Setup: These steps were performed OpenWRT 19.07.3.
Context: The goal of this is to set up a virtual network where clients can switch from 1 network with a wireguard VPN connection to another without a VPN connection easily. VPN termination is to the router as opposed to the client. This may be useful for setups such as on insecure networks, while still wanting the ability to switch between the 2 at your leisure.
-
-
-
install modules:
-
luci-app-wireguard
-
luci-app-vpn-policy-routing
-
vpn-policy-routing
-
iptables-mod-physdev
-
kmod-br-netfilter
-
kmod-ipt-physdev
-
-
-
-
General Setup
-
The radio you want to create a virtual network on -> Add
-
Set ESSID value, attach to a new network "wglan"
-
-
Wireless Security
-
set Encryption and Key values
-
repeat 3.1 + 3.2 if you want a SSID for your other radio (ex. 2.4GHz + 5GHz)
-
-
-
-
Setup Wireguard interface:
-
Add new interface (WGINT)
-
General
-
Name: WGINT
-
Protocol: WireGuard VPN
-
Check "Bring up on boot"
-
Set Private Key
-
Set IP Addresses
-
-
Firewall Settings
- Create/Assign firewall-zone: wgzone
-
Peers
-
Set Description, Public Key, Preshared Key, Allowed IPs
-
Uncheck Route Allowed IPs
-
Fill out Endpoint Host, Endpoint Port
-
Set
Persistent Keep Aliveto25if you want to enable automatic reconnect viawireguard-tools wireguard_watchdogscript)
-
-
-
Setup VLAN
-
Add new interface (WGLAN)
-
General Settings:
-
Protocol: Static address
-
If you have a 2.4GHz + 5GHz network to bridge:
-
Bridge interfaces: Checked
-
Interface: Check your 2 wireless networks (wglan)
-
-
IPv4 address: 192.168.2.1 (or a subnet that isn't your existing one)
-
IPv4 netmask: 255.255.255.0
-
-
Physical Settings
-
Bridge interfaces: checked
-
Interface: wlan0-1, wlan1-1
-
-
Firewall Settings:
- Create/Assign firewall zone: wglanzone
-
DHCP server:
- Create, Advanced Settings -> Dynamic DHCP checked
-
-
-
-
General Settings -> Zones
-
-
Zone -> Forwardings Input Output Forward Masquerading MSS Clamping Allow forward to destination zones Allow forward from source zones lan wan accept accept accept unchecked unchecked wan + wan6 wglanzone wan REJECT reject accept reject checked checked unspecified lan + wgzone wgzone wan + wglanzone accept accept reject checked checked wan + wan6 + wglanzone wglanzone wglanzone wgzone + lan accept accept reject unchecked unchecked lan + wgzone wgzone
-
-
Traffic Rules -> Add
-
Name: DHCP
-
Protocol: TCP + UDP
-
Source zone: wglanzone
-
Destination zone: Device (input)
-
Action: accept
-
-
Name: DNS
-
Protocol: UDP
-
Source zone: wglanzone
-
Destination zone: Device (input)
-
Action: accept
-
-
-
-
-
Policies
-
name: wgpolicy
-
local addresses/devices: 192.168.2.1/24
-
interface: WGINT
-
-
Configuration
- Enable + Start
-
-
ssh root@openwrt.lan -
echo '* * * * * /usr/bin/wireguard_watchdog' >> /etc/crontabs/root
-
Notes:
- I originally did not want a subnet. Based on trial/error and many hours of attempts, VPN Policy Routing does not support "wlan0-1" as a supported field under "Local addresses/devices" and I am unable to route the SSID directly to the Wireguard interface. Unfortunately this means I have to set up a subnet and DHCP instead.