[SOLVED] Wireguard Help

Hello everyone. I'll start by saying I'm a total noob on VPN and WireGuard things, and iptables in general.

I've read in various tutorials about using WireGuard to do a NAT-to-NAT (or LAN-to-LAN?) tunnel between two OpenWrt/LEDE routers.
This would be awesome for my use case (shop + home), but I struggle to understand how to configure it.

I've set the house LAN to the 192.168.0.x range and the shop LAN to the 192.168.1.x range, and set it up like this:

Shop:

config wireguard_WireGuard
        option persistent_keepalive '25'
        option public_key 'housepublickey'
        option route_allowed_ips '1'
        option endpoint_host '<homedyndns>'
        option endpoint_port '51820'
        list allowed_ips '192.168.0.0/24'

config interface 'WireGuard'
        option proto 'wireguard'
        option private_key 'shopprivatekey'
        option listen_port '51820'
        list addresses '192.168.3.1/24'

House:

config interface 'Wireguard'
        option proto 'wireguard'
        option private_key 'houseprivkey'
        option listen_port '51820'
        list addresses '192.168.3.1/24'

config wireguard_Wireguard
        option public_key 'shoppubkey'
        option route_allowed_ips '1'
        option endpoint_host '<shopdyndns>'
        option persistent_keepalive '25'
        option endpoint_port '51820'
        list allowed_ips '192.168.1.0/24'

I also added the WireGuard interface to the lan firewall zone on both.

The two routers look like they are connected (handshake sent and bytes transferred), but I can't ping any host on the "other side".

I imagine I've got to add routes to allow traffic to get routed through WireGuard, but I don't really know how. I've tried several times, but I only obtain the whole LAN traffic travelling to the wg instance (cutting down my web connection), so if anyone can help with the correct steps it would be awesome (and I think useful for other people too, maybe) :smiley:

Thanks in advance :wink:

Yes, you can do this on the LuCI web GUI at Network > Static Routes, or by making route config in /etc/config/network:

  • on the Shop router, you make a route to 192.168.1.0/24 via Wireguard
  • then, on the Home router, you make a route to 192.168.3.0/24 via Wireguard
  • make sure Masquerade is NOT checked on the Wireguard firewall zones
  • don't forget to ALLOW FORWARD from LAN to your Wireguard zone on BOTH routers
  • If you do this, you can disable the "Route Allowed IPs" option when configuring the Interfaces
  • Lastly create routes to the subnets that will be at the far-end of the tunnel (i.e. allowed 192.168.3.0/24 on the home router and allowed 192.168.1.0/24 on shop)

You should now be able to reach those subnets.

On Shop Router /etc/config/network:

config route
        option interface 'test_wireguard'
        option target '192.168.1.0'
        option netmask '255.255.255.0'

On Home Router /etc/config/network:

config route
        option interface 'test_wireguard'
        option target '192.168.3.0'
        option netmask '255.255.255.0'

Thank you for the fast reply! I've set up the zones as you suggested (I hope :wink:)


I also tried to route 192.168.1.0 with a 255.255.255.0 netmask to the WireGuard interface on the shop network, but as soon as I do that I lose any access to the router / WAN (I guess that any traffic in the LAN goes through WG only and not locally anymore?)
So I had to restart the router and kill the network connection to be able to access the router and remove the route :smiley:

I need to figure out what I did wrong, thanks for the help! :slight_smile:

Does an upstream device in your Shop also use the 192.168.1.0/24 subnet by any chance?

If so, you have to renumber 192.168.1.0/24 at one of the locations, as your Shop gateway is in the same subnet as your home network.

Oh so it only needs to have different subnets?
Then I think it should be ok like it is
Shop: 192.168.1.x for lan
House: 192.168.0.x for lan
I used 192.168.3.x only for wireguard interface assigned ip (on both routers)
There are no other devices on different subnets

The problem, as said, is that if I route 192.168.1.x (LAN addresses) to the wg interface on the shop router, everything gets locked down.
Same at the house (just tried): if I route 192.168.0.x (LAN addresses) to the wg interface, everything is locked down :frowning:

By "locked down" I mean I cannot even ping the router anymore; there is no LAN or WAN access.

This is the thing I cannot seem to understand. I should route my own LAN IP addresses to the wg interface on both routers and it should work... like, if I then ping a 192.168.1.1 address from the house, I should get it from the "shop LAN".

Did I get it right? :confused:

P.S. And thanks! Sorry for such stupidity >_<

I think there's some confusion here...

  • LAN
  • WAN
  • Wireguard

Yes, number both Wireguard Interfaces to be in the same subnet.

Not exactly, you can't have network conflicts!

I understand.

I'm asking something very important. DOES 192.168.1.0/24 exist on ANY WAN INTERFACES AT HOME OR SHOP????

This is wrong! You need to make a route to the home subnet! You DO NOT make a circular route to itself!

Shop:

  • 192.168.1.x for lan
  • WAN??? MUST NOT BE 192.168.1.0/24!!!
  • Wireguard 192.168.3.x/xx
  • STATIC ROUTE TO 192.168.0.0/24 via Wireguard

House:

  • 192.168.0.x for lan
  • WAN???? MUST NOT BE 192.168.0.0/24!!!
  • Wireguard 192.168.3.y/xx
  • STATIC ROUTE TO 192.168.1.0/24 via Wireguard
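The layout in the post above (non-overlapping LANs, a separate transit subnet for the tunnel, a static route that points at the remote LAN, forwarding allowed in both directions, no masquerading) written out as a checker plus a generator of the matching uci commands. This is an added example, not configuration from anyone in the thread or from the OpenWrt project. It assumes the interface is named wg0, uses a dedicated firewall zone named wg rather than adding the interface to the lan zone, and uses placeholders for keys, DynDNS hosts and the WAN subnet; the tunnel addresses are 192.168.3.1/24 at the shop and 192.168.3.2/24 at the house (the original config gave both routers 192.168.3.1). The route uses a CIDR target, which current OpenWrt accepts; older builds need the separate netmask line used in the snippets earlier in the thread. The script never runs uci itself, so it can be run anywhere.

```shell
#!/bin/sh
# Added example (not from the thread): validate a WireGuard site-to-site
# plan for two OpenWrt routers, then print the uci commands for one side.
# 'wg0', the 'wg' zone, the key/host placeholders and the WAN subnet are
# assumptions; 192.168.0.0/24, 192.168.1.0/24 and 192.168.3.0/24 are the
# thread's own subnets.

# Dotted quad -> 32-bit integer.
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Exit 0 when two CIDR prefixes share any address, i.e. they agree on the
# shorter of the two prefix lengths.
cidr_overlap() {
    l1=${1#*/}; l2=${2#*/}
    len=$(( l1 < l2 ? l1 : l2 ))
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "${1%/*}") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}

# check_plan LOCAL_LAN REMOTE_LAN WAN_SUBNET TUNNEL_SUBNET ROUTE_TARGET
# Rejects each mistake raised in the thread: identical LAN subnets, a WAN
# that collides with a LAN, and the "circular" route that sends the
# router's own LAN into the tunnel (the lock-out the poster hit).
check_plan() {
    local_lan=$1; remote_lan=$2; wan=$3; tunnel=$4; route_target=$5
    if cidr_overlap "$local_lan" "$remote_lan"; then
        echo "ERROR: LAN $local_lan overlaps remote LAN $remote_lan; renumber one site" >&2
        return 1
    fi
    for net in "$local_lan" "$remote_lan"; do
        if cidr_overlap "$wan" "$net"; then
            echo "ERROR: WAN $wan overlaps $net" >&2
            return 1
        fi
        if cidr_overlap "$tunnel" "$net"; then
            echo "ERROR: tunnel subnet $tunnel overlaps $net" >&2
            return 1
        fi
    done
    if cidr_overlap "$route_target" "$local_lan"; then
        echo "ERROR: route $route_target via the tunnel points at the LOCAL LAN (circular route)" >&2
        return 1
    fi
    if ! cidr_overlap "$route_target" "$remote_lan"; then
        echo "ERROR: route $route_target does not cover the remote LAN $remote_lan" >&2
        return 1
    fi
    return 0
}

# emit_uci SITE TUNNEL_ADDR REMOTE_LAN PEER_PUBKEY PEER_HOST
# Prints the uci commands for one router: interface, peer (allowed_ips =
# remote LAN, automatic routing off), static route to the remote LAN, and a
# 'wg' zone with masquerading off and forwarding to/from lan in both
# directions. Run the output on the router, then commit and restart
# network and firewall.
emit_uci() {
    site=$1; tunnel_addr=$2; remote_lan=$3; peer_key=$4; peer_host=$5
    cat <<EOF
# ---- $site router ----
uci set network.wg0=interface
uci set network.wg0.proto='wireguard'
uci set network.wg0.private_key='<$site-private-key>'
uci set network.wg0.listen_port='51820'
uci add_list network.wg0.addresses='$tunnel_addr'
uci set network.wg0_peer=wireguard_wg0
uci set network.wg0_peer.public_key='$peer_key'
uci set network.wg0_peer.endpoint_host='$peer_host'
uci set network.wg0_peer.endpoint_port='51820'
uci set network.wg0_peer.persistent_keepalive='25'
uci set network.wg0_peer.route_allowed_ips='0'
uci add_list network.wg0_peer.allowed_ips='$remote_lan'
uci add network route
uci set network.@route[-1].interface='wg0'
uci set network.@route[-1].target='$remote_lan'
uci add firewall zone
uci set firewall.@zone[-1].name='wg'
uci add_list firewall.@zone[-1].network='wg0'
uci set firewall.@zone[-1].input='ACCEPT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='ACCEPT'
uci set firewall.@zone[-1].masq='0'
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='wg'
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='wg'
uci set firewall.@forwarding[-1].dest='lan'
EOF
}

# The thread's layout seen from the shop router; 10.10.10.0/24 stands in
# for whatever the shop's WAN really is.
if check_plan 192.168.1.0/24 192.168.0.0/24 10.10.10.0/24 192.168.3.0/24 192.168.0.0/24; then
    emit_uci shop 192.168.3.1/24 192.168.0.0/24 '<housepublickey>' '<homedyndns>'
fi
```

For the house router, call emit_uci with the arguments mirrored (house, 192.168.3.2/24, 192.168.1.0/24, the shop public key and the shop DynDNS name). Feeding the shop's own LAN as the route target makes check_plan fail with the circular-route message, which is the exact misstep that locked the poster out.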

Thank you! This final post was perfectly clear and solved the issue :slight_smile:

I added routes to the other end, and also added a firewall forward TO lan (I only used "from lan" before).
Deactivated "add routing for allowed IPs" on WireGuard, and all works fine! ^^

Sorry for taking so much of your time, but I finally understood :smiley:
I can't believe I was so stupid :smiley:

If you travel to Italy a pizza and beer is waiting, haha :wink:

