Wireguard on two routers : route all clients traffic through specific peer (not the Wireguard server)

Hi, been spending 2 days on this already, requesting help, deeply apologize for the long post in advance.

In country A : On a freshly installed OpenWRT on WRT1900AC router, I configured Wireguard through the luci UI as a server. The ISP here gives me public IPv4 address, and I can do NAT to forward Wireguard server port from modem to the OpenWRT router.
Country A does censor internet though.

In country B : There is no censorship, but the ISP doesn't provide a public IP address and uses CGNAT, which prevents me from hosting the Wireguard server there. So I want to set up an OpenWRT router as a Wireguard peer, let's call it Peer1, and have all traffic coming from peers in Country A routed through this Peer1.

There will be multiple peers :

  • Some devices in Country A will be on the same site (same downstream subnet) as the router hosting the Wireguard Server, so they won't need to have any Wireguard client installed.
  • Some other devices will be in Country A but will need to have Wireguard installed as regular peers (say a smartphone). Their traffic will also need to be routed through Peer1, to escape censorship
  • No other peers will be in Country B, but ideally devices downstream in the subnet of the OpenWRT router hosting PeerX will need to be reachable from the OpenWRT wireguard server router. I can expand more on this requirement if needed.

So I set up the Wireguard Server router on a freshly installed WRT1900AC, and generated the Peer1 configuration, which I installed on a Win10 Wireguard client (for testing; when everything is OK I will install that configuration on another router and ship it to Country B).
I set up another peer, say PeerX. But every time PeerX is connected to the Wireguard server, its traffic is routed through the server, not Peer1.

I tried to follow recommendations made on this post : https://serverfault.com/questions/1074729/route-all-traffic-through-wireguard-peer
but I have trouble understanding where to put the parameter Table=off in OpenWRT, can't seem to find a conf file to modify... Couldn't also find where to put PostUp and PostDown commands, so I entered the following commands manually via ssh on the router :

# Policy-routing attempt entered by hand over SSH on the Country A router:
# packets that arrive *on wg0* from the WireGuard subnet are looked up in
# table 200, whose only route sends them back out wg0 towards Peer1.
# NOTE(review): traffic from the local LAN (192.168.21.0/24, arriving on
# br-lan) never matches "iif wg0", so the on-site devices are not covered.
# On a wg interface the "via" next hop is not what selects the peer: WireGuard
# picks the peer whose allowed-ips covers the destination, so 0.0.0.0/0 must
# belong to Peer1 for this route to have any effect. Entered manually, neither
# line survives a reboot.
ip rule add iif wg0 from 192.168.121.0/24 lookup 200
ip route add default via 192.168.121.3 dev wg0 table 200

But no success, peers connect successfully, can browse the internet, but traffic gets routed only through the server...

On the Wireguard server, I followed online guide with the following conf below.

Relevant Wireguard server conf on first OpenWRT router:
interface wg0 created through luci UI, with MTU = 1360 (that's the MTU that worked best through all the testing I did)
IP Addresses = 192.168.121.1/24
No host Routes unchecked
Use default gateway checked
Firewall settings : the tutorial suggested to put the wg0 interface in the same zone as lan
Metric = 20 (WAN interface was set as metric 10)

Peers configuration on the server :
Peer1 :
Allowed IPs = 192.168.121.3/32, 0.0.0.0/0
Route Allowed IPs checked

PeerX :
Allowed IPs = 192.168.121.2/32
Route Allowed IPs checked

Peer1 configuration :

[Interface]
PrivateKey = xxxx
Address = 192.168.121.3/32
DNS = 192.168.21.1 (this .21 subnet is the subnet used by the OpenWRT WGserver router on its lan interface)
MTU = 1360
[Peer]
PublicKey = yyyy
AllowedIPs = 192.168.121.0/24,192.168.21.0/24 (this .21 subnet is the subnet used by the OpenWRT WGserver router on its lan interface)
Endpoint = MY_COUNTRY_B_PUBLIC_IP:PORT
PersistentKeepalive = 25

PeerX configuration :

[Interface]
PrivateKey = zzzzz
Address = 192.168.121.2/32
DNS = 192.168.21.1 (this .21 subnet is the subnet used by the OpenWRT WGserver router on its lan interface)
MTU = 1360
[Peer]
PublicKey = yyyy
AllowedIPs = 0.0.0.0/0, 192.168.121.0/24, 192.168.21.0/24 (this .21 subnet is the subnet used by the OpenWRT WGserver router on its lan interface)
Endpoint = MY_COUNTRY_B_PUBLIC_IP:PORT
PersistentKeepalive = 25

/etc/config/network output :

