[Solved] Multiple Wireguard connections and routing

I have two wireguard connections on my OpenWRT router:

  • wg0 connected to a VPN provider I use, this with 0.0.0.0/0 Allowed IPs (all traffic should go through this connection)
  • wg1 connected to another router of mine with 192.168.1.0/24 as Allowed IPs (I want to "bridge" to my other router, so I want to access devices on this other network)

Both WireGuard connections are established and normal internet traffic is routed through wg0 - but I can't access my other network, e.g. 192.168.1.1.
"Use default gateway" is checked for both wireguard interfaces, in Status->Routing I only see a route for 0.0.0.0/0 to wg0 but nothing to wg1
I'm not very versed in linux network routing so any help would be appreciated!

Can you draw a quick diagram of your network? Is the other router physically remote and being bridged via the wg connection over the internet?

What is the subnet of the router you’re working on now?

You’ll probably be using policy based routing, or setting up manual routes. But let’s first get a better idea of the topology and let’s also look at your config.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

Does wg1 come up if wg0 is down? Is it possible there's an error in the wg1 config (at either end of that tunnel)?

My network setup is exactly as you described it, my other router is at another location and the wg connection should bridge those two networks over the internet.
My OpenWRT router has the ip 192.168.2.1 with subnet 255.255.255.0, and my other router has the ip 192.168.1.1 and subnet 255.255.255.0
Here's the output:

Network:

# /etc/config/network as posted (private keys, public keys, preshared keys
# and the SIM PIN were redacted by the author as 'XXXX...').
# Two WireGuard interfaces are defined: wg0 carries the default route to a
# commercial VPN provider, wg1 is a site-to-site tunnel to a second router.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        # IPv6 ULA prefix (fd00::/8): local-only, not routable on the internet.
        option ula_prefix 'fd53:f243:d31f::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        # This router's LAN is 192.168.2.0/24; the remote site is 192.168.1.0/24.
        option ipaddr '192.168.2.1'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'
        # peerdns '0' ignores the ISP-supplied resolvers; the resolvers listed
        # here are the same provider addresses used under wg0, so name
        # resolution presumably depends on wg0 being up — TODO confirm this is
        # intended (it avoids leaking DNS to the ISP, but also fails when the
        # tunnel is down).
        option peerdns '0'
        list dns '10.128.0.1'
        list dns 'fd7d:76ee:e68f:a993::1'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        list dns 'fd7d:76ee:e68f:a993::1'
        list dns '10.128.0.1'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '3 6t'

config interface 'Broadband'
        # Cellular (QMI) uplink; placed in the 'wan' firewall zone together
        # with wan/wan6 in /etc/config/firewall.
        option proto 'qmi'
        option device '/dev/cdc-wdm0'
        option dhcp '0'
        option autoconnect '1'
        option pdptype 'ipv4'
        option default_profile '1'
        option apn 'internet'
        option auth 'pap'
        # The SIM PIN is stored in cleartext in this file; redacted in the post.
        option pincode 'XXXX'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'XXXXXXX'
        list addresses '10.179.99.59/32'
        list addresses 'fd7d:76ee:e68f:a993:400d:65b2:75e:6e55/128'
        list dns '10.128.0.1'
        list dns 'fd7d:76ee:e68f:a993::1'

config wireguard_wg0
        option description 'AirVPN Peer'
        option public_key 'XXXXXXX'
        option preshared_key 'XXXXXXXXX'
        option endpoint_host 'airdns.org'
        option endpoint_port '1637'
        option persistent_keepalive '15'
        # 0.0.0.0/0 and ::/0 together with route_allowed_ips '1' make wg0 the
        # default route for all traffic — this is the single 0.0.0.0/0 route the
        # author sees under Status->Routing.
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option route_allowed_ips '1'

config interface 'wg1'
        option proto 'wireguard'
        option private_key 'XXXXXXXXXX'
        # Tunnel address of this end; the remote end is presumably 10.50.1.1
        # (not shown in the thread) — verify against the other router.
        list addresses '10.50.1.2/32'

