WireGuard: two OpenWrt routers as an Ethernet cable

Hi, I'm trying to remove 2 WiFi antennas doing a PtP transparent bridge between 2 sites. Now we have access to an FTTH 600/600 connection at the "park" site, so we want to remove the radios and use 2 OpenWrt routers as a transparent bridge.

I'm having problems getting this working. The problem is that clients from the park router are not able to reach the LAN on the "Hotel" (server) site. They go to the internet with the "hotel" public IP, so the tunnel seems fine. But no LAN ping.

Sorry for my English and my limited network skills :slight_smile:

Here is the hotel server config:

/etc/config/network

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.254.0'
        option ip6assign '60'
        option _orig_ifname 'eth0'
        option _orig_bridge 'true'
        option ifname 'eth2 eth1 eth3'
        option ipaddr '192.168.206.254'

config interface 'wan'
        option ifname 'eth0.6'
        option proto 'pppoe'
        option username 'xx@xx'
        option password 'xx'
        option ipv6 '1'
        option mtu '1492'

config interface 'wan6'
        option proto 'dhcpv6'
        option ifname 'eth0.6'
        option reqaddress 'try'
        option reqprefix 'auto'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'xxxx'
        option listen_port '51820'
        list addresses '172.16.29.1/24'

config wireguard_wg0
        option public_key 'xxxx'
        option route_allowed_ips '1'
        list allowed_ips '172.16.29.1/24'
        option persistent_keepalive '25'
        option description 'park'

/etc/config/firewall

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan wg0'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'udp'
        option src_dport '51820'
        option dest_ip '192.168.206.254'
        option dest_port '51820'
        option name 'wirewart'

Park configuration:

/etc/config/network

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.254.0'
        option ip6assign '60'
        option _orig_ifname 'eth0'
        option _orig_bridge 'true'
        option ifname 'eth1'
        option ipaddr '192.168.206.3'

config interface 'wan'
        option ifname 'eth0.6'
        option proto 'pppoe'
        option username 'xx@xx'
        option password 'xx'
        option ipv6 '1'
        option mtu '1492'

config interface 'wan6'
        option proto 'dhcpv6'
        option ifname 'eth0.6'
        option reqaddress 'try'
        option reqprefix 'auto'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'xxxx'
        option listen_port '51820'
        list addresses '172.16.29.2/24'

config wireguard_wg0
        option public_key 'xxxxxx'
        option route_allowed_ips '0'
        option persistent_keepalive '25'
        option description 'hotel'
        list allowed_ips '0.0.0.0/0'
        option endpoint_host '213.xx.79.xx'
        option endpoint_port '51820'

/etc/config/firewall

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6 wg0'

config rule
        option target 'ACCEPT'
        option src 'wan'
        option proto 'tcp udp'
        option dest_port '51820'
        option name 'wireward'

Can you help me?

Best regards,

From what I understand, and you should confirm as I'm hardly a WireGuard expert, WireGuard is only a point-to-point routed solution.

Assuming that is true, something like a GRE L2 tunnel (running on a WireGuard-encapsulated or otherwise encrypted link) would be one way to provide a point-to-point "virtual wire" over the link.

Tangential config comment -- the _orig_* options are legacy cruft from the way LuCI used to manage changes.


Ohh really? I didn't know this. So I must use a different LAN subnet on the client side, so no DHCP over the WireGuard tunnel, and so on. This is going to be a pain for me. Thank you anyway.

Edit: thinking a bit about this, I don't need broadcast, I just want client "park" PCs to work with the same subnet on the other side. I don't care about L2, just trying to get the same results as 2 WiFi PtP with minimal configuration.

I've used GRE tunnels over a wireless connection, and it wasn't any pain at all; be brave, I am sure you can do this! :wink:


You don't need to change your existing subnet addressing. You can use the WireGuard end-point addresses (172.16.0.1 and 172.16.0.2, as an example) as the end points of the GRE tunnel. The GRE portals would be bridged to the appropriate network segments. VLAN notation can be used to bridge multiple subnets from the same router.

The one "gotcha" is that L2 tunnels "can't" handle fragmentation back to the originating host, just to the encapsulating interface's host. As a result, careful consideration of the MTU of the various segments is needed. The GRE tunnel needs to handle 1500 MTU, so its "carrier" needs a slightly larger MTU. Similarly, there is overhead from WireGuard encapsulation for which an increased MTU on its carrier can help with reducing fragmentation performed by WireGuard itself. There have been some issues in the past with increased MTU and ath10k/ath10k-CT drivers. I haven't evaluated the latest drivers and firmware to see if wireless MTU can be reliably increased. It may be that WireGuard can manage the fragmentation at that level without changing the wireless MTU.
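The gretap-over-WireGuard layout and the MTU budget described in the two replies above, worked through as an added example (not posted by anyone in this thread): it uses the thread's wg0 addresses (172.16.29.1 and 172.16.29.2) and PPPoE WAN MTU of 1492, assumes IPv4 transport with the usual WireGuard and GRE overheads, and assumes the option names of the OpenWrt `gre` protocol handler (ipaddr, peeraddr, tunlink, network, mtu).

```shell
#!/bin/sh
# Added example, not from the thread. Computes the MTU chain for
# LAN frame -> gretap -> wg0 -> PPPoE WAN and emits the gretap stanza.
# Overheads assumed for IPv4 transport:
#   WireGuard: 20 (IPv4) + 8 (UDP) + 32 (WG data header + auth tag) = 60
#   gretap:    20 (IPv4) + 4 (GRE, no key/csum) + 14 (Ethernet)     = 38
WG_OVERHEAD=60
GRETAP_OVERHEAD=38

# MTU to set on wg0 so WireGuard itself never has to fragment on a $1-byte WAN.
wg_mtu_for_carrier() {
    echo $(( $1 - WG_OVERHEAD ))
}

# Largest LAN packet that crosses the whole chain unfragmented on a $1-byte WAN.
inner_mtu_for_carrier() {
    echo $(( $1 - WG_OVERHEAD - GRETAP_OVERHEAD ))
}

# WAN MTU needed to carry a $1-byte LAN packet with no fragmentation anywhere
# (this is the "slightly larger carrier MTU" the reply talks about).
carrier_mtu_for_inner() {
    echo $(( $1 + GRETAP_OVERHEAD + WG_OVERHEAD ))
}

# /etc/config/network stanza for one site: $1 = local wg0 address,
# $2 = remote wg0 address, $3 = gretap MTU. 'network lan' attaches the
# tunnel to the existing lan bridge, so both LANs keep 192.168.206.0/23.
gretap_stanza() {
    cat <<EOF
config interface 'gre_lan'
        option proto 'gretap'
        option ipaddr '$1'
        option peeraddr '$2'
        option tunlink 'wg0'
        option network 'lan'
        option mtu '$3'
EOF
}

WAN_MTU=1492   # PPPoE, as in both routers' wan config
echo "wg0 MTU on a $WAN_MTU WAN: $(wg_mtu_for_carrier "$WAN_MTU")"
echo "gretap MTU on a $WAN_MTU WAN: $(inner_mtu_for_carrier "$WAN_MTU")"
echo "WAN MTU for unfragmented 1500-byte LAN packets: $(carrier_mtu_for_inner 1500)"
echo "--- hotel side stanza ---"
gretap_stanza 172.16.29.1 172.16.29.2 "$(inner_mtu_for_carrier "$WAN_MTU")"
```

The park router currently puts wg0 in the wan zone with input REJECT, so GRE (IP protocol 47) arriving from 172.16.29.1 would be dropped there; the tunnel endpoint interface needs a zone that accepts it, as the hotel side already does by listing wg0 under lan.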

