Wireguard Server and Client on the same router

Hello - I'm looking to do the same thing, although I'd like to be able to access the full internet through the tunnel, not just local devices on the same LAN as the dumbAP. I'd also prefer to use the openwrt device as my DHCP server (i.e. not a totally dumbAP).

The dumbAP instructions on the wiki require me to disable the firewall, dnsmasq and odhcpd. I guess I'd leave odhcpd in order to still use this device as a DHCP server.

My question is this: most wireguard instructions include enabling IPv4 forwarding. Will I still need to do that (and if so, will I still be able to do that) if I follow the dumbAP instructions and disable the firewall?

I wouldn't disable the firewall on a wireguard router. IP forwarding (routing) is enabled automatically I think. Don't forget to add a static route to your wireguard networks on the main router.

1 Like

It's an ISP router - it doesn't have the ability to set static routes, unfortunately - just port forwarding and the like. Is there any way around this?

Use WG router as the default gateway for LAN clients with DHCP options.
If you run DHCP server on the WG server, that should work by default.

Not sure that's all necessary - through tinkering, I appear to have got it working. Just a write-up for those coming here later:

Setup:

  • Commercial ISP box acting as modem/router/firewall gateway device. This is 192.168.0.1. Its DHCP server is turned off. It's set to forward traffic to my chosen wireguard port (let's call it 51820) to 192.168.0.2.
  • Openwrt box (BT HomeHub 5a) operating as a DHCP server and access point, connected to the ISP router over ethernet. Luci-app-wireguard is installed on this box. This is 192.168.0.2.

Aim is to connect to the Openwrt box from my mobile phone over wireguard, from anywhere in the world, and get access to both the rest of the Internet (tunneled via my home network, for added privacy/security, and to defeat geoblocking when travelling), and also access to devices on the home network.

Openwrt box has two interfaces: LAN, and wg0 (the wireguard interface).

The openwrt box's LAN interface has a static address (192.168.0.2); gateway is 192.168.0.1; DNSs are 192.168.0.1 and 1.1.1.1. This is also set up to act as my home network's DHCP server.

The wg0 interface is 10.0.0.1/24. The firewall zone is the same as 'lan'. Peers are each given an IP address like 10.0.0.2/32, 10.0.0.3/32, 10.0.0.4/32, etc.

The Openwrt box's "firewall" (if you can call it that, when it's so permissive!) is set up as shown in the following screenshot:

My mobile phone's wireguard is set up as follows:

  • Interface IP is 10.0.0.2/24 (where the .2 changes for each other client device, matching the peers setup on the Openwrt box's peer settings).
  • DNS servers are 192.168.0.2, 1.1.1.1 (i.e. the Openwrt box, falling back to 1.1.1.1)
  • Peer details: Allowed IPs is set to 0.0.0.0/0, ::/0

By the way, my box also does dynamic DNS (luci-app-ddns) - so I can use a URL to connect from the wireguard client (my mobile phone) even when my ISP-assigned IP address changes.

2 Likes
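As an added worked example (not the poster's own configuration, which survives only as the missing screenshot), this is how the setup described in the write-up above maps onto OpenWrt's UCI files. The key values are placeholders; the `device 'br-lan'` line assumes a 21.02-or-later build; and the `masq` line is my assumption about what makes the ISP router's missing static route unnecessary, since nothing in the thread states how return traffic for 10.0.0.0/24 finds its way back.

```uci
# /etc/config/network  (constructed example; keys are placeholders)
config interface 'lan'
	option proto 'static'
	option device 'br-lan'          # assumption: 21.02+ syntax; older builds use 'ifname'
	option ipaddr '192.168.0.2'
	option netmask '255.255.255.0'
	option gateway '192.168.0.1'    # the ISP box is still the upstream gateway
	list dns '192.168.0.1'
	list dns '1.1.1.1'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'SERVER_PRIVATE_KEY_PLACEHOLDER'
	option listen_port '51820'      # the port the ISP box forwards to 192.168.0.2
	list addresses '10.0.0.1/24'

# One section per client. allowed_ips is the /32 handed to that peer, so a
# client can only source traffic from its own tunnel address.
config wireguard_wg0
	option description 'phone'
	option public_key 'PHONE_PUBLIC_KEY_PLACEHOLDER'
	option preshared_key 'OPTIONAL_PSK_PLACEHOLDER'
	list allowed_ips '10.0.0.2/32'
	option route_allowed_ips '1'    # installs the /32 route so replies go back into the tunnel

# /etc/config/dhcp  (this box, not the ISP router, hands out LAN leases)
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'

# /etc/config/firewall  (wg0 shares the lan zone, as in the write-up)
config zone
	option name 'lan'
	list network 'lan'
	list network 'wg0'
	option input 'ACCEPT'           # also what lets UDP/51820 from the ISP box reach WireGuard;
	option output 'ACCEPT'          # a box with a separate wan zone would use a dedicated rule instead
	option forward 'ACCEPT'         # phone <-> LAN devices and phone -> Internet via 192.168.0.1
	option masq '1'                 # assumption: NATs tunnel traffic to 192.168.0.2 so neither the ISP
	                                # router nor LAN hosts need a route for 10.0.0.0/24
```

With `masq` on, a LAN host or the ISP router only ever sees 192.168.0.2 as the source of tunnel traffic, which is why the static route the earlier reply asked for is not required; the cost is that LAN-side logs no longer show which tunnel peer generated a connection.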

You want a different solution than the OP and you should open a new topic rather than write in this dead topic.
@tmomas maybe we can split and lock this one?