I'm having difficulty configuring my WG tunnel for a travel router environment. For context, I have this setup working perfectly with OpenVPN, but I just can't seem to figure out the right set of options for the WireGuard-related configuration.
Here's the setup:
- OpenWrt 18.06.4 on a router at home as the "server side" endpoint (server in OpenVPN, peer in WG).
- OpenWrt 18.06.4 on a travel router as my 'remote' endpoint. The WAN of this router is wifi/ethernet in my remote location (hotel, cafe, etc.), and all of the devices I have with me (phones, computers, tablets, etc.) connect to the LAN of this device. This travel router can be just a regular old NAT/firewall setup, or can create a VPN tunnel back to my home endpoint -- and this is all transparent to the devices that are on the LAN. This allows all of my devices to access the internet as if I were home (geo IP restrictions, security when on an unknown network, etc.), and I can also access resources on my home network.
With OpenVPN, I use the redirect-gateway def1 directive to direct all traffic through the tunnel. I then have the following statements in my firewall:
config zone
    option name 'vpn'
    option input 'REJECT'
    option forward 'REJECT'
    option output 'ACCEPT'
    option masq '1'
    option mtu_fix '1'
    option network 'tun0'

config forwarding
    option dest 'vpn'
    option src 'lan'
Now, with that in mind, I'm trying to figure out how to set up the WG tunnel. I have it working properly between my iPhone and the home router. Therefore, I can confirm that the "server side" (home) peer is configured properly.
I can get a peer-to-peer handshake successfully established between the two routers. But when I establish the connection, no traffic flows through the tunnel. If I enable the "route allowed IPs" option, it seems to kill connectivity entirely.
Here is the relevant stuff from the firewall and network files. What's wrong, and what options should be enabled/disabled (for example, force link, route allowed IPs, masquerade & mtu_fix, the WireGuard firewall zone settings, etc.)?
config zone
    option output 'ACCEPT'
    option name 'WireGuard'
    option forward 'REJECT'
    option input 'REJECT'
    option network 'wg0'

config forwarding
    option dest 'WireGuard'
    option src 'lan'

config interface 'wg0'
    option proto 'wireguard'
    list addresses '10.0.5.3'
    option private_key '[REDACTED]'
    option delegate '0'
    option force_link '1'

config wireguard_wg0
    option public_key '[REDACTED]'
    option endpoint_host '[REDACTED]'
    option endpoint_port '8444'
    option persistent_keepalive '25'
    option preshared_key '[REDACTED]'
    option description 'Home VPN'
    list allowed_ips '0.0.0.0/0'
Thanks!
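As an added example (not the poster's own configuration), here is the WireGuard zone and peer written to mirror the working OpenVPN 'vpn' zone above: the tunnel zone gets the same masq and mtu_fix options, and the peer gets route_allowed_ips so that LAN traffic is actually routed into wg0. The zone, interface and network names are the poster's; keys and endpoint stay as [REDACTED] placeholders.

```uci
# /etc/config/firewall  (added example; mirrors the OpenVPN 'vpn' zone)
config zone
    option name 'WireGuard'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    # Present on the OpenVPN zone, missing on the WireGuard zone:
    # NAT LAN clients behind the tunnel address and clamp TCP MSS
    # to the tunnel MTU.
    option masq '1'
    option mtu_fix '1'
    option network 'wg0'

config forwarding
    option src 'lan'
    option dest 'WireGuard'

# /etc/config/network  (added example; placeholders kept from the post)
config interface 'wg0'
    option proto 'wireguard'
    option private_key '[REDACTED]'
    list addresses '10.0.5.3'

config wireguard_wg0
    option description 'Home VPN'
    option public_key '[REDACTED]'
    option preshared_key '[REDACTED]'
    option endpoint_host '[REDACTED]'
    option endpoint_port '8444'
    option persistent_keepalive '25'
    list allowed_ips '0.0.0.0/0'
    # A handshake alone installs no route; without this option nothing
    # from the LAN is ever sent into wg0 even though the peer is up.
    option route_allowed_ips '1'
```

Routing 0.0.0.0/0 into wg0 also means the encrypted UDP packets to the endpoint follow that default route unless the endpoint address itself has a more specific route out of the WAN, which is exactly the kind of loss of connectivity described above; on a travel router with a changing WAN gateway that endpoint route cannot be a fixed static entry, so check `ip route` after bringing the tunnel up.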