Separate LANs for WireGuard and WAN directly

I'm absolutely new to this, sorry.

I have a router I got from my ISP and one of its interfaces goes into my OpenWRT router as a WAN. My router has 6 ethernet ports and I want to utilize them. One goes to WAN, one to LAN and one to VPN connection - that's the plan.

I was pretty sure that my plan was quite simple to do. I wanted to have two networks:

  • lan using wan interface
  • vpn-lan using vpn interface

This just won't work. It's either WAN or VPN picking up all the traffic. If WAN picks up the traffic, vpn-lan has no connection to the internet, and if VPN picks it up, there's no connection to the internet on lan. I have no idea what's happening.

I've seen some people just linking the PBR thing - I don't know what it is honestly. I got it, saw the config having 123890123 toggles and I decided to post a question here instead.

Here's what I've got going on:

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdb9:398a:5b78::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	option ipv6 '0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	# NOTE(review): 'gateway' on a static interface requests a default route via
	# that address. 192.168.0.170 is outside this interface's 192.168.1.0/24 and
	# the upstream link is 'wan' (DHCP), so this looks unintended - confirm and
	# remove; a LAN-side interface normally has no gateway option.
	option gateway '192.168.0.170'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option peerdns '0'
	list dns '10.2.0.1'
	option metric '20'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'
	option device 'vlan-guest'

config interface 'internal'
	option proto 'static'
	option device 'vlan-internal'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

config interface 'vpnlan'
	option proto 'static'
	option device 'br-vpn'
	option ipaddr '192.168.60.1'
	option netmask '255.255.255.0'
	# NOTE(review): 10.2.0.1 is an address inside the WireGuard tunnel, not on
	# this 192.168.60.0/24 segment, so it cannot act as this interface's gateway.
	# Sending vpnlan traffic into the tunnel is a routing-rule job, not a
	# per-interface gateway - confirm and remove.
	option gateway '10.2.0.1'

config device
	option type 'bridge'
	option name 'br-vpn'
	list ports 'eth2'
	option ipv6 '0'

# NOTE(review): private_key is the secret half of this WireGuard key pair.
# A real key pasted into a public post has to be treated as compromised:
# generate a new key pair, register the new public key with the VPN provider,
# and share configs only with this value replaced by a placeholder.
config interface 'vpn'
	option proto 'wireguard'
	option private_key '2IsIDUOUGlzPjN8V3tHBu/RISsi8yH/CvqXKumb4/2k='
	# Tunnel-side address of this router.
	list addresses '10.2.0.2/32'
	list dns '10.2.0.1'
	option force_link '1'
	option mtu '1392'
	option metric '10'

config wireguard_vpn
	option description 'Proton PL#100'
	option public_key 'wpfRQRhJirL++QclFH6SDhc+TuJJB4UxbCABy7A1tS4='
	# Installs a route for every allowed_ips entry listed below.
	option route_allowed_ips '1'
	option endpoint_host '79.127.186.193'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	# NOTE(review): allowed_ips is the set of remote addresses that may be sent
	# to / accepted from this peer. '10.2.0.2/32' is the router's own tunnel
	# address (see 'list addresses' in the 'vpn' interface), so no Internet
	# destination can pass through the tunnel with this value. The later working
	# config in this thread uses '0.0.0.0/0'.
	list allowed_ips '10.2.0.2/32'

cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option force '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'internal'
	option interface 'internal'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'vpnlan'
	option interface 'vpnlan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option force '1'

cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	option family 'ipv4'

# NOTE(review): input ACCEPT lets every vpnlan client reach any service the
# router itself exposes on this interface (e.g. web UI or SSH, if enabled).
# The 'guest' zone in this file uses input REJECT plus a rule that allows only
# ports 53/67/68; the same pattern fits here, and the existing
# 'Allow-WireGuard-DHCP-DNS' rule already provides that allowance.
config zone
	option name 'vpnlan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	# forward ACCEPT covers traffic between networks inside this zone only;
	# traffic to other zones still needs a 'config forwarding' section.
	option forward 'ACCEPT'
	list network 'vpnlan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wan'
	list network 'wan6'
	option mtu_fix '1'
	option masq6 '1'
	option masq '1'
	option family 'ipv4'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'vpn'

config zone
	option name 'internal'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'internal'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config rule
	option name 'Allow-Guest-DHCP-DNS'
	option src 'guest'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config rule
	option name 'Allow-WireGuard-DHCP-DNS'
	option src 'vpnlan'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config forwarding
	option src 'vpnlan'
	option dest 'vpn'

# NOTE(review): with 'src' set and no 'dest', this is an input rule: it opens
# port 51820 on the router itself to vpnlan clients. The 'vpn' interface in
# this file sets no listen_port and only dials out to endpoint_port 51820, so
# nothing shown here listens for inbound WireGuard; WireGuard is also UDP-only,
# so the tcp entry is unnecessary. The vpnlan zone already has input ACCEPT,
# which makes the rule redundant as well - candidate for removal.
config rule
	option name 'Allow-WireGuard-Inbound'
	option src 'vpnlan'
	option dest_port '51820'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/firewall.include'

So your openwrt router is connected with its WAN port to the ISP router with a different subnet of the ISP router?

If so there are a lot of things not quite right with your setup.

Consider just starting fresh from default.

Setup as regular router.

Setup the WireGuard client see: Direct download WireGuard Client Setup guide

To route different interfaces differently you need Policy Based Routing (PBR):

There is also a PBR app see:

But if you want only to route one specific interface via the VPN you can also use netifd e.g.:
/etc/config/network:

config route
	option interface '<my-wg-interface>'
	option table '102'
	option target '0.0.0.0/0'

config rule
	# for ip source:
	#option src '192.168.30.0/24'
	# destination e.g. from all to dest
	#option dest '25.52.71.40/32'
	# for interface
	option in 'vpnlan'
	#table number to use for lookup
	option lookup '102'

Hey, thanks for your answer.

This is what I believe I'm failing to understand. Why do I need any such thing? If I've set the interfaces of my lans to only have a single possible FORWARD interface, why should I need any other policy on top of that? How's PBR any better than just limiting the firewall zone to a single forward and REJECTing anything else? Same with the netifd - it looks like allowing vpnlan to only route through the `<my-wg-interface>` - how's that different than only allowing vpnlan to be FORWARD'ed to `<my-wg-interface>` and nothing else?

I need this, because if I didn't have the ISP router, I'd have already broken the home network. So I'd rather keep my new router to be a subnet of that main router, until I feel I understand what's happening. Once it's there, I wanted to set my ISP router to become a bridge to my new OpenWRT router. But yeah - I probably don't even know what I don't know about setting it up right.

The setup you have for your router so with its WAN connected to your ISP router and on a separate subnet is fine.

But there are really a lot of things not quite right.

So better start fresh and follow the basic setup instructions for your router and WireGuard as outlined in my previous post.

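The firewall only allows or blocks traffic; it does not choose which interface a packet leaves through. That choice is made by routing, so you need routing rules, i.e. Policy Based Routing :slight_smile: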

That makes more sense now. So ALLOWing my traffic to go through a specific interface doesn't mean it'll ever try?

I will give it another go and try to use the PBR app on Luci to set the routing then.


Before I do it I'd like to know one more thing. Why do I need the PBR? Can't I just use the LuCI Network > Routing menus to set it up?

How's what LuCI provides in the GUI different from PBR?

Yeah I absolutely don't get it. So I've set the most basic rule I could think of - do not let LAN -> WAN. And yet I can still scroll the internet after it's been applied. Why? :c IPv6 is disabled on LAN.

Ignoring some network configuration errors, here's how to implement the solution suggested by egc:

Network->Interfaces, the wireguard interface peer tab (Edit).

Network->Routing->IPv4 Rules

Network->Routing->Static IPv4 Routes


Thanks for your input I really appreciate it. I will admit I have no idea what we've done here - but it seems to work. At least partially.

Let me do a quick update on what I've done:

  1. As @egc suggested I have cleaned my entire OpenWRT setup to fresh install and started over.
  2. I've set up WireGuard and it seems to have a connection.
  3. As @pavelgl suggested I have added the settings.

It seems to work at least partially - I am able to ping 8.8.8.8 from my PC that's in the vpnlan zone, yet DNS seems to not be working. I have a DNS address provided by my VPN provider that I'm using for the vpn interface. But my nslookup google.com times out.

Here's my config:

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd95:f13:1605::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

# NOTE(review): the key is redacted here, but a key that appeared in an earlier
# public post stays exposed even if that post is edited later. Rotate it:
# generate a new key pair and register the new public key with the provider.
# Any copy or backup of /etc/config/network contains this secret too, so store
# such copies with restricted access.
config interface 'vpn'
	option proto 'wireguard'
	option private_key 'IjustnoticedIpostedprivatekeyonthefirstpostimsodumb='
	list addresses '10.2.0.2/32'
	option mtu '1392'
	list dns '10.2.0.1'

config wireguard_vpn
	option description 'HELLO#100'
	option public_key ':cccccccccccccccc='
	list allowed_ips '0.0.0.0/0'
	option endpoint_host '71.127.116.193'
	option endpoint_port '51820'

# Policy rule: packets whose source address is in 192.168.60.0/24 (the vpnlan
# subnet) are looked up in routing table 102 instead of the main table.
# NOTE(review): traffic originated by the router itself (for example dnsmasq
# forwarding a client's DNS query) does not have a 192.168.60.0/24 source, so
# it presumably keeps using the main table - verify with 'ip rule' and
# 'ip route show table 102'.
config rule
	option priority '2'
	option src '192.168.60.0/24'
	option lookup '102'

# Table 102 holds a single IPv4 default route through the 'vpn' interface.
config route
	option interface 'vpn'
	option target '0.0.0.0/0'
	option table '102'

config device
	option type 'bridge'
	option name 'br-vpnlan'
	list ports 'eth2'

config interface 'vpnlan'
	option proto 'static'
	option device 'br-vpnlan'
	option ipaddr '192.168.60.1'
	option netmask '255.255.255.0'
	option defaultroute '0'

cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'vpnlan'
	option interface 'vpnlan'
	option start '100'
	option limit '150'
	option leasetime '12h'

cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# NOTE(review): input ACCEPT lets every vpnlan client reach any service the
# router itself exposes on this interface. To tighten this, set input to
# REJECT and add a rule allowing only DNS/DHCP (ports 53, 67, 68) from vpnlan;
# this firewall file has no such rule yet, so add it first or clients lose
# DHCP and router-provided DNS.
config zone
	option name 'vpnlan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	# forward ACCEPT covers traffic between networks inside this zone only.
	option forward 'ACCEPT'
	list network 'vpnlan'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'vpn'
	option masq '1'
	option family 'ipv4'
	option mtu_fix '1'

# The only forwarding out of vpnlan is vpnlan -> vpn. There is no
# vpnlan -> wan forwarding and the default forward policy is REJECT, so vpnlan
# traffic that routing would send out 'wan' (e.g. if the table-102 route is
# missing while the tunnel is down) is rejected instead of leaving untunnelled.
# Keep it that way: adding vpnlan -> wan would remove this safeguard.
config forwarding
	option src 'vpnlan'
	option dest 'vpn'

From that same PC, run nslookup google.com 10.2.0.1.

If it works, remove the DNS server from the wireguard interface and add it to the vpnlan dhcp section using option 6.

config dhcp 'vpnlan'
	option interface 'vpnlan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	# DHCP option 6 = DNS server handed to clients. vpnlan clients then query
	# 10.2.0.1 directly; those packets carry a 192.168.60.0/24 source, so with a
	# source-based rule such as the 'lookup 102' rule shown earlier they are
	# routed through the tunnel rather than resolved by the router over wan.
	list dhcp_option '6,10.2.0.1'

If you prefer to use LuCI, you can find the field in the advanced DHCP settings of the interface.


After setting DHCP-Option to 6,10.2.0.1 the nslookup google.com works but there's yet another problem. I tried browsing to openwrt.org and the website just loads forever - YouTube works just fine.

I checked traceroute and it seems to just stop there and timeout. I tried traceroute google.com and then traceroute openwrt.org:

$ traceroute google.com
traceroute to google.com (142.250.75.14), 64 hops max
  1   192.168.60.1  0,342ms  0,207ms  0,191ms 
  2   10.2.0.1  13,716ms  15,944ms  15,697ms 
  3   79.127.186.254  17,409ms  14,401ms  9,563ms 
  4   80.239.133.86  21,499ms  12,146ms  17,443ms 
  5   62.115.61.22  15,352ms  11,990ms  12,285ms 
  6   64.233.174.229  14,600ms  13,485ms  12,788ms 
  7   142.250.238.3  14,554ms  13,953ms  16,313ms 
  8   142.250.75.14  21,675ms  14,781ms  13,853ms
$ traceroute openwrt.org
traceroute to openwrt.org (64.226.122.113), 64 hops max
  1   192.168.60.1  0,355ms  0,218ms  0,201ms 
  2   10.2.0.1  14,344ms  13,663ms  14,936ms 
  3   79.127.186.254  14,685ms  14,839ms  12,217ms 
  4   169.150.194.193  25,712ms  40,250ms  25,898ms 
  5   185.229.188.11  47,217ms  49,776ms  43,444ms 
  6   79.127.192.216  42,250ms  46,731ms  44,313ms 
  7   146.190.180.32  43,729ms  40,009ms  39,380ms 
  8   *  *  * 
  9   *  *  * 
 10   *  *  * 
 11   *  *  * 
 12   *  *  * 
 13   *  *  * 
 14   *  * ^C

I thought it could be my VPN address getting blocked - but doesn't seem like it. I picked exact same server through desktop app of the VPN provider, and it resolved:

$ traceroute openwrt.org
traceroute to openwrt.org (64.226.122.113), 64 hops max
  1   10.96.0.1  12,290ms  13,279ms  11,963ms 
  2   79.127.186.254  14,517ms  13,094ms  14,613ms 
  3   169.150.194.193  26,430ms  30,893ms  31,332ms 
  4   185.229.188.11  41,858ms  41,684ms  42,115ms 
  5   79.127.192.216  39,416ms  39,789ms  42,633ms 
  6   146.190.180.36  43,954ms  44,738ms  39,198ms 
  7   *  *  * 
  8   *  *  * 
  9   *  *  * 
 10   *  *  * 
 11   *  *  * 
 12   *  *  * 
 13   *  *  * 
 14   64.226.122.113  55,818ms  53,002ms  56,214ms

I have no idea what could be causing that.

I've reduced MTU to 1200 and it loaded... But I'm not sure it's a good idea?

Edit:
I set it to 1340 and it worked fine. But I decided to reboot the device and see if it's still ok. After reboot, it doesn't load up openwrt.org again. But me changing the value to literally 1420 and back to 1340 makes it work again. I don't know what's happening... What does changing the MTU do?

Edit 2:
Something's really off. Whenever website has any stuff to load it's super, super slow. When I connect to the same VPN from my PC using the desktop app (and LAN instead of VPNLAN), it's not that slow. And I am 100% sure it's not the router being slow, it's a very strong machine and top reports 0% CPU utilization all the time. I'm lost

Okay, addressing my bold statement that

"VPN from my PC using the desktop app [...] it's not that slow"

... turns out I lied. My desktop app was set to be using OpenVPN instead of WireGuard. I didn't know these were that far different. From what I've learned so far - WireGuard requires both sides of the tunnel to have correct MTU size.

What does "correct" mean? As far as I've learned it's just an educated guess and if it's slow just keep changing it until satisfied... sounds absolutely insane tbh.

But I eyeballed the MTU value for my VPN provider at around 1280 bytes. Took me 1 hour.

I wonder if I can somehow leverage the fact that VPN client is running on my router so I could somehow cut off these MTU shenanigans. Maybe I can somehow advertise to anyone connected to vpnlan that preferred MTU is XXXX? I just hope there's a way for me so that I wouldn't have to set MTU manually for every single device that ever decides to use this interface.

From my WireGuard Client Setup guide:

MTU (Maximum Transmission Unit)

The MTU setting on the Advanced Settings tab can usually be left at its default setting (1420 or 1412 for PPPoE).
On occasion if you have slow or hanging connections especially when streaming you have to lower the MTU, start lowering to 1280, but sometimes you have to go even lower.

Note that you also have to enable MSS clamping on the firewall zone the WireGuard interface is added to


There's one last thing I don't get - do I only set MTU on the WireGuard interface? There are a few places where I can set the MTU on the whole path from VPN to my PC:

  • vpn interface
  • br-vpnlan device - bridges eth2, that's where I plug in the cable to my PC
  • my PC - I use Ubuntu and it's set to automatic but I don't think it works well

Then there's MSS clamping - so in my case I have vpnlan that forwards to vpn. Should I give MSS clamping to the vpnlan then? Should I set it to vpn too?

Edit:
or maybe the automatic setting works, but me switching the interface on my PC from lan to vpnlan over and over makes it lose track, and it doesn't know what MTU is right on this interface anymore?

The MTU settings we are talking about are for the wireGuard interface (vpn in your case) leave the rest alone

MSS clamping option mtu_fix '1' should be set to the firewall zone the vpn interface is added (I checked and it is in your case)


Thank you, it seems to be working fine after I set just the vpn to 1280. I checked the speedtest and there isn't any regression on the transfers either from what I have connecting directly through the desktop app.

So it works! Thank you @egc and @pavelgl :confetti_ball:

Now the last thing - now that I have a setup that works I really want to make a snapshot of it. Is copying /etc/config/network, /etc/config/dhcp and /etc/config/firewall sufficient to restore all these settings if I mess something up? Maybe OpenWRT has a more sophisticated method of making config snapshots?

You mean you want to make a backup from your settings?

For things you do not know yet you can consult the openwrt wiki e.g.:
