I have a spare Asus RT-AC68U router that I want to use as Wireguard server behind my main router, a Netgear RP7960P, which connects to the ISP's cable modem and acts as WiFi AP. I installed openwrt 23.05 on RT-AC68U and set it up as dumb AP following this guide: https://openwrt.org/docs/guide-user/network/wifi/dumbap, connected RT-AC68U to main router LAN-to-LAN, everything is fine, I then installed and configured Wireguard server on the Asus, setup 2 peers, one for an Andriod phone, other for an iPad, both can connect to the server on Asus, but both don't have internet access when connected.
I have tried quite a few things, setting up different firewall rules, even ended up disable the firewall on the RT-AC68U all together but still no luck. A static route to the Wireguard subnet has been added on the main Netgear router, I can even ping the peer when it connects to the server from within the LAN, but the peers can on access the Asus router, not the main router and the rest of the LAN.
BTW, I don't intend to use the RT-AC68U as WiFi AP, so I am ok with Openwrt crippling its WiFi function.
Ok, I removed the HomeVPN ports from "br-lan" device, changed '10.16.8.0/24' to '10.16.8.1/24' under HomeVPN interface, rebooted the router but still the same.
I deleted all the firewall rules and ran '/etc/init.d/firewall disable' previously, I think firewall should not be running in the router, but here is my /etc/config/firewall
This is one way, and is necessary when you have no control of the upstream network. The masqueade makes packets from the road warrior phone to the Internet appear to come from 192.168.158.2 instead of the phone's tunnel IP 10.16.8.X. Then the main router is able to return the Internet's replies to the phone by treating it as a LAN device.
The other way is to make the main router aware of how to return packets to 10.16.8.0. This is done by installing a static route into the main router:
10.16.8.0/24 via 192.168.158.2
I created a "LAN" zone with everything accept, enabled Masquerading on this zone, enabled the firewall, this did the trick, now both my Pixel and iPad as peers can connect to the Wireguard server and have internet access. Thank you so much!
You meant I can add a static route to 10.16.8.0/24 subnet using 192.168.158.2 as gateway in my main router, then I don't have to enable Masquerading on the LAN zone in my Asus Openwrt router? I will try that when I have chance.
Thank you both so much for your help!
Let me share my Asus router config here in case it can help other people who try to do the same or similar thing:
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd02:3084:69f0::/48'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.158.2'
option gateway '192.168.158.1'
option netmask '255.255.255.0'
option ip6assign '60'
list dns '192.168.158.1'
option delegate '0'
config device
option name 'wan'
option macaddr 'redacted'
config interface 'HomeVPN'
option proto 'wireguard'
option private_key 'redacted'
option listen_port '51820'
option delegate '0'
list dns '192.168.158.1'
list addresses '10.16.8.1/24'
config wireguard_HomeVPN
option description 'Pixel'
option public_key 'redacted'
option private_key 'redacted'
option preshared_key 'redacted'
list allowed_ips '10.16.8.2/32'
option endpoint_host 'redacted'
option route_allowed_ips '1'
option endpoint_port '51820'
config device
option name 'HomeVPN'
option mtu '1500'
config wireguard_HomeVPN
option description 'iPad'
option public_key 'redacted'
option private_key 'redacted'
option preshared_key 'redacted'
list allowed_ips '10.16.8.3/32'
option endpoint_host 'redacted'
option endpoint_port '51820'
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'LAN'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
list network 'lan'
root@OpenWrt:~# wg show
interface: HomeVPN
public key: redacted
private key: (hidden)
listening port: 51820
peer: redacted
preshared key: (hidden)
endpoint: redacted:51820
allowed ips: 10.16.8.3/32
latest handshake: 13 seconds ago
transfer: 1.28 MiB received, 11.04 MiB sent
peer: redacted
preshared key: (hidden)
endpoint: redacted:12658
allowed ips: 10.16.8.2/32
latest handshake: 1 minute, 13 seconds ago
transfer: 3.31 MiB received, 22.45 MiB sent
p.s. The ethernet cable connects to the LAN1 port on the Asus router.
Yes... if your main router supports static routes. Not all consumer routers have this functionality exposed to the user, and ISP routers in particular often don't. But if yours does have the capability, you can add this route (and disable masquerading) and it should work. Masquerading on the lan zone should always work in your scenario, though.
I would recommend removing the endpoint port on the peers. Likewise, on those devices (such as your Pixel), there should be no listen port specified (in the interface section of the configuration of the remote peers themselves).
This next section can be deleted:
The firewall file only has two stanzas (the defaults and the lan zone)... is that the whole file?
All the lines I marked with X should be removed.
Route_allowed_ips is unnecessary on a road-warrior client as long as you have defined the Wireguard interface with a /24 IP. This installs a route to the whole /24 via the Wireguard interface. route_allowed_ips will add an unnecessary /32 route for each peer to the table.
While this line is not needed in the peer config stanzas in general, it required if the user is going to use the QR code option to setup the remote peers (i.e. a phone). Without the private key, the QR code is greyed out.
I deleted all those lines marked 'X' and 'Z' from my server Wireguard config and everything still functions fine. I understand they are needed for generating peer config files, which was already done in my setup.
Hi @psherman, yes my firewall config only has two stanzas, I deleted all of entries when I was working on the issue. This is a dumb AP acting as Wireguard server only behind my main router, I think I don't really need those complicated firewall rules.
If you disable masquerading and install the static route in your main router, you'll need to add the wg network to the lan zone, or create a new zone for the wg network and enable forwarding from the wg zone > lan zone
Is there any advantage of using the static route with masquerading disabled?I would probably run it as it is since the setup works and serves the purpose.
Out of curiosity, how to add wg network to the lan zone? Under 'Network/Devices' tab?
[Edited] I think I understand now that this should be done under firewall configuration, include the wg network as covered networks under the “LAN” zone I setup.
Network > Interfaces > [edit wg network] > Firewall Settings
Or you can just add it as follows by editing the text file:
config zone
option name 'LAN'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'HomeVPN'
Note that the above is only valid if you disable masquerading and have the static route in place.
It depends... if you want to be able to see the specific WG peers that are remotely connected to a given device on your lan, you can only see their individual addresses when using the static route method. But otherwise, it usually doesn't matter much.
I am having different issue now after my Wireguard server is working, the opkg commend can no longer connect to the internet, it seems, when ran 'opke update' command, all the download failed, does the firewall mess up my opkg internet access? or something else?
Could be DNS related, from Openwrt cli, I can ping 8.8.8.8, but not google.com, saying it is bad address.
