I've got a somewhat similar setup. Some caveats though:
- Device running OpenWRT is not the default gateway for my LAN devices; it mostly acts just as a layer 2 switch.
- Device running OpenWRT acts as a DHCP server for the LAN devices (via dnsmasq of course)
- Device running OpenWRT has no WAN interface, because it is mostly just a layer 2 switch
Here's the simplified setup:
Internet ==> 10.0.0.1/24 [GW] ==> 10.0.0.2/24 [WRT]
- 10.0.0.1/24 - ISP provided gateway, default gateway for most of the LAN devices; also the only WiFi access point. Let's call it [GW]
- 10.0.0.2/24 - OpenWRT device. Connected to 10.0.0.1 [GW] via ethernet, also has some devices connected to it via ethernet. Gives out DHCP in 10.0.0.0/24 space. Let's call it [WRT]
Let's say normally DHCP will be given out in range of 10.0.0.100 -- 10.0.0.250. However some devices have static leases configured, all in the range of 10.0.0.48/29 (10.0.0.49 to 10.0.0.54).
[WRT] is a 'peer' of WireGuard server somewhere on the web, let's call that server [WG].
I want all traffic from any LAN device with an IP within 10.0.0.48/29 to be routed to Wireguard server.
My configuration
/etc/config/network

config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '10.0.0.2'
	option gateway '10.0.0.1'
	option delegate '0'
	option device 'br-lan'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	list ports 'eth1'
	list ports 'eth2'
	list ports 'eth3'
	list ports 'eth4'
	option sendredirects '0'
	option ipv6 '0'
	option rpfilter 'loose'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
	list addresses '192.168.100.3'
	option peerdns '0'
	list dns '1.1.1.1'
	option delegate '0'

config wireguard_wg0
	option description 'wg_server'
	option public_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host '198.51.100.50'
	option endpoint_port '60000'
	option persistent_keepalive '21'

# WireGuard subnet itself is reachable via wg0 from the main table
config route
	option interface 'wg0'
	option target '192.168.100.0/24'

# Table 105: default route out the tunnel, consulted only for sources picked by the rule below
config route
	option interface 'wg0'
	option target '0.0.0.0/0'
	option table '105'
	option gateway '192.168.100.3'

config rule
	option in 'lan'
	option src '10.0.0.48/29'
	option lookup '105'

/etc/config/dhcp

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option force '1'
	# option 3 (router): ordinary clients use the ISP gateway directly
	list dhcp_option '3,10.0.0.1'
	# option 121 (classless static route): WireGuard subnet via [WRT]
	list dhcp_option '121,192.168.100.0/24,10.0.0.2'
	list dhcp_option '6,1.1.1.1,1.0.0.1'
	list ra_flags 'none'

# Tagged hosts get [WRT] as router and different DNS.
# dhcp_option must be a 'list' here: a repeated 'option dhcp_option' keeps only the last value.
config tag 'tag1'
	list dhcp_option '6,1.1.1.2,9.9.9.9'
	list dhcp_option '3,10.0.0.2'

config host
	option name 'some_device_1'
	option mac 'xx:xx:xx:xx:xx:xx'
	option ip '10.0.0.49'
	option tag 'tag1'

config host
	option name 'some_device_2'
	option mac 'xx:xx:xx:xx:xx:xx'
	option ip '10.0.0.50'
	option tag 'tag1'

/etc/config/firewall

config zone
	option name 'wg0'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'
	list network 'wg0'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config forwarding
	option src 'lan'
	option dest 'wg0'

# Only the policy-routed sources are masqueraded behind the wg0 address
config nat
	option name 'WG'
	option target 'MASQUERADE'
	option src_ip '10.0.0.48/29'
	option src '*'
	list proto 'all'
	option device 'wg0'
So the relevant parts are:
in /etc/config/dhcp
	list dhcp_option '3,10.0.0.1'
- says to advertise default gateway of 10.0.0.1 to DHCP clients
	list dhcp_option '121,192.168.100.0/24,10.0.0.2'
- advertise a static route to DHCP clients; wireguard LAN subnet 192.168.100.0/24 is reached via 10.0.0.2 [WRT]. This is so my LAN devices have a way to reach WireGuard peers in 192.168.100.0/24
The section below creates a special tag for some devices and advertises a default gateway of 10.0.0.2 [WRT] to them. Then some devices have the static lease configured and tagged to apply the custom default gateway rule.

config tag 'tag1'
	list dhcp_option '6,1.1.1.2,9.9.9.9'
	list dhcp_option '3,10.0.0.2'

config host
	option name 'some_device_1'
	option mac 'xx:xx:xx:xx:xx:xx'
	option ip '10.0.0.49'
	option tag 'tag1'
So now I know which devices need to route via WireGuard to reach the internet (only those with an IP within 10.0.0.48/29). All these devices have the [WRT] setup as the default gateway now by means of dnsmasq.
in /etc/config/network
I created a route in table 105, basically saying "send all traffic to 192.168.100.3 via the wg0 interface":

config route
	option interface 'wg0'
	option target '0.0.0.0/0'
	option table '105'
	option gateway '192.168.100.3'
I then created a rule, saying "any traffic originating from LAN with a source IP of 10.0.0.48/29 - lookup table 105"
config rule
	option in 'lan'
	option src '10.0.0.48/29'
	option lookup '105'
in /etc/config/firewall
I NAT any LAN traffic from 10.0.0.48/29, rewriting the source IP to the router's wg0 interface IP (192.168.100.3). For my purposes, NAT'ing is not a problem, I don't really need devices from the WireGuard subnet reaching my LAN.

config nat
	option name 'WG'
	option target 'MASQUERADE'
	option src_ip '10.0.0.48/29'
	option src '*'
	list proto 'all'
	option device 'wg0'
Final Summary
So in brief: most of the LAN devices get advertised a default gateway of 10.0.0.1 - which is my ISP provided gateway; thus completely bypassing my OpenWRT box for anything layer 3. These devices do get advertised a route, so they can reach just the WireGuard LAN.
However some devices are configured to have static leases in 10.0.0.48/29 range, these get advertised 10.0.0.2 as their gateway - which is my OpenWRT box.
OpenWRT box has a rule to route any traffic from 10.0.0.48/29 devices via wireguard interface. This traffic is NAT'ed, rewriting the source IP to the IP of the wg0 interface on the WRT box.
Sorry for a lengthy post, but I really hope it helps or at least gives you some ideas.
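Added check, not part of the post above: a small shell helper that encodes the design it describes (sources in 10.0.0.48/29 go to table 105 and out wg0, everything else follows the main table towards 10.0.0.1) and, when run on the OpenWrt box with `--router`, asks the kernel the same question with `ip route get ... from SRC iif br-lan`, which exercises the ip rule the same way forwarded traffic does. The device name br-lan, table number 105, nftables output from fw4 and the sample source addresses are assumptions carried over from the config. Two things the check makes visible that DHCP-based steering hides: the rule matches the whole /29 (10.0.0.48 through 10.0.0.55), not only the host addresses with static leases, and the rule only ever sees traffic a host actually sends to [WRT]; a host in that range that ignores DHCP option 3 and configures 10.0.0.1 as its gateway talks to [GW] directly over the shared layer 2 segment and never enters the tunnel.

```sh
#!/bin/sh
# Added verification helper, not from the original post.
# Assumed names (not stated in the post): bridge device br-lan, routing table 105,
# fw4/nftables (OpenWrt 22.03 or newer), policy prefix 10.0.0.48/29.

POLICY_NET=10.0.0.48
POLICY_BITS=29
POLICY_TABLE=105
LAN_DEV=br-lan
TUNNEL_DEV=wg0

# Dotted quad -> 32-bit integer using plain shell arithmetic, so it runs offline.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True when the address falls inside POLICY_NET/POLICY_BITS.
# The ip rule matches the whole prefix (10.0.0.48 .. 10.0.0.55),
# not only the host addresses that carry static leases.
in_policy_subnet() {
    ip=$(ip2int "$1")
    net=$(ip2int "$POLICY_NET")
    mask=$(( (0xffffffff << (32 - POLICY_BITS)) & 0xffffffff ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Device a packet from this source should leave on, per the post's design:
# policy hosts go out the tunnel, everything else follows the main table via 10.0.0.1 on the LAN.
expected_egress_dev() {
    if in_policy_subnet "$1"; then echo "$TUNNEL_DEV"; else echo "$LAN_DEV"; fi
}

# Ask the kernel what it would do with a forwarded packet from $1 arriving on the LAN bridge.
# 'ip route get ... from SRC iif DEV' runs the same policy-rule lookup as real forwarded traffic.
check_host_route() {
    src="$1"
    want=$(expected_egress_dev "$src")
    out=$(ip route get 1.1.1.1 from "$src" iif "$LAN_DEV" 2>&1) || { echo "FAIL $src: $out"; return 1; }
    case "$out" in
        *" dev $want "*|*" dev $want") echo "ok   $src -> $out" ;;
        *) echo "FAIL $src: expected dev $want, got: $out"; return 1 ;;
    esac
}

# Run on the OpenWrt box: show the moving parts, then check one tagged and one untagged source.
verify_on_router() {
    echo "== policy rules";               ip rule show
    echo "== table $POLICY_TABLE";        ip route show table "$POLICY_TABLE"
    echo "== masquerade on $TUNNEL_DEV";  nft list ruleset | grep -n "masquerade"
    echo "== tunnel liveness";            wg show "$TUNNEL_DEV" latest-handshakes
    echo "== forwarding decisions"
    check_host_route 10.0.0.49    # static lease with tag1: expect dev wg0 (table 105)
    check_host_route 10.0.0.100   # ordinary DHCP client: expect via 10.0.0.1 dev br-lan
}

if [ "${1:-}" = "--router" ]; then
    verify_on_router
fi
```

Run it as `sh verify_policy.sh --router` on the OpenWrt box; without the flag it only defines the functions, so the pure-shell parts (ip2int, in_policy_subnet, expected_egress_dev) can be exercised on any machine. If check_host_route reports `dev br-lan` for 10.0.0.49, the rule or table 105 is missing; if 10.0.0.100 reports `dev wg0`, the rule's source match is wider than intended.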