Routes for connected wireguard client. Site to Site

Hey folks. I have a not-so-powerful OpenWrt router which I would like to use when I travel. I have a Raspberry Pi-like device (NanoPi R5C) with Docker on it. On this device, I can run a WireGuard server in client mode (WG1) to connect to my home WireGuard server (WG0), establishing a site-to-site VPN.

My question is what configuration I have to do on my OpenWrt router so that it can route traffic for different subnets (in my homelab) to the local WireGuard server running in client mode (WG1).
It's essentially a site-to-site VPN, but with the second site being on a local server and not on OpenWrt itself.

With the little knowledge that I have, I don't think port forwarding will be necessary. I just have to create routes (not sure where in OpenWrt) so that some subnets are sent to WG1, which in turn forwards them to WG0.

Do you recommend some other way to achieve this?

The routing is done by routing the Allowed IPs of the WG interface, provided you enabled "Route Allowed IPs".

So on the "Server" side WG0 (I use quotes as technically WG is a symmetric protocol), not only add the WG address of WG1 but also the WG1 router's subnet.

On the "Client" side WG1 you have to do some more work, as you also have to open up the firewall and disable masquerading on the WG interface.
The simplest solution is to add the WG interface to the LAN zone (provided you do not masquerade on the LAN zone; otherwise create a separate zone for the WG interface).

In the Allowed IPs on the Client side WG0, add the WG subnet and all other local subnets of the Server side so that those are routed via the WG tunnel.
Of course using 0.0.0.0/0 will also work 🙂

I hope I covered everything, but otherwise some of the more knowledgeable folks will chime in.


In addition to setting "Route Allowed IPs" on the WireGuard config, routes can also be set:

  • via the web GUI, you'd browse to Network > Static Routes
  • via the command line in /etc/config/network - see:
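Putting the two answers above together for the topology the question describes, here is an added, worked UCI configuration; it is not code from the thread or from OpenWrt itself. It assumes a constructed addressing plan (tunnel 10.0.0.0/24 with WG0 = 10.0.0.1 and WG1 = 10.0.0.2, home LANs 192.168.1.0/24 and 192.168.20.0/24, travel LAN 192.168.50.0/24 with the OpenWrt router at .1 and the NanoPi running WG1 at .2), that the home WG0 endpoint is itself an OpenWrt box (so the "Route Allowed IPs" advice maps to `route_allowed_ips`), and that WG1 on the NanoPi does not masquerade, so the travel LAN subnet must appear in WG0's Allowed IPs for that peer. The key values are placeholders.

```uci
# --- Home "server" side (WG0), assumed OpenWrt: /etc/config/network ---
# Constructed addressing used throughout this example:
#   tunnel 10.0.0.0/24  (WG0 = 10.0.0.1, WG1 = 10.0.0.2)
#   home LANs 192.168.1.0/24 and 192.168.20.0/24 (homelab)
#   travel LAN 192.168.50.0/24 (OpenWrt router .1, NanoPi with WG1 .2)
config interface 'wg0'
	option proto 'wireguard'
	option private_key 'REPLACE_WITH_WG0_PRIVATE_KEY'
	option listen_port '51820'
	list addresses '10.0.0.1/24'

# Peer entry for WG1. "Route Allowed IPs" (route_allowed_ips) installs a
# kernel route for every allowed_ips entry, so listing the travel LAN here
# is what makes home hosts able to reach 192.168.50.x through the tunnel.
config wireguard_wg0
	option description 'WG1 on the travel NanoPi'
	option public_key 'REPLACE_WITH_WG1_PUBLIC_KEY'
	option route_allowed_ips '1'
	list allowed_ips '10.0.0.2/32'
	list allowed_ips '192.168.50.0/24'

# --- Home side: /etc/config/firewall ---
# Own zone for the tunnel with masquerading off and forwarding in both
# directions to lan; adding wg0 to the lan zone is the shorter alternative
# if lan does not masquerade.
config zone
	option name 'wg'
	list network 'wg0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '0'

config forwarding
	option src 'wg'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'wg'

# Let WG1 reach the listener from the internet.
config rule
	option name 'Allow-WireGuard'
	option src 'wan'
	option proto 'udp'
	option dest_port '51820'
	option target 'ACCEPT'

# --- Travel OpenWrt router (not a WireGuard endpoint): /etc/config/network ---
# Static routes that hand home-bound traffic to the NanoPi on the local LAN.
# Same thing the LuCI page Network > Static Routes writes.
config route
	option interface 'lan'
	option target '192.168.1.0/24'
	option gateway '192.168.50.2'

config route
	option interface 'lan'
	option target '192.168.20.0/24'
	option gateway '192.168.50.2'

config route
	option interface 'lan'
	option target '10.0.0.0/24'
	option gateway '192.168.50.2'
```

On the NanoPi, the mirror image of the WG0 peer stanza is the WG1 peer entry for WG0: under wg-quick that is `AllowedIPs = 10.0.0.0/24, 192.168.1.0/24, 192.168.20.0/24` (or `0.0.0.0/0`, as the first answer notes, but that then carries all of the NanoPi's traffic), IP forwarding enabled, and no MASQUERADE rule on the wg interface if home is supposed to see 192.168.50.x addresses rather than just 10.0.0.2. Two checks after applying the configuration: `ip route get 192.168.20.5` on the travel router should report `via 192.168.50.2`, and `wg show` on both endpoints should list the expected allowed ips and a recent handshake. If the home WG0 host is not also the home default gateway, the home router needs its own static route for 192.168.50.0/24 (and 10.0.0.0/24) pointing at the WG0 host, otherwise return traffic never finds the tunnel. One caveat on the `0.0.0.0/0` shortcut: it belongs on the client side only; putting it in a peer's allowed_ips on the home side with route_allowed_ips enabled would send all of WG0's traffic into that tunnel.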