# /etc/config/network of the Country A router (first post): LAN 192.168.21.1/24,
# WAN via DHCP at metric 10, and the WireGuard "server" interface wg0 with two peers.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd2a:4aeb:05c6::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.21.1'

config device
        option name 'wan'
        option macaddr 'c2:56:27:7b:c2:27'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        # WAN default route wins over anything wg0 installs (wg0 is metric 20).
        option metric '10'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option metric '11'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'REDACTED'
        option listen_port 'REDACTED'
        list dns '192.168.21.1'
        list addresses '192.168.121.1/24'
        # With route_allowed_ips and 0.0.0.0/0 below, a default route via wg0 is
        # installed in the main table at this metric; the WAN default at metric 10
        # still wins, which is consistent with the observed "traffic leaves via
        # the server, not Peer1". Steering traffic into the tunnel needs policy
        # routing rather than a lower metric here.
        option metric '20'
        option mtu '1360'

config wireguard_wg0
        option description 'PeerX'
        option public_key 'REDACTED'
        # NOTE(review): a peer section only needs the peer's *public* key. Keeping
        # the peer's private key on the server (presumably left from the LuCI
        # config export) means a compromise of this router also exposes that
        # peer's identity; remove it once the client config has been handed out.
        option private_key 'REDACTED'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        list allowed_ips '192.168.121.2/32'
        # This contradicts the post (PeerX should be 192.168.121.2/32 only).
        # WireGuard maps each allowed-ips prefix to exactly one peer, so 0.0.0.0/0
        # listed both here and under Peer1 ends up on whichever peer is applied
        # last; it should appear under Peer1 only.
        list allowed_ips '0.0.0.0/0'

config wireguard_wg0
        option description 'Peer1'
        option public_key 'REDACTED'
        # NOTE(review): same remark as for PeerX — the peer's private key does not
        # belong on the server.
        option private_key 'REDACTED'
        list allowed_ips '192.168.121.3/32'
        # Peer1 is the intended exit, so 0.0.0.0/0 belongs here and nowhere else.
        list allowed_ips '0.0.0.0/0'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

/etc/config/firewall output :

# /etc/config/firewall of the Country A router (first post): stock OpenWrt
# defaults plus wg0 added to the lan zone.
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        # wg0 in the lan zone: every WireGuard peer (including the remote
        # smartphones) gets input ACCEPT to the router itself and forwarding to
        # the LAN and WAN, exactly like a wired LAN host. Adequate for the
        # site-to-site link; a dedicated zone with explicit forwardings would
        # limit what the remote peers can reach.
        list network 'wg0'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        # NOTE(review): no rule accepting UDP on wg0's listen_port from wan is
        # visible in this dump; with input REJECT the port has to be opened here
        # (the modem's port forward alone is not enough) unless that rule was
        # omitted from the paste.
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# The two rules below are stock OpenWrt defaults (IPsec passthrough), not part
# of the WireGuard setup.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

Before getting into the details of the required setup can you clarify if the following is correct:

  • You want a site to site VPN connection between Country A and B to allow devices connected to the LAN at each end to access devices at the opposing site.
  • In addition, you want devices connected to the LAN in Country A to use the internet connection in Country B.
  • You also want to connect other remote devices to the wireguard 'server' in Country A and have them also end up using the internet connection in Country B.

That is absolutely right, I am creating also a schema to post here to illustrate the situation.
Thank you

I would setup two WG instances (servers) on site A.

One as a site-to-site setup to site B and one as a regular server.

One thing to take into account is that both WG ports have to be routed via the WAN, as you route everything via the tunnel to site B.

Here is an illustration of the situation

And you currently don't have the device in Country B?

The allowed IPs (i.e. 0.0.0.0/0) must be set on the correct peer.

Indeed, but currently I set up Peer1 in an office on a completely separate location and separate internet connection. So that should simulate being in Country B...

I am planning on going there next week to setup the router being Peer1...

Is that going to be an issue ?

As long as you're using the same (or similar) device that you're intending to use in Country B it should be fine. Difficulties will come up if you're using a non-router device or something not running OpenWRT as the setup is different and wouldn't directly copy across to the device in Country B.

As long as you're using the same (or similar) device that you're intending to use in Country B it should be fine. Difficulties will come up if you're using a non-router device or something not running OpenWRT as the setup is different and wouldn't directly copy across to the device in Country B.

Yes of course, I have a second OpenWRT router ready to use, as soon as we figure out how to configure the Wireguard client part on it, it's good to go :slight_smile:

The allowed IPs (i.e. 0.0.0.0/0) must be set on the correct peer

Can you expand on that ? Do you mean I need to add Allowed IPs = 0.0.0.0/0 on the Peer1 wg configuration ? (since it is already there for PeerX). Or are you talking about setting it on the server side for PeerX block ?

