I have a functional "private" WireGuard VPN "server" at home. It runs behind the ISP router on a second mini OpenWrt router connected by Ethernet to one of the LAN ports. WAN is a configuration-only backup port. Wi-Fi is totally disabled. When connecting to my VPN from "outside" I have access to all my LAN resources and the Internet as if I were at home.
My goal:
I want to configure a second wg server router that will be installed at a "satellite" site with the same functionality, but there is a limitation: the ISP configuration there is locked and I cannot set any port redirection. The plan is to have this satellite connect to my home server first, and then clients would use this link to find the exit point at the satellite location. Ideally clients' established connections would not pass through my home router.
Any idea how I could accomplish that?
(btw both ISPs only provide IPv4)
Here are the pertinent (hopefully) current server configs (LAN IPs: 192.168.22.0/24):
Thanks but, unfortunately, I am not sure I fully understand the implications of your answer (I am just an enlightened amateur). In the meantime I found this article that should guide me to the solution. I would probably need a second wg instance on my router that would act as a hub.
Does this server connect to another fixed location now? endpoint_host is the name or IP of the other side of the link. If you're building a true "server" that only accepts connections from outside you should leave endpoint_host and endpoint_port undefined.
One wg interface at home can have multiple peers defined to accept multiple connections from away and route them all to the Internet using the home's ISP connection. A wg interface that routes out to another site to reach the Internet from there needs to be standalone with only that one peer.
I think you are really getting the idea, but let's clarify the scenario anyway. The currently working private wg VPN is a distraction from the intended scenario, so let's ignore it. Revised scenario:
Site H ("home"): has the router reachable from the Internet (it would act as a gateway).
Site F ("far away"): the 2nd router over there would be the exit point to the Internet, but since it cannot be reached directly from the WAN side, it would "out"-connect automatically to site H's router first.
Site R ("on the road") would then reach site H, but its traffic would be tunneled through site F to exit to the Internet over there.
It looks like it’s possible but I am unsure on how to configure that.
My test environment is in place. Being new to wg, I haven't killed all the "detail devils" yet. If I understand well, the "far away" router would have a "wg-far" interface with one peer defined that auto-connects to the "home" router. I am still unsure about how to configure the auto-connect. The "home" router would have a "wg-home0" interface to accept incoming connections. Would it also need a "wg-home2" interface to route the traffic to "far away"?
Yes, if Internet use is going out via WireGuard that link must be point-to-point (since allowed IPs are the whole Internet), and you need a separate interface to accept incoming connections from devices like a smartphone, also called a road warrior.
You also need source-conditional routing so that encrypted packets returning to the road warrior peers go over the regular WAN while other Internet usage goes over the WireGuard tunnel.
If an endpoint_host / endpoint_port is specified, WireGuard will initiate an outgoing connection to that place. If the peer config is only public_key and allowed_ips, then it will wait for incoming connections on listen_port. (It always waits for incoming connections even while attempting an outgoing connection, so there is no harm in specifying a specific endpoint on both sides if they are known IPs.)
If endpoint_host is a DNS name, it is only looked up once at startup. If the endpoint IP can change and be followed with DDNS, you should run wireguard_watchdog to detect loss of connection and resolve the name again to attempt a restart.
You need a dedicated interface to add specific routes.
For the many-users-to-home-router scenario you can connect all users to a single remote endpoint.
But if you want to have multiple routers doing routing with different routes, then each router needs a peer link to each other router, or at least a route through another router, so-called multi-hop.
That's the point where you enter dynamic routing protocol land, because with static routes you're only going to suffer.
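As an added worked example (not a configuration posted by anyone in this thread), here is what the advice in the two replies above looks like as OpenWrt UCI commands: a road-warrior interface on H with no endpoint, a separate single-peer link H<->F whose allowed_ips is 0.0.0.0/0 but is kept out of the main routing table, a source-based rule on H that sends only road-warrior traffic down that link, and on F one peer with endpoint_host/endpoint_port plus a keepalive so it dials out through the locked ISP NAT. All keys are placeholders, and the tunnel subnets (10.100.0.0/24, 10.200.0.0/24), listen ports (51820/51821) and the DDNS name home.example.net are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not a config posted in this thread: UCI commands for the
# "reverse hop" layout (road warrior R -> Home H -> Far F -> Internet).
# All keys, addresses, hostnames and ports are placeholders (assumptions).
# DRY_RUN=1 (default) prints the uci commands; DRY_RUN=0 applies them.

DRY_RUN="${DRY_RUN:-1}"
HOME_PUBLIC="home.example.net"        # DDNS name or stable public IPv4 of H
HOME0_PRIV_KEY="<H wg_home0 private key>"; HOME2_PRIV_KEY="<H wg_home2 private key>"
FAR_PRIV_KEY="<F wg_far private key>"
HOME_PUB_KEY="<H wg_home2 public key>"  # wg pubkey < home2.key
FAR_PUB_KEY="<F wg_far public key>"
PHONE_PUB_KEY="<road-warrior public key>"
RW_NET="10.100.0.0/24"                 # road-warrior tunnel subnet on H
LINK_H="10.200.0.1"; LINK_F="10.200.0.2"   # point-to-point H<->F link

run() {  # print (DRY_RUN=1) or apply one uci command
  [ "$DRY_RUN" = 1 ] || { uci "$@"; return; }
  if [ $# -ge 2 ]; then printf "uci %s '%s'\n" "$1" "$2"; else printf 'uci %s\n' "$1"; fi
}

# Site H: wg_home0 accepts road warriors, wg_home2 is the single-peer link to F.
home_config() {
  run set network.wg_home0=interface
  run set network.wg_home0.proto=wireguard
  run set network.wg_home0.private_key="$HOME0_PRIV_KEY"
  run set network.wg_home0.listen_port=51820
  run add_list network.wg_home0.addresses=10.100.0.1/24
  run set network.rw_phone=wireguard_wg_home0      # one section per road warrior
  run set network.rw_phone.public_key="$PHONE_PUB_KEY"  # no endpoint: just wait
  run add_list network.rw_phone.allowed_ips=10.100.0.2/32
  run set network.rw_phone.route_allowed_ips=1

  run set network.wg_home2=interface
  run set network.wg_home2.proto=wireguard
  run set network.wg_home2.private_key="$HOME2_PRIV_KEY"
  run set network.wg_home2.listen_port=51821
  run add_list network.wg_home2.addresses="$LINK_H/24"
  run set network.link_far=wireguard_wg_home2
  run set network.link_far.public_key="$FAR_PUB_KEY"
  run add_list network.link_far.allowed_ips=0.0.0.0/0   # whole Internet via F ...
  run set network.link_far.route_allowed_ips=0          # ... but NOT as main default route

  # Source-conditional routing: only packets from the road-warrior subnet use
  # table 100 (default via wg_home2). H's own traffic, including the encrypted
  # packets it sends back to the road warriors, stays on the main table / WAN.
  run set network.to_far=route
  run set network.to_far.interface=wg_home2
  run set network.to_far.target=0.0.0.0/0
  run set network.to_far.table=100
  run set network.from_rw=rule
  run set network.from_rw.src="$RW_NET"
  run set network.from_rw.lookup=100
  run commit network

  run set firewall.wgzone=zone           # both tunnels in one zone so H forwards
  run set firewall.wgzone.name=wg        # wg_home0 -> wg_home2
  run add_list firewall.wgzone.network=wg_home0
  run add_list firewall.wgzone.network=wg_home2
  run set firewall.wgzone.input=ACCEPT
  run set firewall.wgzone.output=ACCEPT
  run set firewall.wgzone.forward=ACCEPT
  run set firewall.wg_in=rule            # open both listen ports on WAN
  run set firewall.wg_in.name=Allow-WireGuard
  run set firewall.wg_in.src=wan
  run set firewall.wg_in.proto=udp
  run set firewall.wg_in.dest_port="51820 51821"
  run set firewall.wg_in.target=ACCEPT
  run commit firewall
}

# Site F: one peer with endpoint_host/port, so F dials out to H; the keepalive
# holds the ISP NAT mapping open; F's wan zone masquerades the road warriors.
far_config() {
  run set network.wg_far=interface       # no listen_port: F is never dialled
  run set network.wg_far.proto=wireguard
  run set network.wg_far.private_key="$FAR_PRIV_KEY"
  run add_list network.wg_far.addresses="$LINK_F/24"
  run set network.link_home=wireguard_wg_far
  run set network.link_home.public_key="$HOME_PUB_KEY"
  run set network.link_home.endpoint_host="$HOME_PUBLIC"
  run set network.link_home.endpoint_port=51821
  run set network.link_home.persistent_keepalive=25
  run add_list network.link_home.allowed_ips="$LINK_H/32"
  run add_list network.link_home.allowed_ips="$RW_NET"   # replies to R go back in
  run set network.link_home.route_allowed_ips=1
  run commit network
  run set firewall.wgfar=zone
  run set firewall.wgfar.name=wgfar
  run add_list firewall.wgfar.network=wg_far
  run set firewall.wgfar.input=ACCEPT
  run set firewall.wgfar.output=ACCEPT
  run set firewall.wgfar.forward=REJECT
  run set firewall.far_to_wan=forwarding   # wan zone has masq=1 by default
  run set firewall.far_to_wan.src=wgfar
  run set firewall.far_to_wan.dest=wan
  run commit firewall
}

case "${1:-}" in home) home_config ;; far) far_config ;; esac
```

Run it as `sh wg-hop.sh home` on H and `sh wg-hop.sh far` on F (with DRY_RUN=0 once the printed commands look right), then restart network and firewall. Check with `wg show` on both sides that F's peer shows a recent handshake, with `ip rule` and `ip route show table 100` on H that the source rule and the table-100 default exist, and from a road warrior that your visible public address is F's, not H's. If road warriors should still reach the home LAN (192.168.22.0/24), add a second `rule` section with a lower `priority`, `src` set to the road-warrior subnet, `dest` set to the LAN and `lookup` set to main. If home.example.net is a DDNS name rather than a fixed IP, schedule `wireguard_watchdog` from cron on F, as noted above, so the name is re-resolved after H's address changes.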
Thanks for the explanation, this sounds very logical indeed for a point-to-point protocol. Unfortunately, I am struggling to configure "far away" to connect as a client to "home". The provided guide for "client" uses scripts that would interfere with the configuration on my test "far away" router, and the video guides I found all use pre-fab config files. So far, using the LuCI interface, I added a wg0_far interface on "far away" but I am unsure how I should populate the fields to trigger an automatic connection to "home"; do I need a "peer" definition as well? It does not seem to make sense. Adding a peer to "home" to receive the connection from "far away" sounds pretty straightforward though.
What I need is in between. If the "far away" ISP allowed port redirection, everything would be simpler, but I need one "reverse" hop to get to the Internet. Fortunately I don't need to go beyond that. Public IP addresses at both sites have been pretty stable over time so far.
Status update: after absorbing the learning curve, I managed to establish a successful connection between "far away" and "home". Now I can concentrate on "redirecting" the Internet out to "far away". Thank you both for your help. I'll keep posting my progress.
Status update 2: my test environment had a few bugs in it and I got stuck in a routing nightmare. It should be fixed now... more progress to come.