Wireguard two Interfaces

Yes, I can't set it up again on the same interface. The only thing I was not sure about setting up was the IPs.


What should I put there?

From my understanding, these are the IPs I allowed on the other peer (my WG server). So if I add another IP here, let's say from the new peer, it fails. If I delete that new IP (which my server of course doesn't know about), it works.

Yes, I did assign a different port and I did add a new rule to firewall to allow it.

You don't have to touch that page on your existing interface. It's just the peer page you are interested in.

How have you set up the device you want to connect from remotely? IP address etc? Ideally post the Wireguard config for that device.

This is the peer I connect to:


Endpoint and keys are set - I just cut them out.

And this is the peer I set up to connect to with my phone:


Keys are set, cut out. Endpoint is not set, because to my understanding there is none.

Output of /etc/config/network:

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'XXX'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.100.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option ifname 'eth1.2'
	option proto 'dhcp'
	list dns '192.168.100.1'
	option peerdns '0'

config interface 'wan6'
	option ifname 'eth1.2'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	list dns '::1'
	option peerdns '0'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'XXX'
	option listen_port '51820'
	list addresses '10.200.200.6/32'
	list addresses 'XXX/128'

config wireguard_wg0
	option route_allowed_ips '1'
	option endpoint_host 'XXX'
	option endpoint_port '51820'
	option persistent_keepalive '21'
	option public_key 'XXX'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::0/0'

config wireguard_wg0
	option public_key 'XXX'
	option description 'VoWifi'
	list allowed_ips '10.14.0.3/32'
	option route_allowed_ips '1'
	option persistent_keepalive '21'

And what's the config on your phone?


There you go :slight_smile:

So that works, but if you put your WAN IP it will no longer connect?

What's on the other end of your existing working connection? What does that have for the endpoint in its config?

No that didn't ever work. It works when I put it on a different interface and I assign it to firewall zone lan. Any other zone - no chance to get it to work. And it doesn't work when I add the peer to the existing interface.

On the other end of my existing connection there is no endpoint.

wg0 has one peer: it connects to my server on a public IP.
My server on the other end has no endpoint set, because it is the endpoint.

Let me make sure I understood correctly:

  • You've got a remote server with a public IP. You've installed WireGuard on it.
  • Your router is configured as a WG peer of your remote server.
  • You would like to configure another WG interface on your router, to which your phone would connect. The purpose of this is to use some services outside your country.

Is the above correct?

config wireguard_wg0
	option route_allowed_ips '1'
	....
	list allowed_ips '0.0.0.0/0'

^ This part of your config means the router will forward everything to the remote server. No surprise your router's WAN is not reachable. There are a couple of ways to make this work - some are easier than others. It all depends on what you are using the remote server VPN for.

Option 1 - if you use the remote server to host something like nextcloud, pihole, or some other services that you'd want to be not accessible from the internet and only to your WG peers - then this will make things pretty simple.

Option 2 - you still want your router at home to forward all of your traffic to the remote WG server, except for when your phone is connected to the 2nd WG interface on your router. You want your phone's internet access to be via your router's WAN interface. This one is a trickier option.

Let me know which one and if it's the 1st option - I will be able to help right away. 2nd option would need some more work, and like someone above mentioned - policy based routing would be a good choice.
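The diagnosis above (a catch-all allowed_ips with route_allowed_ips set pulls the router's default route into the tunnel) can be checked mechanically. The script below is an added example, not from this thread: it parses a constructed UCI excerpt modelled on the router config posted earlier, resolves which peer WireGuard's cryptokey routing would pick for a destination (longest prefix wins), and flags the catch-all. The 10.100.200.0/28 subnet is the one from Option 1; the fd00:200::/64 prefix and the key placeholders are constructed.

```python
import ipaddress
# Constructed UCI excerpt modelled on the router config in this thread.
UCI = """
config wireguard_wg0
    option route_allowed_ips '1'
    option public_key 'SERVER_KEY'
    list allowed_ips '0.0.0.0/0'
    list allowed_ips '::0/0'
config wireguard_wg0
    option public_key 'PHONE_KEY'
    option description 'VoWifi'
    list allowed_ips '10.14.0.3/32'
    option route_allowed_ips '1'
"""
# Option 1 from the thread: allow/route only the server-side subnet (the v6 prefix is a constructed ULA).
FIXED = UCI.replace("'0.0.0.0/0'", "'10.100.200.0/28'").replace("'::0/0'", "'fd00:200::/64'")
def parse_uci(text):
    """Parse UCI text into [(section_type, options)]; 'list' keys accumulate into lists."""
    sections = []
    for line in text.splitlines():
        kind, *rest = line.replace("'", "").split() or [None]
        if kind == "config":
            sections.append((rest[0], {}))
        elif kind == "option":
            sections[-1][1][rest[0]] = " ".join(rest[1:])
        elif kind == "list":
            sections[-1][1].setdefault(rest[0], []).append(" ".join(rest[1:]))
    return sections

def peers(sections, iface):
    return [opts for kind, opts in sections if kind == "wireguard_" + iface]

def peer_for(sections, iface, dst):
    """Cryptokey routing: the peer with the longest allowed_ips prefix containing dst, else None."""
    dst, best = ipaddress.ip_address(dst), None
    for p in peers(sections, iface):
        for net in map(ipaddress.ip_network, p.get("allowed_ips", [])):
            if net.version == dst.version and dst in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, p.get("description") or p.get("public_key"))
    return best[1] if best else None

def lint(sections, iface):
    """Flag catch-all allowed_ips that, with route_allowed_ips=1, move the default route into the tunnel."""
    issues = []
    for p in peers(sections, iface):
        name = p.get("description") or p.get("public_key")
        for a in p.get("allowed_ips", []) if p.get("route_allowed_ips") == "1" else []:
            if ipaddress.ip_network(a).prefixlen == 0:
                issues.append(f"{name}: {a} is routed over the tunnel, so all WAN traffic goes through it")
    return issues
```

With the original config, 8.8.8.8 resolves to the server peer and lint() reports both catch-alls; with the Option 1 subnet it resolves to no peer, so it leaves via the router's WAN.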

First, thank you for your reply @SirToffski.
Yes, all of your three assumptions are indeed true.

Oh man, I should have thought about that. This might also be the reason why my public facing WAN IP is not pingable :triumph:

To the options: Yes, I have some other services installed on that server. I have a dockerized setup of pihole, unbound and Wireguard, which makes browsing the web much more pleasant I think.

What changes are required to get option one working?
I also got VPN Policy/Bypass installed because there are some services that need to connect directly through my wan ip.

I think this all comes down to network numbering and routing. Part of the issue is that this is a policy thing, we don't know what you want to have happen...

Btw I strongly recommend you abandon IPv4 for your private network stuff and just use IPv6 ULA only; it will make your life easier!

@dlakelan Yeah, I'd love to ditch IPv4 in favor of IPv6. The thing is, my ISP doesn't provide native IPv6. So I use my VPN to get a /64 routed to my home network. I might be abusing the ULA field; I pasted the /64 I route via wg there. So all my devices will get a /128 handed out via DHCP.

And also one question about having IPv6 only in my network. How can devices then reach out to an IPv4 website? IPv4 and IPv6 are incompatible on the wire, aren't they? So, will I lose IPv4 connectivity if I only hand out IPv6 addresses?

Use a squid proxy on the VPS. Then it's the only thing doing IPv4.

Don't do that, get a ULA generated again and route that around your network. You can subnet it for different parts of your internal network. In IPv6 it's totally normal to have multiple networks.

Could you explain that a little further? I never looked into squid. How would the setup look?

I thought that it is total abuse of that field. But how would I then hand out IPv6 addresses routed through my wg?

All your home devices set your VPS as their proxy using a name that resolves to the ULA of your VPS, like http://myproxy.lan:3128. The VPS runs squid listening on port 3128. Whenever a device wants an http or https resource it connects to the VPS, which fetches the resource. If the VPS has both IPv6 and v4 then it can reach all the things.

Depending on your usage you might still need an IPv4 network and have the VPS masquerade it, but you can at least use the IPv6 portion of your network for all the infrastructure.

Just put that IP range on your LAN as a static address. You don't need any addresses on the wireguard tunnel itself. Just use some routing rules on the VPS to route that prefix over the wg tunnel.

UPD:
here's the running config on the router and VPS.
should give you a good idea how to do this
https://gist.github.com/SirToffski/5502cd558d855cc36e9dfb00628b708d

Yes, I've got a similar setup! Here's a diagram.

Your solution is:
Let's say the wg0 subnet (for the remote server) is 10.100.200.0/28. Put this range for the allowed IPs on your router's wg0 interface and check "Create routes for allowed IPs". Create a separate FW zone for the wg0 interface and make it similar to the WAN zone, including MASQUERADING. This way all your outbound traffic to the server will have the source IP of the router's wg0 interface.

Then another network/interface wg1 10.200.200.0/28 is where your phone will connect to. Also make a separate FW zone for it and configure that zone similar to your LAN zone.

Also - if you use the remote server for outbound and pihole - I found it's actually easier to make that remote server a peer of the WG server hosted on the router. In that case the wg config on your remote server would be like this:

[Interface]
Address = 10.200.200.12
PrivateKey = key_goes_here
DNS = whatever_DNS_you_want

[Peer]
PublicKey = Key_goes_here
Endpoint = Your_router's_public_IP:51820
AllowedIPs = 10.200.200.0/28,192.168.2.0/24,192.168.1.0/24
PersistentKeepalive = 21

and on your router the peer for the remote server can be like this:

config wireguard_wg0
	option persistent_keepalive '21'
	option public_key 'key_goes_here'
	option route_allowed_ips '1'
	list allowed_ips '10.200.200.12/32'

My setup: [EDIT... this was my setup about 4 days ago. Now the VPS is a part of wg0 (yellow) zone. I find it’s easier because you don’t have to open any ports to the internet on the VPS that way. And the setup is simpler too]


@SirToffski Thank you for your detailed explanation. I'll give that a try tomorrow and come back to you.