Hi. I'm not a network expert and have no experience with OpenWrt. I'm a sysadmin.
I have a Routerboard 750GL and a cheap, old TP-Link 4/32MB wifi hotspot, both running OpenWrt with WireGuard and LuCI installed. I would like to use the wifi router as a hotspot to connect to home through its LAN port, which is connected to an upstream ISP router with DHCP. The RB 750GL will be at home connected to the ISP router, and can expose ports to the internet. I have read howtos, documentation and the forum, but I'm not able to configure both devices to achieve this setup.
What you want is basically the WireGuard Road Warrior Configuration with a minor modification because the peer that sits on your home network is not actually on the main router (see this thread for the relevant change).
I'm guessing that you must be running an old version of OpenWrt (likely <=18.06). Be aware that anything earlier than 22.03 is EOL and unsupported. There are many serious security vulnerabilities in versions 19.07 and earlier, and those devices should not be used on the internet. You should seriously consider getting a newer travel router that has appropriate resources to run the latest versions of OpenWrt.
Thanks! I have the RB 750GL listening and I'm able to establish the tunnel from the wifi hotspot. I can see it's connected.
Now the work is on the wireless station. I don't know how to set up the routing on the wifi hotspot. If I do a "normal" wireless configuration I can direct the wifi to the LAN; that's working fine. But I want to route the associated wireless stations through WireGuard. I mean this part of the schema:
I tried setting up another interface with a static IP on the same WireGuard interface, setting up DHCP on it and attaching this network to the wireless network. No luck. I also checked the firewall; I would say it's ok.
So the question now is: how should I theoretically do the routing of the wireless traffic through the WireGuard tunnel?
Yes, I'm aware, and thanks for pointing it out. I will buy a new one when I can.
Let's see the config on the wifi hotspot device...
Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/firewall
root@OpenWrt:~# ubus call system board
{
	"kernel": "4.9.243",
	"hostname": "OpenWrt",
	"system": "Atheros AR9341 rev 3",
	"model": "TP-Link TL-WA830RE v2",
	"board_name": "tl-wa830re-v2",
	"release": {
		"distribution": "OpenWrt",
		"version": "18.06.9",
		"revision": "r8077-7cbbab7246",
		"target": "ar71xx\/tiny",
		"description": "OpenWrt 18.06.9 r8077-7cbbab7246"
	}
}

root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdff:b046:d28c::/48'

config interface 'dhcplan'
	option proto 'dhcp'
	option ifname 'eth0'
	option delegate '0'
	option type 'bridge'

config interface 'wireguard'
	option proto 'wireguard'
	list addresses '192.168.33.2/32'
	option private_key 'REDACTED'

config wireguard_wireguard
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'
	option endpoint_host 'REDACTED'
	option persistent_keepalive '25'
	option public_key 'REDACTED'
	option preshared_key 'REDACTED'
	option endpoint_port 'REDACTED'

root@OpenWrt:~# cat /etc/config/wireless
config wifi-device 'radio0'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'platform/REDACTED'
	option htmode 'HT20'
	option country 'ES'
	option legacy_rates '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'REDACTED'
	option isolate '1'
	option encryption 'psk2'
	option key 'REDACTED'
	option network 'dhcplan'

root@OpenWrt:~# cat /etc/config/firewall
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'dhcplan'
	option masq '1'

config zone
	option name 'wan'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option network ' '
	option output 'ACCEPT'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user' # this is empty

config rule
	option enabled '1'
	option target 'ACCEPT'
	option name 'wireguard'
	option src '*'
	option proto 'all'
	option dest '*'

config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	option name 'wireguard'
	option forward 'ACCEPT'
	option masq '1'
	option network 'wireguard'

config forwarding
	option dest 'lan'
	option src 'wireguard'
Note that the firmware is a custom build to fit WireGuard into the 4MB... The device has only one Ethernet port. I know the firewall is all wide open too; I have to set it properly again after the tests...
The travel router can't be configured as a dumb AP, i.e. a "hotspot", as it is now. The wifi clients need to be in a separate network from the upstream connection. The configuration of a travel VPN router is built from standard lan->wan routing. Then, by adding a WireGuard interface, you can switch over to lan->vpn routing, including directing all internet usage by the wifi clients (LAN) into the VPN tunnel if that is what you want -- it usually is.
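As an added example (not from this thread or from the OpenWrt project), here are UCI fragments for the lan->wan / lan->vpn layout described above, applied to the single-port TL-WA830RE. The wifi client subnet 192.168.10.0/24 is a constructed value; the wireguard interface and peer sections stay as posted above, and the wifi-iface's option network is changed from 'dhcplan' to 'lan'.

```uci
# /etc/config/network: eth0 becomes 'wan' (DHCP from the ISP router);
# the wifi clients get their own routed 'lan' instead of the upstream bridge.
config interface 'wan'
	option ifname 'eth0'
	option proto 'dhcp'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.10.1'      # constructed; must not overlap the home LAN
	option netmask '255.255.255.0'

# (interface 'wireguard' and its wireguard_wireguard peer: unchanged,
#  allowed_ips 0.0.0.0/0 + route_allowed_ips 1 install the default route via the tunnel)

# /etc/config/dhcp: lease addresses to the wifi clients on 'lan'.
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'

# /etc/config/firewall: only lan -> vpn is forwarded. Nothing from wan or from
# the tunnel may reach the router's services or the wifi clients; there is
# deliberately no lan -> wan forwarding, so clients cannot bypass the tunnel.
config zone
	option name 'lan'
	option network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'wan'
	option network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'

config zone
	option name 'vpn'
	option network 'wireguard'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'                   # SNAT clients to 192.168.33.2 inside the tunnel

config forwarding
	option src 'lan'
	option dest 'vpn'
```

The masq on the vpn zone is what lets the 192.168.10.x clients use the tunnel, because the RB 750GL only accepts packets from the source addresses listed in this peer's allowed_ips; the alternative is to add 192.168.10.0/24 to that peer's allowed_ips on the 750GL and drop the masq.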