Hello everyone!
I managed to install a WireGuard VPN server on my OpenWrt router with the help of the tutorials available in OpenWrt's docs, but I still have a small issue: when I try to reach my OpenWrt device (WRT3200ACM) from a client through the VPN using its DNS name, I get two answers:
- 192.168.100.254 (GUEST)
- 192.168.51.254 (LAN)
Since the first answer is not the right one, connecting takes some time, and that's not what I want.
The VPN interface (wg0) is in the same firewall zone as my br-lan, so my VPN clients act as if they were in the LAN.
I also added a guest LAN for, surprise, my guests, which is in a different subnet and firewall zone.
Here are my configs:
DHCP
config dnsmasq 'lan_dns'
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option expandhosts '1'
option authoritative '1'
option leasefile '/mnt/usb/log/dnsmasq_lan.leases'
option localservice '1'
option logqueries '1'
option logfacility '/mnt/usb/log/dnsmasq_lan.log'
option local '/localnet.lan/'
option domain 'localnet.lan'
option allservers '1'
option nohosts '1'
option filterwin2k '1'
option nonegcache '1'
option noresolv '1'
list server '127.0.0.1#5353'
option enable_tftp '1'
option tftp_root '/mnt/usb/pxe/'
option nonwildcard '1'
list interface 'lan'
list interface 'wg0'
list notinterface 'wan'
list notinterface 'guest'
config dhcp 'lan'
option interface 'lan'
option force '1'
option dynamicdhcp '0'
list dhcp_option '42,192.168.51.254'
option start '100'
option limit '150'
option leasetime '24h'
option instance 'lan_dns'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
...
SOME HOSTS DEFINITION IN LOCALNET
...
config dnsmasq 'guest_dns'
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option expandhosts '1'
option authoritative '1'
option localservice '1'
option logqueries '1'
option logfacility '/mnt/usb/log/dnsmasq_guest.log'
option local '/guest.lan/'
option domain 'guest.lan'
option allservers '1'
option nohosts '1'
option filterwin2k '1'
option nonegcache '1'
option noresolv '1'
list server '9.9.9.9'
list server '149.112.112.112'
list server '80.67.169.12'
list server '80.67.169.40'
list server '1.1.1.1'
list server '1.0.0.1'
option nonwildcard '1'
list interface 'guest'
option leasefile '/mnt/usb/log/_guest.leases'
list notinterface 'loopback'
list notinterface 'lan'
list notinterface 'wan'
list notinterface 'wg0'
config dhcp 'guest'
option interface 'guest'
option force '1'
option limit '200'
option leasetime '12h'
option start '10'
option instance 'guest_dns'
Firewall
config rule
option name 'WAN -> DEVICE | Allow DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'WAN -> DEVICE | Allow Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'WAN -> DEVICE | Allow IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'WAN -> DEVICE | Allow DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'WAN -> DEVICE | Allow MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'WAN -> DEVICE | Allow ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'WAN -> ANY ZONE | Allow ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'WAN -> LAN | Allow IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'WAN -> LAN | Allow ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'GUEST -> LAN | Deny All'
option src 'guest'
option dest 'lan'
option proto 'all'
option target 'DROP'
config rule
option name 'GUEST -> LAN | Allow DHCP Request'
option src 'guest'
option src_port '67-68'
option dest_port '67-68'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'GUEST -> WAN | Allow DNS Queries'
option src 'guest'
option dest_port '53'
option proto 'tcpudp'
option target 'ACCEPT'
config rule
option name 'GUEST -> WAN | Allow HTTP/HTTPS'
option src 'guest'
option proto 'tcp'
option target 'ACCEPT'
option dest 'wan'
option dest_port '80 443'
config rule
option name 'GUEST: Deny Guest -> WAN'
option src 'guest'
option dest 'wan'
option proto 'all'
option target 'DROP'
config defaults
option syn_flood_protect '1'
option drop_invalid '1'
option syn_flood '1'
option input 'DROP'
option output 'DROP'
