TWO OpenWrt clients behind a CG-Nat 4G ISP crossing by a Wireguard tunnel with the help of a Google Cloud VM (server)

Hi, I have read this post https://forum.openwrt.org/t/double-cg-nat-4g-isp-crossing-by-wireguard-tunnel-between-openwrt-router-server-and-android-phone-client/100912 and some viewer has recommend me to open a new post.

This is what I have. I have two MR200 4G LTE router with openwrt firmware in which I could install wireguard packet. Both ISP providers are behind a CGNAT so I can not a public IP and incomming ports are closed, you know.

I also have a Google VM running with an static public IP. (static or not static it could be solve with no-ip service, here the most important thing is that it is public).

Google VM is serving also norered, mosquitto, grafana,.... to internet and I must keep this working.

"Today" I have one openwrt router tunneling with wireguard with the google vm in order to upload all my domotic house parameters (mqtt by tasmota), so I know the basics (very very basics) of how to configure wireguard in openwrt or editing config file in google vm.

With my phone or any other device, I could check my grafana data from GoogleVM, or even send mqtt messages throught internet with a less secure system in compare with wireguard tunnel. (magenta line, yellow line from "phone or external pc" will be like "client3", I have painted it only for reference, I think that it will be very easy to configure if I have the server-client1-client2 working)

I want to make what this schema shows:

wireguard962×678 91.6 KB

I need to add a second client in other city also behind a 4G LTE CGNAT sim card. I want to see the devices connected to client1 from client2 and client2's devices from client1's devices.

Ideally, after I have this working (and probably I need to search more before opening new posts....) I will try to solve some of these questions:

1. I will try to make two different wifi SSIDs in both routers, one for wireguard tunneling and the other one without any tunnel.
2. I will want to know how I can make the machines connected to the wireguard tunnel, access internet throught Google VM (may be it is not possible) or even directly from openwrt router without tunneling. It will be like a switch which I will turn on or off as my needs. My smart home devices are tasmota, so sometimes I need to update the firmware, so I coudl "turn on" tunnel's internet gate to update them and after that, turn them off to protect my home network.
3. Configure openwrt wireguard "SSID" with an special MAC/IP to get tunnel devices throught wireguard tunnel, but also to connect internet directly from router. This special MAC/IP will be my laptop. It will be perfect to have it connected directly to internet (by my openwrt router) without "going inside tunnel", but also that I could connect to my devices (tasmotas or remote desktops) that are connected to the same router (easy) and also to the other client, in this case, throught the tunnel, of course.

But first, as question "0", could anyone help me with the three config files for server, client1 and client2 ?

Thanks a lot.

I provided a config here:

I believe you asked in the thread how to make more peers. Wireguard configs are the same (they are peers not client/server) - so you simply make the third config. But here again (using the names you gave "server", "client1" and "client2"):

For "server":

config interface 'connect'      
        option proto 'wireguard'
        option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx='
        option listen_port 'xxxxx'
        list addresses '192.168.xx.1/24'
                                 
config wireguard_connect                       
        option public_key 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaa=' #<---generated from client1's private key
        list allowed_ips '192.168.xx.2/32'

config wireguard_connect            
        option public_key 'bbbbbbbbbbbbbbbbbbbbbbbbbbbbb=' #<---generated from client2's private key
        list allowed_ips '192.168.xx.3/32'

Client 1:

config interface 'connect'      
        option proto 'wireguard'
        option private_key 'yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy='
        list addresses '192.168.xx.2/32'
                                 
config wireguard_connect                     
        option public_key 'wwwwwwwwwwwwwwwwwwwwwwwwwww=' #<---generated from server's private key
        list allowed_ips '0.0.0.0/0'
        option endpoint_port 'xxxxx'                                    
        option endpoint_host '37.37.37.37'
        option route_allowed_ips '1'

Client 2:

config interface 'connect'      
        option proto 'wireguard'
        option private_key 'zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz='
        list addresses '192.168.xx.3/32'
                                 
config wireguard_connect                     
        option public_key 'wwwwwwwwwwwwwwwwwwwwwwwwwww=' #<---generated from server's private key
        list allowed_ips '0.0.0.0/0'
        option endpoint_port 'xxxxx'                                    
        option endpoint_host '37.37.37.37'
        option route_allowed_ips '1'

(This can be done easily in the LuCI web GUI by adding the package luci-proto-wireguard.)

