Routing All Internet Traffic from House2 Laptop via House1's Internet Connection (WireGuard Setup)

Problem Statement:

I have two houses (House1 and House2) connected via a WireGuard VPN setup, with routers acting as intermediaries. I need to configure the network so that all internet-bound traffic from a laptop in House2 routes through House1's internet connection (specifically RouterA's public IP).

Current Network Setup:

  • House1:
    • RouterA is connected to the ISP and provides internet access.
    • LAN_A (connected to RouterA) contains local devices that can be accessed from the House2 laptop.
    • RouterB is connected to RouterA and runs the WireGuard client, connecting to the WireGuard server in House2.
    • RouterB provides access to LAN_B (connected to RouterB) and allows the House2 laptop to access both LAN_A and LAN_B.
  • House2:
    • Brume2 acts as the WireGuard server.
    • The House2 laptop connects to Brume2 through the WireGuard client and can access LAN_A (RouterA’s LAN) and LAN_B (RouterB’s LAN).

Goal:

I want to route all internet-bound traffic from the House2 laptop through House1’s internet connection (via RouterA) so that the laptop's internet traffic appears as though it is coming from House1's public IP (i.e., RouterA’s public IP).

Currently, the House2 laptop can access both LAN_A and LAN_B, but its internet traffic is not routed through House1. I need to adjust the configuration so that all traffic from the House2 laptop uses RouterA's public IP for internet access while maintaining access to LAN_A and LAN_B.


Network Diagram:

                              +---------------------+
                              |  Laptop in House2   |
                              | (WireGuard Client)  |
                              +----------+----------+
                                         |
                                         | WireGuard Tunnel (House2 to House1)
                                         |
                    +--------------------+--------------------+
                    |                                         |
         +----------v-----------+                     +-------v-------+
         |    Brume2 (House2)   |                     |    RouterB    |
         |  (WireGuard Server)  |                     |  (WireGuard   |
         |                      |<------------------->|    Client)    |
         +----------+-----------+                     | (Connected to |
                    |                                 |    RouterA)   |
                    |                                 +-------+-------+
         +----------v-----------+                             |
         | LAN_B (RouterB's LAN)|                             |
         | (Devices in House1)  |                             |
         +----------------------+                             |
                    |                                         |
            +-------v--------+                        +-------v-----------+
            |   RouterA      |                        | Internet (House1) |
            | (Connected to  |                        | (House1's ISP)    |
            |    ISP)        |                        +-------------------+
            +-------+--------+
                    |
                    | Access to LAN_A (Devices in House1)
            +-------v---------+
            | LAN_A (RouterA's|
            | Local Network)  |
            | (Devices in     |
            | House1)         |
            +-----------------+

Summary:

  • RouterA provides both internet access and LAN_A (local network in House1).
  • RouterB is running the WireGuard client and is connected to RouterA, providing access to both LAN_A and LAN_B (local network in House2).
  • The House2 laptop can access both LAN_A and LAN_B through the WireGuard VPN.
  • The objective is to route all internet traffic from the House2 laptop through House1’s internet connection, making it appear as if the internet traffic is coming from House1's public IP.

What I tested so far:

If I set static routes in Brume2 for IPv4 as follows:
target: 192.168.33.0/24, gateway 10.0.12.52 (WireGuard client IP, House1)
target: 192.168.44.0/24, gateway 10.0.12.52 (WireGuard client IP, House1)

If I do the above in Brume2, which is running the WireGuard server in House2, I am able to reach both LAN-A and LAN-B as in the diagram.

If I set the route on the House2 Brume2 WireGuard server as follows, with the public IP addresses of www.whatismyipadress.com (104.19.222.79 and 104.19.223.79), which are the public IPs for that website, then the situation changes. When I configure this on the House2 Brume2 WireGuard server and use a laptop in House2 (with the WireGuard client running), typing www.whatismyipadress.com in Chrome shows the House1 public IP instead of the House2 public IP. This makes me believe that the House1 router knows how to resolve internet addresses.

Now, what I need help with is instructing the Brume2 WireGuard server at House2 to route all traffic from the WireGuard laptop client (with IP 10.0.12.32) to 10.0.12.52 (the House1 WireGuard client IP) as the gateway. Essentially, I want the Brume2 server to handle any traffic originating only from the laptop client and route it to the House1 WireGuard client running on the router (exit node for laptop in house2).

The House2 / routerB WireGuard needs to have allowed_ips '0.0.0.0/0' in its House1 client section. This will allow Internet use at House2 to be tunneled to House1. In the simple case of directing all Internet use of House2 through House1, the route_allowed_ips option can be set, which will make the router's default route to the Internet go through the tunnel (and also install a "hole punch" route so the encrypted packets use the regular WAN, not the tunnel, to reach the other house). If you want only one device in House2 to route through the VPN, then you need conditional routing, i.e. PBR or manually built multiple routing tables, and should not set route_allowed_ips.

Another way for only one laptop in House2 to tunnel to House1 would be to run WireGuard directly on that laptop instead of on the House2 router.

@mk24 RouterB is in House1, not House2. House2 has the Brume2 router running the WireGuard server. This server has two clients: one is RouterB at House1 and the other is the laptop at House2. What we need is that any traffic originating from the laptop at House2 should have the WireGuard client running at House1 as its gateway, so that any internet traffic sees House1's public IP. Note that the WireGuard server is at House2 and House1 has a client. Can you restate your solution, since you incorrectly interpreted RouterB as being at House2?

Where is OpenWRT in this setup?


Why is a laptop in house 2 a WireGuard client to a WireGuard server which is in the same house?

@krazeh It's Brume2. Now can you help?

@egc It's in the same house now, but it will be at a different location. Hope you can help now.

Flashed with stock OpenWRT or running the default gl.inet software?

Why can't you connect the laptop directly to RouterB (using wireguard)?

OpenWrt

RouterB is behind CGNAT, so we use Brume2 as the WireGuard server because it has a public IP. What is the way to forward all traffic from the laptop to RouterB? If that is done it will work, as we tested and mentioned in the first post.

I understand what you want and it is possible, but not very simple.

Short explanation (because I do not have much time today):
First setup as a site to site setup between both routers.
On the server side you use PBR to make a default routing table via WireGuard and create a rule for your laptop to use that routing table, so when your laptop connects all its traffic will be routed via the WireGuard tunnel to the other side.

The laptop traffic comes out of the other side (router B) and will take the default route out via the WAN.

As router B will know that the laptop belongs to the WG subnet, it will route that traffic back to router A.
But now the hard part: return traffic will come from the internet, so on the server side you have to allow all that traffic, so the peer of router B on server A must have 0.0.0.0/0 as allowed IP. But we have route allowed IPs enabled to route the subnet of router B (that is the site-to-site setup), and we do not want to route everything. To stop that we have to disable the creation of the default route on the WireGuard interface of Router A.
Under Advanced settings > "Use Default Gateway" > disable/untick
(`option defaultroute '0'`)

I can imagine that it does not make sense but start with the site to site setup between the two routers.

My notes have a paragraph about that, see: WireGuard Server Setup guide
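Following egc's outline above (and the PBR variant mk24 mentions earlier), here is an added example of the UCI changes on the server router. It is not code from the thread, from OpenWrt's documentation or from egc's notes. It assumes stock OpenWrt with proto 'wireguard' on an interface named wgserver (the posted Brume2 config is a GL.iNet build whose WireGuard proto differs), creates a new peer section named routerb (edit your existing RouterB peer instead if you have one), and uses the thread's addresses: laptop 10.0.12.32, RouterB tunnel IP 10.0.12.52, LAN_A 192.168.33.0/24, LAN_B 192.168.44.0/24. Table number 100 and rule priorities 1000/1001 are arbitrary choices, placed below the 1099-1101 rules already in the posted config only so they are consulted first.

```shell
#!/bin/sh
# Added example (not from the thread): emit the OpenWrt UCI changes that make
# one WireGuard client (the House2 laptop) exit through another peer
# (RouterB at House1), following egc's outline.
# Assumptions: stock OpenWrt, server interface 'wgserver' with
# proto 'wireguard', peer section name 'routerb' created here, thread
# addresses (laptop 10.0.12.32, RouterB 10.0.12.52, LAN_A 192.168.33.0/24,
# LAN_B 192.168.44.0/24). The public key placeholder must be replaced.

# Print a `uci batch` script (comment lines are stripped from the output).
# $1 laptop tunnel IP, $2 exit-peer tunnel IP, $3 policy table (default 100),
# $4 base ip-rule priority (default 1000; must stay below main's 32766).
laptop_exit_uci() {
    laptop="$1"; exit_peer="$2"; table="${3:-100}"; prio="${4:-1000}"
    cat <<EOF | grep -v '^#'
# RouterB peer. Return traffic from the Internet arrives through this peer
# with arbitrary source addresses, so allowed_ips must include 0.0.0.0/0.
set network.routerb=wireguard_wgserver
set network.routerb.description='RouterB (House1)'
set network.routerb.public_key='REPLACE_WITH_ROUTERB_PUBLIC_KEY'
set network.routerb.persistent_keepalive='25'
add_list network.routerb.allowed_ips='192.168.33.0/24'
add_list network.routerb.allowed_ips='192.168.44.0/24'
add_list network.routerb.allowed_ips='0.0.0.0/0'
set network.routerb.route_allowed_ips='1'
# route_allowed_ips would also install 0.0.0.0/0 into main and send the
# whole House2 site through House1; defaultroute '0' (LuCI: Advanced
# Settings > Use default gateway, unticked) keeps only the two LAN routes.
set network.wgserver.defaultroute='0'
# Table ${table} holds the default route via RouterB, used only by the laptop.
set network.laptop_exit=route
set network.laptop_exit.interface='wgserver'
set network.laptop_exit.target='0.0.0.0/0'
set network.laptop_exit.gateway='${exit_peer}'
set network.laptop_exit.table='${table}'
# Rule ${prio}: consult main but ignore its default route, so LAN_A, LAN_B
# and the tunnel subnet itself are still reached directly.
set network.laptop_main=rule
set network.laptop_main.lookup='main'
set network.laptop_main.suppress_prefixlength='0'
set network.laptop_main.priority='${prio}'
# Rule $((prio + 1)): whatever is left from the laptop goes to table ${table}.
set network.laptop_rule=rule
set network.laptop_rule.src='${laptop}/32'
set network.laptop_rule.lookup='${table}'
set network.laptop_rule.priority='$((prio + 1))'
commit network
EOF
}

# Prints the batch for review. On the router, apply it with:
#   sh laptop_exit.sh | uci batch && /etc/init.d/network reload
laptop_exit_uci 10.0.12.32 10.0.12.52 100 1000
```

Review the printed batch before piping it into `uci batch`. Afterwards `ip route get 104.19.222.79 from 10.0.12.32 iif wgserver` should report a path via 10.0.12.52 from table 100, while `ip route get 192.168.33.1 from 10.0.12.32 iif wgserver` should still resolve from the main table. Two things outside this script must also hold: the firewall zone that contains wgserver must permit forwarding from wgserver back out wgserver (the laptop's packets enter and leave on the same interface), and on RouterB the posted export already carries what the exit needs, namely `allowed-address=0.0.0.0/0` on the Brume2 peer and the `srcnat masquerade` rule on the WAN list.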

@egc I didn't understand it entirely, hence waiting for detailed steps when you have time.

Also, can we solve it with two WireGuard tunnels?

To give you the best support please connect to your OpenWRT device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall

Please show output for both routers

@egc Apologies for the delay in responding; I was unwell yesterday. Find below the response. I have redacted keys and numbered them; in case you need to refer to one, just refer to it by its number.

Problem: restating so that you don't need to read the original post again

House2: OpenWrt router, WireGuard server
House2 has a laptop which acts as a client to the WireGuard server in House2; this laptop will move to a different place.

House1: MikroTik router runs another WireGuard client, connected to the WireGuard server running at House2 (OpenWrt).

We need to make sure that any traffic from the laptop, when connected to the WireGuard VPN, uses House1 as the exit node.

OpenWrt router at House2

ubus call system board
{
    "kernel": "5.4.211",
    "hostname": "[REDACTED_1]",
    "system": "ARMv8 Processor rev 4",
    "model": "[REDACTED_2]",
    "board_name": "[REDACTED_3]",
    "release": {
        "distribution": "OpenWrt",
        "version": "21.02-SNAPSHOT",
        "revision": "[REDACTED_4]",
        "target": "[REDACTED_5]",
        "description": "[REDACTED_6]"
    }
}

cat /etc/config/network
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '[REDACTED_IP_1]'
        option netmask '[REDACTED_IP_2]'

config globals 'globals'
        option ula_prefix '[REDACTED_IP_3]'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports '[REDACTED_IFACE_1]'

config device
        option name '[REDACTED_IFACE_2]'
        option macaddr '[REDACTED_MAC_1]'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '[REDACTED_IP_4]'
        option netmask '[REDACTED_IP_5]'
        option ip6assign '60'
        option isolate '0'

config device
        option name '[REDACTED_IFACE_3]'
        option macaddr '[REDACTED_MAC_2]'

config interface 'wan'
        option device '[REDACTED_IFACE_4]'
        option proto 'dhcp'
        option force_link '0'
        option ipv6 '0'
        option classlessroute '0'
        option metric '10'

config interface 'wan6'
        option proto 'dhcpv6'
        option disabled '1'
        option device '@wan'

config interface 'tethering6'
        option proto 'dhcpv6'
        option disabled '1'
        option device '@tethering'

config interface 'wwan6'
        option proto 'dhcpv6'
        option disabled '1'
        option device '@wwan'

config interface 'wgserver'
        option proto '[REDACTED_CONF_1]'
        option config '[REDACTED_CONF_2]'
        option disabled '0'

config interface 'modem_1_1_2_6'
        option proto 'dhcpv6'
        option disabled '1'
        option device '@[REDACTED_IFACE_5]'

config rule 'policy_direct_rt'
        option lookup 'main'
        option suppress_prefixlength '0'
        option priority '1100'

config rule 'policy_default_rt_vpn'
        option mark '0x8000/0xc000'
        option lookup '8000'
        option priority '1101'
        option invert '1'

config rule6 'policy_direct_rt6'
        option lookup 'main'
        option suppress_prefixlength '0'
        option priority '1100'

config rule6 'policy_default_rt_vpn6'
        option mark '0x8000/0xc000'
        option lookup '8000'
        option priority '1101'
        option invert '1'

config rule 'policy_default_rt_vpn_ts'
        option lookup 'main'
        option priority '1099'
        option mark '0x80000/0xc0000'
        option invert '0'

config interface 'zerotier'
        option proto 'none'
        option device '[REDACTED_IFACE_6]'

config interface 'wgclient'
        option proto '[REDACTED_CONF_3]'
        option config '[REDACTED_CONF_4]'
        option disabled '1'

cat /etc/config/firewall
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network '[REDACTED_NETWORK_1]'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option input 'DROP'
        list network '[REDACTED_NETWORK_2]'
        list network '[REDACTED_NETWORK_3]'
        list network '[REDACTED_NETWORK_4]'

config rule
        option name '[REDACTED_NAME_1]'
        option target 'ACCEPT'
        option src 'wan'
        option proto 'udp tcp'
        option family 'ipv4'
        option dest_port '[REDACTED_PORT_1]'

config rule
        option src '*'
        option name '[REDACTED_NAME_2]'
        option dest '*'
        option target 'ACCEPT'
        list dest_ip '[REDACTED_IP_1]/24'
        list src_ip '[REDACTED_IP_2]/24'

config rule '[REDACTED_NAME_3]'
        option name '[REDACTED_NAME_3]'
        option dest '*'
        option proto 'all'
        option extra '-m owner --gid-owner [REDACTED_GID]'
        option target 'MARK'
        option set_xmark '0x8000/0xc000'

MikroTik router entire config

# 2025-04-11 10:04:23 by RouterOS 7.18.2
# software id = REDACTED_ID_1
# model = REDACTED_MODEL_2
# serial number = REDACTED_SERIAL_3

/interface bridge
add admin-mac=REDACTED_MAC_4 auto-mac=no comment=defconf name=bridge port-cost-mode=short

/interface wireguard
add listen-port=37131 mtu=1420 name=wg1
add listen-port=13231 mtu=1420 name=wireguard1-brume2

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip pool
add name=default-dhcp ranges=REDACTED_IP_5-REDACTED_IP_6

/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf

/zerotier
set zt1 disabled=no

/zerotier interface
add allow-default=no allow-global=no allow-managed=yes disabled=no instance=zt1 name=zerotier1 network=REDACTED_ZTNET_7

/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1

/ip firewall connection tracking
set udp-timeout=10s

/ip neighbor discovery-settings
set discover-interface-list=LAN

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN

/interface ovpn-server server
add mac-address=REDACTED_MAC_8 name=ovpn-server1

/interface wireguard peers
add allowed-address=REDACTED_SUBNET_9 endpoint-address=REDACTED_DDNS_10 endpoint-port=REDACTED_PORT_11 interface=wg1 name=puchu persistent-keepalive=25s public-key="REDACTED_KEY_12"
add allowed-address=0.0.0.0/0 interface=wireguard1-brume2 name=BrumeOrWindows public-key="REDACTED_KEY_13"

/ip address
add address=REDACTED_IP_14/24 comment=defconf interface=bridge network=REDACTED_SUBNET_15
add address=REDACTED_IP_16/24 interface=wg1 network=REDACTED_SUBNET_17
add address=REDACTED_IP_18/24 interface=wireguard1-brume2 network=REDACTED_SUBNET_19

/ip dhcp-client
add comment=defconf interface=ether1

/ip dhcp-server network
add address=REDACTED_SUBNET_20 comment=defconf dns-server=REDACTED_IP_21 gateway=REDACTED_IP_22

/ip dns
set allow-remote-requests=yes

/ip dns static
add address=REDACTED_IP_23 comment=defconf name=router.lan type=A

/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="accept loopback" dst-address=127.0.0.1
add action=drop chain=input comment="drop not from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="accept ipsec in" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept ipsec out" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop new not dstnated" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=input comment="winbox from WAN" disabled=yes dst-port=8291 protocol=tcp

/ip firewall nat
add action=masquerade chain=srcnat comment="masquerade" ipsec-policy=out,none out-interface-list=WAN

/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5

/ip proxy
set enabled=yes

/ip service
set www-ssl disabled=no

/ip socks
set enabled=yes version=5

/ip socks access
add dst-address=0.0.0.0 dst-port=0-65535 src-address=0.0.0.0 src-port=0-65535

/ipv6 firewall address-list
add address=::/128 comment="unspecified address" list=bad_ipv6
add address=::1/128 comment="loopback" list=bad_ipv6
add address=fec0::/10 comment="site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="ipv4-mapped" list=bad_ipv6
add address=::/96 comment="ipv4 compat" list=bad_ipv6
add address=100::/64 comment="discard only" list=bad_ipv6
add address=2001:db8::/32 comment="documentation" list=bad_ipv6
add address=2001:10::/28 comment="ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="6bone" list=bad_ipv6

/ipv6 firewall filter
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="accept DHCPv6-Client" dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="accept ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="drop not from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="accept HIP" protocol=139
add action=accept chain=forward comment="accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="accept ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="drop everything else not from LAN" in-interface-list=!LAN

/system clock
set time-zone-name=America/New_York

/system note
set show-at-login=no

/tool mac-server
set allowed-interface-list=LAN

/tool mac-server mac-winbox
set allowed-interface-list=LAN

Hope sharing this information helps me achieve what I want. Thanks.

Redacting private (RFC1918) IP addresses is not necessary and makes it very difficult to give proper support, not that it matters as we can only give support for genuine and current OpenWRT and not for forks/offshoots/vendor-specific builds.

When using forks/offshoots/vendor-specific builds that are "based on OpenWrt", there may be many differences compared to the official versions (hosted by OpenWrt.org). Some of these customizations may fundamentally change the way that OpenWrt works. You might need help from people with specific/specialized knowledge about the firmware you are using, so it is possible that advice you get here may not be useful.

You may find that the best options are:

  1. Install an official version of OpenWrt, if your device is supported (see https://firmware-selector.openwrt.org).
  2. Ask for help from the maintainer(s) or user community of the specific firmware that you are using.
  3. Provide the source code for the firmware so that users on this forum can understand how your firmware works (OpenWrt forum users are volunteers, so somebody might look at the code if they have time and are interested in your issue).

So I am sorry but we cannot help you :(