Wireguard relay for multiple routers?

I have an OpenWrt router with Wireguard on it. "Router A" has a static public IP address, and I can connect/administer it just fine from my two laptops. I gave the router's Wireguard interface the address 10.0.10.1/32, and my laptops are 10.0.10.2/32 and 10.0.10.3/32.

I want to administer several other OpenWrt routers ("Router B" and "Router C") from my laptop. Unfortunately, they are behind CGNAT, so I cannot establish connections from my laptop directly to those routers.

I read about a Wireguard "bounce" or "relay" server. Apparently, another OpenWrt router can establish a persistent connection to the relay (Router A, with static public IP address). When my laptop connects into Router A with the proper public key, the relay routes ("bounces") connections from my laptop(s) to the appropriate router.

This leads to multiple questions:

  1. Should I configure the relay for the other routers in the same 10.0.10.0/24 subnet (giving them addresses like 10.0.10.5/32 and 10.0.10.6/32)? Or should the second router be at, say, 10.0.20.0/24 (and the third at 10.0.30.0/24)?

  2. My laptop will (obviously) need a separate configuration for Router B and Router C. Does it need a separate public/private key for each? Or should it simply re-use its existing public/private keys for Router A?

Many thanks.

It doesn't really matter tbh. There is no need for a wireguard 'subnet' at all. As long as devices have valid, non-overlapping, IP assignments then you should be able to give them any IP address you choose.

Router A will need configs for Routers B and C (and they will need appropriate configs to speak back to router A), but you don't need additional configs on the laptop. You need to consider what Allowed_IPs you need on the various configs (and routing if you're not allowing wireguard to create the routes) to allow the traffic to pass from the laptop to router A and then onto Router B or C (and back again).

The question would be more social than technical - namely, to what extent you trust the individual routers and the networks they're serving. Do you want to effectively merge the sites in a big site-to-site VPN or keep them separate to the extent possible?

This is a case of something simple getting obscured by the introduction of a term like "bounce server." Quite simply, when any instance of Wireguard has multiple peers attached, it will bridge the peers. It is much like plugging virtually private Ethernet cables into a central switch. If you then give the interfaces at each endpoint an IP address in the same subnet, they can readily communicate.

This is excellent for administrative connections. But if you need to move large amounts of data between peers you could consider one of the mesh VPN systems like Zerotier, Tailscale, Nebula, etc. These attempt to negotiate direct connections between peers by using a central server to direct the opening of holes in the NAT.

For the administrative access use case, you should firewall the Wireguard interfaces strictly to limit the damage that might be possible if one of the nodes is compromised. For example, only allow ssh with a private key. This key would be held only on your laptop, not on any of the other devices, so even if someone breaks into a router, gaining access to the Wireguard tunnel, they still can't access anything on any of the other routers. Once you have logged into a remote router you can then indirectly access its LAN, rather than routing LAN to LAN all the time.

Also, each router that is behind NAT should run a process that pings the central server periodically. I've found that Wireguard's "persistent keepalive" doesn't always keep the connection active enough to be ready for an incoming connection.

Interesting. Having a fleet of openwrt+wireguard devices, I haven't seen this. Maybe you need to set PersistentKeepalive = 15 or similar. A switch might drop an idle connection after a couple of seconds.

Thanks for all these responses. I would like to keep the tunnels separate, not bridge them together.

It seems as if there are a couple alternatives. What are the ramifications of the following:

Separate subnets: In the "relay server", put each router on its own subnet (10.0.10.1/24 for Router A; 10.0.20.1/24 for Router B; 10.0.30.1/24 for Router C). My laptop would then be configured to have three separate tunnels - one for each destination router.

  • Does AllowedIPs provide sufficient isolation between the separate tunnels?

Separate interfaces: In the "relay server", create a separate WG interface for each router. WG1 would listen on one port, and be configured (only) to talk to Router A (the local router); WG2 would listen on a different port, and be configured to pass traffic between my laptop and Router B, etc.

  • I know I'll need a firewall rule to open the various ports.
  • Will it be necessary to create separate firewall zones for each of the tunnels/WG interfaces?

Thanks again.

After a packet has been received and decrypted at a Wireguard interface, the allowed_ips setting is the inside-the-tunnel IP source address(es) that will be allowed in. Others will be discarded.

So you could use allowed_ips to block all but one member of a star bridge from reaching another router. That allowed_ip (configured in every router) would be your laptop. If your central server is set up properly this is secure against a hacked endpoint changing its IP to impersonate your laptop. The server should be configured to only allow the peer's assigned IP /32. Only someone holding your laptop's Wireguard private key could connect to the server in a way that could be received by a router.
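To make the two points above concrete (the earlier reply that Router A needs a peer entry per router while the laptop keeps one config, and this reply's point that allowed_ips on the hub and on each router is what stops a hacked router from reaching the others), here is an added example that is not from the thread or from the WireGuard project. It builds one AllowedIPs table for a hub (Router A) with three spokes (the laptop, Router B, Router C), renders the wg-quick style config each node would carry, and then walks packets through WireGuard's cryptokey routing rules (on send, the peer whose AllowedIPs contains the destination; on receive, the inner source must be inside that peer's AllowedIPs). All addresses, names, the endpoint 203.0.113.10:51820 and the key placeholders are constructed; the model covers only cryptokey routing, so the real hub still needs IP forwarding enabled and a firewall rule that permits wg-to-wg forwarding, and a spoke behind NAT still needs its Endpoint and keepalive.

```python
"""Hub-and-spoke ("relay") WireGuard model: renders each node's wg-quick style
config from one AllowedIPs table, then walks packets through WireGuard's
cryptokey routing to show which ones the AllowedIPs alone will stop.
Addresses, names, endpoint and keys are constructed for this example."""
import ipaddress
from dataclasses import dataclass, field

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


@dataclass
class Node:
    name: str
    address: str                                   # this node's own tunnel address
    peers: dict = field(default_factory=dict)      # peer name -> [AllowedIPs networks]

    def allow(self, peer, *cidrs):
        self.peers[peer] = [Net(c) for c in cidrs]
        return self


def build_star():
    """Constructed topology: Router A is the hub; the laptop and the CGNAT'd
    routers B and C are spokes whose only peer is the hub."""
    hub = Node("A", "10.0.10.1")
    hub.allow("laptop", "10.0.10.2/32").allow("B", "10.0.10.5/32").allow("C", "10.0.10.6/32")
    laptop = Node("laptop", "10.0.10.2").allow("A", "10.0.10.0/24")  # reach every router via A
    # Each router accepts (and can reach) only the hub itself and the laptop:
    b = Node("B", "10.0.10.5").allow("A", "10.0.10.1/32", "10.0.10.2/32")
    c = Node("C", "10.0.10.6").allow("A", "10.0.10.1/32", "10.0.10.2/32")
    return {n.name: n for n in (hub, laptop, b, c)}


def render(node, listen_port=None, endpoint=None, keepalive=None):
    """wg-quick style config for one node (OpenWrt's UCI carries the same fields)."""
    lines = ["[Interface]", f"Address = {node.address}/32",
             f"PrivateKey = <private key of {node.name}>"]
    if listen_port:
        lines.append(f"ListenPort = {listen_port}")
    for peer, nets in node.peers.items():
        lines += ["", "[Peer]", f"PublicKey = <public key of {peer}>",
                  "AllowedIPs = " + ", ".join(map(str, nets))]
        if endpoint:                       # only the spokes know where the hub is
            lines.append(f"Endpoint = {endpoint}")
        if keepalive:                      # spokes behind NAT keep the mapping open
            lines.append(f"PersistentKeepalive = {keepalive}")
    return "\n".join(lines)


def egress_peer(node, dst):
    """On send: the peer whose AllowedIPs contains dst (longest prefix wins);
    no match means WireGuard has nowhere to send the packet at all."""
    dst, best = Addr(dst), None
    for peer, nets in node.peers.items():
        for net in nets:
            if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (peer, net)
    return best[0] if best else None


def ingress_ok(node, peer, src):
    """On receive: after decryption the inner source address must lie inside
    that peer's AllowedIPs, otherwise the packet is silently dropped."""
    return any(Addr(src) in net for net in node.peers[peer])


def send(nodes, origin, src, dst, max_hops=4):
    """Trace a packet with inner source src from origin toward dst through the star."""
    here, trace = nodes[origin], [origin]
    for _ in range(max_hops):
        if here.address == dst:
            return trace + ["delivered"]
        nxt = egress_peer(here, dst)
        if nxt is None:
            return trace + ["no-peer"]
        trace.append(nxt)
        if not ingress_ok(nodes[nxt], here.name, src):
            return trace + ["dropped"]
        here = nodes[nxt]
    return trace + ["hop-limit"]


if __name__ == "__main__":
    star = build_star()
    print(render(star["A"], listen_port=51820))
    print(render(star["B"], endpoint="203.0.113.10:51820", keepalive=25))
    print(send(star, "laptop", "10.0.10.2", "10.0.10.5"))   # laptop -> B through A
    print(send(star, "C", "10.0.10.6", "10.0.10.5"))        # C -> B: C has no peer covering B
    star["C"].allow("A", "10.0.10.0/24")                    # a compromised C widens its own AllowedIPs
    print(send(star, "C", "10.0.10.6", "10.0.10.5"))        # still dropped, by B's AllowedIPs
    print(send(star, "C", "10.0.10.2", "10.0.10.5"))        # spoofing the laptop: A drops it
```

The last two traces are the security-relevant ones: a router that has been taken over can rewrite its own config, but it cannot change the /32 the hub holds for it or the AllowedIPs the other routers hold for the hub, so both the router-to-router packet and the laptop-spoofing packet die before they reach anything useful. Conversely, if the hub listed 10.0.10.0/24 for every router peer, the spoofing packet would pass the hub, and only the per-router AllowedIPs would be left to stop it.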
