Wireguard site to site to allow access to CGNAT network

I've read lots of forum posts here but have been unable to set up a wireguard site to site connection between my home network (which sits behind CGNAT) and a VM on a VPC. The aim is for the VPC to be able to directly connect to any machine on my home network. I'm hoping someone can help me, if indeed it is possible. Although I have an understanding of simple networking, I don't have any knowledge of routes etc.

Here's how I have things setup currently:

Home network

  • Router which is the gateway - 192.168.1.1
  • OpenWRT - 192.168.1.2 and also 10.222.0.2 on WG0 interface. As this isn't a gateway, I have taken the LAN and WG0 out of any firewall zone
  • Other machines - all on 192.168.1.x subnet

VPC

  • VM running Ubuntu - Internal IP: 10.142.0.3, 10.222.0.1 on wg0 interface
  • Also running rinetd to forward TCP and UDP ports. I thought I could use IPTables to do this but wasn't able to get this to work

With this setup, I am able to forward ports from the VM to my OpenWRT over the wireguard connection. For any services running on OpenWRT, this works very well. I have also installed TCPProxy on my OpenWRT to forward ports on to other machines on the network but this seems inefficient.

Desired outcome

I'd like the VM to be able to forward packets directly to any machine on my home network if possible. At the same time, I would want the machines on my internal network to access the internet not through the Wireguard connection. Does this make sense and is it achievable?

Thanks for any help!

Here are the config files I have:

VM wg0.conf

[Interface]
Address = 10.222.0.1/24
ListenPort = 51820
PrivateKey = {removed}

[Peer]
PublicKey = {removed}

AllowedIPs = 10.222.0.2/32

PersistentKeepalive = 25

OpenWRT wg0

config interface 'wg0'
	option proto 'wireguard'
	option private_key {removed}
	list addresses '10.222.0.2/32'

config wireguard_wg0 'wgserver'
	option public_key {removed}
	option endpoint_host {fqdn}
	option endpoint_port '51820'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	list allowed_ips '10.222.0.0/24'

OpenWRT lan

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.1.1'
	option ipaddr '192.168.1.2'
	list dns '192.168.1.1'
	option metric '100'
	option ifname 'eth0.1'

  • On the router add a static route to 10.222.0.0/24 via 192.168.1.2.
  • On the VM add a static route to 192.168.1.0/24 via 10.222.0.2.
  • On the VM change AllowedIPs = 10.222.0.2/32, 192.168.1.0/24.
  • Disable masquerading for the WG interface on both server and client.
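As an added illustration, not code from this thread or from WireGuard itself: a small model of WireGuard's cryptokey routing (outbound peer selection by longest AllowedIPs prefix; inbound packets accepted only when their source address lies inside the sending peer's AllowedIPs) run against the VM's [Peer] before and after the AllowedIPs change suggested above. The LAN host 192.168.1.5 and the peer label "openwrt" are assumed.

```python
import ipaddress

# Constructed from the addresses posted in the thread; not the author's code.
LAN = ipaddress.ip_network("192.168.1.0/24")


def select_peer(peers, dst):
    """Outbound: the peer whose AllowedIPs contains dst with the longest
    prefix wins; if no peer matches, the wg interface drops the packet."""
    dst = ipaddress.ip_address(dst)
    best = None
    for name, nets in peers.items():
        for cidr in nets:
            net = ipaddress.ip_network(cidr)
            if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (name, net)
    return best[0] if best else None


def accept_inbound(peers, peer, src):
    """Inbound: a decrypted packet from `peer` is kept only if its source
    address is inside that peer's AllowedIPs; otherwise it is silently dropped."""
    src = ipaddress.ip_address(src)
    return any(src in ipaddress.ip_network(cidr) for cidr in peers[peer])


def lan_reachable(vm_peers, host="192.168.1.5", openwrt_peer="openwrt"):
    """A ping from the VM to a LAN host needs both directions to pass:
    the echo request must select the OpenWrt peer, and the reply, whose
    source is the LAN address, must pass the VM's inbound AllowedIPs check."""
    if ipaddress.ip_address(host) not in LAN:
        return False
    return (select_peer(vm_peers, host) == openwrt_peer
            and accept_inbound(vm_peers, openwrt_peer, host))


# VM [Peer] as first posted: only OpenWrt's tunnel address is allowed.
VM_BEFORE = {"openwrt": ["10.222.0.2/32"]}
# VM [Peer] after adding the home LAN to AllowedIPs.
VM_AFTER = {"openwrt": ["10.222.0.2/32", "192.168.1.0/24"]}

if __name__ == "__main__":
    print("LAN reachable before:", lan_reachable(VM_BEFORE))  # False
    print("LAN reachable after: ", lan_reachable(VM_AFTER))   # True
```

Note that the kernel route "192.168.1.0/24 via 10.222.0.2 dev wg0" alone is not enough: without the LAN prefix in AllowedIPs the wg interface has no peer to encrypt for, and replies from LAN sources would be discarded on arrival.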

Thanks for this but I've been unable to get it to work.

I'm unable to add a route to my router so I added the route to the PC (Windows 10) to which I want to route traffic - I'm not sure if that would suffice. I implemented the route on the VM side as well as added the additional setting to the VM wireguard config. I wasn't sure how to disable masquerading but on the VM, it's a clean install and I haven't installed IPTables before so does this mean it's disabled? I wasn't sure how to disable masquerading on the OpenWRT.

One thing I am able to do now is ping 192.168.1.2 (the OpenWRT IP) from VM. But any other IP in the subnet can't be pinged. I'm also unable to ping 10.222.0.1 from my machine I added the route to.

  • Assign the WG interface to the trusted firewall zone on OpenWrt.
  • Allow pings from outside the local subnet on the PC.
  • Post runtime configs from the OpenWrt and VM:
wg show; ip a; ip r; iptables-save

Thanks for the continued help. Here's the various outputs.

VM

wg show
interface: wg0
  public key: {removed}
  private key: (hidden)
  listening port: 51820

peer: {removed}
  endpoint: {removed}:41426
  allowed ips: 10.222.0.2/32, 192.168.1.0/24
  latest handshake: 34 seconds ago
  transfer: 65.94 KiB received, 51.57 KiB sent
  persistent keepalive: every 25 seconds
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1460 qdisc fq_codel state UP group default qlen 1000
    link/ether 42:01:0a:8e:00:03 brd ff:ff:ff:ff:ff:ff
    inet 10.142.0.3/32 scope global dynamic ens4
       valid_lft 2927sec preferred_lft 2927sec
    inet6 fe80::4001:aff:fe8e:3/64 scope link
       valid_lft forever preferred_lft forever
14: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1380 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.222.0.1/24 scope global wg0
       valid_lft forever preferred_lft forever
ip r
default via 10.142.0.1 dev ens4 proto dhcp src 10.142.0.3 metric 100
10.142.0.1 dev ens4 proto dhcp scope link src 10.142.0.3 metric 100
10.222.0.0/24 dev wg0 proto kernel scope link src 10.222.0.1
192.168.1.0/24 via 10.222.0.2 dev wg0

OpenWRT

wg show
interface: wg0
  public key: {removed}
  private key: (hidden)
  listening port: 41426

peer: {removed}
  endpoint: {removed}:51820
  allowed ips: 10.222.0.0/24
  latest handshake: 25 seconds ago
  transfer: 47.62 KiB received, 66.43 KiB sent
  persistent keepalive: every 25 seconds
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 532
    link/ether c0:56:27:5f:cc:47 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::c256:27ff:fe5f:cc47/64 scope link
       valid_lft forever preferred_lft forever
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 532
    link/ether c2:56:27:5f:cc:47 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::c056:27ff:fe5f:cc47/64 scope link
       valid_lft forever preferred_lft forever
5: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 00:25:9c:13:80:33 brd ff:ff:ff:ff:ff:ff
6: wlan1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 00:25:9c:13:80:32 brd ff:ff:ff:ff:ff:ff
10: br-lan: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether c2:56:27:5f:cc:47 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.2/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fd29:6fc4:7272::1/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::c056:27ff:fe5f:cc47/64 scope link
       valid_lft forever preferred_lft forever
11: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether c2:56:27:5f:cc:47 brd ff:ff:ff:ff:ff:ff
12: eth1.2@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether c0:56:27:5f:cc:47 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::c256:27ff:fe5f:cc47/64 scope link
       valid_lft forever preferred_lft forever
18: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.222.0.2/32 brd 255.255.255.255 scope global wg0
       valid_lft forever preferred_lft forever
ip r
default via 192.168.1.1 dev br-lan proto static metric 100
10.222.0.0/24 dev wg0 proto static scope link
{external ip of VM} via 192.168.1.1 dev br-lan proto static metric 100
192.168.1.0/24 dev br-lan proto static scope link metric 100

(A route was automatically added when I added the 192.168.1.0/24 to the wg0 allowed IPs. I removed it and added the route manually as suggested having already checked to see if it worked first).

iptables-save
# Generated by iptables-save v1.8.3 on Thu Oct  1 21:33:49 2020
*nat
:PREROUTING ACCEPT [36067:11580651]
:INPUT ACCEPT [319:41283]
:OUTPUT ACCEPT [2960:229811]
:POSTROUTING ACCEPT [2960:229811]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Thu Oct  1 21:33:49 2020
# Generated by iptables-save v1.8.3 on Thu Oct  1 21:33:49 2020
*mangle
:PREROUTING ACCEPT [77051:19331880]
:INPUT ACCEPT [41302:7792472]
:FORWARD ACCEPT [46:3672]
:OUTPUT ACCEPT [47858:48126380]
:POSTROUTING ACCEPT [47858:48126380]
COMMIT
# Completed on Thu Oct  1 21:33:49 2020
# Generated by iptables-save v1.8.3 on Thu Oct  1 21:33:49 2020
*filter
:INPUT ACCEPT [4142:657585]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1339:93552]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
COMMIT
# Completed on Thu Oct  1 21:33:49 2020

Copy-paste to OpenWrt:

uci set firewall.@defaults[0].forward="ACCEPT"
uci add_list firewall.@zone[0].network="lan"
uci add_list firewall.@zone[0].network="wg0"
uci commit firewall
/etc/init.d/firewall restart

uci del_list network.wg0.addresses="10.222.0.2/32"
uci add_list network.wg0.addresses="10.222.0.2/24"
uci commit network
/etc/init.d/network restart

Amazing - it worked! Thank you so much. I really appreciate it.

Now I've just got to understand the changes...!


Better use the automatic route if it works for you.

The firewall default forward policy was REJECT and the interfaces weren't assigned to any zone.


I wonder if you could help with a further problem I'm facing.

With the current set up outlined above, I am able to connect externally to Softether running on my OpenWRT.

Because I want to be able to route to some devices where I can't manually specify a static route and because my router doesn't allow me to define static routes, I thought I'd try the following:

  • Switch off the DHCP server on my router
  • Enable DHCP on OpenWRT and get it to set each device's gateway to 192.168.1.2 (the IP of OpenWRT)

This appeared to work well. I was able to ping each device on my network from the VM in the VPC.

However, I am now unable to connect to Softether on the Openwrt. Because I can see the sessions being started in the Softether admin interface, I don't think it's a problem with ports, especially as it worked before I changed DHCP settings. So I think it's failing because the DHCP server isn't assigning an IP to a device connected on Softether.

I realise this might be a Softether question and so in the wrong place but is there a DHCP option I'm missing that needs changing?

Here is the output from uci show dhcp:

dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.auto'
dhcp.@dnsmasq[0].sequential_ip='1'
dhcp.@dnsmasq[0].localservice='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.start='10'
dhcp.lan.leasetime='24h'
dhcp.lan.limit='150'
dhcp.lan.dhcp_option='6,8.8.8.8,8.8.4.4' '3,192.168.1.2'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.odhcpd.loglevel='4'
dhcp.@host[0]=host
dhcp.@host[0].mac='{removed}'
dhcp.@host[0].name='Desktop'
dhcp.@host[0].dns='1'
dhcp.@host[0].ip='192.168.1.5'
dhcp.@host[0].leasetime='9999h'

Thanks again for all the help so far.

OpenWrt sends its own IP as the default gateway in the DHCP lease by default, thus an explicit option seems to be redundant.
Unfortunately I'm not familiar enough with SoftEther VPN, so it's best to open a new thread.


OK, will start a new thread.

Unless I'm misunderstanding, one can specify a different gateway in OpenWRT's DHCP and it appeared to work as expected:

dhcp.lan.dhcp_option='3,192.168.1.2'
