Wireguard two Interfaces

Hey Guys,

I have a Wireguard VPN setup. Basically all the traffic goes through it. Now I need to host a Wireguard server on the same interface. It's for VoWifi.

So how can I accomplish this?

Please tell me if you need any further information.

I can't connect to the new VPN interface I created.

I followed this guide, but the Wireguard VPN is self-hosted.


It'd be helpful if you posted the current contents of your /etc/config/network file. Remove any sensitive details such as keys or public IPs. Some more details about the new connection you want to set up would be helpful. What is at the other end of the tunnel? What traffic needs to pass along it?

I don't understand the desired configuration, but I recommend studying Policy-Based Routing.

This guide is to configure a WG client that connects to the AzireVPN server.

For setting up your WG server in OpenWrt follow this guide.

@krazeh
@ulmwind I have my OpenWrt router connected to my Wireguard VPN. Now I need to be able to connect to that router. I want to connect to my router over the router's WAN IP address. I want to use that for VoWifi when I'm abroad.

	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'XXX'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.100.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option ifname 'eth1.2'
	option proto 'dhcp'
	list dns '192.168.100.1'
	option peerdns '0'

config interface 'wan6'
	option ifname 'eth1.2'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	list dns '::1'
	option peerdns '0'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'XX'
	list addresses '10.200.200.6/32'
	list addresses 'XX'
	option listen_port '51820'

config wireguard_wg0
	option route_allowed_ips '1'
	option endpoint_host 'XXX'
	option endpoint_port '51820'
	option persistent_keepalive '21'
	option public_key 'XXX'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::0/0'

If I try to follow this guide, for example: https://www.reddit.com/r/openwrt/comments/bahhua/openwrt_wireguard_vpn_server_tutorial/

I'm not able to connect. Could it be that I can't reach it over my router's WAN IP because everything goes through my Wireguard VPN tunnel, where I'm connected as a "client" (or peer, or whatever the right WG terminology is)?

So I assume your current VPN is working? All your local traffic goes out through your VPN provider (AzireVPN?)?

You need to create a new peer on the existing interface for your new connection. What is it you're going to be connecting on the other end? Have you already set up wireguard on that device?

Please give the output of ifconfig wg0

First - Do you know the IP of the remote Wireguard tunnel, or will the remote device be on a dynamically assigned IP?

@krazeh Yes, my VPN is working, and yes, all my traffic is going through my VPN.
On the other end I'm going to connect a phone. I also set up the phone already.

@ulmwind There you go:

wg0       Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
       inet addr:10.200.200.6  P-t-P:10.200.200.6  Mask:255.255.255.255
       inet6 addr: XXXX:301:ff06::1/128 Scope:Global
       UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
       RX packets:98161 errors:0 dropped:0 overruns:0 frame:0
       TX packets:83683 errors:0 dropped:0 overruns:0 carrier:0
       collisions:0 txqueuelen:1000 
       RX bytes:103723840 (98.9 MiB)  TX bytes:18776760 (17.9 MiB)

@lleachii The OpenWrt device I want to connect to has a fixed IP from my ISP, not behind NAT.

Is it possible to have my OpenWrt router connected to that VPN but also offer a "server" that I can connect to? @all

  • Then you would make a route for that /32 IP to use WAN

Can you post your config for the phone? Have you tried setting up a new peer config for the phone on the existing Wireguard interface on your router?

So it is the IP of the WG client. Now you want to start a server, am I right? Or do you want to set up access via IP 10.200.200.6 from the WG server?

10.200.200.6 is the IP I use to connect to my VPN ("allowed IP").
How can I add another peer to the config? 10.200.200.6/32 is allowed, so I couldn't just make up another IP because there is no IP left in the range.

And yes, I want to start a server now. How can I start a server while also maintaining connectivity to the other server?

I think there is a principal problem with multiple servers and clients in WireGuard, because it uses UDP, and it can't be tracked like TCP. I don't understand your issue concerning allowed IPs.

WireGuard nodes are peers, so there is no "server" and "client"... So right now you have a WireGuard peer that peers with your Azire... which is fine...

Next, you set up on your OpenWrt router another WireGuard peer, listening on a different port, and you open up INPUT to your OpenWrt router on that port...

Next, I assume you have a travel router or phone or some such thing that plans to use WireGuard to connect to your home router. Great...

I'll call the two devices "home router" and "travel router" but please substitute phone or whatever the remote device is called.

On the travel router, put the public key of the home router and the static peer address and port of the home router, and put allowed IPs of 0.0.0.0/0 (you presumably need to reach the whole internet to send your VoIP packets...)

On the home router, put the public key of the travel router, and the port on which to listen. Open up the firewall for INPUT for that listen port on the home router.

Now you just need to figure out routing. But to do that we need to understand more about which devices you plan to connect to. Most likely you simply put say 10.123.123.1/32 on your new peer interface on the home router and 10.123.123.2/32 on the travel router... and voila.
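The procedure above (second interface on a different port, a peer for the travel device, INPUT opened on the home router) as a UCI batch. This is an added example, not code from the thread or from OpenWrt; the port 51821, the 10.123.123.0/24 subnet, the key placeholders and the assumption that firewall zone @zone[0] is 'lan' are all mine.

```shell
#!/bin/sh
# Added example: second WireGuard interface (wg1) beside the existing wg0,
# which keeps carrying the default route. All addresses, ports and keys
# below are assumed placeholders, not values from the thread.
WG0_PORT=51820          # port already used by wg0 in the posted config
WG1_PORT=51821          # must differ from WG0_PORT
WG1_ADDR='10.123.123.1/24'
TRAVEL_ALLOWED='10.123.123.2/32'
WG1_KEY='HOME_ROUTER_PRIVATE_KEY_PLACEHOLDER'
TRAVEL_PUBKEY='TRAVEL_DEVICE_PUBLIC_KEY_PLACEHOLDER'

# Two WireGuard interfaces on one host cannot share a listen port.
port_ok() {
  [ "$WG1_PORT" -ne "$WG0_PORT" ]
}

# Print the uci batch; review it, then apply on the router with: $0 apply
wg1_batch() {
  cat <<EOF
set network.wg1=interface
set network.wg1.proto='wireguard'
set network.wg1.private_key='$WG1_KEY'
set network.wg1.listen_port='$WG1_PORT'
add_list network.wg1.addresses='$WG1_ADDR'
add network wireguard_wg1
set network.@wireguard_wg1[-1].description='travel device'
set network.@wireguard_wg1[-1].public_key='$TRAVEL_PUBKEY'
add_list network.@wireguard_wg1[-1].allowed_ips='$TRAVEL_ALLOWED'
set network.@wireguard_wg1[-1].route_allowed_ips='1'
add_list firewall.@zone[0].network='wg1'
add firewall rule
set firewall.@rule[-1].name='Allow-WireGuard-wg1'
set firewall.@rule[-1].src='wan'
set firewall.@rule[-1].proto='udp'
set firewall.@rule[-1].dest_port='$WG1_PORT'
set firewall.@rule[-1].target='ACCEPT'
commit network
commit firewall
EOF
}

# Only talk to uci on the router; elsewhere just show the batch for review.
if command -v uci >/dev/null 2>&1 && [ "$1" = "apply" ]; then
  port_ok && wg1_batch | uci batch
else
  wg1_batch
fi
```

No endpoint_host is set for the travel peer because its address is dynamic; the home router only needs to listen. Because wg0 still owns the default route, replies from the WAN address can be pulled into wg0, which is the policy-routing question raised earlier in the thread and is not solved by this batch.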

Multiple interfaces need different ports, but each interface can have multiple peers all on the same port. There's no need for a separate interface here, just a new peer on the existing interface.


I think it makes much more sense for the remote device to be on a separate network with separate addresses, especially because you have no control over address assignment in Azire's network.

Well yes it does, but that can still be done by adding it as a new peer to the existing interface.

@dlakelan Thank you for your reply. I tried to set up another peer on the same WG interface. My VPN provider is not Azire. I hosted it myself. I just followed their guide to get it set up on my router.
It didn't work. Then it wouldn't connect to the VPN anymore.
@krazeh

I now set up a WG connection on a different interface, which I can connect to fine while I'm on WiFi. Endpoint is 192.168.100.1, the local IP of my router. However, if I put in the IP of my WAN (public-facing IP) I cannot connect. Any ideas for troubleshooting?
Also, my public IP doesn't seem to be pingable. Why? ICMP requests are allowed.

Can you set it up like this again, then post the content of /etc/config/network?

I assume you gave the new interface a different port? Did you add a new rule to the firewall?