Wireguard vpn and correct way of using peers

Hello!,

So I have some difficulty understanding something; I hope somebody can tell me whether this configuration is considered 'intended' or whether I might break something.

so I have followed this guide by mullvad:
https://mullvad.net/en/help/running-wireguard-router (if you scroll down to the title ' Configure WGInterface settings')

this works perfectly, I also use PBR and have the default gateway option disabled, but now comes my issue.

currently I decided to create another wgclient interface, but as an exact copy: this means the reserved IP is the same, as well as the private and public key; the only difference is the country in the peers section.

my ultimate goal with this is:

wgclient <- as normal vpn connection
wgclient2 <- only for youtube

so far it works, but it makes me question whether this is the intended way of doing so :slight_smile: is there not a way to make a peer a separate interface from wgclient? maybe I've misunderstood the implementation, but I thought peers could also act as separate clients?

my configuration (I stripped the pieces which should be private; please note that the keys are all equal):

network

# Loopback: stock OpenWrt definition, unchanged.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '2'

# br-lan is a VLAN-aware bridge over the five physical lan ports plus
# 'vx0', the VXLAN interface defined further down (which itself rides on
# the 'wgserver' WireGuard tunnel).  IPv6 is disabled on the bridge.
config device
	option name 'br-lan'
	option type 'bridge'
	option ipv6 '0'
	option bridge_empty '1'
	option mtu '1500'
	option multicast_to_unicast '0'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'
	list ports 'vx0'

# Management/default LAN lives on VLAN 169 of the bridge (untagged on the
# lan ports, see the bridge-vlan stanzas below).
config interface 'lan'
	option device 'br-lan.169'
	option proto 'static'
	option ipaddr '10.234.53.1'
	option netmask '255.255.255.0'
	option delegate '0'

# WAN is a DHCP client on VLAN 300 of eth1; classless static routes from
# the ISP's DHCP server are ignored.
config interface 'wan'
	option device 'eth1.300'
	option proto 'dhcp'
	option delegate '0'
	option classlessroute '0'

# Bridge VLAN table for br-lan.  VLAN 169 is the only one delivered
# untagged (and as PVID, ':u*') on every lan port; all other VLANs are
# tagged.  VLANs 50 and 51 are also tagged on 'vx0', i.e. they are
# stretched over the VXLAN/WireGuard tunnel to the remote site.
config bridge-vlan
	option device 'br-lan'
	option vlan '169'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:u*'
	list ports 'lan5:u*'

# VLAN 6 ('aria') is only presented on lan3.
config bridge-vlan
	option device 'br-lan'
	option vlan '6'
	list ports 'lan3:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '49'
	list ports 'lan1:t'
	list ports 'lan2:t'
	list ports 'lan4:t'
	list ports 'lan5:t'

# VLAN 50 ('wlan0') crosses the vx0 tunnel as well.
config bridge-vlan
	option device 'br-lan'
	option vlan '50'
	list ports 'lan1:t'
	list ports 'lan2:t'
	list ports 'lan4:t'
	list ports 'lan5:t'
	list ports 'vx0:t'

# VLAN 51 ('wlan1') crosses the vx0 tunnel as well.
config bridge-vlan
	option device 'br-lan'
	option vlan '51'
	list ports 'lan1:t'
	list ports 'lan2:t'
	list ports 'lan4:t'
	list ports 'lan5:t'
	list ports 'vx0:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '52'
	list ports 'lan1:t'
	list ports 'lan2:t'
	list ports 'lan4:t'
	list ports 'lan5:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '53'
	list ports 'lan1:t'
	list ports 'lan2:t'
	list ports 'lan4:t'
	list ports 'lan5:t'

# Per-VLAN router interfaces.  Each is a /24 with the router as .1, with
# defaultroute and delegate both off so none of them can ever become the
# default route or receive an IPv6 prefix.
config interface 'aria'
	option proto 'static'
	option device 'br-lan.6'
	option defaultroute '0'
	option delegate '0'
	option ipaddr '192.168.99.1'
	option netmask '255.255.255.0'

config interface 'pcnet'
	option proto 'static'
	option device 'br-lan.49'
	option ipaddr '10.34.79.1'
	option netmask '255.255.255.0'
	option defaultroute '0'
	option delegate '0'