I would setup two WG instances (servers) on site A.
One as a site-to-site setup to site B and one as a regular server.
One thing to take into account is that both WG ports have to be routed via the WAN, as you route everything via the tunnel to site B.

I'd like to avoid having to do that... I would need 3 routers, which if could be avoided would be nice.
Thank you though

No that is not necessary, I run three wg tunnels on the same router, one server and two clients.

Basically you setup a server for your phone etc. and a client tunnel but without the endpoint.

On site B you setup a server tunnel but with endpoint to connect to site A.

WG is symmetric, so the division between server and client is arbitrary, but it has implications for the firewall.

Note you need some form of Policy based routing on site A

The configuration on this router is the simple part. You just need a single peer which connects to the endpoint at 'Country A'. For allowed IPs it needs the wireguard subnet (i.e. 192.168.121.0/24) and the Country A LAN (i.e. 192.168.21.0/24). You can then either put it in the LAN firewall zone, or create a new 'vpn' firewall zone and allow forwarding to/from the LAN zone.

The tricky configuration is on the country A router, but I wouldn't get started on that until you have a working site to site VPN set up. Then you can add forwarding of internet traffic to Country B, and then add additional peers to Country A.

I'm pretty sure I can get the site-to-site configuration working without problem, as I said in first post, I have Peer1 (P1) setup on a Win10 computer and it works. But OK I can setup the P1 peer on a second OpenWRT router in a few hours, and then will wait for some pointers on how to indeed configure on Country A router routing all traffic through P1. I'll post back here in a few hours when this is done, in the meantime, would you be able to describe what needs to be done on A ? Or point me to a resource I could read ?
Thank you again for your help

For the site to site setup it should pretty much mirror 'Country B' with the exception of don't add an endpoint address and change the LAN subnet in AllowedIPs to 192.168.1.1. Then to forward local internet traffic to Country B add 0.0.0.0/0 to the AllowedIPs (on the peer at Country A end).

It then gets more complicated as you'll have to start adding routing rules to deal with devices connecting remotely to Country A.

I think there's a confusion. Country B is the second router you asked me to setup (instead of the current Win10 client I'm using to simulate). So I believe you mean :
it should pretty much mirror 'Country A' with the exception of don't add an endpoint address (What do you mean don't add an endpoint address ?) and change the LAN subnet in AllowedIPs to 192.168.1.1 (OK to change the lan subnet in allowed IPs of course).

This part is hence confusing:

Then to forward local internet traffic to Country B add 0.0.0.0/0 to the AllowedIPs (on the peer at Country A end).

This second router will already be in Country B. Do you mean "to forward A's local traffic to CountryB, then add 0.0.0.0/0 to the AllowedIPs (on the peer at Country A end).

Will post back once it's done :slight_smile:

No. I mean what I say. I was answering

The setup for 'country B' is in the post a little further up.

Just to be clear, you should do what @egc said and run two instances of Wireguard within A. One is a point to point link to B and the other accepts connections from client endpoints (or routers) that I'll call C.

Router A should not have a general default route to B, since it needs to interact directly with the various clients C with direct Internet links within country A.

Policy based routing can be used within A so that Internet requests from A's LAN and from the C wireguard interface default into the tunnel to B and thus access the Internet from country B.

As @krazeh said, the routing configuration of B and C are straightforward but A is a special case.


Thank you @mk24 and @egc : I didn't understand you could set up two different instances of Wireguard on the same router. I imagine this is done by creating a new wg1 interface ? I will get on that; in the meantime, could you please confirm that the site-to-site setup is correct and follows @krazeh's instructions.

@krazeh : So I setup Country B router : freshly flashed OpenWrt 22.03.2 r19803-9a599fee93 firmware with all packages updated. The site-to-site seems to work. a laptop behind RouterA can ping 192.168.121.3 or 192.168.31.1 (router B's subnet).
If I SSH into RouterB, I can ping 192.168.121.1, 192.168.21.0/24 and I can even ping A's upstream modem... There is possibly an issue with a laptop behind RouterB that cannot reach RouterA's subnet, but that doesn't seem important for now.

So here's what I have now, what are the next steps ? Setup a second wg interface ? Tweak firewall/routing rules ?

I am grateful for your help, and sorry for being a network noob....

