Hi there,
I'm trying to set up an OpenWRT router to act as a VPN bridge to the office network like this:
client <-wifi-> VPN bridge <-wifi-> residential AP <-> Office router <-----> office network
Where the VPN bridge will connect to my residential AP for internet access and provide a wireless network for clients to connect to. The VPN is realized using Wireguard.
Most of this setup is working but one problem remains: when the Wireguard connection is set up, a client connecting to the VPN bridge router is unable to use the VPN.
The reason why I want this setup is because I have a client running VMs in combination with Windows, which gives lots of troubles using Wireguard.
Here is what I do:
1. Configure the VPN Bridge to connect to my residential AP and provide a wireless network:
/etc/config/wireless:
```
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/10300000.wmac'
	option country 'NL'
	option legacy_rates '1'
	option hwmode '11g'
	option htmode 'HT20'
	option disabled '0'

# Station (client) side: uplink to the residential AP, attached to network 'wwan'
config wifi-iface
	option network 'wwan'
	option device 'radio0'
	option mode 'sta'
	option ssid 'residential AP'
	option encryption 'psk2'
	option key 'Secret'
	option disabled '0'

# Access point side: the "Tunnel" SSID for clients, attached to network 'lan'
config wifi-iface
	option device 'radio0'
	option mode 'ap'
	option encryption 'psk2'
	option network 'lan'
	option ssid 'Tunnel'
	option key 'Secret2'
	option disassoc_low_ack '0'
```
```
# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
    link/ether 0c:cf:89:69:d8:45 brd ff:ff:ff:ff:ff:ff
5: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 0c:cf:89:69:d8:44 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.155/24 brd 192.168.2.255 scope global wlan0
       valid_lft forever preferred_lft forever
6: wlan0-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 0e:cf:89:69:d8:44 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.254/24 brd 10.10.10.255 scope global wlan0-1
       valid_lft forever preferred_lft forever
```
At this point, any client can connect to the "Tunnel" wifi-network and access internet as well as my residential LAN.
2. Setup the Wireguard tunnel
Next, to set up the Wireguard client on the OpenWrt VPN Tunnel device, I run this script:
```sh
#!/bin/sh
export WG_IF="VPN"
export WG_SERV="**SERVER PUBLIC IP**"
export WG_PORT="500"
export WG_ADDR="192.168.2.30/24"
export WG_KEY="**MY PRIVATE KEY**"
export WG_PSK=""
export WG_CLT_PUB="**MY PUBLIC KEY**"
export WG_SRV_PUB="**SERVER PUBLIC KEY**"

# Give the two default (anonymous) zone sections fixed section names.
# Note: this renames the UCI *section* only; the zone's 'option name' stays 'wan',
# which is why the firewall log below still prints "Zone 'wan'".
uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wwan"
# After the rename above the wan zone's section is 'wwan', so these two lines
# address a section called 'wan' that no longer exists; they are the source of the
# two "uci: Invalid argument" lines in the output, and the VPN interface is not
# added to any zone.
uci del_list firewall.wan.network="${WG_IF}"
uci add_list firewall.wan.network="${WG_IF}"
uci commit firewall
/etc/init.d/firewall restart

# Configure network: the Wireguard interface itself
uci -q delete network.${WG_IF}
uci set network.${WG_IF}="interface"
uci set network.${WG_IF}.proto="wireguard"
uci set network.${WG_IF}.private_key="${WG_KEY}"
uci set network.${WG_IF}.public_key="${WG_CLT_PUB}"
uci add_list network.${WG_IF}.addresses="${WG_ADDR}"

# Add VPN peers: the office server, with all traffic routed into the tunnel
uci -q delete network.wgserver
uci set network.wgserver="wireguard_${WG_IF}"
uci set network.wgserver.public_key="${WG_SRV_PUB}"
#uci set network.wgserver.preshared_key="${WG_PSK}"
uci set network.wgserver.endpoint_host="${WG_SERV}"
uci set network.wgserver.endpoint_port="${WG_PORT}"
uci set network.wgserver.route_allowed_ips="1"
uci set network.wgserver.persistent_keepalive="25"
uci add_list network.wgserver.allowed_ips="0.0.0.0/0"
uci add_list network.wgserver.allowed_ips="::/0"
uci commit network
/etc/init.d/network restart
wifi
```
The output is:
```
# ./setup.sh
uci: Invalid argument
uci: Invalid argument
Warning: Unable to locate ipset utility, disabling ipset support
Warning: Section 'wwan' cannot resolve device of network 'wan6'
 * Flushing IPv4 filter table
 * Flushing IPv4 nat table
 * Flushing IPv4 mangle table
 * Flushing conntrack table ...
 * Populating IPv4 filter table
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Forward 'lan' -> 'wan'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 nat table
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/etc/firewall.user'
```
At this point, from the console / CLI of the OpenWRT VPN Tunnel, the Wireguard VPN is set up and I can access the office LAN:
```
# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
    link/ether 0c:cf:89:69:d8:45 brd ff:ff:ff:ff:ff:ff
10: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 0c:cf:89:69:d8:44 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.155/24 brd 192.168.2.255 scope global wlan0
       valid_lft forever preferred_lft forever
11: wlan0-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 0e:cf:89:69:d8:44 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.254/24 brd 10.10.10.255 scope global wlan0-1
       valid_lft forever preferred_lft forever
12: VPN: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 192.168.2.30/24 brd 192.168.2.255 scope global VPN
       valid_lft forever preferred_lft forever

# ping google.com
PING google.com (142.250.179.174): 56 data bytes
64 bytes from 142.250.179.174: seq=0 ttl=118 time=9.673 ms
64 bytes from 142.250.179.174: seq=1 ttl=118 time=9.309 ms
64 bytes from 142.250.179.174: seq=2 ttl=118 time=9.362 ms
^C
--- google.com ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 9.309/9.448/9.673 ms

# ping 192.168.188.1
PING 192.168.188.1 (192.168.188.1): 56 data bytes
64 bytes from 192.168.188.1: seq=0 ttl=64 time=7.519 ms
64 bytes from 192.168.188.1: seq=1 ttl=64 time=8.757 ms
64 bytes from 192.168.188.1: seq=2 ttl=64 time=9.962 ms
^C
--- 192.168.188.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 7.519/8.746/9.962 ms

# ping 192.168.188.226
PING 192.168.188.226 (192.168.188.226): 56 data bytes
64 bytes from 192.168.188.226: seq=0 ttl=63 time=125.081 ms
64 bytes from 192.168.188.226: seq=1 ttl=63 time=146.614 ms
^C
--- 192.168.188.226 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 125.081/135.847/146.614 ms
```
But clients connected to the Tunnel network can only access my local LAN and internet via IP addresses (so DNS is obviously not working).
Seems like I am almost there, any idea what to do next or what I have done wrong?
Thanks!
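The script above renames the wan zone's UCI section to 'wwan' and then tries to add the Wireguard interface to a section called 'wan', so the two "uci: Invalid argument" lines leave the VPN interface outside every firewall zone, and fw3 will not forward client traffic from 'lan' into an unzoned interface. The following is an added example, not code from the post or from OpenWrt, of a small offline check that reads `uci show firewall` output and reports which zone section (if any) covers a given network and whether a lan-to-that-zone forwarding exists. The `sample_uci` text is constructed to mirror the situation in the post (section renamed to 'wwan', `option name` still 'wan', only 'wwan' and 'wan6' in its network list); on a real router you would pipe the live `uci show firewall` into the same functions.

```shell
#!/bin/sh
# Added example: parse `uci show firewall` output and check zone coverage of an
# interface. All function and sample names here are assumptions for this example.

# Constructed sample mirroring the post: the second zone section was renamed to
# 'wwan', its name option is still 'wan', and 'VPN' is in no zone's network list.
sample_uci() {
cat <<'EOF'
firewall.lan=zone
firewall.lan.name='lan'
firewall.lan.network='lan'
firewall.lan.input='ACCEPT'
firewall.lan.output='ACCEPT'
firewall.lan.forward='ACCEPT'
firewall.wwan=zone
firewall.wwan.name='wan'
firewall.wwan.network='wwan' 'wan6'
firewall.wwan.input='REJECT'
firewall.wwan.output='ACCEPT'
firewall.wwan.forward='REJECT'
firewall.wwan.masq='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
EOF
}

# Print the UCI section name of the zone whose 'network' list contains $1.
# Prints nothing when no zone covers that network. Reads uci output on stdin.
zone_section_for_network() {
    awk -F'=' -v net="$1" -v q="'" '
        /^firewall\.[^.]+\.network=/ {
            split($1, parts, ".")          # parts[2] is the section name
            gsub(q, "", $2)                # strip the quotes around list items
            n = split($2, items, " ")
            for (i = 1; i <= n; i++)
                if (items[i] == net) { print parts[2]; exit }
        }'
}

# Print the zone name (option name) of section $1; forwarding rules and the
# fw3 log lines ("Zone 'wan'") refer to this name, not to the section name.
zone_name_for_section() {
    awk -F'=' -v sec="$1" -v q="'" '
        $1 == "firewall." sec ".name" { gsub(q, "", $2); print $2; exit }'
}

# Succeed (exit 0) when a forwarding section from zone name $1 to zone name $2 exists.
forwarding_exists() {
    awk -F'=' -v src="$1" -v dst="$2" -v q="'" '
        /^firewall\.[^.]+\.(src|dest)=/ {
            sec = $1; sub(/\.(src|dest)$/, "", sec)
            gsub(q, "", $2)
            if ($1 ~ /\.src$/) s[sec] = $2; else d[sec] = $2
        }
        END {
            for (sec in s) if (s[sec] == src && d[sec] == dst) { found = 1; break }
            exit found ? 0 : 1
        }'
}

# Print a one-line verdict for network $1 and return 0 only when it is zoned and
# reachable from the 'lan' zone. Reads uci output on stdin.
vpn_zone_verdict() {
    net="$1"
    conf=$(cat)
    sec=$(printf '%s\n' "$conf" | zone_section_for_network "$net")
    if [ -z "$sec" ]; then
        printf 'no zone covers %s\n' "$net"
        return 1
    fi
    name=$(printf '%s\n' "$conf" | zone_name_for_section "$sec")
    if printf '%s\n' "$conf" | forwarding_exists lan "$name"; then
        printf 'ok: %s in section %s (zone %s), lan -> %s forwarding present\n' \
            "$net" "$sec" "$name" "$name"
        return 0
    fi
    printf '%s in zone %s but no lan -> %s forwarding\n' "$net" "$name" "$name"
    return 1
}

# Same sample after 'VPN' is appended to the renamed section's network list,
# i.e. what 'uci add_list firewall.wwan.network=VPN' would have produced.
fixed_uci() {
    sample_uci | sed "s/^firewall\.wwan\.network=.*/& 'VPN'/"
}

sample_uci | vpn_zone_verdict VPN || :   # prints: no zone covers VPN
fixed_uci | vpn_zone_verdict VPN || :    # prints: ok: VPN in section wwan (zone wan), ...
```

On a router the same check is `uci show firewall | vpn_zone_verdict VPN`; an empty result from `zone_section_for_network` is the condition to look for, because fw3 applies its default forward policy to traffic heading for an interface that no zone claims, regardless of what `ip addr` and pings from the router itself show.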