# wlan0 (VLAN 50) is also the network the 'wifivpn' peers are configured
# to reach the router on (endpoint_host 10.234.80.1 below).
config interface 'wlan0'
	option proto 'static'
	option device 'br-lan.50'
	option ipaddr '10.234.80.1'
	option netmask '255.255.255.0'
	option defaultroute '0'
	option delegate '0'

config interface 'wlan1'
	option proto 'static'
	option device 'br-lan.51'
	option ipaddr '10.234.81.1'
	option netmask '255.255.255.0'
	option defaultroute '0'
	option delegate '0'

config interface 'zigbee'
	option proto 'static'
	option device 'br-lan.52'
	option ipaddr '10.33.77.1'
	option netmask '255.255.255.0'
	option defaultroute '0'
	option delegate '0'

# Outbound (Mullvad) WireGuard client tunnels.  'wgclient2' is a verbatim
# copy of 'wgclient': same private_key and same tunnel address, only the
# peer stanzas (further down) differ.  Both tunnels therefore present the
# same WireGuard identity to the provider; that works, but it also means a
# compromise or rotation of this one key affects both interfaces at once,
# so keep the two stanzas in sync when the key is changed.
# defaultroute '0' keeps the tunnel from becoming the system default
# route; traffic is steered into it by PBR instead.
config interface 'wgclient'
	option proto 'wireguard'
	option private_key 'thekey21' # also fictional.
	list addresses '10.64.132.9991/32' # I changed this into a fictional number
	option defaultroute '0'
	option delegate '0'
	option metric '0'
	option classlessroute '0'
	option force_link '1'
	option mtu '1420'

# Second tunnel, identical key and address (see note above); intended to
# carry only selected traffic via PBR.
config interface 'wgclient2'
	option proto 'wireguard'
	option private_key 'thekey21' # also fictional.
	list addresses '10.64.132.9991/32' # I changed this into a fictional number
	option defaultroute '0'
	option delegate '0'
	option metric '0'
	option classlessroute '0'
	option force_link '1'
	option mtu '1420'

# Peer list for 'wgclient': thirteen Mullvad NL (Amsterdam) endpoints.
# Every peer claims allowed_ips 0.0.0.0/0, so only ONE of them can be
# enabled at a time (overlapping allowed_ips on the same interface); here
# only 'Netherlands_nl-ams-wg-004' lacks disabled '1' and is the active
# exit.  The others are kept as ready-made alternatives.  endpoint_host
# and public_key are redacted in this post.
config wireguard_wgclient
	option description 'Netherlands_nl-ams-wg-001'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host '<priv>'
	option endpoint_port '3004'
	# 0 = no keepalive packets (the WireGuard default).
	option persistent_keepalive '0'
	option public_key '<priv>'
	option disabled '1'

config wireguard_wgclient
	option disabled '1'
	option description 'Netherlands_nl-ams-wg-002'
	option public_key '<priv>'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host '<priv>'
	option endpoint_port '3039'

config wireguard_wgclient
	option disabled '1'
	option description 'Netherlands_nl-ams-wg-003'
	option public_key '<priv>'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host '<priv>'
	option endpoint_port '3040'

# The only enabled peer on this interface.
config wireguard_wgclient
	option description 'Netherlands_nl-ams-wg-004'
	option public_key '<priv>'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host '<priv>'
	option endpoint_port '3113'

config wireguard_wgclient
	option disabled '1'
	option description 'Netherlands_nl-ams-wg-005'
	option public_key '<priv>'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host '<priv>'
	option endpoint_port '3114'

config wireguard_wgclient
	option description 'Netherlands_nl-ams-wg-006'
	option public_key '<priv>'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host '<priv>'
	option endpoint_port '3094'
	option disabled '1'

config wireguard_wgclient
	option description 'Netherlands_nl-ams-wg-101'
	option public_key '<priv>'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host '<priv>'
	option endpoint_port '3019'
	option disabled '1'

config wireguard_wgclient
	option description 'Netherlands_nl-ams-wg-102'
	option public_key '<priv>'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host '<priv>'
	option endpoint_port '3041'
	option disabled '1'

