Router + AP = two wireguard connections?

Hi guys,

I would like to know if we can connect two wireguard tunnel on the same network :

Modem + Router1 + Router2/AP

At the moment, Router1 runs Wireguard perfectly to one location.

I want to create a second wireguard connection on Router2/AP to a different location.

It looks like it is trying to connect but no "handshake" happens.

Thanks :sunglasses:

It can be done, but it might be worth explaining the goal. Maybe it would be better to establish bothe wg tunnels on the main router.

I assume your devices are wired like this:

[Internet] <--ISP--> [Modem] <--WAN--> [Router1] <--LAN--> [Router2]

You probably need to enable a firewall rule in Router1 to allow incoming Wireguard packets to reach Router2, or set PersistentKeepAlive to something like 25 seconds on Router2's Wireguard interface. Of course the configuration of the other end matters as well, so it would help us if you explained the network topology of both ends in more detail.

1 Like

Exactly! Both wired and keepalive is 25.
I have to look for the firewall rules you just told me.

The keepalive on Router2 should cause the firewall on Router1 to accept the incoming packets for Router2. So I would actually check the other end and make sure that's configured correctly. Is the peer endpoint another OpenWrt router or some other machine? Is it on the same LAN as Router2, or does the tunnel traverse on the Internet? Is the peer directly connected to the Internet or is it behind a router/firewall? Is this a point-to-point tunnel or are you connecting to an entire site?

Both routers are flashed
The network is exactly as you described on your first post.
Modem is close to Router1 connected to wireguard tunnel (all traffic I guess)
Then Router2 is just an access point to the other side of the house and internet comes from Router1 (wired). I just want both on two different locations.

So you want a point-to-point tunnel between Router1 and Router2? Because I thought Router2's peer is somewhere else on the Internet.

Basically we need a map of both endpoints so we're on the same page. Something like this?

|--- Other location ----|            |---- My location ---|
[Other Peer]--[Router 3]--[Internet]--[Router 1]--[Router2]
      ^-------------- Wireguard Tunnel ---------------^

Or this?

|-------- My location ---------|
[Router 1]-----LAN-----[Router2]
    ^-- Wireguard Tunnel --^

Or something else entirely?

Let me explain
Its like when you use vpn on your router and then you also use it on smartphone
I can tunnel router to LA but on phone I can tunnel to NY and turned it off back to Router's vpn.
So it looks like Modem --> Router --> Phone

In my case, Router1 tunnel is close to my house and Router2 can be activated to another country for streaming if needed. Instead of switching location of all my devices connected to Router1, I just on/off tunnel on Router2

So what I'm reading is that:

  • Router2's peer is a VPN provider
  • The tunnel between Router2 and the provider might run inside another tunnel, which in this case is the tunnel connecting Router1 to somewhere in LA.

If you're running a tunnel inside another tunnel, you might have MTU issues. The default Wireguard MTU assumes you're not nesting tunnels. The default accounts for:

  • Wireguard header: 32 bytes
  • UDP header: 8 bytes
  • IPv6 header: 40 bytes

With a typical network MTU of 1500 bytes, this works out to 1420 bytes. A nested tunnel has two layers of the above headers, so try setting the MTU on both Wireguard ends to something like 1340 bytes or lower.