OpenWRT dedicated wireless SSID with Wireguard client (kill switch included)

Setup: These steps were performed on OpenWRT 23.04.1.

Context: The goal of this manual is to create a wireless SSID whose clients are sent into a WireGuard network, with the router acting as the WireGuard client. Helpful link: the OpenWrt guide at https://openwrt.org/docs/guide-user/services/vpn/wireguard/extras#kill_switch creates a WireGuard interface with a kill switch. In other words, this guide helps you create a dedicated wireless SSID that is routed only through the WireGuard tunnel: if the tunnel is down, clients on that SSID lose connectivity instead of falling back to the plain WAN.

  1. Set up WireGuard on the remote server (not covered here):
  2. Configure Router:
    1. System -> Software
      • install modules:
      opkg update
      opkg install wireguard-tools luci-proto-wireguard
      
      (kmod-wireguard is pulled in as a dependency of wireguard-tools)
    2. System -> Reboot -> Perform reboot (optional)
    3. Create an empty bridge
      • Network
      • Devices - Add device configuration
        • Device type: Bridge device, with no ports, and check "Bring up empty bridge"
        • Name it: wg_br
    4. Network -> Interfaces
      • Setup Wireguard interface:

        • Add new interface
        • Protocol: wireguard VPN
        • Name: wg
        • General
          • Load configuration ->
          • uncheck "No Host Routes" (the router then keeps a host route to the peer endpoint via the WAN; with 0.0.0.0/0 routed into the tunnel, the endpoint itself would otherwise be routed into the tunnel as well)
        • Peers
          • Persistent Keep Alive: 25
          • Allowed IPs: 0.0.0.0/0
          • check "Route Allowed IPs"
        • Firewall Settings
          • unspecified (will be done in Firewall chapter)
      • Setup wireguard LAN interface:

        • Add new interface
        • Name: wg_lan
        • Static address
        • Device: wg_br
        • General Settings:
          • IPv4 address: 192.168.2.1 (or any subnet that isn't already in use: if your WireGuard network is 10.0.5.0/24 and your local network is 192.168.1.0/24, do not pick an address from either of those)
          • IPv4 netmask: 255.255.255.0
        • Firewall Settings:
          • unspecified (will be done in Firewall chapter)
        • DHCP server:
          • Setup DHCP server
          • Create, Advanced Settings -> Dynamic DHCP checked
    5. Network -> Wireless
      • General Setup
        • The radio you want to create a virtual network on -> Add
        • Set ESSID value
        • Network: wg_lan
    6. Network → Firewall

      NOTE: first create two empty zones:

      • wg_fw (will cover the wg tunnel interface)
      • wg_lan (will cover the wg_lan interface behind the dedicated SSID)

      then edit each zone as listed below (the first line of each entry is what LuCI shows in the zone overview as "Zone → Forwardings").

      • General Settings -> Zones

        • lan → wan + wg_fw
          • Input: accept, Output: accept, Forward: accept
          • Masquerading: unchecked, MSS clamping: unchecked
          • Covered networks: lan
          • Allow forward to destination zones: wan, wan6, wg_fw
          • Allow forward from source zones: unspecified
        • wan → REJECT
          • Input: reject, Output: accept, Forward: reject
          • Masquerading: checked, MSS clamping: checked
          • Covered networks: wan, wan6
          • Allow forward to destination zones: unspecified
          • Allow forward from source zones: lan
        • wg_fw → REJECT
          • Input: reject, Output: accept, Forward: reject
          • Masquerading: checked, MSS clamping: checked
          • Covered networks: wg
          • Allow forward to destination zones: unspecified
          • Allow forward from source zones: lan, wg_lan
        • wg_lan → wg_fw
          • Input: accept, Output: accept, Forward: accept
          • Masquerading: unchecked, MSS clamping: unchecked
          • Covered networks: wg_lan
          • Allow forward to destination zones: wg_fw
          • Allow forward from source zones: unspecified

      This is the kill switch: wg_lan may forward into wg_fw only, never into wan, so when the tunnel is down clients on the dedicated SSID lose connectivity instead of leaking onto the plain WAN. Masquerading on wg_fw is required because the remote peer knows nothing about 192.168.2.0/24. Afterwards verify from a client on the new SSID that its public IP is the VPN server's, and check where DNS goes: clients use the router's dnsmasq, whose upstream queries follow the router's own routing table rather than the wg_lan zone rules.
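Because the kill switch lives entirely in the zone and forwarding configuration, it is worth auditing it on the router once the clicking is done. The script below is an added example, not part of the gist: it checks the properties listed above against the text that `uci show firewall` prints. It assumes the gist's zone and network names (wg, wg_fw, wg_lan); the sample configuration embedded in it is constructed for the demonstration, not a real capture.

```shell
#!/bin/sh
# check_wg_killswitch.sh: audit `uci show firewall` output for the kill-switch
# properties of the zone layout above. Added example, not from the gist; the
# zone/network names (wg, wg_fw, wg_lan) are the ones the gist uses.

# zone_section NAME CFG: print the uci section id (e.g. @zone[2]) of zone NAME.
zone_section() {
    printf '%s\n' "$2" | grep -F ".name='$1'" | grep '^firewall\.@zone\[' |
        cut -d. -f2 | head -n 1
}

# uci_opt OPTION SECTION CFG: print OPTION of SECTION with the quotes stripped
# (list options come back space-separated); empty if the option is unset.
uci_opt() {
    printf '%s\n' "$3" | grep -F "firewall.$2.$1=" | head -n 1 |
        sed "s/^[^=]*=//; s/'//g"
}

# forward_dests SRC CFG: print the dest zone of every forwarding whose src is SRC.
forward_dests() {
    printf '%s\n' "$2" | grep -F ".src='$1'" | grep '^firewall\.@forwarding\[' |
        cut -d. -f2 | while read -r sec; do uci_opt dest "$sec" "$2"; done
}

# check_killswitch CFG: return 0 when clients of the VPN SSID can only leave
# through the tunnel, 1 otherwise (each violation is reported on stderr).
check_killswitch() {
    cfg=$1
    rc=0
    # 1. wg_lan may forward into wg_fw and nowhere else (in particular not wan).
    for dest in $(forward_dests wg_lan "$cfg"); do
        [ "$dest" = "wg_fw" ] || { echo "leak: forwarding wg_lan -> $dest" >&2; rc=1; }
    done
    # 2. wg_fw must cover the wg interface, masquerade (the remote peer does not
    #    know 192.168.2.0/24) and reject anything that is not explicitly forwarded.
    sec=$(zone_section wg_fw "$cfg")
    [ -n "$sec" ] || { echo "zone wg_fw missing" >&2; return 1; }
    case " $(uci_opt network "$sec" "$cfg") " in
        *" wg "*) ;;
        *) echo "wg_fw does not cover network wg" >&2; rc=1 ;;
    esac
    [ "$(uci_opt masq "$sec" "$cfg")" = "1" ] || { echo "wg_fw: masquerading off" >&2; rc=1; }
    [ "$(uci_opt input "$sec" "$cfg")" = "REJECT" ] || { echo "wg_fw: input is not REJECT" >&2; rc=1; }
    [ "$(uci_opt forward "$sec" "$cfg")" = "REJECT" ] || { echo "wg_fw: forward is not REJECT" >&2; rc=1; }
    # 3. wg must belong to wg_fw only; covering it with wan as well would let the
    #    lan -> wan forwarding and the wan zone's policies apply to the tunnel too.
    wan=$(zone_section wan "$cfg")
    case " $(uci_opt network "$wan" "$cfg") " in
        *" wg "*) echo "wg is also covered by zone wan" >&2; rc=1 ;;
    esac
    return $rc
}

# Constructed sample of `uci show firewall` after following the gist (not a real capture).
SAMPLE_OK="firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[2]=zone
firewall.@zone[2].name='wg_fw'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].masq='1'
firewall.@zone[2].mtu_fix='1'
firewall.@zone[2].network='wg'
firewall.@zone[3]=zone
firewall.@zone[3].name='wg_lan'
firewall.@zone[3].input='ACCEPT'
firewall.@zone[3].network='wg_lan'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='lan'
firewall.@forwarding[1].dest='wg_fw'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].src='wg_lan'
firewall.@forwarding[2].dest='wg_fw'"

# The same configuration with an extra wg_lan -> wan forwarding: the kill switch is gone.
SAMPLE_LEAK="$SAMPLE_OK
firewall.@forwarding[3]=forwarding
firewall.@forwarding[3].src='wg_lan'
firewall.@forwarding[3].dest='wan'"

# Usage on the router: uci show firewall | sh check_wg_killswitch.sh --stdin
if [ "${1:-}" = "--stdin" ]; then
    check_killswitch "$(cat)"
fi
```

Run it on the router as `uci show firewall | sh check_wg_killswitch.sh --stdin`; a non-zero exit with a message on stderr means wg_lan has a path to the WAN that bypasses the tunnel, or the wg_fw zone is not set up as the table requires.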