config wireguard_wgclient
	option disabled '1'
	option description 'Netherlands_nl-ams-wg-103'
	option public_key '<priv>'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host '<priv>'
	option endpoint_port '3048'

config wireguard_wgclient
	option description 'Netherlands_nl-ams-wg-104'
	option public_key '<priv>'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host '<priv>'
	option endpoint_port '3095'
	option disabled '1'

config wireguard_wgclient
	option disabled '1'
	option description 'Netherlands_nl-ams-wg-201'
	option public_key '<priv>'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host '<priv>'
	option endpoint_port '3507'

config wireguard_wgclient
	option description 'Netherlands_nl-ams-wg-202'
	option public_key '<priv>'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host '<priv>'
	option endpoint_port '3508'
	option disabled '1'

config wireguard_wgclient
	option description 'Netherlands_nl-ams-wg-203'
	option public_key '<priv>'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host '<priv>'
	option endpoint_port '3509'
	option disabled '1'

# Inbound site-to-site WireGuard tunnel ('wgserver', 10.6.7.1/24).  This
# tunnel is the transport for the 'vx0' VXLAN interface below
# (tunlink 'wgserver', remote 10.6.7.2).
config interface 'wgserver'
	option proto 'wireguard'
	option private_key '<priv>'
	option listen_port '<priv>'
	list addresses '10.6.7.1/24'
	option defaultroute '0'

# Remote site peer.  allowed_ips 0.0.0.0/0 means WireGuard will accept
# decrypted packets from this peer with ANY source address and will send
# any destination to it if routed there; since route_allowed_ips is not
# set (OpenWrt's wireguard proto defaults it to off) no route is installed
# automatically, so what actually traverses this tunnel is decided by the
# vx0 tunnel and the routing/PBR rules.  Narrowing allowed_ips to the
# remote tunnel address(es) would make the cryptokey routing enforce that
# instead of relying on routing alone.
# NOTE(review): a peer stanza has no use for 'private_key' on the WireGuard
# side -- presumably it is what LuCI stores in order to export the remote
# end's config/QR; the remote's private key does not need to live on this
# router once that export is done.
config wireguard_wgserver
	option description 'MT3000'
	option public_key '<priv>'
	option private_key '<priv>'
	option endpoint_host '<priv>'
	option endpoint_port '<priv>'
	option persistent_keepalive '25'
	list allowed_ips '0.0.0.0/0'
	option preshared_key '<priv>'

# More isolated /24 VLAN networks; as above, none may become the default
# route or receive a delegated prefix.
config interface 'tvnet'
	option proto 'static'
	option device 'br-lan.53'
	option ipaddr '172.22.33.1'
	option netmask '255.255.255.0'
	option defaultroute '0'
	option delegate '0'

# VLAN 91 ('fakeisp'), tagged on the four trunk ports (lan3 excluded).
config bridge-vlan
	option device 'br-lan'
	option vlan '91'
	list ports 'lan1:t'
	list ports 'lan2:t'
	list ports 'lan4:t'
	list ports 'lan5:t'

config interface 'fakeisp'
	option proto 'static'
	option device 'br-lan.91'
	option ipaddr '10.10.10.1'
	option netmask '255.255.255.0'
	option defaultroute '0'
	option delegate '0'

# VLAN 23 ('iptv'), tagged on the four trunk ports (lan3 excluded).
config bridge-vlan
	option device 'br-lan'
	option vlan '23'
	list ports 'lan1:t'
	list ports 'lan2:t'
	list ports 'lan4:t'
	list ports 'lan5:t'

config interface 'iptv'
	option proto 'static'
	option device 'br-lan.23'
	option ipaddr '192.168.196.1'
	option netmask '255.255.255.0'
	option defaultroute '0'
	option delegate '0'

# Road-warrior style WireGuard server for personal devices ('wifivpn',
# 10.39.95.1/24, UDP 51820).  The smaller MTU (1384) is presumably chosen
# for the path the clients use -- not derivable from this file.
config interface 'wifivpn'
	option proto 'wireguard'
	option private_key '<priv>'
	option listen_port '51820'
	list addresses '10.39.95.1/24'
	option delegate '0'
	option defaultroute '0'
	option mtu '1384'