Hi, I have already done the two tunnels to the VM as you said. Handshakes are correct.

Now I want to configure both openwrt router so I could do:
0. ping from VM to client1 and client2 devices

1. ping devices connected in client1 to client2 and from client2 to client1
2. imagine that 192.168.1.180 in client2 has a webserver, how could I access it from client1 devices?
3. do I need some configuration in VM to "route" all trafic between client1 and client2?

Thanks a lot

What's not working currently?

You just use their IP address.

Hi, I have reset all my openwrt routers configuration, start again, and try to go step by step not to solve something by broking any other thing.

This is my actual configuration and I can see the wireguard handshakes working perfectly.

I have a LAPTOP 556 connected by cable to a HG556 openwrt router and another laptop connected by wifi to a MR200 openwrt router.

I have attached here the schema and all information about my ping tests, I hope it is all information that you need to help me, and THANKS A LOT for that.

The last image is the pings tests.

image719×604 21.9 KB

image866×628 72.6 KB

image805×154 3.86 KB

On both "clients" the Allowed IP's are 0.0.0.0/0 but route Allowed IP's is disabled.

It looks like you only want to connect from client to client and have internet access via the regular WAN.

If so first Enable Route Allowed IP's

For allowed IPs. use 10.10.0.0/24 on both clients then on your clients add the subnet of the other side so add e.g.: 10.10.0.0/24 and 192.168.10.0/24 on one side and on the other 10.10.0.0/24 and 192.168.2.0/24

Furthermore your firewall have to allow incoming traffic from the WG interfaces

Thanks @egc for your answer.

Just to clarify, at this moment I have NO internet access from WIFI-GUARD wireless from MR200 and from LAN ports in HG556. I am a newbie with openwrt, that I have both zones (LAN in HG556 and WIFI-GUARD in MR200) "routed" to WG0 (wireguard) so all traffic go thought tunnel.

If I connect by lan to MR200 I have internet accesc with any problem.

If I understand you correctly, I must do this, don't I? Then, why "route allowed IPs" have two options (check or unchecked), with unchecked option I am only making a tunnel between two clients? Why then 0.0.0.0/0 as allowed IPs. I dont understant this very well.

With this configuration (I have not changed anything more):

image692×523 20.6 KB

I have these results , of course, probably because I need to do more in firewall traffic rules?
(I now can ping to 10.10.0.100)

image812×160 3.94 KB

Thanks a lot for your help.
.

I am not at home and it is not something I know by heart.
But normally you setup a client with a firewall, but in this case you setup the firewall as if it is not a wireguard client but a wireguard server e.g. open up the firewall for incoming traffic.

You can google for this.

Allowed ips are not only that i.e. allowing incoming traffic from that ips, but normally also used to route back to that ips.
In almost all cases you have to Enable Route Allowed IPs.
Actually very few WireGuard clients have this option but route allowed IPs by default.

Thanks EGC, i will wait for you or for other one how to setup the openwrt firewall. I want to do step by step and not changing lots of parameters at the same time because i will get lost.
How could I try to know if which router is "stoping" the ping? trace route or similar? (i don't even know how to use that command).
Thanks.

It's not clear exactly how this network is set up. Are you running Wireguard on each site's main router, or on the laptops? Further discussion here assumes it is on the main router.

The simplest firewall configuration at each OpenWrt site (main router also running Wireguard link) is to place the wireguard tunnel in the lan zone with list device 'wg0' If all the routes and tunnels are properly set up, that will allow unrestricted connections between the various LANs. After confirming that works, if you want to later you can make the firewall more restrictive.

Thanks for your answer.
Wireguard is running is three places: Google VM as "server", and in the two openwrts as "clients"

About lan zone, you can see in my configuration schema that I have both cases. HG556 router is connected to a laptop by LAN, and MR200 is connected by a "dedicated" wireless.

How could I make that configuration in order to, as you say, check in HG556? and in MR200?

Thanks a lot.

Hi, anyone could go on helping me? Thanks.

Hi, anyone, please?

• Please provide the current configs
• Can you describe what still isn't working (the ping chart wasn't helpful -I've been reviewing, but I don't think you noted the SRC IP)