WireGuard between two OpenWrt routers

Hi there,

I didn't know this forum existed! Glad I came through. So, my situation:

I'm trying to set up a WireGuard tunnel between two OpenWrt routers, one at my place and the other at my parents'. My goal is to route only certain IPs through the tunnel when I'm connected at home and exit the tunnel at my parents', because I don't want to pass all my traffic through my parents' router.

For that, I'm using a Sercomm H500-s vf-es at my place, which is the main router, connected to the ISP modem, with LAN 192.168.68.0/24, and which has WireGuard installed.

At my parents', I have an old ADB A4001N (https://openwrt.org/toh/hwdata/adb/adb_p.dg_a4001n_a-000-1a1-ae) from the ISP, which lacks a WAN port; it only has 4 Ethernet ports for LAN and one for ADSL, which is not RJ45. This router is connected to the main ISP modem + router, as I don't want to mess with my parents' network, so I don't have to open ports or anything like that. So this router is at 192.168.1.182 (192.168.1.0/24 being the LAN provided by the ISP router), with the LAN interface configured as a DHCP client, and this interface is the only physical one, as a WAN does not exist.

On this ADB router I've also installed WireGuard and configured the interface with the peer from my home, and yes, it works: the handshake is made and I can ping the other side of the tunnel from each peer.

So, theoretically it is working... except that I don't have internet access from my home when the traffic is going through the tunnel. The ADB router (at my parents', the "client" one) has internet access, as I'm able to install packages, and within the diagnostic tool I reach and ping every public IP/domain I put in.

My guess is that the firewall is not allowing the traffic from the tunnel to go to the LAN zone to get internet access. So I tried the following things at my parents' (other peers work flawlessly when establishing a connection with my OpenWrt at home, like phones or tablets):

  • Put the wg interface in the LAN zone, to reduce the problems with traffic rules between zones and interfaces. Does not work.
  • Put the wg interface in a new zone, allowing traffic to and from the LAN zone, with masquerading. Does not work.
  • Disable the firewall entirely (as the ADB is a client behind the ISP router and ports are closed). Does not work.

I don't know whether the problem is strictly the firewall and I'm mixing concepts and messing around, or whether I need more than that and have to fix some more routes, or whether the OpenWrt LAN interface has to be something different from a DHCP client.

Thanks in advance!

What you probably want is a site-to-site setup; basically it connects the two networks, but each network uses its own WAN to get internet access:

See:


That is close, but you need to turn on masquerading on the lan zone, not the WireGuard zone. Then, when packets from your house arrive via WireGuard, their 192.168.68.x IP will be masqueraded to 192.168.1.182, and the parents' main router can route them to the Internet; more importantly, the reply from the Internet goes to 192.168.1.182, not 192.168.68.x.

This is because the parents' main router does not know about your home LAN and the need to gateway it through your ADB router. If you could install a static route in that main router (192.168.68.0/24 via 192.168.1.182), then it would work without masquerading.

Thank you for your answer! I think I may not have explained myself well. I don't want to access the LAN from my parents' home or the other way around; I only want to use their WAN when visiting certain IPs. The rest of the time, my WAN.

Thank you again.

A site-to-site setup also helps avoid double NAT.
Otherwise, it doesn't matter if you go with site-to-site or server-client.
Just follow the OpenWrt wiki to set up a working connection.

Set up PBR assuming your tunnel is configured properly:
https://openwrt.org/docs/guide-user/network/routing/pbr

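To make the two answers above concrete, here is a small Python routing model added to this thread (it is not code from any of the posters or from OpenWrt). It shows the policy-based routing split on the home router (only listed destinations go through the tunnel) and traces the reply path through the ADB router and the parents' ISP router, which is the point of the masquerade-on-the-lan-zone / static-route answer. The home host address 192.168.68.10 and the example prefix 1.1.1.0/24 are constructed assumptions; the LAN subnets and 192.168.1.182 come from the thread.

```python
"""Toy routing model of the thread's setup.

Home router: LAN 192.168.68.0/24, WireGuard tunnel to the parents' ADB router.
ADB router:  single interface at 192.168.1.182 on the parents' LAN
             (192.168.1.0/24), which is served by the ISP router; no WAN port.
The model shows (a) policy-based routing on the home router sending only
listed destinations through the tunnel and (b) why a reply from the Internet
only gets back to the home LAN if the ADB masquerades on its lan zone or the
ISP router has a static route 192.168.68.0/24 via 192.168.1.182.
The home host address used below is an assumption, not from the thread.
"""
import ipaddress

HOME_LAN = ipaddress.ip_network("192.168.68.0/24")
PARENTS_LAN = ipaddress.ip_network("192.168.1.0/24")
ADB_LAN_IP = ipaddress.ip_address("192.168.1.182")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def lookup(table, dst):
    """Longest-prefix match over a list of (network, next_hop); None if no route."""
    best = None
    for net, hop in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def home_egress(dst, via_parents):
    """Policy-based routing on the home router: destinations matching a prefix
    in via_parents are looked up in the tunnel table, everything else in the
    main table, so only those destinations exit through the parents' WAN."""
    dst = ipaddress.ip_address(dst)
    wg_table = [(DEFAULT, "wg")]
    main_table = [(HOME_LAN, "lan"), (DEFAULT, "wan")]
    if any(dst in ipaddress.ip_network(p) for p in via_parents):
        return lookup(wg_table, dst)
    return lookup(main_table, dst)


def adb_forward_out(src, masquerade_lan):
    """Source address a tunnel packet carries when the ADB router forwards it
    out of its only interface (the lan zone) towards the ISP router."""
    return ADB_LAN_IP if masquerade_lan else src


def isp_router_next_hop(dst, static_route):
    """ISP router's view: it knows its own LAN and a default route; it only
    knows the home LAN if someone added the static route via the ADB box."""
    table = [(PARENTS_LAN, "lan"), (DEFAULT, "isp-wan")]
    if static_route:
        table.append((HOME_LAN, ADB_LAN_IP))
    return lookup(table, dst)


def reply_reaches_home(masquerade_lan, static_route, home_host="192.168.68.10"):
    """Trace the reply to a packet that left home_host through the tunnel."""
    src = ipaddress.ip_address(home_host)
    outer_src = adb_forward_out(src, masquerade_lan)
    hop = isp_router_next_hop(outer_src, static_route)  # reply dst == outer_src
    if hop == "lan":
        # Delivered on the parents' LAN; only useful if the ADB owns that
        # address and can undo the NAT (conntrack) and push it back into wg.
        return outer_src == ADB_LAN_IP
    if hop == ADB_LAN_IP:
        # The static route hands the reply to the ADB, which routes HOME_LAN
        # via its wg interface (the peer's AllowedIPs).
        return True
    # Forwarded up the ISP's WAN with an RFC 1918 destination: dropped.
    return False


if __name__ == "__main__":
    rules = ["1.1.1.0/24"]  # constructed example: only this prefix via parents
    print(home_egress("1.1.1.1", rules), home_egress("8.8.8.8", rules))
    for masq, route in [(False, False), (True, False), (False, True)]:
        print(f"masq={masq} static_route={route}: "
              f"reply ok={reply_reaches_home(masq, route)}")
```

On OpenWrt the masquerade case corresponds to `option masq '1'` on the lan zone in /etc/config/firewall of the ADB router; the static-route case has to be configured on the parents' ISP router, which the original poster said they do not want to touch, so masquerading is the practical option.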