WireGuard setup between two routers

Greetings.

I would like to ask the community for help. I'm trying to get WireGuard to function between two routers and I'm having trouble. I think it's coming down to a routing issue. My scenario is below:

Main router to internet has a second router connected to it. It's this connection I'd like to use WireGuard on.

The second router sits on the main router's 192.168.3.0 subnet as 192.168.3.215 and that second router (and all of its devices) can access the internet fine without WireGuard.

I tried the following configurations and it locked me out of the second router (had to boot to safe mode to restore it), which is why I think my routing was wrong.

Any thoughts on what I might be doing wrong? Do I need to use different "allowed_ips"? Do I need to add additional routing (and I'm not sure what routing to use if so)?

Thanks for your thoughts.

Main router

config interface 'vpn'
        option proto 'wireguard'
        option private_key '###'
        option listen_port '51820'

config wireguard_vpn
        option public_key '###'
        option preshared_key '###'
        option description 'Site B'
        list allowed_ips '192.168.3.0/24'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        option endpoint_host 192.168.3.215
        option endpoint_port '51820'

Second router

config interface 'vpn'
        option proto 'wireguard'
        option private_key '###'
        option listen_port '51820'

config wireguard_vpn
        option public_key '###'
        option preshared_key '###'
        option description 'Site A'
        list allowed_ips '192.168.0.0/24'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        option endpoint_host 192.168.3.1
        option endpoint_port '51820'

A few questions:

  1. What is the purpose of this setup? It seems that you're trying to run WG between two routers on the same network. This doesn't really achieve anything useful (except for the educational value of learning how to do the setup). Do you have a particular goal in mind here?

  2. How are the routers connected to each other?

Your IP addresses are not going to work based on the way things are currently shown, but we can fix that. It would be helpful if you could provide a diagram of your topology, complete with the IP addresses of each device and including the LAN and WAN port designations; that will help a lot.

Hi psherman,

Thanks so much for responding.

Our setup has the second router 3 miles away in a remote location on a set of Ubiquiti 5 GHz dishes. We're just looking to add another layer of security on that link. And given how much time we've spent trying to do this, it has indeed become educational!

I've attached the interface page from Luci on the main router. That main router is connected to the ISP on its WAN interface. The second router is on the "LAN_PORT_3" interface as 192.168.3.215 and all devices connected to that second router can access the internet through the main router without issue (without WireGuard of course).

Oh, the VPN interface is for OpenVPN and isn't related to WireGuard in this case. It sits on 192.168.8.0 when it has a client.

Thanks again.

Ok... now I understand the goal.

You said that the second router connects to the main router's LAN_PORT_3 -- that is fine. What port is it connected to on the second router (LAN or WAN)?

For each router, we should look at the full network and firewall configurations -- please make it clear which is which.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

Hi psherman,

The WAN port of the second router is connected to the LAN_PORT_3 of the main router. Good clarification!

We do want to be able to have the second router access some devices on the main router's other interfaces (LAN_PORT_4 and LAN). We'd like to eventually do that by adding traffic rules on the main router rather than using zone forwarding. We could do that well enough without WireGuard, but I'm just putting that out there in case there are additional considerations we need to think about with WireGuard.

Below you'll find the info you requested.

Thank you!

Main Router /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd93:61c1:5c0c::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.0.1'

config device
        option name 'wan'
        option macaddr 'X'

config interface 'wan'
        option device 'wan'
        option proto 'static'
        option ipaddr 'X'
        option netmask '255.255.255.0'
        option gateway 'X'
        option broadcast 'X'
        list dns '8.8.8.8'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'LAN_Port_4'
        option proto 'static'
        option device 'lan4'
        option netmask '255.255.255.0'
        option ipaddr '192.168.4.1'

config interface 'LAN_Port_3'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.3.1'
        option device 'lan3'

config interface 'Wireless'
        option proto 'static'
        option netmask '255.255.255.0'
        list dns '8.8.8.8'
        option device 'wlan1'
        option ipaddr '10.0.0.1'

config route
        option target '192.168.11.204'
        option gateway '192.168.3.215'
        option interface 'LAN_Port_3'

config interface 'VPN'
        option proto 'none'
        option device 'tun0'

Main Router /etc/config/firewall


config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option name 'WAN'
        option input 'DROP'
        option forward 'DROP'
        list network 'wan'
        list network 'wan6'

config zone 'wan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option name 'LAN'
        list network 'lan'

config forwarding
        option dest 'WAN'
        option src 'LAN'

config rule
        option name 'Allow-DHCP-Renew'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'
        option src 'WAN'

config rule
        option name 'Allow-Ping'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'
        option src 'WAN'

config rule
        option name 'Allow-IGMP'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'
        option src 'WAN'

config rule
        option name 'Allow-DHCPv6'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'
        option src 'WAN'

config rule
        option name 'Allow-MLD'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'
        option src 'WAN'

config rule
        option name 'Allow-ICMPv6-Input'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option src 'WAN'

config rule
        option name 'Allow-ICMPv6-Forward'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option src 'WAN'

config rule
        option name 'Allow-IPSec-ESP'
        option proto 'esp'
        option target 'ACCEPT'
        option src 'WAN'
        option dest 'LAN'

config rule
        option name 'Allow-ISAKMP'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
        option src 'WAN'
        option dest 'LAN'

config rule
        option name 'Support-UDP-Traceroute'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option src 'WAN'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config zone
        option name 'LAN_Port_3'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option input 'REJECT'
        list network 'LAN_Port_3'

config zone
        option name 'LAN_Port_4'
        option output 'ACCEPT'
        option input 'REJECT'
        option forward 'REJECT'
        list network 'LAN_Port_4'

config forwarding
        option src 'LAN'
        option dest 'LAN_Port_4'

config zone
        option name 'Wireless'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option input 'REJECT'
        list network 'Wireless'

config forwarding
        option src 'Wireless'
        option dest 'WAN'

config rule
        option name 'LAN Port 3 DHCP'
        option src 'LAN_Port_3'
        option dest_port '67-68'
        option target 'ACCEPT'

config rule
        option name 'LAN Port 3 DNS'
        option src 'LAN_Port_3'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option target 'ACCEPT'
        option src 'LAN_Port_4'
        option name 'LAN Port 4 DHCP'
        option dest_port '67-68'

config rule
        option target 'ACCEPT'
        option src 'LAN_Port_4'
        option name 'LAN Port 4 DNS'
        option dest_port '53'

config rule
        option target 'ACCEPT'
        option src 'Wireless'
        option name 'Wireless DHCP'
        option dest_port '67-68'

config rule
        option target 'ACCEPT'
        option src 'Wireless'
        option name 'Wireless DNS'
        option dest_port '53'

config rule
        option name 'VPN DHCP'
        option src 'VPN'
        option dest_port '67-68'
        option target 'ACCEPT'

config rule
        option src 'VPN'
        option dest_port '53'
        option target 'ACCEPT'
        option name 'VPN DNS'

config forwarding
        option src 'LAN_Port_3'
        option dest 'WAN'

config rule
        option src 'LAN_Port_3'
        option target 'DROP'
        option dest_port '80'
        list dest_ip '192.168.0.1'
        option name 'LAN Port 3 Block to Router Luci'

config rule
        option name 'LAN Port 3 Block to Router Luci'
        option src 'LAN_Port_3'
        list dest_ip '192.168.0.1'
        option dest_port '443'
        option target 'DROP'

config zone
        option name 'VPN'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'REJECT'
        list network 'VPN'

config forwarding
        option src 'VPN'
        option dest 'LAN_Port_4'

config forwarding
        option src 'VPN'
        option dest 'WAN'

config forwarding
        option src 'LAN'
        option dest 'VPN'

config forwarding
        option src 'Wireless'
        option dest 'LAN_Port_4'

config forwarding
        option src 'LAN'
        option dest 'LAN_Port_3'

Second Router /etc/config/network. Note that this router's WAN port is given a static address of 192.168.3.215 via DHCP by the Main Router.

config interface 'loopback'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option device 'lo'

config globals 'globals'
        option ula_prefix 'fd8c:2876:c182::/48'

config interface 'wan'
        option proto 'dhcp'
        option device 'eth0.201'
        option peerdns '0'
        list dns '208.67.222.123'
        list dns '208.67.220.123'

config interface 'wan6'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option device 'eth0.201'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0t 2'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 4'
        option vid '3'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '0t 5'
        option vid '4'

config switch_vlan
        option device 'switch0'
        option vlan '4'
        option vid '201'
        option ports '0t 1'

config interface 'LAN_Port_4'
        option proto 'static'
        option ipaddr '192.168.14.1'
        option netmask '255.255.255.0'
        option device 'eth0.4'

config interface 'LAN_Port_3'
        option proto 'static'
        option ipaddr '192.168.13.1'
        option netmask '255.255.255.0'
        option device 'eth0.3'

config interface 'Wireless'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '10.0.1.1'

config switch_vlan
        option device 'switch0'
        option vlan '5'
        option vid '2'
        option ports '0t 3'

config interface 'LAN_Port_1'
        option proto 'static'
        option ipaddr '192.168.11.1'
        option netmask '255.255.255.0'
        option device 'eth0.1'

config interface 'LAN_Port_2'
        option proto 'static'
        option ipaddr '192.168.12.1'
        option netmask '255.255.255.0'
        option device 'eth0.2'

Second Router /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option mtu_fix '1'
        option network 'wan wan6'
        option masq '1'
        option forward 'REJECT'
        option input 'DROP'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option name 'LAN_Port_4'
        option output 'ACCEPT'
        option network 'LAN_Port_4'
        option forward 'REJECT'
        option input 'ACCEPT'

config zone
        option name 'LAN_Port_3'
        option output 'ACCEPT'
        option network 'LAN_Port_3'
        option forward 'REJECT'
        option input 'ACCEPT'

config zone
        option name 'Wireless'
        option output 'ACCEPT'
        option network 'Wireless'
        option input 'REJECT'
        option forward 'ACCEPT'

config forwarding
        option dest 'wan'
        option src 'LAN_Port_4'

config forwarding
        option dest 'wan'
        option src 'LAN_Port_3'

config forwarding
        option dest 'wan'
        option src 'Wireless'

config rule
        option target 'ACCEPT'
        option src 'Wireless'
        option name 'Wireless DHCP'
        option dest_port '67-68'

config rule
        option target 'ACCEPT'
        option src 'Wireless'
        option name 'Wireless DNS'
        option dest_port '53'

config rule
        option target 'ACCEPT'
        option src 'LAN_Port_4'
        option name 'LAN Port 4 DHCP'
        option dest_port '67-68'

config rule
        option target 'ACCEPT'
        option src 'LAN_Port_4'
        option name 'LAN Port 4 DNS'
        option dest_port '53'

config rule
        option target 'ACCEPT'
        option name 'LAN Port 3 DHCP'
        option src 'LAN_Port_3'
        option dest_port '67-68'

config rule
        option target 'ACCEPT'
        option src 'LAN_Port_3'
        option name 'LAN Port 3 DNS'
        option dest_port '53'

config zone
        option network 'LAN_Port_1'
        option output 'ACCEPT'
        option name 'LAN_Port_1'
        option forward 'REJECT'
        option input 'ACCEPT'

config forwarding
        option dest 'wan'
        option src 'LAN_Port_1'

config zone
        option name 'LAN_Port_2'
        option network 'LAN_Port_2'
        option output 'ACCEPT'
        option input 'REJECT'
        option forward 'REJECT'

config forwarding
        option dest 'wan'
        option src 'LAN_Port_2'

config rule
        option src 'LAN_Port_2'
        option name 'LAN Port 2 DHCP'
        option target 'ACCEPT'
        option dest_port '67-68'

config rule
        option src 'LAN_Port_2'
        option name 'LAN Port 2 DNS'
        option target 'ACCEPT'
        option dest_port '53'

config rule
        option dest_port '67-68'
        option src 'LAN_Port_1'
        option name 'LAN Port 1 DNS'
        option target 'ACCEPT'

config rule
        option dest_port '53'
        option src 'LAN_Port_1'
        option target 'ACCEPT'
        option name 'LAN Port 1 DNS'

config rule
        option name 'Luci from WAN'
        list proto 'tcp'
        option src 'wan'
        option target 'ACCEPT'
        option dest_port '80'

config rule
        option name 'Luci from WAN SSL'
        list proto 'tcp'
        option src 'wan'
        option target 'ACCEPT'
        option dest_port '443'

config rule
        option name 'SSH from WAN'
        list proto 'tcp'
        option src 'wan'
        option target 'ACCEPT'
        option dest_port '22'

config rule
        option src 'wan'
        option dest 'LAN_Port_1'
        list dest_ip '192.168.11.204'
        option target 'ACCEPT'
        option name 'From main router to third router (which is behind second router)'
        list src_ip '192.168.4.225'
        list src_ip '192.168.0.194'
        list src_ip '192.168.0.214'
        list src_ip '10.0.0.1/24'
        list src_ip '192.168.8.1/24'

I don’t see any sign of wireguard in your config files. Have you not yet set it up?


Ah...I deleted the interfaces and firewall zones on both routers since we were having such trouble.

Oh :(

Well, your WireGuard interfaces should have addresses on them that are unique relative to the subnets that are already defined, which may be a large part of your issue.

There's documentation and examples in the wiki here:

Okay, thanks. We did try using unique addresses and the two WireGuard interfaces were able to sling UDP packets back and forth every 25 seconds or so, but no traffic was being routed through the interfaces even with option route_allowed_ips '1'.

I'll research it more, including rereading the wiki doc, and come back if I find out what we did wrong. We must be missing something! Would love to mark this one as [Solved]!

Thank you again!

Once you have what appears to be the basic config on both routers, if you are still having trouble, come back to this thread and post the latest config files from each router. We'll get things working, I'm sure.


Okay, I built it back up. The WireGuard interfaces see each other (the packet RX and TX counts go up together). Here are the changes made to the config files. I bet there's something simple I'm missing in "list allowed_ips" to route all traffic from the second router over its WireGuard interface.

I tried testing the second router config with list allowed_ips '192.168.4.0/24' to push all traffic from the second router to the main router's LAN_PORT_4 (after opening the firewall properly) and I couldn't connect to anything on 192.168.4.0. Even with 0.0.0.0/24, nothing seemed to go out onto the WireGuard interface.

Gotta be something simple I'm missing!

Thank you.

Main Router /etc/config/network (additions only)

config interface 'WireGuard'
        option proto 'wireguard'
        option private_key 'X1'
        option listen_port '51820'
        list addresses '10.11.14.1/24'

config wireguard_WireGuard
        option description 'Second'
        option public_key 'Y2'
        option endpoint_host '192.168.3.215'
        option endpoint_port '51820'
        option route_allowed_ips '1'
        list allowed_ips '10.11.14.2/32'
        option persistent_keepalive '5'

Main Router /etc/config/firewall (additions only)

config zone
        option name 'WireGuard'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'WireGuard'

config forwarding
        option src 'WireGuard'
        option dest 'LAN_Port_3'

config forwarding
        option src 'WireGuard'
        option dest 'WAN'

Second Router /etc/config/network (additions only)

config interface 'WireGuard'
        option proto 'wireguard'
        option private_key 'Y1'
        option listen_port '51820'
        list addresses '10.11.14.2/24'

config wireguard_WireGuard
        option description 'Main'
        option public_key 'X2'
        option endpoint_host '192.168.0.1'
        option endpoint_port '51820'
        option route_allowed_ips '1'
        option persistent_keepalive '5'
        list allowed_ips '10.11.14.1/32'

Second Router /etc/config/firewall (additions only)

config zone
        option name 'WireGuard'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'WireGuard'

config forwarding
        option src 'WireGuard'
        option dest 'WAN'

config forwarding
        option src 'WAN'
        option dest 'WireGuard'

Your list allowed_ips entries are wrong. They need to contain the IP(s) or subnets that you want to allow traffic from and traffic to in the tunnel.

For example, if you had two LANs using 192.168.0.0/24 (call this LAN A) and 192.168.1.0/24 (LAN B) and wanted to connect them via wireguard then the router in LAN A would need list allowed_ips 192.168.1.0/24 (because you want to let traffic from that subnet out of the tunnel and traffic to that subnet into the tunnel) and the router in LAN B would need list allowed_ips 192.168.0.0/24.

If you wanted one LAN to route traffic out of the other LANs internet connection (say LAN B using LAN A's internet) then you would have list allowed_ips 0.0.0.0/0 on the LAN B router.

krazeh,

Thanks! I think we're getting closer to where my misunderstanding of how WireGuard works is. I think I'm just accustomed to the client-server model.

So, I tried the following changes and it effectively stops all traffic. Though the keep alive packets keep the counters going up on the two WireGuard interfaces, I don't see packets associated with traffic increasing the counters. They seem like they're getting dropped.

Would it be a firewall issue? I've intentionally kept the firewall zone for the WireGuard interface wide open until I get things to work.

Main Router (Router with LAN A in your example) /etc/config/network and firewall

config interface 'WireGuard'
        option proto 'wireguard'
        option private_key 'X1'
        option listen_port '51820'
        list addresses '10.11.14.1/24'

config wireguard_WireGuard
        option description 'Second'
        option public_key 'Y2'
        option endpoint_host '192.168.3.215'
        option endpoint_port '51820'
        option route_allowed_ips '1'
        list allowed_ips '192.168.3.215/32'
        option persistent_keepalive '5'

Second Router (Router with LAN B in your example) /etc/config/network and firewall

config interface 'WireGuard'
        option proto 'wireguard'
        option private_key 'Y1'
        option listen_port '51820'
        list addresses '10.11.14.2/24'

config wireguard_WireGuard
        option description 'Main'
        option public_key 'X2'
        option endpoint_host '192.168.0.1'
        option endpoint_port '51820'
        option route_allowed_ips '1'
        option persistent_keepalive '5'
        list allowed_ips '0.0.0.0/0'

Again, the Second Router uses its WAN interface to connect to the LAN_PORT_3 interface (192.168.3.0) of the Main Router. The Main Router has its WAN interface connected to the ISP.

Thank you.

While WG technically treats all devices as peers, you can still think of it with a server/client relationship insofar as which device initiates the connection to another device. In my case, personally, I have a road-warrior type WG configuration where my OpenWrt WG endpoint at home is the "server" and my devices that travel with me (i.e. phone, travel router, etc.) are the "clients" that initiate a connection back to my home network.

Assuming that router B is the one to initiate the connection, you can make the config look like this and it should work:

Router A (primary) Network Config

config interface 'WireGuard'
        option proto 'wireguard'
        option private_key 'X1'
        option listen_port '51820'
        list addresses '10.11.14.1/24'

config wireguard_WireGuard
        option description 'Second'
        option public_key 'Y2'
        option route_allowed_ips '1'
        list allowed_ips '10.11.14.2/32'
        option persistent_keepalive '25'

Router B (secondary) Network Config

config interface 'WireGuard'
        option proto 'wireguard'
        option private_key 'Y1'
        list addresses '10.11.14.2/32'

config wireguard_WireGuard
        option description 'Main'
        option public_key 'X2'
        option endpoint_host '192.168.13.1'
        option endpoint_port '51820'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        list allowed_ips '0.0.0.0/0'

Your firewall files probably still need to be fixed -- they are likely not what you want. But in order to determine the firewall rules that are appropriate, we need to understand the desired operation -- what is allowed, what is prohibited for both inter-VLAN routing as well as internet access, and also the access to the router itself for administration.


The peer that has listen_port configured should not have any endpoint_host set. It listens on the port, from anywhere. Generally this one is considered a server-- it can take multiple connections on that listen_port, provided the other peer exists in a config wireguard_ section. The identity of the other peers will be determined by their public keys, which need to be unique.

The other peer(s) should have endpoint_host pointing at the "server's" IP, and endpoint_port being the listen_port of the server, and no listen_port of their own. Just like at the server, they will refuse to communicate unless the other peer (server) public key matches what is shared in the config wireguard_ section.

Next consider IP addresses and allowed_ips. Since a Wireguard tunnel is an interface, in the simplest case it holds one IP address, which is part of a network that at least includes the other end of the tunnel. In a point to point scheme, one IP would be .1 and one would be .2. This still requires a netmask of at least /30 to include both endpoints and the .0 network and .3 would be reserved for broadcast. Unless you're trying to be real stingy with IPs it is straightforward to just use a /24 even if at first you only have two endpoints. If you later add another device on the same network, its IP might be .3 -- and .2 and .3 could communicate with each other (via two hops to the server) since they are both in the /24 network.

allowed_ips is a sort of very basic access restriction in the Wireguard kernel. After decrypting / unwrapping a packet, the destination end of the tunnel looks at the source IP in the packet, and if it does not match an allowed_IP, the packet is silently dropped, making this feature a good way to break things.

Consider the "road warrior" use case. The road warrior has an IP of its end of the tunnel. All traffic from the road warrior has this source IP. Even if there is another network behind that IP (e.g. a basic travel router where the objective is "share the VPNd Internet" without making a whole site-to-site LAN), the users on that LAN will be NATd into the tunnel IP. Thus at the server end the allowed_ip is simply the road warrior or travel router's Wireguard tunnel IP with a /32.

Note that the matching IP needs to be configured into the main interface block in the road warrior. Unlike OpenVPN, Wireguard does not push clients their IP addresses. They need to be statically defined in advance, and manually properly matched.

The packets coming back to the road warrior are the result of its requests for the Internet, so they may have any source IP. The allowed_ips should be set to 0.0.0.0/0. This is where route_allowed_ips is also useful. Activating this option generates a routing table entry (or two, using the trick of splitting 0.0.0.0 in half) so that requests for an allowed IP (the whole Internet in this case) route out through the Wireguard tunnel. That is what a road warrior wants. A server serving on a /32 basis does not need route_allowed_ips. Configuring the interface with a /24 puts all the client IPs into the routing table automatically.

Specific to the OP's case, running WireGuard tunnels around the LAN seems pointless at first -- until you realize that means you can treat the whole LAN as a cloud-like untrustworthy mess like the Internet. It isn't as necessary to set up a bunch of VLANs and firewall zones for security. Instead security is realized point to point by what lies beyond the ends of the VPN tunnels.


I agree with this, in general, but it may depend on the rest of the network's structure and requirements. The extra subnets may be needed for other purposes. I'm hoping the OP can clarify the reasoning for the VLANs and the security/routing considerations for each so we can clean up the firewall.

Hey all.

Thanks for helping me sort this all out. mk24, your explanation is very helpful and makes a lot of sense.

I've changed the configuration per psherman's suggestion two posts up (using an endpoint host of 192.168.3.1 instead). The WireGuard interfaces can see each other, as confirmed by packet counts going up and the handshake being identified on the "Status" page of LuCI. However, traffic is being squashed somewhere. I can't get traffic out. The TX counter on the secondary router's (B) WireGuard interface seems to go up with the traffic that is trying to get out. But the RX counter on the primary router (A) doesn't go up commensurately (it looks like it just goes up with the keep-alive packets).

So then I tried to change the firewall a bit, thinking maybe that's where we have a problem now... On the primary router (A), I put the WireGuard interface in the LAN_PORT_3 firewall zone (which manages the interface that router B is on). On the secondary router, I put the WireGuard interface in the LAN_PORT_1 zone (since I'm plugged in to that port/interface when I'm testing WireGuard on router B). No change.

Relative to the VLANs, the primary router (A) is quite a busy router managing lots of different devices that need to be isolated from each other. This is why it has the VLANs. Its LAN_PORT_3 serves the secondary router (B). That router B is remote (3 miles away on a pair of Ubiquiti dishes). Within the secondary router are additional VLANs to isolate the users on that remote router.

It's important to note that the firewall and VLAN configurations as they're set up (before any WireGuard implementation) work as we designed them, so we'd like to preserve that firewall setup (so that the different VLANs on both routers can't talk to each other). We don't need a unique firewall for the WireGuard interfaces if it can fold into the existing framework, however. Maybe it's nonsensical to have a firewall for the WireGuard interfaces given its tunneling approach?

So, to summarize where we're at: The WireGuard interfaces talk to each other with the keep-alives and handshakes, but traffic seems to not get routed properly.

Thanks so much folks, for taking the time to help us with this.

Just add the WireGuard interfaces to the appropriate firewall zones on each router, so LAN_Port_3 on the main router and WAN on the second router.

A plain English description of what you hope to achieve with this remote network in terms of inter-VLAN routing (and any directionality) would be useful.
For example (just laying out scenarios):

  • secondary router's LAN_Port_3 can reach all other networks on the primary router.
  • all other networks on the secondary router will get internet access, but be prohibited from connecting to the other networks on the primary router.
  • all primary router networks are prohibited from initiating connections with the networks on the secondary router.

I recommend putting the WireGuard network into its own zone on both sides (let's call it the vpn zone for now).

On the 'client' side (secondary router), enable masquerading on the vpn zone. On the primary side ('server'), you don't need masquerading.

The forwarding rules on both networks will be determined by the description that I have requested. You may possibly also need some static routes defined, depending on the specific goals.

That sounds like an allowed_ips problem. You could set allowed_ips to 0.0.0.0/0 on both ends (without route_allowed_ips) to prevent allowed_ip rejection. I'm not sure what happens if you leave allowed_ips out of the configuration entirely.

Can you ping from one end of the tunnel to the other, using the IP addresses on the tunnel interfaces (configured in WireGuard)? This doesn't depend much on the firewall other than allowing input (ICMP) on the interface.
The tcpdump program would be useful here to see packets entering and leaving.
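To make mk24's two points concrete (the allowed_ips explanation earlier in the thread, and the suggestion just above that 0.0.0.0/0 on both ends prevents allowed_ip rejection), here is an added model of WireGuard's allowed_ips handling. It is example code written for this page, not code from the forum, from OpenWrt or from WireGuard itself; the peer names and the 10.0.0.x tunnel addresses are constructed, while the 192.168.3.0/24 entry is taken from the first post's main-router config.

```python
"""Model of WireGuard allowed_ips ("cryptokey routing"): added example, not project code."""
import ipaddress


class CryptokeyTable:
    """allowed_ips plays two roles: an inbound filter on the decrypted packet's source,
    and an outbound selector (longest prefix match on destination) for which peer to use."""

    def __init__(self):
        self.peers = {}  # peer name -> list of ip_network

    def add_peer(self, name, allowed_ips):
        self.peers[name] = [ipaddress.ip_network(a, strict=False) for a in allowed_ips]

    def inbound_accepted(self, peer, src_ip):
        """After decryption: keep the packet only if its source falls in this peer's allowed_ips."""
        src = ipaddress.ip_address(src_ip)
        return any(src in net for net in self.peers[peer])

    def outbound_peer(self, dst_ip):
        """Before encryption: the peer whose most specific allowed_ip covers the destination,
        or None when no peer claims it (the packet then never enters the tunnel)."""
        dst = ipaddress.ip_address(dst_ip)
        best = None
        for name, nets in self.peers.items():
            for net in nets:
                if dst in net and (best is None or net.prefixlen > best[1]):
                    best = (name, net.prefixlen)
        return best[0] if best else None

    def routes_for(self, peer):
        """Routes that route_allowed_ips would install for this peer; 0.0.0.0/0 is split
        into two /1 halves (mk24's trick) so they win over the existing default route."""
        routes = []
        for net in self.peers[peer]:
            if net.prefixlen == 0:
                routes += [ipaddress.ip_network("0.0.0.0/1"), ipaddress.ip_network("128.0.0.0/1")]
            else:
                routes.append(net)
        return routes


def road_warrior_server():
    t = CryptokeyTable()
    t.add_peer("roadwarrior", ["10.0.0.2/32"])  # constructed tunnel IP of the client
    return t


def road_warrior_client():
    t = CryptokeyTable()
    t.add_peer("server", ["0.0.0.0/0"])  # whole Internet is reachable via the server
    return t


def op_main_router():
    t = CryptokeyTable()
    t.add_peer("siteB", ["192.168.3.0/24"])  # allowed_ips from the first post; covers the endpoint
    return t
```

Note that `op_main_router().outbound_peer("192.168.3.215")` selects the tunnel peer for the peer's own endpoint address, which is the conflict route_allowed_ips creates with the config in the first post.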