1st question:
I have a cluster at home connected to an OpenWrt client (WRT3200ACM) <-> OpenWrt router (WRT3200ACM) <-> Comcast business modem (as far as I know it's not static, but the IP hasn't changed for weeks). I am trying to connect my laptop to the router so I can access the cluster (private cloud-ish, really Proxmox) when I am not at home.
I installed all the WireGuard server packages on the router, followed the setup guide step by step for LuCI and forwarded port 51820 from my modem -> router. Nothing.
I set all the zones to connect to all other zones. Nothing.
I set port forwarding on the modem to point downstream towards the VPN interface. Nothing.
I set static routing to point downstream towards the VPN interface. Nothing.
I even tried setting the VPN to work on the local intranet for testing (in case it was the Comcast modem). Nothing.
I put both VPN interfaces (client and laptop) on the same subnet, I listed the allowed IPs I am trying to access (cluster main node IP, client's IP, and client gateway just for good measure) and the VPN interface IPs. Nothing.
I am obviously missing some important parts to this setup.
At the moment my network is:
modem -> router -> client -> cluster
and
laptop/phone -> router -> client -> cluster
That much works; all I needed was a static route on the router.
From what I understand the VPN interface and VPN client interface have their own IPs and then my device routes through that to my local router, and the firewall zones on the router are supposed to be:
wan <-> vpn <-> lan
Does my laptop/phone have the VPN interface IP in the tunnel? I assume so but I don't know for sure.
Then I wiped the whole thing and came here. I've checked the forum and instructions on both the OpenWrt site and the WireGuard site. I have been at this for days.
(Kinda embarrassing, I'm usually pretty good at this.)
2nd question:
Once I get my laptop/phone to connect to router -> client -> cluster I'm going to get the router to connect to a VPN service so all my traffic is tunneled all the time. How would I do this so that I never have to turn the VPN off? If the peer settings are for the public IP of the modem, how do I add the router IP to the same tunnel? I know it's redundant to have a VPN to connect to my local router while at home, but I want to just leave it on permanently if possible.
This is my first time messing with VPNs (obviously...)
Will somebody please help me solve this?
The way you are describing this, it sounds like this is a modem+router combo unit. Can you confirm?
Let's see the configs of both your OpenWrt devices.
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
VPNs have to be tested from outside. During VPN testing the laptop needs a different Internet service to simulate being out in the field. Do not connect it to your home wifi. A common way to do this is to connect the laptop to the hotspot of a smartphone. The phone in turn is connected to LTE not the home wifi.
You probably should set up symmetric routing so there is no NAT in the second router. This will allow the first router, or a laptop tunneled to the first router, to reach cluster IPs directly (if the second router firewall allows it).
Confirmed the Comcast modem is a modem/router/AP. The OpenWrt client is the mode that allows an OpenWrt router to connect to another wifi network. The cluster is in my room and the modem is in the living room, so I used a wireless bridge to connect to it.
root@ZephyrNet:~# ubus call system board
{
	"kernel": "6.6.93",
	"hostname": "ZephyrNet",
	"system": "ARMv7 Processor rev 1 (v7l)",
	"model": "Linksys WRT3200ACM",
	"board_name": "linksys,wrt3200acm",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.2",
		"revision": "r28739-d9340319c6",
		"target": "mvebu/cortexa9",
		"description": "OpenWrt 24.10.2 r28739-d9340319c6",
		"builddate": "1750711236"
	}
}
root@ZephyrNet:~# cat /etc/config/network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'
config globals 'globals'
	option ula_prefix 'redacted' #I disabled ipv6 anyways
	option packet_steering '1'
	option steering_flows '128'
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	option ipv6 '0'
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ipv6 '0'
config device
	option name 'wan'
	option macaddr 'redacted'
	option ipv6 '0'
config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option ipv6 '0'
config route
	option interface 'lan'
	option target '192.168.2.1/24'
	option gateway '192.168.1.172'
config route
	option interface 'wg0'
	option target '192.168.2.1/24'
	option gateway '192.168.1.172'
config interface 'wg0'
	option proto 'wireguard'
	option private_key 'redacted'
	option listen_port '51820'
	list addresses '192.168.1.255' #IP of interface on router, I think...
config wireguard_wg0
	option description 'Phone'
	option public_key 'redacted'
	option private_key 'redacted'
	option preshared_key 'redacted'
	option route_allowed_ips '1'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	list allowed_ips '192.168.1.254' #This is the IP for the peer interface right? I assume this is set when I transfer the configuration.
root@ZephyrNet:~# cat /etc/config/firewall
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
config forwarding
	option src 'lan'
	option dest 'wan'
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'
config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'
	option family 'ipv4'
config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option family 'ipv4'
config forwarding
	option src 'wan'
	option dest 'lan'
config zone
	option name 'WireguardVPN'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	list network 'wg0'
config forwarding
	option src 'WireguardVPN'
	option dest 'lan'
config forwarding
	option src 'WireguardVPN'
	option dest 'wan'
config forwarding
	option src 'lan'
	option dest 'WireguardVPN'
config rule
	option src 'wan'
	option name 'WireGuard-incoming'
	option family 'ipv4'
	list proto 'udp'
	option dest_port '51820'
	option target 'ACCEPT'
config rule
	option src 'WireguardVPN'
	option dest 'lan'
	option name 'WireGuard-lan'
	option target 'ACCEPT'
	option family 'ipv4'
I am using my phone to test.
I will look up symmetric routing. At the moment I'm pretty sure my cluster is under triple NAT. Might be good to remove a layer.
I have roommates so they use the ISP modem/router wifi. The ISP modem/router IP is 10.1.10.1, the router IP is 192.168.1.1, and the client's IP is 192.168.2.1.
My WRT router is plugged in via a 6' Cat 8 Ethernet cable, 2.5Gbps (modem) port to the 1Gbps (WRT router) WAN port. Everything is behind the WRT router. My laptop/phone connect via wifi to the WRT router and the WRT client connects via wifi to the WRT router (wireless bridge). The cluster is connected to the client via 4 more 6' Cat 8 Ethernet cables (there are 4 nodes at the moment), 1Gbps Ethernet to the 1Gbps LAN ports on the WRT client.
I know with a full router behind the ISP modem/router I'll have double NAT, but I need my own network and can't screw with my roommates' Internet by using bridge mode or something. I have access to the ISP modem/router config though, so I can static route and forward ports and all.
However, I am not sure how to remove NAT from the WRT client. DHCP on the client is also an issue. I am looking into how to remove NAT and forward DHCP to the WRT router if I can. However, at the moment the subnetting with static IPs is working.
But if I can VPN to the router and access the cluster subnet then that will work for me.
Laptop/phone -> router -> cluster
Thank You!
I did that and tinkered with allowed IPs and it all works now. Must have been having the interface on the 192.168.1.x subnet that was hanging me up. Thank you for clarifying the IP situation. Now I get that there is the main server interface IP, the peer's interface IP, then once into the page with the QR code there is the Allowed IPs for what I am connecting to. Guess the peer is the gatekeeper for that part.
These are my sanitized settings for my working configuration for anyone reading this later.
root@ZephyrNet:~# ubus call system board
{
	"kernel": "6.6.93",
	"hostname": "ZephyrNet",
	"system": "ARMv7 Processor rev 1 (v7l)",
	"model": "Linksys WRT3200ACM",
	"board_name": "linksys,wrt3200acm",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.2",
		"revision": "r28739-d9340319c6",
		"target": "mvebu/cortexa9",
		"description": "OpenWrt 24.10.2 r28739-d9340319c6",
		"builddate": "1750711236"
	}
}
root@ZephyrNet:~# cat /etc/config/network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'
config globals 'globals'
	option ula_prefix 'redacted'
	option packet_steering '1'
	option steering_flows '128'
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	option ipv6 '0'
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ipv6 '0'
config device
	option name 'wan'
	option macaddr 'redacted'
	option ipv6 '0'
config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option ipv6 '0'
config route
	option interface 'lan'
	option target '192.168.2.1/24'
	option gateway '192.168.1.172'
config interface 'wg0'
	option proto 'wireguard'
	option private_key 'redacted'
	option listen_port '51820'
	list addresses '192.168.255.1'
config wireguard_wg0
	option description 'Phone'
	option public_key 'redacted'
	option private_key 'redacted'
	option preshared_key 'redacted'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	list allowed_ips '192.168.255.2/32'
config wireguard_wg0
	option description 'Laptop'
	option public_key 'redacted'
	option private_key 'redacted'
	option preshared_key 'redacted'
	list allowed_ips '192.168.255.3/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
root@ZephyrNet:~# cat /etc/config/firewall
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
config forwarding
	option src 'lan'
	option dest 'wan'
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'
config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'
	option family 'ipv4'
config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option family 'ipv4'
config forwarding
	option src 'wan'
	option dest 'lan'
config zone
	option name 'WireguardVPN'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	list network 'wg0'
config forwarding
	option src 'WireguardVPN'
	option dest 'lan'
config forwarding
	option src 'lan'
	option dest 'WireguardVPN'
config rule
	option src 'wan'
	option name 'WireGuard-incoming'
	option family 'ipv4'
	list proto 'udp'
	option dest_port '51820'
	option target 'ACCEPT'
I'm so stoked, I just ran a speed test on a VM from across the internet! This is officially the best setup I've ever had.
[Solved]
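The difference between the two posted configs comes down to addressing: the first put the wg0 address (192.168.1.255) and the peer's allowed_ips (192.168.1.254) inside the LAN subnet 192.168.1.0/24, the working one moved the tunnel to 192.168.255.0/24 with one /32 per peer. The check below is an added example, not from the thread or from OpenWrt: it parses a UCI network file and flags any WireGuard address or allowed_ips entry that falls inside a LAN subnet, using constructed excerpts modelled on both configs above.

```python
import ipaddress
import re

def parse_uci(text):
    """Minimal OpenWrt UCI parser: [(section_type, name, {key: [values]})]. Drops '#...' notes."""
    sections = []
    for raw in text.splitlines():
        parts = [p.strip("'") for p in re.findall(r"'[^']*'|\S+", raw.split("#", 1)[0])]
        if not parts:
            continue
        if parts[0] == "config":
            sections.append((parts[1], parts[2] if len(parts) > 2 else None, {}))
        elif parts[0] in ("option", "list") and sections:
            sections[-1][2].setdefault(parts[1], []).append(parts[2])
    return sections

def lint_wireguard(network_cfg):
    """Flag a WireGuard tunnel address or peer allowed_ips that falls inside a LAN subnet."""
    secs = parse_uci(network_cfg)
    lan_nets = [ipaddress.ip_interface(f"{o['ipaddr'][0]}/{o['netmask'][0]}").network
                for t, _, o in secs if t == "interface" and "ipaddr" in o and "netmask" in o]
    wg_ifaces = {n for t, n, o in secs if t == "interface" and o.get("proto") == ["wireguard"]}
    def in_lan(addr):  # only the host part matters; a bare address is treated as a host
        return any(ipaddress.ip_address(addr.split("/")[0]) in net for net in lan_nets)
    findings = []
    for t, n, o in secs:
        if t == "interface" and n in wg_ifaces:
            findings += [f"{n}: tunnel address {a} lies inside a LAN subnet"
                         for a in o.get("addresses", []) if in_lan(a)]
        elif t.startswith("wireguard_") and t[10:] in wg_ifaces:  # peer sections of that wg interface
            peer = o.get("description", ["?"])[0]
            findings += [f"peer {peer}: allowed_ips {a} lies inside a LAN subnet"
                         for a in o.get("allowed_ips", []) if in_lan(a)]
    return findings

# Constructed excerpt modelled on the first (non-working) config posted in the thread.
BROKEN = """config interface 'lan'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
config interface 'wg0'
	option proto 'wireguard'
	list addresses '192.168.1.255' #IP of interface on router, I think...
config wireguard_wg0
	option description 'Phone'
	list allowed_ips '192.168.1.254'
"""
# The fix from the thread: a dedicated tunnel subnet, one /32 per peer.
WORKING = (BROKEN.replace("192.168.1.255", "192.168.255.1/24")
                 .replace("192.168.1.254", "192.168.255.2/32"))
```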