Seeking Assistance: Setting Up WireGuard VPN on OpenWrt C20 Router Behind LTE MR200 Router

Hello OpenWrt community,

I hope this message finds you well. I am reaching out to seek your expertise and guidance on a networking challenge I'm facing with my OpenWrt routers. Here's a brief overview of my setup and the issue I'm encountering:

My Setup:

  1. TP-Link MR200 LTE Router:

    • This router has a mobile internet connection (NATed) and serves as my primary gateway to the internet.
    • Unfortunately, it does not support WireGuard VPN.
  2. TP-Link C20 Router with OpenWrt:

    • I have flashed this router with OpenWrt firmware.
    • I wish to set up WireGuard VPN on this router to connect to my server at home.
    • Additionally, I want to route specific traffic through the WireGuard tunnel.

My Challenge:
I'm facing difficulties in configuring the TP-Link C20 router running OpenWrt to run WireGuard and route its traffic through the TP-Link MR200 LTE router. The MR200 serves as the sole internet connection source, and I want the C20 router to utilize it while connected to the WireGuard VPN.

Specifically, I need help with:

  1. Setting up WireGuard on the C20 router as a client. (I believe I did that already)
  2. Configuring the C20 router to route traffic through the WireGuard tunnel.
  3. Ensuring that the C20 router can access the internet through the MR200 LTE router.

I used the ChatGPT AI to help me write this post because my English isn't great.

If any community members have experience with similar setups or can provide guidance, I would greatly appreciate your assistance. Any advice, tutorials, or step-by-step instructions would be immensely helpful in achieving my goal.

I look forward to your insights and suggestions. Thank you for your time and support in helping me navigate this networking challenge.

Best regards.

It depends on how the routers are connected.

If the C20 is connected with its WAN port and the router is on its own subnet, you can just follow the normal procedure for a WG client setup.

1 Like

Hello,

When I connected the MR200 to the C20's WAN port I can't get network at all.

I know I can only have 1 dhcp server.. I'll try again..
Thanks!

Make sure the c20 is on a different subnet:
https://openwrt.org/docs/guide-user/network/openwrt_as_routerdevice#:~:text=Click%20on%20Network%20→%20Interfaces,main%20router's%20address%20is%20192.168.

1 Like

Ohh, I didn't do that.

So essentially the MR200's only job will be as a 4G modem.

And it will pass through internet to the C20.

The C20 will do everything.

Why do I need a different subnet? I've run multiple routers in a few setups for years, mostly running DD-WRT.

I always just disable dhcp server on the ones I don't need and enable dhcp on the router that is connected to the Internet as it's the default gateway.

There are some things here to do:

Wires:

  • Read up on what a "dumb AP" is called.
  • Make sure the IP range your MR200 uses for its LAN doesn't overlap with the IP range your home network uses as its IP range.
  • Give your C20 a static LAN IP address within the range that your MR200 uses for its LAN addresses.
  • Make sure the MR200 doesn't assign this very address via DHCP.
  • Turn DHCP off on your C20.
  • Connect the C20 with one of its LAN ports (not WAN!) to one of the MR200's LAN ports.

Wireguard on the C20:

  • Install "luci-proto-wireguard" on your C20.
  • Set up wireguard via the LuCI web UI.
  • Add a new interface, of protocol "Wireguard". You might reboot your C20 before that option becomes available.
  • Creating public+private key for your router can be done via web UI
  • Give your local wireguard interface an IP address which is neither within the IP range of your MR200 network nor within the IP range of your home network.
  • In section "Firewall", start with making that interface part of the "LAN" zone.
  • In section "Peers", add your home network as peer.
  • Add the public key of your home network's wireguard link.
  • Make sure to allow your home network's IP range.
  • Make sure to allow your home network's wireguard link IP.
  • Make sure to tick the "Route allowed IPs" box.

Wireguard at home:

  • Set up wireguard
  • Add our C20 as peer.
  • Add the public key of your C20.
  • Make sure to allow your C20 wireguard link's IP to the allowed IPs list.
  • Make sure to allow the IP range your MR200 spans to the allowed IPs list.
  • Make sure to tick the "Route allowed IPs" box.

Route on your MR200:

  • Add a static route to your MR200.
  • Make the IP range of your home network to be routed via the private LAN IP address of your C20.

This should be all.

[edit]

Now that I'm thinking about it, that's certainly an option. That would demote the MR200 basically to the uplink and would require every LAN device be connected to the C20. But I guess that makes the setup a bit easier and skips the whole "add a static route" part.

I'm not going to rewrite what I've written since most of it applies anyway. But you're right, if the MR200 is the WAN side, the C20 needs to have different IP ranges for LAN and WAN side. Considering the C20 has to connect to the home network, that means: The OP needs three different, non-overlapping IP ranges. One for his home network, one for the MR200 which the C20 considers as WAN, and one the C20 uses for its LAN range.

1 Like
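
Added example, not part of the thread: a POSIX shell pre-flight check for the address plan the last reply describes (home network, MR200 side, C20 LAN and the tunnel addresses must not overlap), which then prints the matching WireGuard client sections for the C20's `/etc/config/network`. Every address, the interface name `wg0`, the keys and the hostname are constructed placeholders, and the script assumes a shell with 64-bit arithmetic.

```shell
# Constructed address plan; replace each range with your own.
HOME_LAN="192.168.1.0/24"    # network behind the WireGuard server at home
MR200_LAN="192.168.8.0/24"   # MR200 LAN, which the C20 sees as its WAN
C20_LAN="192.168.20.0/24"    # LAN the C20 serves to its own clients
WG_C20="10.9.0.2/32"         # C20's address inside the tunnel
WG_HOME="10.9.0.1/32"        # home server's address inside the tunnel

# Print "first last" of a CIDR block as integers (needs 64-bit arithmetic).
cidr_range() (
    IFS=./; set -- $1          # a.b.c.d/len -> five fields
    size=$(( 1 << (32 - $5) ))
    first=$(( (($1 << 24) + ($2 << 16) + ($3 << 8) + $4) / size * size ))
    echo "$first $(( first + size - 1 ))"
)

# Succeeds if two CIDR blocks share at least one address.
overlaps() {
    set -- $(cidr_range "$1") $(cidr_range "$2")
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# Compare every pair of blocks; report conflicts and return 1 if any exist.
check_plan() {
    rc=0
    while [ $# -gt 1 ]; do
        a=$1; shift
        for b in "$@"; do
            if overlaps "$a" "$b"; then echo "conflict: $a / $b" >&2; rc=1; fi
        done
    done
    return $rc
}

# Emit the C20's /etc/config/network sections (wg0, keys, host: placeholders).
c20_wg_stanza() {
    check_plan "$HOME_LAN" "$MR200_LAN" "$C20_LAN" "$WG_C20" "$WG_HOME" || return 1
    cat <<EOF
config interface 'wg0'
    option proto 'wireguard'
    option private_key '<C20-private-key>'
    list addresses '$WG_C20'
config wireguard_wg0
    option public_key '<home-server-public-key>'
    option endpoint_host '<home-server-hostname>'
    option route_allowed_ips '1'
    list allowed_ips '$HOME_LAN'
    list allowed_ips '$WG_HOME'
EOF
}
c20_wg_stanza
```

If any two ranges collide, the conflicting pair is written to stderr and no configuration is printed.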