Wireguard tunnel on Seperate SSID

Installing and Using OpenWrt
1

Hello Guys!

I'm getting my feet wet again with OpenWRT. I am working on a project for my community. We have long trails between our backyards with 0 cell phone coverage. A couple times a year someone will have an emergency on the trail. The homes have pretty good internet speeds, including our community center. So I would like to bring a directional WiFi AP to each of the homes. It will cover their section of the trail. It will expand their own WiFi network over their backyard but also have the Community WiFi network tunneled back using Wireguard and BATMAN (for DHCP over VPN). Here is a quick block sketch:

OutdoorWRT Diagram
OutdoorWRT Diagram3001×1688 245 KB

I am working on this bit by bit. My issue currently is something in my head just can't click about IP routes and firewall settings. I haven't configured BATMAN yet so I am getting the IP address from locally. But I have Community WiFi running and it is handing out IP addresses. I have wireguard working and it is handshaking with the remote server. Problem is, of course, I can't get the Wifi to go anywhere. I've done this a few times where all traffic goes over wireguard. But I am not sure where the link is broken.

networks

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdce:87b8:6a5d::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.200.1'

config interface 'wwan'
	option proto 'static'
	option ipaddr '192.168.100.21'
	option broadcast '192.168.100.255'
	list dns '1.1.1.1'
	list dns '8.8.8.8'
	option gateway '192.168.100.254'
	option netmask '255.255.255.0'

config device
	option name 'wlan0'

config interface 'HomeRelayWifi'
	option proto 'none'

config interface 'HomeRelayINT'
	option proto 'relay'
	option ipaddr '192.168.100.21'
	list network 'HomeRelayWifi'
	list network 'lan'
	list network 'wwan'

config device
	option type 'bridge'
	option name 'WG-BR'
	option bridge_empty '1'

config interface 'WG_INT'
	option proto 'static'
	option device 'WG-BR'
	option ipaddr '192.168.51.1'
	option netmask '255.255.255.0'
	list dns '1.1.1.1'
	list dns '8.8.8.8'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'xxxx='
	option listen_port '51820'
	list addresses '10.13.13.4'
	option peerdns '0'
	list dns '10.13.13.1'

config wireguard_wg0
	option description 'Imported peer configuration'
	option public_key 'xxxx='
	option preshared_key 'xxxxx='
	list allowed_ips '0.0.0.0/0'
	option endpoint_host '~Public IP~'
	option endpoint_port '51820'
	option persistent_keepalive '10'
	option route_allowed_ips '1'

config rule
	option in 'WG_INT'
	option out 'wg0'
	option src '192.168.51.0/24'
	option disabled '1'

Firewall:

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wwan'
	list network 'HomeRelayWifi'

config zone
	option name 'WGWiFiFW'
	option forward 'ACCEPT'
	option mtu_fix '1'
	list network 'WG_INT'
	option input 'ACCEPT'
	option output 'ACCEPT'

config rule
	option name 'WG-DHCP'
	list proto 'udp'
	option src 'WGWiFiFW'
	option dest_port '67'
	option target 'ACCEPT'

config zone
	option name 'WG_FW'
	option output 'ACCEPT'
	list network 'wg0'
	option masq '1'
	option input 'ACCEPT'
	option forward 'ACCEPT'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/pbr.firewall.include'

config forwarding
	option src 'WGWiFiFW'
	option dest 'WG_FW'

(PBR is installed but I haven't made any changes)

Wireless:

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/ahb/18100000.wmac'
	option band '2g'
	option htmode 'HT20'
	option channel 'auto'
	option cell_density '0'

config wifi-iface 'wifinet1'
	option device 'radio0'
	option mode 'sta'
	option network 'wwan'
	option ssid '~Home WiFi~'
	option encryption 'none'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'HomeRelayWifi'
	option encryption 'none'
	option network 'HomeRelayWifi'

config wifi-iface 'wifinet3'
	option device 'radio0'
	option mode 'ap'
	option ssid 'CommunityWiFi'
	option encryption 'none'
	option network 'WG_INT'

interface: wg0
  public key: xxxx=
  private key: (hidden)
  listening port: 51820

peer: xxxxx=
  preshared key: (hidden)
  endpoint: ~Public IP~:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 1 minute, 41 seconds ago
  transfer: 2.07 KiB received, 12.57 KiB sent
  persistent keepalive: every 10 seconds

any insight on where I am borking this would be helpful. Also bonus points if you could give me a heads up on GRETAP-BATMAN-Wireguard integration.

2

First and Last Bump.

3

I'm unfamiliar with BATMAN, but you should look into IP rules and routing tables, similar to what's described here.

4

@HikingJennifer hey, so the issue what you have is, that none wireless can reach the Internet or just CommunityWiFi?

If the second, there was a good explaination on Reddit done by @zekica (I think you created that manual, right?) how to create a Wireless SSID that will be connected to the Wireguard client network interface and send the traffic through that interface.