Wireguard Tunnel in Tunnel

I have 3 sites running Raspberry Pi’s/OpenWRT and WireGuard. Site 1 is the “Server” and Sites 2 and 3 are peers configured to route all traffic back to Site 1 and exit to the Internet via Site 1’s WAN. Let’s call this the “outer tunnel” on 10.0.100.0/24. Site 2 and Site 3 can both connect to Site 1 and all internet traffic exits through Site 1’s connection as desired. With all sites connected, Site 2 can access Site 3; specifically, LuCI via a web browser and the UCI via a terminal. All of this works.

I am now attempting to set up an “inner tunnel” on 10.0.102.0/24 between Site 2 and Site 3 and route a client (10.0.102.2) connected to Site 2 through the inner tunnel and out Site 3’s WAN. I have Site 3 set up as the inner tunnel’s WireGuard “Server” and Site 2 set up as the peer. I am getting Rx/Tx on the inner tunnel when I activate the connection between Site 2 and Site 3. The problem is that I cannot get the Internet traffic to exit Site 3’s WAN. It either goes nowhere OR exits to the Internet via Site 1’s WAN.

I have tried the Routes/Rules as recommended in several other posts to no avail. I feel like I am really close, but I am a novice at this stuff and am effectively stabbing in the dark at this point. Any help that can be offered would be greatly appreciated.

I do have ip-full installed, as suggested in other posts on similar topics. I have not installed PBR yet, as most posts I reviewed suggested that, because I'm just looking to have a single IP routed, PBR would be unnecessary overhead.

I’m including the network and firewall configs and a route -n dump for Site 3, as I think this is where the issue is.

SITE 3 - /etc/config# route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 WG51820
10.0.100.0      0.0.0.0         255.255.255.0   U     0      0        0 WG51820
10.0.102.0      0.0.0.0         255.255.255.0   U     0      0        0 WG51821
10.0.102.2      0.0.0.0         255.255.255.255 UH    0      0        0 WG51821
10.7.7.0        0.0.0.0         255.255.255.0   U     0      0        0 br-lan
x.x.x.x         0.0.0.0         255.255.252.0   U     0      0        0 eth0      SITE 3 WAN
x.x.x.x         x.x.x.x         255.255.255.255 UGH   0      0        0 eth0      SITE 1 WAN

SITE 3 - /etc/config# cat network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdac:9252:9892::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'dummy0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '10.7.7.1'
        option netmask '255.255.255.0'

config interface 'wan'
        option proto 'dhcp'
        option peerdns '0'
        option device 'eth0'
        list dns '1.1.1.1'
        list dns '8.8.8.8'

config interface 'wwan'
        option proto 'dhcp'
        option peerdns '0'
        list dns '1.1.1.1'
        list dns '8.8.8.8'

----------THIS IS FOR SITE 1 (Outer Tunnel)-----------
config interface 'WG51820'
        option proto 'wireguard'
        option private_key ''
        option listen_port '51820'
        list addresses '10.0.100.4/32'
        list dns '1.1.1.1'

config wireguard_WG51820
        option description 'SVR-WG51820'
        option public_key ''
        option preshared_key ''
        option endpoint_host ''
        option endpoint_port '51820'
        option route_allowed_ips '1'
        list allowed_ips '10.0.100.0/24'
        list allowed_ips '0.0.0.0/0'

----------THIS IS FOR SITE 2 (Inner Tunnel)-----------
config interface 'WG51821'
        option proto 'wireguard'
        option private_key ''
        option auto '0'
        list addresses '10.0.102.1/24'
        option listen_port '51821'

config wireguard_WG51821
        option description 'WG-SC-51821'
        option public_key '='
        option private_key ''
        option preshared_key ''
        list allowed_ips '10.0.102.2/32'
        option route_allowed_ips '1'
        option endpoint_port '51821'
        option endpoint_host '10.0.100.4'

config route
        option interface 'wan'
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option table '2'
        option metric '100'
        option gateway '0.0.0.0'

config rule
        option src '10.0.102.2/32'
        option priority '2'
        option lookup '2'
        option out 'WG51820'

SITE 3 - cat firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'rvwireguard'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'WG51821'

config zone
        option name 'wan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wwan'

---Standard Rules unmodified and trimmed down for posting---
        option name 'Allow-DHCP-Renew'
        option name 'Allow-Ping'
        option name 'Allow-IGMP'
        option name 'Allow-DHCPv6'
        option name 'Allow-MLD'
        option name 'Allow-ICMPv6-Input'
        option name 'Allow-ICMPv6-Forward'
        option name 'Allow-IPSec-ESP'
        option name 'Allow-ISAKMP'
---Standard Rules unmodified and trimmed down for posting---

config zone
        option name 'wireguard'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        list network 'WG123'
        list network 'WG51820'

config forwarding
        option src 'lan'
        option dest 'wireguard'

config rule
        option name 'Allow-WG-Peer-2-Peer'
        list proto 'tcp'
        option src 'wireguard'
        option dest_port '80 22'
        option target 'ACCEPT'
        list src_ip '10.0.100.3'
        list src_ip '10.0.100.2'

config rule
        option name 'Allow-RV-WIreguard'
        list proto 'udp'
        option src 'wireguard'
        option dest_port '51821'
        option target 'ACCEPT'

config forwarding
        option src 'rvwireguard'
        option dest 'wan'

config rule
        option name 'Allow-WGR'
        option src 'rvwireguard'
        option dest 'wireguard'
        option target 'ACCEPT'
        list proto 'tcp'
        list proto 'udp'

config nat
        option name 'Test Nat'
        option src 'wan'
        option src_ip '10.0.102.2'
        option target 'MASQUERADE'
        option family 'ipv4'
        list proto 'all'
        option enabled '0'
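To see how a source-based rule would steer the inner-tunnel client differently from the rest of Site 3, here is an added Python model (not from the post or from OpenWrt) that replays the Site 3 main table from the route -n dump above plus an assumed table 2 holding only a WAN default route, and walks the rules the way the kernel does.

```python
import ipaddress

# Site 3 main table, transcribed from the route -n dump above (the
# redacted x.x.x.x WAN lines are left out; they play no role here).
MAIN = [
    ("0.0.0.0/0", "WG51820"),
    ("10.0.100.0/24", "WG51820"),
    ("10.0.102.0/24", "WG51821"),
    ("10.0.102.2/32", "WG51821"),
    ("10.7.7.0/24", "br-lan"),
]
# Assumed table 2: just a WAN default route, i.e. what a
# "config route ... option table '2'" aimed at wan is meant to create.
TABLES = {"main": MAIN, "2": [("0.0.0.0/0", "eth0")]}

# Policy rules, lowest priority number first: (from, to, table).
# The first rule keeps the client's traffic to local prefixes on the
# main table; without it table 2's default would swallow LAN traffic too.
RULES = [
    ("10.0.102.2/32", "10.0.0.0/8", "main"),
    ("10.0.102.2/32", "0.0.0.0/0", "2"),
    ("0.0.0.0/0", "0.0.0.0/0", "main"),
]
NO_RULES = [("0.0.0.0/0", "0.0.0.0/0", "main")]  # plain single-table routing


def lookup(table, dst):
    """Longest-prefix match inside one table; None when nothing matches."""
    best = None
    for prefix, dev in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def egress(src, dst, rules=RULES):
    """Evaluate rules in order; a table with no matching route falls through."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for from_sel, to_sel, table in rules:
        if src not in ipaddress.ip_network(from_sel):
            continue
        if dst not in ipaddress.ip_network(to_sel):
            continue
        dev = lookup(TABLES[table], dst)
        if dev is not None:
            return dev
    return None


if __name__ == "__main__":
    print(egress("10.0.102.2", "1.1.1.1", NO_RULES))  # WG51820: the symptom
    print(egress("10.0.102.2", "1.1.1.1"))            # eth0
    print(egress("10.7.7.10", "1.1.1.1"))             # WG51820
    print(egress("10.0.102.2", "10.7.7.1"))           # br-lan
```

On the router itself, `ip route get 1.1.1.1 from 10.0.102.2 iif WG51821` performs the same rule-then-table lookup against the live tables, which is the quickest way to see which interface the client's traffic really leaves on.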

Did I understand correctly that you would like to set up a tunnel between site 2 and site 3 over the existing tunnel via site 1?
Is there no option to set up a direct tunnel between site 2 and site 3?

My setup does the latter: I have a server that acts as my main wireguard peer where mobile clients and sites 1 and 2 connect to. This works, but all traffic flows via the main peer. So in order to speed up the traffic between sites 1 and 2, there is another tunnel to directly connect site 1 and site 2.

Is this somewhat related to your desired setup? What my setup does not include is tunneling all traffic via one of the WAN interfaces.

Yes, I am attempting to set up a tunnel between site 2 & 3 over the existing tunnel via site 1...a spoke and hub model. Direct connection of Site 2 to Site 3 is not an option as I do not have control of the edge routers at sites 2 and 3, so I would not be able to set up a port forward for inbound traffic.

It sounds like you have connectivity between sites 2 and 3 already over the existing ('outer') tunnel? Is that correct?

Yes, site 2 can connect to site 3 via the “outer” tunnel. From site 2 I can access site 3’s LuCI interface via a browser and SSH into a console.

The ‘inner’ tunnel shows Rx and Tx packets and I can access Site 3’s LuCI interface via its 10.0.102.x address.

I just can’t get the Internet traffic to route out Site 3’s WAN connection.

Does site 3 have a public IP address?

It does have a public IP.

Well I'm not sure why you've added the inner tunnel. If you can make changes to the 3 RPis then you can pass the required traffic over the existing tunnel. It's just a matter of the correct routes (and maybe slightly altering the allowedIPs at site 1).


If I don’t need the inner tunnel can you please explain how I make Site 2’s internet traffic route thru the ‘outer’ tunnel to Site 3 and then exit on Site 3’s internet connection? Sorry I’m a novice at this.

Logically it made sense to me to have the ‘inner’ tunnel essentially do the reverse of the outer tunnel for specific clients.

Thanks for your help!!

If site 3 has a public IP, why not simply connect from site 2 to site 3 directly? If you want to use site 3's wan IP as your apparent IP, it is far more efficient to connect directly than to go through site 1.

If you need access to site 1, you could simply ensure that site 1 and 3 are connected to each other, and then site 2 can reach site 1 via site 3, and can use site 3's wan without the need for an 'inner tunnel'.

I may be wrong but I assume for site 2 to connect directly to site 3, one of them would need to accept inbound connections and thus require port forwarding at the edge router. I do not control the edge routers for site 2 or 3 thus the hub and spoke approach.

Where is the WireGuard endpoint within the context of site 3? Is it in the edge, or is it behind it? Is the edge configured with any open ports or port forwards, or is it closed for inbound connections and only allows an outbound connection?

Site 3’s edge can probably be best likened to a Wifi hotspot. Site 3 is essentially a travel router grabbing an IP from the hotspot and establishing the WireGuard tunnel to Site 1. This would be the “outer” tunnel.

I hope this makes sense.

Yes, that makes sense.

Next question -- do you really need the inner tunnel (i.e. true tunnel within the tunnel), or is this fundamentally a question about routing?

It can be solved with routing, but with the intermediary site (and traffic from sites 2 and 3 using that site's WAN for internet access) it likely means adjusting the allowedIPs at site 1 to include 0.0.0.0/0 (at least to site 3) and manually creating the required routes. Tricky to get right for a novice.

The main objective is to be able to route some traffic out site 3’s WAN and some out Site 1’s. If I can do that without the ‘inner’ tunnel that would be great.

After getting everything working to send traffic out Site 1’s connection, it just made sense to me to have a second tunnel to make traffic go out Site 3.

What defines the difference between what egresses from each site?

I could set it to a specific IP. So I could have two peer configs on Site 2 to connect to Site 1, each assigning a specific IP. Depending on which egress point I want, I could select the appropriate peer to connect to Site 1.

Maybe I didn't ask the question properly...

What are the criteria you have in mind that would say "this traffic should egress via site 1's wan, and this other traffic should go by site 3's wan"?

For example (just making silly stuff up):

  • Netflix should go via site 1's wan
  • facebook should go via site 3's wan.

Or any other criteria you might have in mind.

Alternatively, is the egress path selection supposed to be automatic, or would you be changing this manually on your own terms?

We can go with manual switching. So if profile 1 is active, all traffic goes out Site 1, and if profile 2 is active, then all traffic goes out Site 3.