Routing traffic Wifi -> Wireguard over LAN

Installing and Using OpenWrt Network and Wireless Configuration
21
  • Is this router at location 1 or location 2? [EDIT: I can assume this is location 2, based on the WG config; please correct me if I'm wrong]

it is Location 2.

  • How is this router connecting to the upstream network?

Router is connected via LAN cable to the upstream network

  • How are your clients going to connect to this device?

Clients connect via Wifi to the Router

Starting with your wlan0 network...

I deleted the network interface now. Because I understood that it´s not needed here

Is the uplink on the wan or the lan? If the lan, your firewall needs masquerading enabled on the lan zone.

yes, thats the case here. I enabled masquerading on the lan zone.

If you intend to route all traffic through the tunnel, the correct allowed_ips is 0.0.0.0/0

done

please find the actual configs below:

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fd8a:5de2:5558::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'

config interface 'lan'
	option device 'br-lan'
	option proto 'dhcp'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'WireGuard'
	option proto 'wireguard'
	option private_key 'XXXXXXXXXXX'
	option listen_port '51820'
	list addresses '192.168.9.23/24'

config wireguard_WireGuard
	option description 'Location2'
	option public_key 'XXXXXXX'
	option route_allowed_ips '1'
	option endpoint_host 'XXXXXXX.ddnss.de'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'

cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'WireGuard'
	option masq '1'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

config zone
	option name 'WGZone'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	list network 'WireGuard'

config forwarding
	option src 'lan'
	option dest 'WGZone'

config forwarding
	option src 'lan'
	option dest 'wan'

The interfaces overview looks like this:

Bildschirmfoto 2023-04-23 um 09.15.25
Bildschirmfoto 2023-04-23 um 09.15.25977×548 67.8 KB

Is it right that at "wan" there is no traffic?

Thanks for your help

22

Guys, it´s working!!!! I managed it with your help to figure out!!! Thanks a lot!!!

What was the problem:
I connected my Location2 router via LAN port for upstream and now changed to WAN port. Also I changed the network interfaces. Gave my LAN a static IP and my WAN DHCP. Nothing else and now it´s working!!!!! Thanks a lot for your support and ideas!

1 Like
23

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.