Wireguard site to site and using remote gateway

I have two OpenWrt routers, 21.02-rc4, and a site-to-site link over WireGuard.
Site1 LAN: 10.42.0.0/18

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '10.42.0.1'
	option netmask '255.255.192.0'

[...]

config interface 'wg0'
	option proto 'wireguard'
	option private_key '...'
	list addresses '192.168.33.42/24'
	list addresses '10.42.224.1/24'

config wireguard_wg0 'link81'
	option public_key '...'
	option route_allowed_ips '1'
	list allowed_ips '192.168.33.81/32'
	list allowed_ips '10.81.0.0/16'

Site2 LAN: 10.81.0.0/18

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '10.81.0.1'
	option netmask '255.255.192.0'

[...]

config interface 'wg0'
	option proto 'wireguard'
	option private_key '...'
	list addresses '192.168.33.81/24'
	list addresses '10.81.224.1/24'

config wireguard_wg0 'link42'
	option public_key '...'
	option route_allowed_ips '1'
	list allowed_ips '192.168.33.42/32'
	list allowed_ips '10.42.0.0/16'

And this is all working fine between them. wg0 is in the LAN firewall zone.

Now I have an additional VLAN interface on site1:

config device
	option type 'bridge'
	option name 'br-lan99'
	list ports 'eth0.99'

config interface 'lan99'
	option proto 'static'
	option device 'br-lan99'
	option ipaddr '10.42.99.1'
	option netmask '255.255.255.0'

And I'd like everything that connects to this interface (10.42.99.0/24) to be routed through site 2 (10.81.x.x) rather than site 1 (10.42.x.x).
How can I do that?

Currently I have an additional WireGuard interface:

config interface 'wg181'
	option proto 'wireguard'
	option private_key '...'
	list addresses '10.81.224.241/24'

config wireguard_wg181
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'
	option public_key '...'
	option description 'srv81'

and vpn-policy-routing that routes 10.42.99.0/24 over the WG181 interface.

This works, but it doesn't seem right. Is there a better way without an additional WireGuard interface?

Thanks!

If you don't need domain-based policies, then it's better to use PBR with netifd:
https://openwrt.org/docs/guide-user/network/routing/pbr#pbr_with_netifd

# Each site, except for one hosting link81
/etc/init.d/vpn-policy-routing disable
/etc/init.d/vpn-policy-routing stop
uci -q delete network.wg181
uci -q delete network.@wireguard_wg181[0]
uci -q delete network.link81.allowed_ips
uci add_list network.link81.allowed_ips="0.0.0.0/0"
uci add_list network.link81.allowed_ips="::/0"
uci set network.lan.ip4table="1"
uci set network.lan.ip6table="1"
uci set network.wg0.ip4table="2"
uci set network.wg0.ip6table="2"
uci set network.lan99.ip4table="3"
uci set network.lan99.ip6table="3"
uci -q delete network.lan_vpn
uci set network.lan_vpn="rule"
uci set network.lan_vpn.in="lan"
uci set network.lan_vpn.dest="10.0.0.0/8"
uci set network.lan_vpn.lookup="2"
uci set network.lan_vpn.priority="30000"
uci -q delete network.lan99_vpn
uci set network.lan99_vpn="rule"
uci set network.lan99_vpn.in="lan99"
uci set network.lan99_vpn.lookup="2"
uci set network.lan99_vpn.priority="30000"
uci -q delete network.lan99_vpn6
uci set network.lan99_vpn6="rule6"
uci set network.lan99_vpn6.in="lan99"
uci set network.lan99_vpn6.lookup="2"
uci set network.lan99_vpn6.priority="30000"
uci commit network
/etc/init.d/network restart

# Site hosting link81
/etc/init.d/vpn-policy-routing disable
/etc/init.d/vpn-policy-routing stop
uci -q delete network.wg181
uci -q delete network.@wireguard_wg181[0]
uci -q delete network.link42.allowed_ips
uci add_list network.link42.allowed_ips="192.168.33.42/32"
uci add_list network.link42.allowed_ips="10.42.0.0/16"
uci set network.lan.ip4table="1"
uci set network.lan.ip6table="1"
uci set network.wg0.ip4table="2"
uci set network.wg0.ip6table="2"
uci -q delete network.lan_vpn
uci set network.lan_vpn="rule"
uci set network.lan_vpn.in="lan"
uci set network.lan_vpn.dest="10.0.0.0/8"
uci set network.lan_vpn.lookup="2"
uci set network.lan_vpn.priority="30000"
uci commit network
/etc/init.d/network restart

Thank you so much for this @vgaetera. Really appreciate it.

I've tested it and that works great, but I guess I haven't fully explained the setup.

The network layout is multiple sites connected as explained in the original post, and clients which connect to any of these sites (S1: 10.42.224.1/24, S2: 10.81.224.1/24, etc.). From each site they are able to access all other sites, while their route to the internet is determined by the site's WAN connection.

This works fine in my current setup.

In addition to that, some clients should always use a specified route regardless of the site they are on. In this example, lan99 exists in all sites and should always go through 10.81.x.x. On Site2 there is nothing to do, but Site1, or Site3 (10.50.0.0/18, same configuration) or SiteN should have a policy that routes all traffic through Site2.

So if I set uci add_list network.link81.allowed_ips="0.0.0.0/0" for one peer and network.link81.route_allowed_ips='1', I can set it only for one site, one peer.

If I omit setting route_allowed_ips on the WireGuard peer, then the traffic from lan99 doesn't go through the WireGuard interface.

I'm not sure how to populate routing tables correctly.


Updated the above instruction:

  • Expand the routing rule range for lan_vpn.dest=10.0.0.0/8 to cover all peers.
  • On each site, use only link81.allowed_ips=0.0.0.0/0 for that one peer.

Something doesn't look right here. Working with 3 sites, let's name them Site42, Site50 and Site81, I have the following WireGuard configuration:

Site42

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '10.42.0.1'
	option netmask '255.255.192.0'

[...]

config interface 'wg0'
	option proto 'wireguard'
	option private_key '...'
	list addresses '192.168.33.42/24'
	list addresses '10.42.224.1/24'

config wireguard_wg0 'link50'
	option public_key '...'
	option route_allowed_ips '1'
	list allowed_ips '192.168.33.50/32'
	list allowed_ips '10.50.0.0/16'

config wireguard_wg0 'link81'
	option public_key '...'
	option route_allowed_ips '1'
	list allowed_ips '192.168.33.81/32'
	list allowed_ips '10.81.0.0/16'

Site50

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '10.50.0.1'
	option netmask '255.255.192.0'

[...]

config interface 'wg0'
	option proto 'wireguard'
	option private_key '...'
	list addresses '192.168.33.50/24'
	list addresses '10.50.224.1/24'

config wireguard_wg0 'link42'
	option public_key '...'
	option route_allowed_ips '1'
	list allowed_ips '192.168.33.42/32'
	list allowed_ips '10.42.0.0/16'

config wireguard_wg0 'link81'
	option public_key '...'
	option route_allowed_ips '1'
	list allowed_ips '192.168.33.81/32'
	list allowed_ips '10.81.0.0/16'

Site81

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '10.81.0.1'
	option netmask '255.255.192.0'

[...]

config interface 'wg0'
	option proto 'wireguard'
	option private_key '...'
	list addresses '192.168.33.81/24'
	list addresses '10.81.224.1/24'

config wireguard_wg0 'link42'
	option public_key '...'
	option route_allowed_ips '1'
	list allowed_ips '192.168.33.42/32'
	list allowed_ips '10.42.0.0/16'

config wireguard_wg0 'link50'
	option public_key '...'
	option route_allowed_ips '1'
	list allowed_ips '192.168.33.50/32'
	list allowed_ips '10.50.0.0/16'

If I set the peers as you wrote, then I would have:

Site42 (changes to link81)

config interface 'wg0'
	option proto 'wireguard'
	option private_key '...'
	list addresses '192.168.33.42/24'
	list addresses '10.42.224.1/24'

config wireguard_wg0 'link50'
	option public_key '...'
	option route_allowed_ips '1'
	list allowed_ips '192.168.33.50/32'
	list allowed_ips '10.50.0.0/16'

config wireguard_wg0 'link81'
	option public_key '...'
	option route_allowed_ips '1'
	list allowed_ips '0.0.0.0/0' # Change from '192.168.33.81/32'
	list allowed_ips '::/0'      # Change from '10.81.0.0/16'

Site50 (changes to link81)

config interface 'wg0'
	option proto 'wireguard'
	option private_key '...'
	list addresses '192.168.33.50/24'
	list addresses '10.50.224.1/24'

config wireguard_wg0 'link42'
	option public_key '...'
	option route_allowed_ips '1'
	list allowed_ips '192.168.33.42/32'
	list allowed_ips '10.42.0.0/16'

config wireguard_wg0 'link81'
	option public_key '...'
	option route_allowed_ips '1'
	list allowed_ips '0.0.0.0/0' # Change from '192.168.33.81/32'
	list allowed_ips '::/0'      # Change from '10.81.0.0/16'

Site81 (no changes)

config interface 'wg0'
	option proto 'wireguard'
	option private_key '...'
	list addresses '192.168.33.81/24'
	list addresses '10.81.224.1/24'

config wireguard_wg0 'link42'
	option public_key '...'
	option route_allowed_ips '1'
	list allowed_ips '192.168.33.42/32'
	list allowed_ips '10.42.0.0/16'

config wireguard_wg0 'link50'
	option public_key '...'
	option route_allowed_ips '1'
	list allowed_ips '192.168.33.50/32'
	list allowed_ips '10.50.0.0/16'

If this is the setup for Site42/Site50 -> Site81, I don't understand how to make equivalent routes for Site42/Site81 -> Site50 and Site50/Site81 -> Site42. Effectively, how do I route traffic from a specific interface in SiteXX through any other SiteYY?

There are a couple of routing rules created above to look up the VPN table:

  • When the destination matches 10.0.0.0/8 that covers all VPN subnets.
  • When the source interface matches lan99.

If the traffic reaches the VPN table, then the internal VPN routing applies:

  • Route smaller subnets to the respective peers.
  • Route other destinations matching 0.0.0.0/0 to the peer link81.

I apologise for the late reply!

The problem with

Is that when traffic reaches VPN table I still want route to other destinations based on the source. So lan99 should route destinations matching 0.0.0.0/0 to the peer link81, that's ok, but lan95 (for example) should route destinations matching 0.0.0.0/0 to the peer link51 if you get what I mean? Every site has lanXX interface that should route 0.0.0.0/0 to designated wireguard peer.


I'm afraid WireGuard supports only destination-based internal routing.
So, source-based routing to matching destinations requires a separate tunnel.
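As an added example that is not part of the thread (not code from either poster, and not OpenWrt or WireGuard code), the model below reproduces the decision path described in this thread: the two `ip rule` entries and the VPN lookup table from the uci recipe, and the WireGuard cryptokey routing that the last reply refers to. It can be run offline to confirm why lan99 reaches the internet via link81 while lan keeps using the local WAN, and why a second interface such as lan95 cannot be given a different default peer on the same wg0. The table contents, the lan95 interface and its table 4 are constructed for illustration; the peer and prefix names are those used in the thread.

```python
# Added example, not code from the thread: a small model of the netifd policy
# routing that the uci recipe builds on Site42, combined with WireGuard's
# cryptokey routing, so the behaviour explained in the thread (and the
# limitation in the last reply) can be checked offline. Table contents, the
# interface name lan95 and its table 4 are constructed for illustration.
from ipaddress import ip_address, ip_network

# Kernel routing tables after the recipe: lan -> table 1, wg0 -> table 2,
# lan99 -> table 3. Entries are (prefix, output device); route_allowed_ips
# installs every peer's allowed_ips via wg0, so table 2 only knows "wg0".
TABLES = {
    "main": [("0.0.0.0/0", "wan")],                      # local WAN default
    1: [("10.42.0.0/18", "br-lan")],
    2: [("192.168.33.0/24", "wg0"), ("10.50.0.0/16", "wg0"),
        ("10.81.0.0/16", "wg0"), ("0.0.0.0/0", "wg0")],  # link81 allowed_ips 0.0.0.0/0
    3: [("10.42.99.0/24", "br-lan99")],
    4: [("0.0.0.0/0", "wg0")],                           # constructed: a table for lan95
}

# ip rules as (priority, match, table); 32766 is the kernel's built-in main rule.
RULES = [
    (30000, {"iif": "lan", "dst": "10.0.0.0/8"}, 2),     # uci rule lan_vpn
    (30000, {"iif": "lan99"}, 2),                        # uci rule lan99_vpn
    (30000, {"iif": "lan95"}, 4),                        # constructed rule for lan95
    (32766, {}, "main"),
]

# Site42's wg0 peers after the recipe: allowed_ips per peer (cryptokey routing).
PEERS = [
    ("link50", ["192.168.33.50/32", "10.50.0.0/16"]),
    ("link81", ["0.0.0.0/0"]),
]


def lookup(table, dst):
    """Longest-prefix match in one table; returns the output device or None."""
    best = None
    for prefix, dev in TABLES[table]:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def route(iif, dst):
    """Evaluate ip rules by priority; the first table holding a matching route wins."""
    dst = ip_address(dst)
    for _prio, match, table in sorted(RULES, key=lambda r: r[0]):
        if "iif" in match and match["iif"] != iif:
            continue
        if "dst" in match and dst not in ip_network(match["dst"]):
            continue
        dev = lookup(table, dst)
        if dev is not None:
            return table, dev
    return None, None


def cryptokey_table(peers):
    """Each allowed_ips prefix has exactly one owner; a prefix claimed twice goes to the last peer."""
    owner = {}
    for name, prefixes in peers:
        for p in prefixes:
            owner[ip_network(p)] = name
    return owner


def tx_peer(owner, dst):
    """Transmit side: the peer is chosen by longest-prefix match on the destination only."""
    dst = ip_address(dst)
    hits = [(net, peer) for net, peer in owner.items() if dst in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def rx_allowed(owner, peer, src):
    """Receive side: a decrypted packet is dropped unless its source is in that peer's allowed_ips."""
    src = ip_address(src)
    return any(p == peer and src in net for net, p in owner.items())


def forward(iif, dst, peers=PEERS):
    """Combined decision for a packet: (output device, WireGuard peer or None)."""
    _table, dev = route(iif, dst)
    peer = tx_peer(cryptokey_table(peers), dst) if dev == "wg0" else None
    return dev, peer


if __name__ == "__main__":
    for iif, dst in [("lan", "10.50.1.1"), ("lan", "8.8.8.8"), ("lan99", "8.8.8.8"),
                     ("lan99", "10.50.1.1"), ("lan95", "8.8.8.8")]:
        print(f"{iif:6} -> {dst:10} : {forward(iif, dst)}")
```

Running it shows lan reaching 10.50.1.1 through link50 and 8.8.8.8 through the local WAN, lan99 reaching 8.8.8.8 through link81, and lan95 also ending up at link81 even though its own table 4 was given a separate default: the kernel only picks the device wg0, and wg0 then picks the peer by destination, so a per-source default peer needs a separate tunnel, exactly as the last reply says. The `rx_allowed` function makes a second point worth checking with `wg0` sitting in the LAN firewall zone: once link81 owns 0.0.0.0/0, Site42 accepts packets from that peer with any source address, whereas with only 192.168.33.81/32 and 10.81.0.0/16 it would drop a packet claiming to come from, say, 203.0.113.5.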