Route internet traffic through LAN machine

My goal is having remote clients connect to the internet through a PC behind an OpenWrt router. This PC is connected via a Mullvad tunnel.

Currently I'm attempting to use ZeroTier, having followed the wiki and the Git project. It seems to be working as intended. I am able to SSH into the machines on the LAN from the internet.

However, this doesn't accomplish my main goal of using one of the machines as an exit node, like people would use a VPS.

The ZT console "Managed Routes" setting has had

192.168.1.0/24
via 172.27.172.1

added.

ZeroTier describes the setup procedure here. Unfortunately I know nothing of Linux really, less even of routing and iptables.

Do I understand correctly that this NAT cannot be done by the router but has to be a separate machine?

Or is there a better way to do what I need, without the overlay network?

TYIA!

Why not set up a WireGuard server on the OpenWrt router and let your remote clients connect to it?

4 Likes

I'm a noob possibly, but doesn't the setup in your link lead all traffic to go through the VPN? I only want certain remote clients to do that, not everything behind the router...

I just presumed that an overlay network like ZeroTier could do it out of the box, as Tailscale apparently does (can't use Tailscale as it's not available in my country).

I am not sure what you want to achieve.

A remote client is usually defined as a client which is remote, e.g. you not being at home with your phone on cellular, and then you want to connect to your home via the internet.

Perhaps you want some of your local LAN clients to connect via the VPN (Mullvad) but other local LAN clients via the WAN?

If so, set up the VPN on your OpenWrt router and use policy-based routing.

1 Like

All the machines inside the LAN already use the Mullvad app to access the internet.

I want to be able to use their tunneled connection from outside the LAN.

Say I'm on my phone and I want to browse with the IP of my home server, which is connected to the internet via Mullvad's tunnel.

Why not just configure Mullvad on your phone?

1 Like

Ah yes. Most ISPs where I live block the big VPN services. My home ISP does not and probably will not any time soon.

So the apps don't work. But my use case also involves my second home, where the ISP does block access.

If it matters, I do have a public IPv4 address at Home 1 too.

Since you have a public IP, set up a WireGuard VPN (inbound) and then use PBR to route your remote traffic through the Mullvad VPN.

3 Likes

By inbound do you mean server or client setup? Like here:

https://r.obin.ch/blog/2022/08/05/set-up-wireguard-on-openwrt/

Server / road-warrior.

Follow this guide (don’t follow other guides from the internet as it often ends up causing issues).

2 Likes

Thanks for the pointer. I've edited and run the script; however, I get this:

root@OpenWrt:/www# sh ./wg_roadwarrior.sh
: not foundrrior.sh: line 4:
: not foundrrior.sh: line 7:
: not foundrrior.sh: line 11:
: not foundrrior.sh: line 15:
: not foundrrior.sh: line 19:
: not foundrrior.sh: line 22:
: not foundrrior.sh: line 25:
: not foundrrior.sh: line 28:
: not foundrrior.sh: line 30:
: not foundrrior.sh: line 34:
: not foundrrior.sh: line 41:
: not foundrrior.sh: line 44:
: not foundrrior.sh: line 49:
: not foundrrior.sh: line 53:
: not foundrrior.sh: line 57:
: not foundrrior.sh: line 61:
: not foundrrior.sh: line 62: clear
======================================
|     Automated WireGuard Script     |
|     road-warrior server setup      |
======================================
: not foundrrior.sh: line 69:
: not foundrrior.sh: line 71: {
./wg_roadwarrior.sh: line 280: syntax error: unexpected end of file (expecting "done")

Why? What did you want to do that was different than the original script?

Without knowing the details of what you changed, it’s impossible to know how to help fix it. However, you are apparently missing a “done” statement.

Er... I guess I wanted to fit it to the firewall zone that I had started to make. Also the guide does say:

  • Download the script
  • Edit the configuration values at the top (or write a wrapper script to set environment variables and call this script)

In any case, I've run the script without modifications. Same output afterwards.

Rebooted router and no interfaces were created. WireGuard status is empty.
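The ": not found" lines that overwrite the script name in the output above, ending in an 'expecting "done"' error, are the characteristic symptom of a shell script saved with Windows (CRLF) line endings, which can happen when a script is edited on Windows and copied to the router in text mode. The following is an added example, not part of the thread or the OpenWrt wiki; it builds a small constructed CRLF script, shows the check for carriage returns, and strips them before running.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenWrt wiki): detect and repair
# Windows CRLF line endings in a shell script. Output like
#   ": not foundrrior.sh: line 4:"
# is what you see when every line ends in a carriage return: the shell tries
# to run a command whose name is that CR (reported as "not found") and the
# CR in the name pulls the cursor back to column 0, overwriting the start of
# "./wg_roadwarrior.sh: line 4:". A trailing "done<CR>" is no longer the
# keyword "done", which produces the final 'expecting "done"' error.

# Return 0 (true) if the file contains any carriage return characters.
has_crlf() {
    grep -q "$(printf '\r')" "$1"
}

# Copy $1 to $2 with all carriage returns removed (a dos2unix equivalent).
strip_crlf() {
    tr -d '\r' < "$1" > "$2"
}

# Build a constructed CRLF script, check it, repair it, and confirm that the
# repaired copy runs while the original fails to parse. Returns 0 on success.
demo() {
    dir=$(mktemp -d)
    printf 'for i in 1 2\r\ndo\r\n  echo "$i"\r\ndone\r\n' > "$dir/crlf.sh"
    has_crlf "$dir/crlf.sh" || { rm -rf "$dir"; return 1; }
    strip_crlf "$dir/crlf.sh" "$dir/fixed.sh"
    if sh "$dir/crlf.sh" >/dev/null 2>&1; then bad=0; else bad=1; fi
    if sh "$dir/fixed.sh" >/dev/null 2>&1; then good=0; else good=1; fi
    rm -rf "$dir"
    [ "$bad" -eq 1 ] && [ "$good" -eq 0 ]
}

if demo; then
    printf '%s\n' "CRLF script reproduced the failure; stripping CR fixed it"
fi
```

On a real router, run has_crlf on the downloaded script first; if it reports carriage returns, write a stripped copy with strip_crlf and run that instead.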

Try the automated version of the WireGuard server how-to:
https://openwrt.org/docs/guide-user/services/vpn/wireguard/extras#automated

1 Like

I did see that originally but I'm not sure what to do with it exactly. Is it a script? I see it mentions the script from the top of the guide...

Open an SSH session to the router and copy-paste the entire block of code to the terminal.

1 Like

It did this:

root@OpenWrt:~# URL="https://openwrt.org/_export/code/docs/guide-user/services/vpn/wireguard/server"
root@OpenWrt:~# cat << EOF > wireguard-server.sh
> $(wget -U "" -O - "${URL}?codeblock=0")
> $(wget -U "" -O - "${URL}?codeblock=1")
> $(wget -U "" -O - "${URL}?codeblock=2")
> $(wget -U "" -O - "${URL}?codeblock=3")
> $(wget -U "" -O - "${URL}/../extras?codeblock=15")
> EOF
Downloading 'https://openwrt.org/_export/code/docs/guide-user/services/vpn/wireguard/server?codeblock=0'
Connecting to 139.59.209.225:443
Writing to stdout

Download completed (168 bytes)
Downloading 'https://openwrt.org/_export/code/docs/guide-user/services/vpn/wireguard/server?codeblock=1'
Connecting to 139.59.209.225:443
Writing to stdout

Download completed (313 bytes)
Downloading 'https://openwrt.org/_export/code/docs/guide-user/services/vpn/wireguard/server?codeblock=2'
Connecting to 139.59.209.225:443
Writing to stdout

Download completed (469 bytes)
Downloading 'https://openwrt.org/_export/code/docs/guide-user/services/vpn/wireguard/server?codeblock=3'
Connecting to 139.59.209.225:443
Writing to stdout

Download completed (720 bytes)
Downloading 'https://openwrt.org/_export/code/docs/guide-user/services/vpn/wireguard/server/../extras?codeblock=15'
Connecting to 139.59.209.225:443
Writing to stdout

Download completed (2028 bytes)

After rebooting the router WG status is empty, nothing seems to have changed...

OK, thank you, I've figured it out, was being a noob. So I've run the script that it creates. Restarted and voilà, I have a new interface and traffic rule for the WireGuard port.

It also shows me 3 preconfigured clients. I need these to connect through the internet connection of one of the machines behind the router...

What do I need next? "Disable gateway redirection" or "Split gateway"? Or is that server config the same as the road-warrior one suggested by psherman?

Yes, it should achieve basically the same result.
Perhaps the script itself is not so flexible, but much simpler.

Transfer and import the generated *.conf files to your clients.
Then try connecting the VPN from outside, e.g. using a mobile ISP.

1 Like

I don't see any .conf files anywhere in the filesystem. Using WinSCP...

Thanks for your help by the way, much appreciated.