config wireguard_wg1
        option description 'Zuhause Peer'
        option public_key 'XXXXXXXXXXXXX'
        option preshared_key 'XXXXXXXXXXXX'
        # NOTE(review): host bits are set here (192.168.1.1/24). The thread
        # later changes this to 192.168.1.0/24, after which the route to wg1
        # appears. allowed_ips is also WireGuard's inbound source filter: a
        # packet arriving from this peer with a source address outside the
        # list is dropped, so the list must cover every remote address that
        # should be reachable (the remote LAN and, as suggested later, the
        # tunnel subnet 10.50.1.0/24).
        list allowed_ips '192.168.1.1/24'
        option route_allowed_ips '1'
        # The endpoint itself must stay reachable outside wg0 even though wg0
        # holds the default route; presumably a host route is installed for it
        # when the interface comes up — check with `ip route` if wg1 only works
        # while wg0 is down.
        option endpoint_host 'xyz.com'
        option endpoint_port '51820'
        option persistent_keepalive '25'

Firewall:

# /etc/config/firewall as posted.
config defaults
        # These apply to traffic not matched by a zone; the zones below set
        # their own policies. forward 'REJECT' means inter-zone traffic needs
        # an explicit 'config forwarding' section.
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# The two rules below accept IPsec ESP and IKE (UDP/500) from wan into lan.
# Nothing in the posted network config uses IPsec, so they are presumably
# leftovers of a default firewall; they are harmless only while no LAN host
# listens on those ports — review whether they are still needed.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        # Provider tunnel (wg0): nothing may initiate connections from it,
        # outbound traffic is masqueraded behind wg0's address.
        option name 'fw_AirVPN'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wg0'

config forwarding
        # The only forwarding defined in this file: lan -> fw_AirVPN. There is
        # no lan -> wan forwarding, so LAN clients cannot reach the internet
        # via wan directly when wg0 is down (the tunnel endpoints themselves are
        # router-originated traffic and are covered by output 'ACCEPT').
        option src 'lan'
        option dest 'fw_AirVPN'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        # wg1 is a member of the lan zone: whatever arrives over the
        # site-to-site tunnel gets LAN-level trust — input 'ACCEPT' exposes the
        # router's own services (SSH, LuCI) to the remote site, forward 'ACCEPT'
        # gives it the local LAN, and the lan -> fw_AirVPN forwarding above lets
        # remote hosts use wg0 as their internet exit. If the remote site is
        # less trusted than the local LAN, a dedicated zone for wg1 with
        # explicit forwardings would limit that exposure.
        list network 'wg1'

config zone
        # All uplinks (ethernet wan/wan6 and the cellular 'Broadband'
        # interface) share the wan zone.
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'Broadband'

@iplaywithtoys it looks like both wg0 and wg1 are up and connected, I see data sent and received for both interfaces.

Change the allowed IPs on wg1 to 192.168.1.0/24 (instead of 192.168.1.1/24).

If this doesn’t work, you will need to manage the routes manually.


Thanks for the help so far - now under Status->Routing I see a route for 192.168.1.0/24 to wg1! Pinging 192.168.1.1 works when I SSH into the OpenWRT router - but when I try to ping from a connected windows PC (also tried an android phone, both via wifi) it does not work.

Not sure if the other side does NAT but try to add the tunnel subnet as allowed ips e.g.
10.50.1.0/24

Otherwise it could be firewall related so show firewall config

I'm sorry, I don't really know how/where to add that, could you give me more information on that? As for the firewall config, check my second post in this topic, the firewall config is a bit further down, after the network config.

add the WG subnet e.g.:
list allowed_ips '10.50.1.0/24'

Thanks for the explanation! I added the route, but that alone did not work, so I then added the following firewall NAT rule:

config nat
        # Source-NAT for LAN -> remote LAN traffic leaving through the lan zone
        # (which includes wg1). The remote side then sees the tunnel address
        # 10.50.1.2 instead of the real 192.168.2.x source, which is presumably
        # why this works without a return route for 192.168.2.0/24 on the other
        # router — TODO confirm. The downside is that the remote firewall and
        # logs can no longer tell which local host is talking; adding that
        # return route on the remote router (and 192.168.2.0/24 to the remote
        # peer's allowed_ips) would make this rule unnecessary.
        option name 'HomeBridge'
        option src 'lan'
        option dest_ip '192.168.1.0/24'
        option target 'MASQUERADE'
        list proto 'all'

And now I can access the other LAN!
Thank you all for the help!

Glad you've got a solution!

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:
