Wireguard and routing challenges

Good day everyone,

So I've been using wireguard for some time and it's been working great for field devices connecting back to home. So laptop or iphone, push the connect button and I can access my home network like magic. That's been working great.

My latest effort is a second OpenWRT router, which I want to use as my travel router. What is different here is that I DON'T want to redirect all traffic over the Wireguard tunnel (which is how all of the other devices are configured). I only want to route the home lan subnet (10.0.1.0/24) over the wireguard tunnel. The travel router uses the 192.168.1.1 subnet, and wireguard is configured to use the 192.168.2.x subnet (with each device adding a digit; the router being .5).

I'm convinced I'm not doing something right with the setup and although my mobile devices are working, this isn't the way to do this. It's come to a head that the travel router cannot connect to any devices over the tunnel. I'm not sure if this is a routing issue on the home router or something on the travel router.

Configs with keys removed:

On Home router:

config interface 'wg0'
	option proto 'wireguard'
	option private_key ''
	option listen_port '5000'
	list addresses '192.168.2.1/24'
	list addresses 'fd86:ea04:2225::1/64'

config wireguard_wg0
	list allowed_ips '192.168.2.5/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

ip -4 ro: (asterisks for public ips)

default via *** dev eth0.2 proto static src **** 
10.0.1.0/24 dev br-lan proto kernel scope link src 10.0.1.1 
****/24 dev eth0.2 proto kernel scope link src 96.231.200.188 
192.168.2.0/24 dev wg0 proto kernel scope link src 192.168.2.1 
192.168.2.2 dev wg0 proto static scope link 
192.168.2.3 dev wg0 proto static scope link 
192.168.2.4 dev wg0 proto static scope link 
192.168.2.5 dev wg0 proto static scope link

On Travel router:

config interface 'wg0'
        option proto 'wireguard'
        option force_link '1'
        list addresses '192.168.2.5/24'

config wireguard_wg0
        option route_allowed_ips '1'
        option endpoint_host '.duckdns.org'
        option endpoint_port '5000'
        option persistent_keepalive '25'
        list allowed_ips '10.0.1.232/32'
        list allowed_ips '192.168.2.1/24'

ip -4 ro (the travel router is presently connected behind the home router, which may contribute to the issue. This is not how it would normally function):
default via 10.0.1.1 dev eth0 proto static src 10.0.1.209 
10.0.1.0/24 dev eth0 proto kernel scope link src 10.0.1.209 
10.0.1.232 dev wg0 proto static scope link 
96.231.200.188 via 10.0.1.1 dev eth0 proto static 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 
192.168.2.0/24 dev wg0 proto kernel scope link src 192.168.2.5

Port 5000 is open on the home router's firewall. I can ping from 192.168.2.5 to 192.168.2.1 so the tunnel appears to connect (and wg shows the tunnel connecting). Both devices are in the LAN zone. However anything set to run over the tunnel appears to drop off. On my other devices, allowed_ips are set to 0.0.0.0/0 (send everything) and that seems to be working without much issue.

On the home router, the wg0 interface allows only 192.168.2.5/32. And as wg0 of the travel router is in the lan zone, I assume it does not have masq present. If that is the case, traffic from the travel router to the home router will be at least silently dropped at the target device.

No need for that in the home router if you do NAT, unless you add the 192.168.1.0/24 LAN of the travel router.

In travel router this is wrong:

list allowed_ips '10.0.1.232/32'

You want to add there the LAN subnet of your home (10.0.1.0/24)


Ok, thank you both for those insights. I've gone ahead and removed the route IPs option on the home router. On the travel router, I am using .232 as my "test IP". I'm presently hooking the travel router to the main router, so its WAN IP is in 10.0.1.0/24 as well. So if I route everything over wg0 and the connection doesn't work, everything drops out. I know I have to switch .232 to 0/24 when I'm finally done.

The part I think I'm missing logically is what yousong alluded to. I have a packet coming into the home router's wg0 interface from 192.168.2.5 to 192.168.2.1. It's destined for 10.0.1.232. When the packet arrives into the router, shouldn't it know to route that on to 10.0.1.232 which is on br-lan? I know I don't have NAT enabled here, but I wouldn't think I would need it. It just needs to route from one subnet to the other (which admittedly I've not done much of).

Home router:

config interface 'wg0'
        option proto 'wireguard'
        option private_key
        option listen_port '5000'
        list addresses '192.168.2.1/24'

config wireguard_wg0
        option persistent_keepalive '25'
        list allowed_ips '10.0.1.0/24'
        list allowed_ips '192.168.2.5/32'

Travel router:

config interface 'wg0'
        option proto 'wireguard'
        option force_link '1'
        list addresses '192.168.2.5/32'

config wireguard_wg0
        option route_allowed_ips '1'
        option endpoint_host ''
        option endpoint_port '5000'
        option persistent_keepalive '25'
        list allowed_ips '10.0.1.232/32'
        list allowed_ips '192.168.2.1/24'

It also may be confused at the moment because the travel router is hooked to the home router's network directly.

Home router LAN 10.0.1.0/24
Travel router LAN 10.0.2.0/24
No NAT needed.
Home router:

config interface 'wg0'
        option proto 'wireguard'
        option private_key
        option listen_port '5000'
        list addresses '192.168.2.1/24'

config wireguard_wg0
        option public_key 'mplampla'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        list allowed_ips '10.0.2.0/24'
        list allowed_ips '192.168.2.5/32'

Travel router:

config interface 'wg0'
        option proto 'wireguard'
        option force_link '1'
        list addresses '192.168.2.5/24'
        option private_key 'mplampla'

config wireguard_wg0
        option public_key 'mplampla'
        option route_allowed_ips '1'
        option endpoint_host 'WAN_IP_HOME_ROUTER'
        option endpoint_port '5000'
        option persistent_keepalive '25'
        list allowed_ips '10.0.1.0/24'
        list allowed_ips '192.168.2.1/24'

Make sure that firewall allows forwarding between wg and br-lan interfaces. Either add wg0 in LAN firewall zone, or allow forwarding between the firewall zones.

Thanks! Adopting your netmasks means it's working now I believe. I'm forwarding 1 address through the tunnel with a /24 and it's coming through nicely. I can't forward the whole 10.0.1.0/24 subnet through while the travel router is connected directly to the home router but when I'm in a remote location I think we will be up and running. Thank you again!


If I got you correctly, you have:

travel router:
    LAN 192.168.1.1/24
    Wireguard PtP 192.168.2.5

home router:
    LAN 10.0.1.0/24
    Wireguard PtP 192.168.2.1

where 192.168.2.0/24 is "wireguard subnet" for the point-to-point links.

When routing between two subnets, in this case the home LAN and the travel LAN, the idea is that you route only traffic for the particular subnets and the wireguard tunnel IP counterpart.

In your case (I omit anything not related to the problem in the config):

Home router

config interface wg0
        list addresses  192.168.2.1/24

config wireguard_wg0
        list allowed_ips 192.168.2.5/32
        list allowed_ips 192.168.1.1/24
        option route_allowed_ips 1

Travel router

config interface wg0
        list addresses  192.168.2.5/24   <-- local IP and the subnet

config wireguard_wg0
        list allowed_ips 192.168.2.1/32 <-- only the peer link IP is allowed
        list allowed_ips 10.0.1.0/24
        option route_allowed_ips 1

In particular, notice that for the "peer" you always specify in allowed_ips only the opposite (single) IP address, not the subnet, while for the "local" you always configure the subnet address. The former ensures the correct routing over the point-to-point link, while the latter is used to set up the local wireguard interface (so it needs the subnet).
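The rule stated in the last reply (peer address as a /32, remote LAN as a prefix, local address with its subnet) and the silent drop diagnosed earlier in the thread both follow from WireGuard's cryptokey routing: a packet is sent into the tunnel only if some allowed_ips entry of the peer covers its destination, and a packet arriving from a peer is accepted only if an allowed_ips entry of that same peer covers its source. The checker below is an added example, not code from the thread or from OpenWrt. It parses UCI fragments in the shape posted above, replays that rule in both directions for a test packet, and flags the three mistakes discussed: host bits in an allowed_ips entry, a remote LAN missing from the home side, and allowed_ips prefixes that overlap a router's own LAN or WAN (the case when the travel router is plugged in behind the home router). The fragments, the travel LAN 192.168.1.0/24, the WAN prefixes and the test hosts are constructed for the example; the local LAN/WAN networks are supplied by hand since the fragments do not contain them.

```python
"""Cryptokey-routing checker for a pair of OpenWrt WireGuard peers.

Added example, not part of the forum thread or of OpenWrt. Parses UCI
fragments (``config interface`` / ``config wireguard_<ifname>`` with
``option`` and ``list`` lines) and replays WireGuard's AllowedIPs rule.
All sample fragments, prefixes and test hosts below are constructed.
"""
import ipaddress
import re

_KV = re.compile(r"^\s*(option|list)\s+(\S+)\s+(.*?)\s*$")


def parse_uci(text):
    """Return [(section_type, {key: [values, ...]}), ...] for a UCI fragment."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("<--", 1)[0].strip()  # drop inline arrow comments
        if not line:
            continue
        if line.startswith("config "):
            sections.append((line.split()[1].strip("'\""), {}))
        elif sections and (m := _KV.match(line)):
            sections[-1][1].setdefault(m.group(2), []).append(m.group(3).strip("'\""))
    return sections


class WgSide:
    """One router: its wg interface addresses plus the single peer's allowed_ips.

    local_nets (LAN and WAN prefixes) are given by hand; they are not in the
    wg fragments themselves.
    """

    def __init__(self, name, uci_text, local_nets=()):
        self.name = name
        self.local_nets = [ipaddress.ip_network(n) for n in local_nets]
        self.addresses, self.allowed_raw, self.route_allowed = [], [], False
        for stype, kv in parse_uci(uci_text):
            if stype == "interface":
                self.addresses += [ipaddress.ip_interface(a) for a in kv.get("addresses", [])]
            elif stype.startswith("wireguard_"):
                self.allowed_raw += kv.get("allowed_ips", [])
                self.route_allowed = kv.get("route_allowed_ips", ["0"])[0] == "1"
        # strict=False: matching is on the prefix, so host bits never count
        self.allowed = [ipaddress.ip_network(a, strict=False) for a in self.allowed_raw]

    def permits(self, ip):
        """True if some allowed_ips entry covers ip (single peer, so no LPM needed)."""
        return any(ip in net for net in self.allowed)


def trace(a, b, src, dst):
    """Follow src->dst from behind router a to behind router b.

    Returns 'ok' or the first hop that drops the packet. The reply (dst->src)
    is decided by the same two entries, so it needs no separate check.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not a.permits(dst):
        return f"{a.name}: no allowed_ips entry covers {dst}; packet never enters the tunnel"
    if not b.permits(src):
        return f"{b.name}: inbound source {src} is not in allowed_ips for this peer; dropped silently"
    return "ok"


def lint(side, peer):
    """Static checks for the mistakes discussed in the thread (IPv4 only)."""
    out = []
    for raw, net in zip(side.allowed_raw, side.allowed):
        if raw != str(net):
            out.append(f"{side.name}: allowed_ips '{raw}' has host bits set; it really covers {net}")
        for local in side.local_nets:
            if net.overlaps(local):
                out.append(f"{side.name}: allowed_ips {net} overlaps local network {local}; "
                           "a peer could spoof local source addresses"
                           + (" and route_allowed_ips steals the prefix from the local interface"
                              if side.route_allowed else ""))
    for addr in peer.addresses:
        if addr.version == 4 and not side.permits(addr.ip):
            out.append(f"{side.name}: peer tunnel address {addr.ip} is not in allowed_ips")
    return out


# Constructed fragments modelled on the thread: home LAN 10.0.1.0/24, travel LAN 192.168.1.0/24.
HOME_BROKEN = """
config interface 'wg0'
    option proto 'wireguard'
    option listen_port '5000'
    list addresses '192.168.2.1/24'

config wireguard_wg0
    option route_allowed_ips '1'
    list allowed_ips '192.168.2.5/32'
"""
TRAVEL_BROKEN = """
config interface 'wg0'
    option proto 'wireguard'
    list addresses '192.168.2.5/24'

config wireguard_wg0
    option route_allowed_ips '1'
    list allowed_ips '10.0.1.232/32'
    list allowed_ips '192.168.2.1/24'
"""
HOME_FIXED = HOME_BROKEN + "    list allowed_ips '192.168.1.0/24'\n"
TRAVEL_FIXED = (TRAVEL_BROKEN.replace("'10.0.1.232/32'", "'10.0.1.0/24'")
                .replace("'192.168.2.1/24'", "'192.168.2.1/32'"))


def check_pair(home_txt, travel_txt, travel_wan):
    """Run the trace and the lint for one home/travel configuration pair."""
    home = WgSide("home", home_txt, local_nets=["10.0.1.0/24"])
    travel = WgSide("travel", travel_txt, local_nets=["192.168.1.0/24", travel_wan])
    return {
        "tunnel_ping": trace(travel, home, "192.168.2.5", "192.168.2.1"),
        "lan_to_lan": trace(travel, home, "192.168.1.10", "10.0.1.232"),
        "lint": lint(home, travel) + lint(travel, home),
    }


if __name__ == "__main__":
    for label, wan in (("broken, behind home router", "10.0.1.0/24"), ("fixed, remote", "172.16.5.0/24")):
        res = check_pair(*(
            (HOME_BROKEN, TRAVEL_BROKEN) if label.startswith("broken") else (HOME_FIXED, TRAVEL_FIXED)), wan)
        print(label, res)
```

The broken pair reproduces the thread exactly: the tunnel ping 192.168.2.5 -> 192.168.2.1 is "ok" while a LAN host is dropped at the home side because its source is not in allowed_ips there, and '192.168.2.1/24' is reported for its host bits. The fixed pair is clean when the travel WAN is a foreign prefix, and the lint shows why 10.0.1.0/24 cannot be routed over wg0 while the travel router's WAN itself sits in 10.0.1.0/24.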