Setup: These steps were performed on OpenWrt 23.04.1.
Context: The goal of this guide is to create a wireless SSID that is connected to a WireGuard network as a client. Helpful link: a guide to creating a WireGuard interface with a kill switch (https://openwrt.org/docs/guide-user/services/vpn/wireguard/extras#kill_switch). In other words, this guide will help you create a dedicated wireless SSID that is connected directly to WireGuard.
- install modules:
  opkg update
  opkg install wireguard-tools luci-proto-wireguard
- Network
  - Devices
    - Add device configuration
      - Create Devices and check "bring up empty bridge"
      - Name it: wg_br

Setup Wireguard interface:
- Add new interface
  - Protocol: wireguard VPN
  - Name: wg
- General
  - Load configuration ->
  - **uncheck "No Host Routes"**
- Peers
  - Persistent Keep Alive: 25
  - Allowed IPs: 0.0.0.0/0
  - check "Route Allowed IPs"
- Firewall Settings
  - unspecified (will be done in Firewall chapter)

Setup wireguard LAN interface:
- Add new interface
  - Name: wg_lan
  - Static address
  - Device: wg_br
- General Settings:
  - IPv4 address: 192.168.2.1 (or another subnet that *isn't* one you already use. If your WireGuard network is 10.0.5.0/24 or your local network is 192.168.1.0/24, do not use an address from either of those!)
  - IPv4 netmask: 255.255.255.0
- Firewall Settings:
  - unspecified (will be done in Firewall chapter)
- DHCP server:
  - Setup DHCP server
  - Create, Advanced Settings -> Dynamic DHCP checked

- General Setup
  - The radio you want to create a virtual network on -> Add
  - Set ESSID value
  - Network: wg_lan
- General Setup

NOTE: first create empty zones:
- wg_fw
- wg_lan
then edit the rules so that they match the table below.

General Settings -> Zones

| Zone -> Forwardings | Input | Output | Forward | Masquerading | MSS Clamping | Covered networks | Allow forward to destination zones | Allow forward from source zones |
|---|---|---|---|---|---|---|---|---|
| lan -> wan + wg_fw | accept | accept | accept | unchecked | unchecked | lan | wan + wan6 + wg_fw | unspecified |
| wan -> REJECT | reject | accept | reject | checked | checked | wan wan6 | unspecified | lan |
| wg_fw -> REJECT | reject | accept | reject | checked | checked | wg | unspecified | lan + wg_lan |
| wg_lan -> wg_fw | accept | accept | accept | unchecked | unchecked | wg_lan | wg_fw | unspecified |
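
One way to verify the result, as an added example that is not part of the original guide: the script reads a firewall configuration in UCI syntax and confirms that the wg_lan zone forwards to wg_fw and to nothing else, which is what the table above specifies. The function names and the sample configuration are constructed for illustration; on the router, pass /etc/config/firewall as the file.

```shell
#!/bin/sh
# Added example, not from the original guide. Zone names follow the guide;
# the function names and the sample config are constructed for illustration.

# check_wg_forwardings FILE SRC ALLOWED: report every "config forwarding"
# section whose src is SRC and whose dest is not ALLOWED. Returns 0 only if
# SRC forwards to ALLOWED and to nothing else.
check_wg_forwardings() {
    awk -v src="$2" -v ok="$3" -v q="'" '
        function unq(v) { gsub("^[" q "\"]|[" q "\"]$", "", v); return v }
        function check() {
            if (sect == "forwarding" && s == src) {
                if (d == ok) good++
                else { printf "LEAK: %s -> %s\n", s, d; bad++ }
            }
            s = ""; d = ""
        }
        $1 == "config" { check(); sect = unq($2) }
        $1 == "option" && $2 == "src"  { s = unq($3) }
        $1 == "option" && $2 == "dest" { d = unq($3) }
        END { check(); exit (bad > 0 || good == 0) }
    ' "$1"
}

# Constructed sample: the forwardings from the table above, in UCI syntax.
sample_config() {
    cat <<'EOF'
config zone
	option name 'wg_lan'
	list network 'wg_lan'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'wg_fw'

config forwarding
	option src 'wg_lan'
	option dest 'wg_fw'
EOF
}

tmp=$(mktemp) && sample_config > "$tmp"
check_wg_forwardings "$tmp" wg_lan wg_fw && echo "OK: wg_lan forwards only to wg_fw"
rm -f "$tmp"
```

A non-zero exit status means either that a forwarding from wg_lan to another zone exists (printed as a LEAK line) or that the forwarding to wg_fw is missing.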