Site to site connection between OpenWrt LTE (no public IP) and Fritzbox 7590 (latest lab version)

Hi, since I do not have a public IP address in my garden, I want to connect my remote LAN (192.168.125.0/24) via an OpenWRT LTE router with my home Fritzbox LAN (192.168.123.0/24) (the Fritzbox has a public IP), because I need to access a device in my remote LAN (garden with LTE) from my home LAN and the other way round.
I managed to establish a connection from the OpenWRT router via WireGuard to my Fritzbox, but in my Fritzbox network overview the remote devices do not appear, not even the OpenWRT router. Did I miss something in the network configuration?

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fde4:2d59:c547::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option force_link '0'
        option ipaddr '192.168.125.126'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 6t'

config interface 'wwan'
        option proto 'qmi'
        option device '/dev/cdc-wdm0'
        option pdptype 'ipv4v6'
        option default_profile '1'
        option apn 'internet'
        option auth 'none'
        option ipv6 '1'

config interface 'wlan0'
        option type 'bridge'
        option proto 'static'
        option device 'wlan0'
        option force_link '0'
        option ipaddr '192.168.125.125'
        option netmask '255.255.255.0'

config device
        option name 'eth0.2'
        option type '8021q'
        option ifname 'eth0'
        option vid '2'

config interface 'vpn'
        option proto 'wireguard'
        option private_key <key>
        list addresses '192.168.125.1/24'
        list addresses '192.168.123.128'

config wireguard_vpn
        option description 'Imported peer configuration'
        option public_key <key>
        option preshared_key <key>
        list allowed_ips '192.168.123.0/24'
        option persistent_keepalive '25'
        option endpoint_host <dyndns address>
        option endpoint_port '50066'

I am not that good at the routing topic, so many thanks for any ideas or help.

Here is a schematic of how it should be (there is a Pi, because earlier the Pi did the VPN tunnel to my Fritzbox, but there too I did not manage to make the 192.168.125.0/24 devices visible in my 192.168.123.0/24 network).

All the best,
Ingo

This is not good practice here.

  • Names starting with wlan should be reserved for automatic assignment by the wifi UCI system.
  • option type bridge in a config interface is deprecated. The new syntax requires declaring bridges separately; see br-lan and lan for an example.
  • Do not reference wifi devices in /etc/config/network. They are attached to network interfaces (or bridges) using option network in /etc/config/wireless.

Do you really need a separate network for the garden wifi? At least for initial testing, you may want to just add an AP to the existing lan in the garden router.

Now on to Wireguard:

  • If you give your wg0 interface an IP address (which is optional for point to point, but it helps greatly with testing) it needs to be a separate subnet from all of your other LANs. On the peer, configure a different IP address in the same subnet so you can test by pinging directly through the tunnel.
  • On the peer config, allowed_ips should be the other lan and route_allowed_ips should be on.
  • For testing, place the wg interface in the lan firewall zone, though this limits options for security compared to giving it a separate zone.
1 Like

To be honest I mainly use the web interface and this is the output from it. I don't know what UCI is or what is best practice. I will try to follow your instructions. Do you mean that I should use the same IP network range in my remote LAN as in my home LAN?

The two LANs have to be different such as 123 and 125 like you have. The tunnel endpoints need to be in the same subnet range as each other, but different from the other networks. For example:

House LAN 192.168.123.1/24
House wg0 192.168.200.123/24
Allowed IPs 192.168.125.0/24

Garden LAN 192.168.125.1/24
Garden wg0 192.168.200.125/24
Allowed IPs 192.168.123.0/24

1 Like
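As a check of the addressing rule in the reply above (tunnel endpoints share one subnet that is disjoint from both LANs, and each peer's allowed_ips is the other LAN), here is an added example that is not from the thread; it uses only Python's standard library and the thread's own addresses, and also flags the wg addresses from the first post that fall inside an existing LAN:

```python
# Added example, not code from the thread: validates a site-to-site WireGuard
# addressing plan and reports why the first post's wg addresses are a problem.
from ipaddress import ip_interface, ip_network


def _net(text):
    # strict=False accepts the "192.168.123.1/24" style used in the reply
    return ip_network(text, strict=False)


def plan_site_to_site(house_lan, garden_lan, tunnel_net, house_host, garden_host):
    """Return each site's wg0 address and allowed_ips; raise ValueError on overlap."""
    house, garden, tunnel = _net(house_lan), _net(garden_lan), _net(tunnel_net)
    if house.overlaps(garden):
        raise ValueError("the two LANs must be different subnets")
    for lan in (house, garden):
        if tunnel.overlaps(lan):
            raise ValueError(f"tunnel subnet {tunnel} overlaps LAN {lan}")
    house_wg = ip_interface(f"{house_host}/{tunnel.prefixlen}")
    garden_wg = ip_interface(f"{garden_host}/{tunnel.prefixlen}")
    for wg in (house_wg, garden_wg):
        if wg.network != tunnel:
            raise ValueError(f"{wg} is not inside tunnel subnet {tunnel}")
    # Each peer's allowed_ips is the *other* LAN, with route_allowed_ips enabled
    return {
        "house": {"wg0": str(house_wg), "allowed_ips": str(garden), "route_allowed_ips": True},
        "garden": {"wg0": str(garden_wg), "allowed_ips": str(house), "route_allowed_ips": True},
    }


def wg_address_problems(wg_addresses, lans):
    """List wg interface addresses that lie inside one of the existing LANs."""
    problems = []
    for addr in wg_addresses:
        iface = ip_interface(addr)  # a bare address becomes a /32
        for lan in map(_net, lans):
            if iface.ip in lan:
                problems.append(f"{addr} lies inside LAN {lan}")
    return problems


if __name__ == "__main__":
    print(plan_site_to_site("192.168.123.1/24", "192.168.125.1/24",
                            "192.168.200.0/24", "192.168.200.123", "192.168.200.125"))
    # the two 'list addresses' lines from the first post's vpn interface
    print(wg_address_problems(["192.168.125.1/24", "192.168.123.128"],
                              ["192.168.123.0/24", "192.168.125.0/24"]))
```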

OK, this makes sense now. Now I have to figure out how to give the Fritzbox's tunnel interface a different IP address than the house LAN.

Hmhh, I did not get it to work. I understand your idea, but I think this does not work in my environment, because:

  • your setup needs 2 OpenWrt Routers, where both routers have their wireguard configurations like you mentioned (allowed IPs etc.)
  • both sides need a public IP address

I have only one OpenWrt router (no public IP) and a Fritzbox 7590 (public IP) with the latest lab version. It's hard to make detailed configurations for wireguard (e. g. set the IP address of the tunnel interface). Maybe I need to add a second OpenWrt Router behind that Fritzbox, where I

  • connect only the devices, which have to talk through the VPN tunnel, so they only use the OpenWrt Router as default gateway
  • make the configurations like you mentioned on both OpenWrt routers, where the OpenWrt router behind the Fritzbox uses the Fritzbox as WAN (PPPoE?)

Somewhere I read that maybe I have to make extra routing adjustments or activate masquerading in the firewall section.

So at the moment I am a little stuck, but I will see. One thing is clear, I will learn something :)

All the best,
Ingo

Only one site needs a public IP. The other one makes an outgoing connection and it can do that through NAT from a private IP.

The Wireguard instance that is listening for a connection (some might call it the server) at the site with the public IP will have a listen_port configured and that port open for UDP from the Internet through the router firewall(s).

If the machine running Wireguard at the site with the public IP is not the main router at that site, you will need to forward the incoming VPN port through the main router, and also install a route to the remote LAN in that main router.

1 Like