Wireguard client on separate WLAN

Hi!
I am an absolute beginner on OpenWRT and installed OpenWRT 23.05 on a Netgear R7800 [LuCI openwrt-23.05 branch (git-23.236.53405-fc638c8) / OpenWrt 23.05.0 (r23497-6637af95aa)].
I managed to configure 3 WLANs:
STD (2.4 and 5MHz) via bridge_1
VPN (2.4 and 5MHz) via bridge_2
GUEST (2.4 MHz).
The Guest network is working perfectly fine and the other two as well. My intention is though to use the VPN WLAN with a Wireguard client. I managed to configure the Wireguard client and it seems up and running (handshake, etc).
Despite reading several articles, watching Youtube videos and looking in forum, I do not manage to set up the firewall rules that I guess would be needed.
Here is an image of my Firewall Zone settings. DEU would be the VPN and the VPN zone is set up in analogy to the wan zone. With these settings, all WIFIs do work but traffic on DEU is not using the Wireguard client. Deleting wan from forwarding will break all traffic. I got kind of stuck, all help greatly appreciated.

This looks like my home configuration. You need policy based routing for this to work.

Thanks. Will have a look this evening!

I was also looking into a solution for this. I was able to find a very elegant solution in this thread. This will lead you to Route LAN to VPN and DMZ to WAN section of the PBR with netifd guide. No need to install PBR, works like a charm.


Thanks again. I'll give it a try. Didn't have the time to look into any solution. Will be some work during the weekend.
Really appreciate your help!

Looks good, I am though really struggling with shell commands. Is there a way to solve it in LuCI? Right now I can't forward any zones via the wireguard interface although it seems up and running:

Post the relevant configs redacting the private parts:

uci show network; uci show dhcp; uci show firewall
network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fde7:53cc:e357::/48'
network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].ports='eth1.1'
network.lan=interface
network.lan.device='br-lan'
network.lan.proto='static'
network.lan.ipaddr='192.168.8.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.wan=interface
network.wan.device='eth0.2'
network.wan.proto='dhcp'
network.wan.peerdns='0'
network.wan.dns='8.8.8.8'
network.wan6=interface
network.wan6.device='eth0.2'
network.wan6.proto='dhcpv6'
network.wan6.reqaddress='try'
network.wan6.reqprefix='auto'
network.wan6.peerdns='0'
network.wan6.dns='2001:4860:4860:0:0:0:0:8888'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='1 2 3 4 6t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='5 0t'
network.GUEST=interface
network.GUEST.proto='static'
network.GUEST.device='br-guest'
network.GUEST.ipaddr='192.168.10.1'
network.GUEST.netmask='255.255.255.0'
network.@device[1]=device
network.@device[1].type='bridge'
network.@device[1].name='br-guest'
network.@device[2]=device
network.@device[2].type='bridge'
network.@device[2].name='br-deu'
network.DEU=interface
network.DEU.proto='static'
network.DEU.device='br-deu'
network.DEU.ipaddr='192.168.9.1'
network.DEU.netmask='255.255.255.0'
network.wg01=interface
network.wg01.proto='wireguard'
network.wg01.private_key='private_key'
network.wg01.listen_port='51820'
network.wg01.addresses='10.14.0.2/16'
network.wg01.dns='162.252.172.57' '149.154.159.92'
network.wg01.mtu='1420'
network.wg01.defaultroute='0'
network.wg01.dns_metric='0'
network.@wireguard_wg01[0]=wireguard_wg01
network.@wireguard_wg01[0].description='Frankfurt'
network.@wireguard_wg01[0].public_key='public_key'
network.@wireguard_wg01[0].allowed_ips='0.0.0.0/0'
network.@wireguard_wg01[0].endpoint_port='51820'
network.@wireguard_wg01[0].persistent_keepalive='30'
network.@wireguard_wg01[0].endpoint_host='de-fra.prod.surfshark.com'
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].boguspriv='1'
dhcp.@dnsmasq[0].filterwin2k='0'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].nonegcache='0'
dhcp.@dnsmasq[0].cachesize='1000'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.d/resolv.conf.auto'
dhcp.@dnsmasq[0].nonwildcard='1'
dhcp.@dnsmasq[0].localservice='1'
dhcp.@dnsmasq[0].ednspacket_max='1232'
dhcp.@dnsmasq[0].filter_aaaa='0'
dhcp.@dnsmasq[0].filter_a='0'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.start='100'
dhcp.lan.limit='150'
dhcp.lan.leasetime='12h'
dhcp.lan.dhcpv4='server'
dhcp.lan.dhcpv6='server'
dhcp.lan.ra='server'
dhcp.lan.ra_flags='managed-config' 'other-config'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.odhcpd.loglevel='4'
dhcp.GUEST=dhcp
dhcp.GUEST.interface='GUEST'
dhcp.GUEST.start='100'
dhcp.GUEST.limit='150'
dhcp.GUEST.leasetime='12h'
dhcp.DEU=dhcp
dhcp.DEU.interface='DEU'
dhcp.DEU.start='100'
dhcp.DEU.limit='150'
dhcp.DEU.leasetime='12h'

firewall.@defaults[0]=defaults
firewall.@defaults[0].input='REJECT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].synflood_protect='1'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@zone[2]=zone
firewall.@zone[2].name='GUEST'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].network='GUEST'
firewall.@zone[3]=zone
firewall.@zone[3].name='DEU'
firewall.@zone[3].input='ACCEPT'
firewall.@zone[3].output='ACCEPT'
firewall.@zone[3].forward='ACCEPT'
firewall.@zone[3].network='DEU'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='GUEST'
firewall.@forwarding[0].dest='wan'
firewall.@rule[9]=rule
firewall.@rule[9].name='GUEST DHCP_DNS'
firewall.@rule[9].src='GUEST'
firewall.@rule[9].dest_port='53 67 68'
firewall.@rule[9].target='ACCEPT'
firewall.@zone[4]=zone
firewall.@zone[4].name='VPN'
firewall.@zone[4].input='REJECT'
firewall.@zone[4].output='ACCEPT'
firewall.@zone[4].forward='REJECT'
firewall.@zone[4].masq='1'
firewall.@zone[4].mtu_fix='1'
firewall.@zone[4].network='wg01'
firewall.@zone[4].family='ipv4'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='DEU'
firewall.@forwarding[1].dest='VPN'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].src='lan'
firewall.@forwarding[2].dest='wan'
uci -q delete network.wg01.defaultroute
uci set network.@wireguard_wg01[0].route_allowed_ips="1"
uci set network.lan.ip4table="1"
uci set network.DEU.ip4table="2"
uci set network.GUEST.ip4table="3"
uci set network.wg01.ip4table="4"
uci -q delete network.DEU_wg
uci set network.DEU_wg="rule"
uci set network.DEU_wg.in="DEU"
uci set network.DEU_wg.lookup="4"
uci set network.DEU_wg.priority="30000"
uci commit network
service network restart

Thanks for helping me out. Still not able to connect to the internet via DEU-wg01.
Is there any possibility the wireguard configuration is wrong although status seems fine with repeated handshakes?


Would that be the "use default gateway" checkbox in LuCI? Tried to check and uncheck earlier without effect. The command line does not do the trick either.

Wireguard interface seems ok, some packets are transferred:

Was thinking if there may be some errors with the DNS server but LuCI Diagnostics gives a ping response with right name resolution:

Trying to locate the problem, I set the lan zone to "Allow forward to destination zones" to VPN with the same effect, that I can't reach any websites through the WLANs on the lan bridge br-lan.

Finally!


Thought I had to choose only the VPN zone...
When adding both wan and VPN I got an IP via the wireguard interface.
There seems to be some DNS leak though. Hopefully I can manage that with some more research :slight_smile:

Removing custom DNS servers from the wan gateways solved the DNS leak :smile:

Thanks a lot! Would it bother you to explain what these ipv4 routing table commands do? Assigning a routing table to each device and setting a rule that DEU uses the wireguard interface with table 4?


This makes each interface use its own routing table, allowing multiple default routes to be used based on the routing rules.
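As an added example, not code from this thread or from OpenWrt: a small Python linter that reads a `uci show network; uci show firewall` dump and checks the wiring the uci commands above set up (peer routes installed into wg01's own table, a network rule sending DEU to that table, a DEU to VPN forwarding), and also flags custom DNS servers on wan, which caused the leak fixed at the end of the thread. The SAMPLE dump, the function names and the finding texts are my own constructions.

```python
# Added example (not from the thread): lint a `uci show network; uci show firewall` dump for the
# netifd policy-based-routing wiring applied above. SAMPLE is a constructed, trimmed copy of it.
SAMPLE = """\
network.wan.dns='8.8.8.8'
network.wg01=interface
network.wg01.ip4table='4'
network.@wireguard_wg01[0]=wireguard_wg01
network.@wireguard_wg01[0].allowed_ips='0.0.0.0/0'
network.@wireguard_wg01[0].route_allowed_ips='1'
network.DEU_wg=rule
network.DEU_wg.in='DEU'
network.DEU_wg.lookup='4'
firewall.@zone[3]=zone
firewall.@zone[3].name='DEU'
firewall.@zone[3].network='DEU'
firewall.@zone[4]=zone
firewall.@zone[4].name='VPN'
firewall.@zone[4].network='wg01'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='DEU'
firewall.@forwarding[1].dest='VPN'
"""

def parse_uci(dump):
    """Map 'pkg.section' -> {option: value}; the section type is stored under '_type'."""
    cfg = {}
    for line in (l for l in dump.splitlines() if "=" in l):
        key, _, val = line.partition("=")
        sect, _, opt = key.rpartition(".")  # 'network.lan.proto' -> ('network.lan', 'proto')
        if "." not in sect:                 # 'network.lan=interface' only names the section type
            sect, opt = key, "_type"
        cfg.setdefault(sect, {})[opt] = val.strip("'").replace("' '", " ")  # lists -> space-separated
    return cfg

def lint_pbr(cfg, client="DEU", wg="wg01"):
    """Return findings; an empty list means client traffic should leave through the tunnel."""
    def has(kind, **want):  # is there a section of this type carrying all the wanted values?
        return any(s.get("_type") == kind and all(s.get(k) == v for k, v in want.items())
                   for s in cfg.values())
    found, table = [], cfg.get(f"network.{wg}", {}).get("ip4table")
    if not has(f"wireguard_{wg}", allowed_ips="0.0.0.0/0", route_allowed_ips="1"):
        found.append(f"no {wg} peer with allowed_ips 0.0.0.0/0 and route_allowed_ips=1")
    if not table or not has("rule", **{"in": client, "lookup": table}):
        found.append(f"no ip4table on {wg} or no network rule sending {client} traffic to it")
    zone = lambda iface: next((s["name"] for s in cfg.values() if s.get("_type") == "zone"
                               and iface in s.get("network", "").split()), None)
    if not has("forwarding", src=zone(client), dest=zone(wg)):
        found.append(f"firewall has no forwarding from zone {zone(client)} to zone {zone(wg)}")
    if cfg.get("network.wan", {}).get("dns"):
        found.append(f"wan pins custom DNS; dnsmasq uses every upstream, so {client} lookups can leak")
    return found
```

On a live router the same checks run against the real output of `uci show network; uci show firewall` saved to a file; the only finding on SAMPLE is the wan DNS one, which matches what the thread ended up removing.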
