I want to set up a portable OpenWrt router (Pi4 in my case) to be able to connect directly to my WireGuard VPN on my home router. I only need one tunnel (unless it is easy to set up multiples).
The issue I need to solve: my daughter is in college and I use ChannelsDVR for recording TV programs. She was able to connect her TV with the Channels app, but recently is having problems. If she connects via WireGuard on her computer she can watch shows that way, but it would be nicer on the TV. It is a FireTV, and while ChannelsDVR supports Tailscale, I am not sure it is supported in the Fire TV app, so I thought doing this might be a solution.
Is it possible to make an OpenWrt router a specific WireGuard client? I saw features and started down this path but have had no success.
Yes. This is quite easy. This guide should help -- be sure to adapt to your config on your home router.
If it doesn't work, we can help, but we'll need the following info from both sides:
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
wg show
(if your home router isn't OpenWrt, we will at least need to see the wireguard related configuration).
I will work my way through those instructions. But one question: the router has an option for WireGuard on the WAN side, so do I just leave the WAN side set up like it would be for a normal router?
I'm not sure what you are asking here. Are you referring to the idea that the traffic can be entirely routed through the tunnel, or that you can have a split tunnel where only certain traffic goes through the tunnel while the rest flows through the standard WAN?
There are a few methods of handling this. Policy based routing is probably what you want to use, but it depends on the specifics. First, get the tunnel working in general, then you can refine the setup with PBR.
Here is the remote router I want to auto-connect to my home router via WireGuard:
root@Pi4Wrt:~# ubus call system board
{
"kernel": "5.10.176",
"hostname": "Pi4Wrt",
"system": "ARMv8 Processor rev 3",
"model": "Raspberry Pi 4 Model B Rev 1.4",
"board_name": "raspberrypi,4-model-b",
"rootfs_type": "ext4",
"release": {
"distribution": "OpenWrt",
"version": "22.03.5",
"revision": "r20134-5f15225c1e",
"target": "bcm27xx/bcm2711",
"description": "OpenWrt 22.03.5 r20134-5f15225c1e"
}
}
root@Pi4Wrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdf8:36ee:bdcd::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.remote.1'
config interface 'wan'
option proto 'dhcp'
option device 'eth1'
config interface 'wan6'
option proto 'dhcpv6'
option reqaddress 'try'
option reqprefix 'auto'
option device 'eth1'
config interface 'wg0'
option proto 'wireguard'
option listen_port '51820'
list addresses '192.168.wg.1/24'
option private_key 'private key'
root@Pi4Wrt:~# cat /etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'wan-local-wg'
list proto 'udp'
option src 'wan'
option dest_port '51820'
option target 'ACCEPT'
config zone
option name 'wg'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'wg0'
config forwarding
option src 'wg'
option dest 'lan'
config forwarding
option src 'wg'
option dest 'wan'
config forwarding
option src 'lan'
option dest 'wg'
config rule
option name 'port-443'
option src 'wan'
option dest_port '443'
option target 'ACCEPT'
config include 'pbr'
option fw4_compatible '1'
option type 'script'
option path '/usr/share/pbr/pbr.firewall.include'
root@Pi4Wrt:~# wg show
interface: wg0
public key: 'public key'
private key: (hidden)
listening port: 51820
root@Pi4Wrt:~#
Here is my home router config. I have several tunnels for devices and I think those all currently work. Pi4 Gateway1 is the peer config for the Pi4 router. I know the remote router is not set right; that is where I am stuck.
root@3060Wrt:~# ubus call system board
{
"kernel": "5.15.137",
"hostname": "3060Wrt",
"system": "Intel(R) Core(TM) i3-8100T CPU @ 3.10GHz",
"model": "Dell Inc. OptiPlex 3060",
"board_name": "dell-inc-optiplex-3060",
"rootfs_type": "ext4",
"release": {
"distribution": "OpenWrt",
"version": "23.05.2",
"revision": "r23630-842932a63d",
"target": "x86/64",
"description": "OpenWrt 23.05.2 r23630-842932a63d"
}
}
root@3060Wrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdf8:36ee:bdcd::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.home.1'
config interface 'wan'
option proto 'dhcp'
option device 'eth1'
option peerdns '0'
list dns '1.1.1.1'
list dns '1.0.0.1'
config interface 'wan6'
option proto 'dhcpv6'
option device 'eth1'
option reqaddress 'try'
option peerdns '0'
list dns '2606:4700:4700::1111'
list dns '2606:4700:4700::1001'
option reqprefix '60'
config interface 'wg0'
option proto 'wireguard'
option private_key 'private'
option listen_port '51820'
list addresses '192.168.wg.1/24'
config wireguard_wg0
option description 'Jeff'\''s iPhone'
option public_key 'publickey1'
option private_key 'privatekey1'
list allowed_ips '192.168.wg.15/32'
option persistent_keepalive '60'
config wireguard_wg0
option description 'Jeff'\''s MBP-M1'
option public_key 'publickey2'
option private_key 'privatekey2'
list allowed_ips '192.168.wg.17/32'
option persistent_keepalive '60'
config wireguard_wg0
option description 'Alex Test'
option public_key 'publickey3'
option private_key 'privatekey3'
list allowed_ips '192.168.wg.21/32'
option persistent_keepalive '60'
config wireguard_wg0
option description 'Lindsay'
option public_key 'publickey4'
option private_key 'privatekey4'
list allowed_ips '192.168.wg.22/32'
option persistent_keepalive '60'
config wireguard_wg0
option description 'Alex #2'
option public_key 'publickey5'
option private_key 'privatekey5'
list allowed_ips '192.168.wg.23/32'
option persistent_keepalive '60'
config wireguard_wg0
option description 'Alex #3'
option public_key 'publickey6'
option private_key 'privatekey6'
list allowed_ips '192.168.wg.24/32'
option persistent_keepalive '60'
config wireguard_wg0
option description 'Jeff'\''s MBP 16'
option public_key 'publickey7'
option private_key 'privatekey7'
list allowed_ips '192.168.wg.25/32'
option persistent_keepalive '60'
config wireguard_wg0
option description 'Pi4 Gateway1'
option public_key 'publickey8'
option private_key 'privatekey8'
option persistent_keepalive '60'
list allowed_ips '192.168.wg.30/32'
root@3060Wrt:~# cat /etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'wan-local-wg'
list proto 'udp'
option src 'wan'
option dest_port '51820'
option target 'ACCEPT'
config zone
option name 'wg'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'wg0'
config forwarding
option src 'wg'
option dest 'lan'
config forwarding
option src 'wg'
option dest 'wan'
config forwarding
option src 'lan'
option dest 'wg'
config rule
option name 'port-443'
option src 'wan'
option dest_port '443'
option target 'ACCEPT'
config include 'pbr'
option fw4_compatible '1'
option type 'script'
option path '/usr/share/pbr/pbr.firewall.include'
interface: wg0
public key: 'public Key'
private key: (hidden)
listening port: 51820
peer: 'peer1'
endpoint: 192.168.home.124:50439
allowed ips: 192.168.wg.25/32
latest handshake: 14 hours, 26 seconds ago
transfer: 73.48 KiB received, 1.58 MiB sent
persistent keepalive: every 1 minute
peer: 'peer2'
allowed ips: 192.168.wg.17/32
persistent keepalive: every 1 minute
peer: 'peer3'
allowed ips: 192.168.wg.15/32
persistent keepalive: every 1 minute
peer: 'peer4'
allowed ips: 192.168.wg.22/32
persistent keepalive: every 1 minute
peer: 'peer5'
allowed ips: 192.168.wg.21/32
persistent keepalive: every 1 minute
peer: 'peer6'
allowed ips: 192.168.wg.23/32
persistent keepalive: every 1 minute
peer: 'peer7'
allowed ips: 192.168.wg.24/32
persistent keepalive: every 1 minute
peer: 'peer8'
allowed ips: 192.168.wg.30/32
persistent keepalive: every 1 minute
You should upgrade to 23.05.2 (latest as of this moment).
There is no need to redact this information -- please edit so that it includes the real addresses here (RFC1918 addresses do not reveal anything private or personally identifying about your network; omitting/redacting them actually makes it harder to understand and debug the config).
Because these are so critical, please fix this and then let me know when it is done. After that, I can review.
Remove the listen_port since this side isn't listening for inbound connections.
More importantly, the peer config stanza is missing. There should be another section that looks like this (setting 0.0.0.0/0 and route allowed IPs for now to ensure that traffic traverses the tunnel properly):
Thanks, I will make those changes and see how it goes. I do have a question about this:
config interface 'wg0'
option proto 'wireguard'
option listen_port '51820'
list addresses '192.168.15.1/24'
option private_key 'private key'
Specifically, the question is around the IP: should this be the IP that the home router will accept, meaning my config on the home router is 192.168.15.30? So is the IP in the code above wrong and should it be 192.168.15.30? The IP there is left over from when it was set up as my home router originally.
I made the changes and I think I have everything in order. Now when I connect it, I was assuming it would auto-connect to the tunnel, but maybe there is something missing?
Also, the private key in that same code I questioned with the IP: it should be the private key from the peer setting of the home router, right?
Side note: I get an error updating to the latest using Attended Upgrade, so I need to do it a different way, but will deal with that later.
Don't copy private keys to the other peer. They should exist only in one place, the main config of the local wireguard interface. The peer setting only needs the public key of the remote peer.
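The two points above (add a peer stanza on the Pi4 with 0.0.0.0/0 and route_allowed_ips, and never copy a private key into a peer section) as an added shell example. This is not from the thread or from OpenWrt itself; it emits the `uci` commands for the client side so they can be reviewed before running, and lints a copy of /etc/config/network for private keys in peer sections. The section name home_peer, the 25 s keepalive, and every key, host and address value are placeholders of mine.

```shell
#!/bin/sh
# Added example (not from the thread): UCI commands that make the Pi4's wg0 a
# WireGuard client of the home router, plus a lint for private keys pasted
# into peer sections. All values are placeholders; 'home_peer' and the 25 s
# keepalive are my choices.

# Emit the client-side commands. Arguments:
#   $1 home router public key   $2 endpoint host or IP   $3 endpoint port
#   $4 this side's tunnel address (the one in the home router's allowed_ips)
wg_client_uci_cmds() {
    [ $# -eq 4 ] || return 1
    for v in "$@"; do [ -n "$v" ] || return 1; done
    cat <<EOF
uci -q delete network.wg0.listen_port
uci -q delete network.wg0.addresses
uci add_list network.wg0.addresses='$4'
uci -q delete network.home_peer
uci set network.home_peer=wireguard_wg0
uci set network.home_peer.description='Home router'
uci set network.home_peer.public_key='$1'
uci set network.home_peer.endpoint_host='$2'
uci set network.home_peer.endpoint_port='$3'
uci set network.home_peer.persistent_keepalive='25'
uci set network.home_peer.route_allowed_ips='1'
uci add_list network.home_peer.allowed_ips='0.0.0.0/0'
uci commit network
/etc/init.d/network restart
EOF
}

# Lint: given the text of /etc/config/network, print the description of every
# wireguard peer section that carries a private_key; return 1 if any was found.
# The interface section's own private_key is fine and is skipped.
peer_private_key_lint() {
    printf '%s\n' "$1" | awk '
        /^config wireguard_/ { inpeer = 1; desc = "(unnamed)"; next }
        /^config /           { inpeer = 0; next }
        inpeer && /option description/ {
            sub(/^[ \t]*option description[ \t]*/, ""); gsub(/\047/, ""); desc = $0 }
        inpeer && /option private_key/ { print desc; bad = 1 }
        END { if (bad) exit 1 }'
}

# Constructed sample config: a peer section copied over with its private key
SAMPLE_CFG="config interface 'wg0'
	option proto 'wireguard'
	option private_key 'PRIVATE-KEY-PLACEHOLDER'

config wireguard_wg0
	option description 'Home router'
	option public_key 'PUBLIC-KEY-PLACEHOLDER'
	option private_key 'PRIVATE-KEY-PLACEHOLDER'
	list allowed_ips '0.0.0.0/0'"

wg_client_uci_cmds 'HOME-ROUTER-PUBKEY-PLACEHOLDER' 'home.example.net' 51820 '192.168.15.30/24'
peer_private_key_lint "$SAMPLE_CFG" || echo "remove private_key from the peer section(s) listed above"
```

On the router you would run `peer_private_key_lint "$(cat /etc/config/network)"` first, then pipe the emitted commands into `sh` once the placeholders are replaced. The Pi4 keeps the private key it already has under `config interface 'wg0'`; the home router's peer entry for the Pi4 gets only the Pi4's public key.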
After thinking about it, upgrading to the latest version was wise. LOL.
Anyway, from what I can tell it is working. I don't have an external connection to test it; however, plugging the WAN into the home network and then the Pi4 into my computer, I can access my internal network. Now I need to figure out how to access the internet from that connection. My other tunnels seem to work correctly. How can I check that?
Thank you so much for your help so far, I really appreciate it.