": "disabled",
"link": "disabled",
"ipv4": "disabled",
"ipv6": "disabled",
"ctrl": "disabled"
}
}
},
"PPPoE0": {
"id": "PPPoE0",
"index": 0,
"interface-name": "PPPoE0",
"type": "PPPoE",
"description": "Подключение Ethernet",
"traits": [
"Ip",
"Ip6",
"Supplicant",
"Peer",
"Ppp",
"Pppoe"
],
"link": "up",
"connected": "yes",
"state": "up",
"role": [
"inet"
],
"mtu": 1492,
"tx-queue-length": 1000,
"address": "100.7xxxxxxxxxx",
"mask": "255.255.255.255",
"global": true,
"defaultgw": true,
"priority": 63486,
"security-level": "public",
"usedby": [
"ZeroTier0"
],
"ipv6": {
"defaultgw": false
},
"auth-type": "none",
"uptime": 85812,
"remote": "100.7xxxxxxx",
"fail": "no",
"via": "FastEthernet0/Vlan2",
"last-change": "85811.665679",
"session-id": 2595,
"ac-mac": "44xxxxxxxxxx",
"summary": {
"layer": {
"conf": "running",
"link": "running",
"ipv4": "running",
"ipv6": "disabled",
"ctrl": "running"
}
}
},
"Wireguard1": {
"id": "Wireguard1",
"index": 1,
"interface-name": "Wireguard1",
"type": "Wireguard",
"description": "Wireguard1",
"traits": [
"Ip",
"Ip6",
"Wireguard"
],
"link": "down",
"connected": "no",
"state": "down",
"mtu": 1324,
"tx-queue-length": 50,
"global": false,
"security-level": "public",
"ipv6": {},
"wireguard": {
"public-key": "xxxxxxxxxx=",
"listen-port": 48951,
"status": "down",
"peer": [
{
"public-key": "xxxxxxxxxx0=",
"local": "0.0.0.0",
"local-port": 48951,
"via": "",
"remote": "10.1xxxxxxxx4",
"remote-port": 51820,
"rxbytes": 0,
"txbytes": 0,
"last-handshake": 16xxx87,
"online": false
}
]
},
"summary": {
"layer": {
"conf": "disabled",
"link": "disabled",
"ipv4": "disabled",
"ipv6": "disabled",
"ctrl": "disabled"
}
}
},
"ZeroTier0": {
"id": "ZeroTier0",
"index": 0,
"interface-name": "ZeroTier0",
"type": "ZeroTier",
"description": "ZeroTier0",
"traits": [
"Mac",
"Ethernet",
"Ip",
"Ip6",
"Supplicant",
"EthernetIp",
"ZeroTier"
],
"link": "down",
"connected": "no",
"state": "down",
"role": [
"inet"
],
"mtu": 1500,
"tx-queue-length": 0,
"global": false,
"security-level": "public",
"ipv6": {},
"mac": "dxxxxxxxxxx0",
"auth-type": "none",
"zerotier": {
"via": "",
"local-id": "5xxxxxxxxxx5",
"network-id": "6xxxxxxxxxx1",
"network-name": "",
"status": "DOWN"
},
"summary": {
"layer": {
"conf": "disabled",
"link": "disabled",
"ipv4": "disabled",
"ipv6": "disabled",
"ctrl": "disabled"
}
}
}
`

Keep in mind that static routes require a predictable gateway, which can be problematic to achieve in general, while a PBR-based setup will still work even if you change the ISP, or the ISP changes its topology.

3 Likes

So could you please tell me what has to be done for the PBR setup? In your comment's settings, as I understand, PBR is disabled:

uci set pbr.config.enabled="0"

There's more than one PBR implementation, but running them simultaneously may result in unexpected behavior due to conflicting policies.
Assuming your setup doesn't require domain-based routing, it would be best to utilize built-in PBR with netifd using custom routing tables and rules as explained above.

2 Likes

Do you want or need VPN lan-lan access between the houses?

If you are only using house 2 as an internet connection, then you could NAT everything out of house 1 into the VPN tunnel, which will simplify configuration of house 2. Placing the wg interface in the wan zone will accomplish that, and it will also firewall out any attempts for anyone in house 2 to access house 1, which you may want for security.

I don't see anything useful in what you posted from house 2. The main thing about house 2 is that its LAN ought to be a different 192.168.X.0/24 subnet than house 1, though that is not necessary if you NAT out of house 1.

3 Likes

It's reasonable to consider the VPN client as a black box since we have no reliable and reproducible way to troubleshoot it, thus keep masquerading enabled, at least until we get a working setup.
Also make sure to allow the relevant transit traffic forwarding in the VPN client firewall.

3 Likes

Thank you :grinning: it's working now. Thanks to all.
All clients of home 1 and home 2, and from another network (outside, cellular) which are connected to the wg server, have a network between all users of the network.
Last question :)
If, for example, not all users of home 1 but only one user of home 1 (a Windows PC) needs to use the internet from home 2, what should I do?

1 Like

You need to do Policy Based Routing and you have 3 options:

  1. mwan3 package
  2. pbr package
  3. a set of rules/routes for each internet connection.

I think for your usecase option #3 is the most simple.

3 Likes

Customize the existing rule like this:

uci set network.lan_wg.src="192.168.1.123/32"
uci commit network
service network restart
2 Likes

It means if a user of home 1, for example a Windows PC, has "192.168.1.123", then only this user will use the internet from home 2? If so, if I later want to add another user from home 1 like this, can I also add it like this:


uci set network.lan_wg.src="192.168.1.xxx/32"
uci commit network
service network restart

(where xxx is the IP of the user)

What if a user, for example on iOS/Android with a cellular network, can successfully connect to the wg server and, if 0.0.0.0/0 is added in allowed IPs, can use the internet from house 1; what do I have to do in that situation to use the internet from house 2?

Yes.

The syntax of IP rules allows specifying only one source/destination CIDR per rule, so adding more clients generally requires adding more rules, which you can also do using the web interface:

  • LuCI > Network > Routing > IPv4/IPv6 Rules

Create a rule matching the IP of that mobile VPN client.

1 Like
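Added example, not from the thread: since each netifd IP rule carries a single source CIDR (as the answer above states), this POSIX shell script generates one `rule` section per client instead of editing the single `lan_wg` rule shown earlier. It covers both cases discussed: house-1 LAN hosts (arriving on `lan`) and a mobile VPN peer, which is assumed here to arrive on the `wg` interface. The section names `vpn_<iface>_<n>` and the client addresses are constructed; table 2 and priority 30000 are the values used earlier in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: generate one netifd "rule" section per
# client, since each IP rule can carry only one source CIDR. The section
# names (vpn_<iface>_<n>) and client addresses are constructed; table 2 and
# priority 30000 follow the values used earlier in this thread.

# Constructed clients: two house-1 LAN hosts, and one mobile VPN peer that
# is assumed to reach the server over the wg interface.
LAN_CLIENTS="192.168.1.123 192.168.1.140"
MOBILE_CLIENTS="192.168.10.4"

# Dotted-quad check: four groups of 1-3 digits, each 0-255.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# client_rule_cmds <in-interface> <ip>...: emit uci commands that send traffic
# from each listed source address, arriving on <in-interface>, to routing
# table 2 (the table holding the wg default route). Invalid addresses are
# reported on stderr and skipped.
client_rule_cmds() {
    iface="$1"
    shift
    n=0
    for ip in "$@"; do
        if ! valid_ipv4 "$ip"; then
            echo "skipping invalid address: $ip" >&2
            continue
        fi
        n=$((n + 1))
        sec="vpn_${iface}_$n"
        printf '%s\n' \
            "uci -q delete network.$sec" \
            "uci set network.$sec='rule'" \
            "uci set network.$sec.in='$iface'" \
            "uci set network.$sec.src='$ip/32'" \
            "uci set network.$sec.lookup='2'" \
            "uci set network.$sec.priority='30000'"
    done
    if [ "$n" -gt 0 ]; then
        printf '%s\n' "uci commit network" "service network restart"
    fi
    return 0
}

client_rule_cmds lan $LAN_CLIENTS
client_rule_cmds wg $MOBILE_CLIENTS
```

Deleting each named section before setting it makes the script safe to re-run after editing the client lists; a typo in an address is skipped with a message rather than producing a rule that silently matches nothing.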

It works. Thanks a lot.

1 Like