Here are the conf files for both routers:

Router A (Country A) /etc/config/network output :

# /etc/config/network of Router A (Country A) after the site-to-site tunnel was
# brought up: same LAN/WAN as before, wg0 now has a single peer, Router B.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd2a:4aeb:05c6::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.21.1'

config device
        option name 'wan'
        option macaddr '[REDACTED]'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        # WAN default route wins over anything wg0 installs (wg0 is metric 20).
        option metric '10'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option metric '11'

config interface 'wg0'
        option proto 'wireguard'
        option private_key '[REDACTED]'
        # This side listens; Router B (behind CGNAT) dials in.
        option listen_port '[REDACTED]'
        list dns '192.168.21.1'
        list addresses '192.168.121.1/24'
        # The default route that route_allowed_ips installs via wg0 sits at metric
        # 20 and loses to WAN's 10, so Router A itself still exits via its own WAN.
        # That matches the thread's advice (no general default route to B); the
        # selective steering of LAN/peer traffic into the tunnel is left to
        # policy routing.
        option metric '20'
        option mtu '1360'

config wireguard_wg0
        option description 'ClientRouterB'
        option public_key '[REDACTED]'
        # NOTE(review): only Router B's public key is needed here; its private key
        # stored on Router A means compromising A also yields B's tunnel identity.
        option private_key '[REDACTED]'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        list allowed_ips '192.168.121.3/32'
        # 0.0.0.0/0 is required so that WireGuard's cryptokey routing accepts
        # arbitrary Internet destinations for this peer; it must stay unique to
        # the peer that is the Internet exit.
        list allowed_ips '0.0.0.0/0'
        # Router B's LAN, reachable from A over the tunnel.
        list allowed_ips '192.168.31.0/24'

Router A (Country A) /etc/config/firewall output :

# /etc/config/firewall of Router A (Country A): unchanged from the first post —
# stock defaults with wg0 in the lan zone.
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        # wg0 shares the lan zone: anything arriving over the tunnel (Router B's
        # LAN, and later the remote peers) can reach Router A's own services and
        # is forwarded to LAN and WAN like a local host. Fine for a trusted
        # site-to-site link; a separate zone would let the remote peers be
        # confined once they are added.
        list network 'wg0'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        # NOTE(review): no rule accepting UDP on wg0's listen_port from wan appears
        # in this dump; since Router B does connect, the rule presumably exists
        # but was left out of the paste — worth confirming.
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Stock IPsec passthrough rules, unrelated to WireGuard.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

Router B (Country B) /etc/config/network output:

# /etc/config/network of Router B (Country B, behind CGNAT): LAN 192.168.31.1/24,
# wg0 as the dialling side of the site-to-site tunnel to Router A.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd62:fec6:68a0::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.31.1'

config device
        option name 'wan'
        option macaddr '[REDACTED]'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'wg0'
        option proto 'wireguard'
        option private_key '[REDACTED]'
        option mtu '1360'
        # No listen_port: this end only initiates, which is what CGNAT allows.
        list addresses '192.168.121.3/24'

config wireguard_wg0
        option description 'WgServerCountryA'
        # Only Router A's public key is stored here — the right shape for a peer.
        option public_key '[REDACTED]'
        option route_allowed_ips '1'
        # Keepalive is what keeps the CGNAT mapping open so that A can still send
        # traffic into the tunnel after a quiet period.
        option persistent_keepalive '25'
        # NOTE(review): the redaction placeholders below look swapped —
        # endpoint_host carries Router A's public address/hostname and
        # endpoint_port its UDP listen port.
        option endpoint_port '[COUNTRYA_ROUTER_PUBLIC_IP]'
        option endpoint_host '[REDACTED]'
        # WireGuard subnet and Router A's LAN. For B to become the Internet exit
        # for A's traffic this list does not need 0.0.0.0/0 (packets from A only
        # have to be *accepted* from this peer, which these prefixes cover once
        # A's LAN and the wg subnet are the sources).
        list allowed_ips '192.168.121.0/24'
        list allowed_ips '192.168.21.0/24'

Router B (Country B) /etc/config/firewall output:

# /etc/config/firewall of Router B (Country B): stock defaults with wg0 in the
# lan zone.
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        # wg0 in the lan zone together with the lan->wan forwarding and masq on
        # wan below is the path that lets traffic arriving from Router A leave
        # through B's Internet connection. It also gives everything on the tunnel
        # (A's LAN and, later, A's remote peers) full access to Router B's own
        # services and LAN — acceptable only if the A side is trusted.
        list network 'wg0'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        # No inbound WireGuard rule is needed here: B initiates the tunnel and has
        # no listen_port.
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        # Source NAT for everything leaving via B's WAN, including tunnelled
        # traffic from A.
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Stock IPsec passthrough rules, unrelated to WireGuard.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'