Wireguard on dumb AP behind fritzbox

t4gg4rt · February 3, 2022, 1:23pm

Hey guys,
I need some help with the following problem. I have some basic knowledge about networks, googled a lot and already have set up some wireguard connections but this set up brings me to the end of my knowledge:

FritzBox 7583 (192.168.178.1)

works as modem and main router, has devices like a printer and NAS connected to it, does the DHCP

TP Link Router (192.168.178.2)

running OpenWRT 21.02 as dump Access Point connected via LAN Ports to FritzBox, no DHCP
running wireguard server (10.11.14.1/24)
firewall, dnsmasq, odhcpd deactivated

what I achieved already:

set up portforwarding on fritzbox from WAN to 192.168.178.2
connect to wireguard server from outside (mobile phone) and access GUI on 192.168.178.2

!!!what I want to achieve:

access from outside the network via wireguard to 192.168.178.1 and the other LAN devices connected to fritzbox (like nas at 192.168.178.11)

/etc/configs/network:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd37:af3d:e802::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.178.2'
        option gateway '192.168.178.1'
        list dns '192.168.178.1'

config device
        option name 'eth0.2'
        option macaddr '84:16:f9:66:3f:f5'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 0t'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'PRIVATE KEY'
        option listen_port '51820'
        list addresses '10.11.14.1/24'

config wireguard_wg0
        option persistent_keepalive '25'
        option public_key 'PUBLIC KEY'
        option description 'peer1'
        option route_allowed_ips '1'
        list allowed_ips '10.11.14.2/32'
        list allowed_ips '192.168.178.0/32'

Do I need to set up a route on the fritzbox? Or on the openwrt AP? Or both?
Would be awesome if someone could help me with this I have already tried a lot.
If needed I can share more infos.
THX a lot already

trendy · February 3, 2022, 2:04pm

You could enable masquerade on lan firewall zone of tplink.
Or you can add a static route on fritzbox.
Also:

route allowed ips is not necessary.
The 192.168.178.0/32 is wrong, delete it.

t4gg4rt · February 3, 2022, 2:46pm

Thx so much for your response!
activating masquerade did it! Everything works fine now

slh · February 3, 2022, 9:24pm

The static route would be the nicer solution, avoiding double-NAT on the OpenWrt router.

trendy · February 4, 2022, 10:40am

It is a cleaner solution, however I have seen some issues with the asymmetric routing and firewalls blocking invalid packets. In OpenWrt that can be adjusted, however I am not sure about Fritzbox.

system · February 14, 2022, 10:40am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.