Setup for home remote access using two routers

(diagram: setup)

The remote access is just for the client E. I do not know what would be the drawbacks of having LAN1 == LAN2 (performance, security). But since I do not need remote access to the devices from LAN1, we can keep them isolated.

The motivation to separate in two LANs is because I do not want all my internet traffic to go through the tunnel. But maybe I am overthinking things?

I think that I am getting close... Setting aside having a separate net on the wan, I think that all that is left is the configuration on the ISP router. I read somewhere that there is no port forwarding for IPv6, is that correct? If so, what is the configuration that I need to do in the ISP router in order to allow/route the incoming IPv6 traffic?

/etc/config/firewall

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'
	option masq '1'
	
config zone 'wireguard'
	option name 'wireguard'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'wg0'

config forwarding
    option dest 'wireguard'
    option src 'lan'

config forwarding
    option dest 'lan'
    option src 'wireguard'

/etc/config/network

config globals 'globals'
	option ula_prefix '<hidden>'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.0.2'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.0.1'
	list dns '8.8.8.8'

config interface 'wg0'
	option proto 'wireguard'
	option private_key '<hidden>'
	option listen_port '51820'
	list addresses '192.168.9.1/24'
	list addresses 'fd00:9::1/64'

config wireguard_wg0 'wgclient'
	option public_key '<hidden>'
	option preshared_key '<hidden>'
	list allowed_ips '192.168.9.2/32'
	list allowed_ips 'fd00:9::2/128'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	option description 'test'

Do clients A-D need to be able to access client E? What about the other way around? If they are on two different networks, that becomes harder.

But it occurs to me that we can set up firewall rules on the AP to restrict WG access to only client E.

Maybe remove the forwarding from wireguard to lan and only allow forward access to the IP address of client E?

Exactly what I was thinking :-). Masquerading will be needed on the AP's lan zone, but the firewall will only allow forwarding to that singular IP from the WG tunnel. Should be pretty easy.
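The restriction discussed above, written out as an added example (not a config from the thread): the AP's /etc/config/firewall keeps masquerading on the lan zone, drops the blanket wireguard-to-lan forwarding, and accepts forwarded traffic from the tunnel only when it is destined for client E. The address 192.168.0.50 for client E and the rule names are constructed placeholders.

```uci
# /etc/config/firewall on the dumb AP (added example; 192.168.0.50 stands in for client E)
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'          # anything not explicitly forwarded below is rejected
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'            # the WireGuard handshake on UDP 51820 arrives via this zone
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'
	option masq '1'                  # client E sees the AP's LAN address (192.168.0.2) as the source,
	                                 # so it needs no route back to 192.168.9.0/24

config zone 'wireguard'
	option name 'wireguard'
	option input 'REJECT'            # the AP itself is not reachable from the tunnel, except ping below
	option output 'ACCEPT'
	option forward 'REJECT'
	option network 'wg0'

# Lets the remote end ping the AP's tunnel address as a proof of concept (input rule: no 'dest')
config rule
	option name 'Allow-Ping-From-WG'
	option src 'wireguard'
	option proto 'icmp'
	option target 'ACCEPT'

# LAN2 devices may still initiate towards the tunnel; drop this stanza too if they never need to.
# There is deliberately NO 'config forwarding' from wireguard to lan any more.
config forwarding
	option src 'lan'
	option dest 'wireguard'

# Only client E is reachable from the tunnel; every other LAN2 device stays isolated.
# Replies from E back to the tunnel are matched by connection tracking, no extra rule needed.
config rule
	option name 'WG-to-clientE'
	option src 'wireguard'
	option dest 'lan'
	option dest_ip '192.168.0.50'
	option proto 'all'
	option target 'ACCEPT'
```

The remote peer's AllowedIPs must also cover client E (192.168.0.50/32 or the whole 192.168.0.0/24), otherwise WireGuard on the remote side never sends packets for E into the tunnel in the first place.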

Going one step back, I first want to test if I am able to communicate with my OpenWrt device using IPv6.

I set up a WireGuard client on my MacBook that is on a different network:

[Interface]
PrivateKey = <hidden>
ListenPort = 51820
Address = 192.168.9.2/32, fd00:9::2/128

[Peer]
PublicKey = <openwrt_wgclient_publickey>
AllowedIPs = 192.168.9.1/24, fe80::aabb:eeff:fe12:3456/64
Endpoint = <myddnsaddres>:51820
PersistentKeepalive = 25

On the OpenWrt dumb AP I created a new interface:

config interface 'lan6'
	option proto 'dhcpv6'
	option reqprefix 'no'
	option device '@lan'

The wireguard configuration on the dumb AP:

config interface 'wg0'
	option proto 'wireguard'
	option private_key '<hidden>'
	option listen_port '51820'
	list addresses '192.168.9.1/24'
	list addresses 'fe80::aabb:eeff:fe12:3456/64'
	option ip6assign '60'

config wireguard_wg0 'wgclient'
	option public_key '<openwrt_wgclient_publickey>'
	option preshared_key '<hidden>'
	list allowed_ips '192.168.9.2/32'
	list allowed_ips 'fd00:9::2/128'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	option description 'test'

The firewall is the same:

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'
	option masq '1'
	
config zone 'wireguard'
	option name 'wireguard'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'wg0'

config forwarding
    option dest 'wireguard'
    option src 'lan'

config forwarding
    option dest 'lan'
    option src 'wireguard'

On my MacBook I tried to ping6 <myddnsaddres>, but I receive the following error:

UDP Connect: No route to host

Maybe my ISP router is blocking the connection, or maybe my configuration is messed up; I don't know. Any idea what could be wrong?

What is the existing IPv6 support at home? Is there an IPv6 ISP and GUAs on the LAN? Or are you using ULAs for LAN devices?

The configuration you posted is messed up; it doesn't have a consistent set of ULAs on the wireguard tunnel:

Home:
  Address: fd00:9::1/64
  Allowed IP (from Macbook): fd00::2/128

Macbook:
  Address: fd00:9::2/64
  Allowed IP (from home): fd00:9::/64
  Allowed IP (from home): Home LAN

Make sure that both wireguard tunnel ends also have link local addresses, assign them manually if needed.

As proof of concept you should be able to ping the other end's tunnel ULA through the tunnel.

Maybe what I am trying to do is not possible at all, because my ISP delegates just a /64 IPv6 address?

Unfortunately IPv6 is a no-go for me :(. The ISP router doesn't allow configuring firewall rules, and as far as I understand this is necessary for the setup that I am trying to do.

I called my ISP and asked them to remove me from the CG-NAT, and they did it. With IPv4 it will be a lot easier to configure.

Well, that's unexpected and nice of them!