# Client peers.  allowed_ips is a single /32 per client, so each device
# can only source its own tunnel address.  endpoint_host 10.234.80.1 is
# this router's own 'wlan0' address, which is meaningless for a
# server-side peer entry -- presumably stored by LuCI for exporting the
# client's config; WireGuard itself will simply learn the client's real
# endpoint from its first handshake.
# NOTE(review): 'poco-x6-pro' has a preshared_key but 'ayaneo' does not;
# if the PSK is part of the intended hardening, apply it to both peers.
config wireguard_wifivpn
	option description 'poco-x6-pro'
	option public_key '<priv>'
	option private_key '<priv>'
	option endpoint_host '10.234.80.1'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	list allowed_ips '10.39.95.2/32'
	option preshared_key '<priv>'

config wireguard_wifivpn
	option description 'ayaneo'
	option public_key '<priv>'
	option private_key '<priv>'
	option endpoint_host '10.234.80.1'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	list allowed_ips '10.39.95.3/32'

# Allow multicast on the wifivpn device.
config device
	option name 'wifivpn'
	option multicast '1'

# VXLAN (VNI 4066) between this router (10.6.7.1) and the remote site
# (10.6.7.2), carried inside the 'wgserver' WireGuard tunnel.  'vx0' is a
# member port of br-lan, tagged in VLANs 50, 51 and 90, so those layer-2
# segments extend to the remote site.
config interface 'vx0'
	option proto 'vxlan'
	option peeraddr '10.6.7.2'
	option ipaddr '10.6.7.1'
	option tunlink 'wgserver'
	option delegate '0'
	option vid '4066'

# IPv6 disabled on the raw eth0 device.
config device
	option name 'eth0'
	option ipv6 '0'

config bridge-vlan
	option device 'br-lan'
	option vlan '178'
	list ports 'lan1:t'
	list ports 'lan2:t'
	list ports 'lan4:t'
	list ports 'lan5:t'

config interface 'aqaranet'
	option proto 'static'
	option device 'br-lan.178'
	option ipaddr '10.233.10.1'
	option netmask '255.255.255.0'
	option defaultroute '0'
	option delegate '0'

config interface 'hwnet'
	option proto 'static'
	option device 'br-lan.179'
	option ipaddr '10.182.32.1'
	option netmask '255.255.255.0'
	option defaultroute '0'
	option delegate '0'

# VLAN 179 has no member ports: 'hwnet' exists only on the router itself
# (bridge_empty '1' on br-lan allows this).
config bridge-vlan
	option device 'br-lan'
	option vlan '179'

# VLAN 90 ('aya') also crosses the vx0 tunnel.
config bridge-vlan
	option device 'br-lan'
	option vlan '90'
	list ports 'lan1:t'
	list ports 'lan2:t'
	list ports 'lan4:t'
	list ports 'lan5:t'
	list ports 'vx0:t'

config interface 'aya'
	option proto 'static'
	option device 'br-lan.90'
	option ipaddr '10.87.62.1'
	option netmask '255.255.255.0'
	option defaultroute '0'
	option delegate '0'

# Peer list for 'wgclient2' (Mullvad, Albania/Tirana endpoints).  Same
# rule as for wgclient: both peers claim 0.0.0.0/0, so only one may be
# enabled -- 'al-tia-wg-001' is active, 'al-tia-wg-002' is disabled.
config wireguard_wgclient2
	option description 'al-tia-wg-001'
	option public_key '<priv>'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host '<priv>'
	option endpoint_port '3155'

config wireguard_wgclient2
	option disabled '1'
	option description 'al-tia-wg-002'
	option public_key '<priv>'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host '<priv>'
	option endpoint_port '3212'

it's about the interfaces wgclient and wgclient2.

You can have many wg interfaces and an interface can have many peers.
You can have many interfaces enabled because you have default routing disabled (which is actually not necessary, as you do not route the allowed IPs).

In your case only one peer per interface can be enabled, because of the overlapping allowed IPs.

So looks good to me :slight_smile:

P.S. there is no need to redact private IP addresses because, well, they are private.


Ah that makes sense thanks :smile::+1:

