I want to share a WireGuard VPN connection over WiFi in Raspberry pi 3 B+. I connect my RPI with LAN port to internet (Huawei 4G modem router), and I create a WireGuard connection that is already connected (tested ping and traceroute, everything is ok)
But now, I want to share my WireGuard VPN connection over WiFi AP. I already created a WiFi AP (with internal RPI WiFi) and shared the internet, but the internet is already shared from the LAN connection (same bridge).
And I have another problem: the IP address assigned to the WiFi client gets it IP from the Huawei 4G modem route (192.168.8.X), and its default gateway is set to 192.168.8.1 (Huawei 4G modem route IP address).
The wireless interface is not attached to any logical interface, bridged or not.
Your lan interface has protocol dhcp and you also have dhcp server running.
Most likely you'll need to sort the firewall later, but first you need to fix these.
Thanks for your reply
but i only can attache wireless interface to lan interface
my RPI connect to 4G Modem Router with dhcp and take ip from dhcp
and when i attach lan to wireless and connect to wireless as client,
client take ip from dhcp server (4G Modem Router)
what i need to do?
how can i set dhcp server for wireless clients?
how can i attache my wg0 interface to wireless?
Your configuration is not correct.
In interface lan you have IP address and netmask configured, which is used for static. And there is proto dhcp to acquire settings from dhcp, along with peerdns 0 to ignore the nameservers from dhcp.
On top of that you have dhcp server in lan.
Thanks for your reply
but my device (RPI) connect to internet (4G Modem Router) via lan interface
when i set lan interface to dhcp, have i internet on my device?
You can't have two DHCP servers on the LAN. The one in the Pi needs to be turned off so it does not serve wrong information to other LAN devices and cause them to lose Internet access. Leaving the Pi's DHCP server on will have it advertise itself as the gateway to the Internet, though that should be the Huawei main router.
thanks for reply
i change some setting in my RPI, and this is result :
package network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd53:487f:8b14::/48'
config interface 'lan'
option ifname 'eth0'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
option proto 'dhcp'
list dns '178.22.122.100'
list dns '185.51.200.2'
option peerdns '0'
config interface 'wg0'
option proto 'wireguard'
option private_key ''
list addresses '172.16.0.2/32'
list addresses 'fd01:5ca1:ab1e:85d9:85be:fab1:b79a:43f0/128'
config wireguard_wg0 'wgserver'
option public_key ''
option endpoint_host 'engage.cloudflareclient.com'
option endpoint_port '2408'
option route_allowed_ips '1'
option persistent_keepalive '25'
list allowed_ips '0.0.0.0/1'
list allowed_ips '128.0.0.0/1'
list allowed_ips '::/0'
list allowed_ips '0.0.0.0/0'
list allowed_ips '::/128'
list dns '1.1.1.1'
list dns '1.0.0.1'
list dns '2606:4700:4700::1111'
list dns '2606:4700:4700::1001'
config interface 'wifi'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
package wireless
config wifi-device 'radio0'
option type 'mac80211'
option channel '36'
option hwmode '11a'
option path 'platform/soc/3f300000.mmc/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
option htmode 'VHT80'
config wifi-iface 'wifinet0'
option device 'radio0'
option network 'wifi'
option mode 'ap'
option ssid 'OpenWrt'
option encryption 'none'
package dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
option ra_management '1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'wifi'
option interface 'wifi'
option start '100'
option limit '150'
option leasetime '12h'
package firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
in this setting i create wifi interface for handle all wifi client
and enable dhcp server on wifi ap
now wifi client take ip from RPI dhcp server
now i only need to setup my wireless to share vpn connection (wg0) to wifi