option forward 'DROP'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan wg0'
config zone
option name 'wan'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option input 'DROP'
option forward 'DROP'
option network 'wan wan6'
config forwarding
option src 'lan'
option dest 'wan'
config include
option path '/etc/firewall.user'
config zone
option name 'guest'
option network 'guest'
option output 'ACCEPT'
option input 'DROP'
option forward 'DROP'
config forwarding
option dest 'wan'
option src 'guest'
config rule
option enabled '1'
option target 'ACCEPT'
option src 'wan'
option proto 'udp'
option dest_port '12345'
option name 'WAN -> DEVICE | Allow WireGuard VPN'
Network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'blablabla'
config interface 'lan'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '192.168.51.254'
option broadcast '192.168.51.255'
option _orig_ifname 'eth0.1 radio1.network1 radio2.network1'
option _orig_bridge 'true'
option delegate '0'
option dns '127.0.0.1'
option ifname 'eth0.1'
config interface 'guest'
option proto 'static'
option netmask '255.255.255.0'
option broadcast '192.168.100.255'
option delegate '0'
option ipaddr '192.168.100.254'
option dns '127.0.0.1'
config interface 'wan'
option ifname 'eth1.2'
option proto 'dhcp'
option delegate '0'
option peerdns '0'
option dns '127.0.0.1'
config interface 'wan6'
option ifname 'eth1.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 1 2 3 5t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '4 6t'
config interface 'wg0'
option proto 'wireguard'
option private_key 'AWESOME_KEY'
option listen_port '12345'
list addresses '172.16.64.1/24'
option delegate '0'
config wireguard_wg0 'wgclient'
option public_key 'AWESOME_KEY'
list allowed_ips '172.16.64.0/24'
option route_allowed_ips '1'
option persistent_keepalive '25'
option description 'AWESOME_NAME'
option preshared_key 'AWESOME_KEY'
wireless
config wifi-device 'radio0'
option type 'mac80211'
option hwmode '11a'
option channel '120'
option htmode 'VHT160'
option country 'FR'
option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
option legacy_rates '1'
config wifi-iface 'default_radio0'
option device 'radio0'
option mode 'ap'
option ssid 'AWESOME_NAME_1'
option macfilter 'allow'
option encryption 'psk2+ccmp'
option key 'AWESOME_KEY'
option wpa_disable_eapol_key_retries '1'
...
list maclist 'blablabla'
...
option network 'lan'
config wifi-device 'radio1'
option type 'mac80211'
option hwmode '11g'
option channel '3'
option htmode 'HT40'
option country 'FR'
option noscan '1'
option ar '1'
option bursting '1'
option ff '1'
option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
option legacy_rates '1'
config wifi-iface 'default_radio1'
option device 'radio1'
option mode 'ap'
option ssid 'AWESOME_NAME_2'
option encryption 'psk2+ccmp'
option key 'AWESOME_KEY'
option wpa_disable_eapol_key_retries '1'
option macfilter 'allow'
...
list maclist 'blablabla'
...
option network 'lan'
config wifi-iface 'guest'
option device 'radio1'
option mode 'ap'
option ssid 'AWESOME_KEY'
option isolate '1'
option key 'Vivelebassind'''arcachon!'
option encryption 'psk2+ccmp'
option wpa_disable_eapol_key_retries '1'
option network 'guest'
config wifi-device 'radio2'
option type 'mac80211'
option channel '36'
option hwmode '11a'
option path 'platform/soc/soc:internal-regs/f10d8000.sdhci/mmc_host/mmc0/mmc0:0001/mmc0:0001:1'
option htmode 'VHT80'
option disabled '1'
config wifi-iface 'default_radio2'
option device 'radio2'
option mode 'ap'
option ssid 'OpenWrt'
option encryption 'none'
I found that there are two files, one per dnsmasq instance, that contain my router's name and IP; this is probably the cause, but I'm unable to fix it:
root@linksys:/tmp/hosts# ls -l
-rw-r--r-- 1 root root 75 Nov 24 22:41 dhcp.guest_dns
-rw-r--r-- 1 root root 74 Nov 24 22:41 dhcp.lan_dns
root@linksys:/tmp/hosts# cat *
# auto-generated config file from /etc/config/dhcp
192.168.100.254 linksys
# auto-generated config file from /etc/config/dhcp
192.168.51.254 linksys
If someone has an idea, I'll be grateful to them.
Thank you!