2 routers same subnet, 1 Wireguard VPN (WireGuard on a WAP)

bhill21
DD-WRT Novice


Joined: 25 Mar 2020
Posts: 34

Posted: Mon Nov 09, 2020 13:02    Post subject: 2 routers same subnet, 1 Wireguard VPN (WireGuard on a WAP)
I’m trying to follow this solved situation that is similar but uses vpn instead of Wireguard.
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=322028&sid=c1f76eff334335f029e87660b0f480be

I set it up the way that is suggested; however, internet runs through router one, no Wireguard. Or I wind up with no internet at all on the Wireguard VPN router. I’m not sure how to set up the advanced routing as it is incomplete with an * on gateway. (Even though I tried 192.168.1.1 and 192.168.1.2)

Does anyone have or know of a tutorial for 2 routers one factory, the other DDWRT with Wireguard VPN? Or is there an easier way to have two routers share the same network with one pushing Wireguard vpn and the other going straight to internet?

Thanks in advance
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12887
Location: Netherlands

Posted: Mon Nov 09, 2020 15:07
I will transfer your post to the more appropriate forum (Advanced Networking) as it can be of interest to other users not using Marvell.

First take note of the forum guidelines:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087

You did not state your build; to give the best possible support we always need your build number. There are builds with known problems and maybe you are running one of those :(

Start with checking your network setup, you seem to have setup as a WAP:
https://wiki.dd-wrt.com/wiki/index.php/Wireless_Access_Point
Especially check Local DNS and Gateway (both have to point to your primary router)

When looking for tutorials, starting with the wikis is mostly a good idea.
https://wiki.dd-wrt.com/wiki/index.php/Wireguard

In the wiki there are three setup guides mentioned, the advanced setup guide has a paragraph about running WireGuard on a WAP.
The guides can also be found as sticky in the advanced networking forum.

Have fun :)

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
bhill21
DD-WRT Novice


Joined: 25 Mar 2020
Posts: 34

Posted: Tue Nov 10, 2020 0:53
Thank you. I’m on r44048.

I’m getting confused. I tried following the DDWRT Wireguard advanced setup.
What I have:
Primary router (192.168.1.1) Netgear r7450 running stock
DDWRT3200 (192.168.1.5) WAN disabled and DHCP disabled
Lan to Lan connection
Because I had the Wireguard working on the 3200 already according to keepsolid, I didn’t need to set up server. Right?

I’m getting confused on what to put where gateway wise, policy based routing, advanced routing as well as setting a static route on the primary router.

Is there a simple “put this here” type of tutorial for 2 routers Sharing same network, one dd wrt with Wireguard to use vpn on everything connected to that router while still maintaining being on the same network?

The reason I’m doing this is because I have an amazon recast that only works with my firesticks only when they are on the same network. I want to be able to use this item for the firesticks whether they are on vpn or not. so I’m just trying to Utilize the recast box no matter which router I’m on. If there’s a better/easier way to accomplish this, I’m all ears!
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12887
Location: Netherlands

Posted: Tue Nov 10, 2020 8:50
Ok so at least we know you are wanting to setup a client to KeepSolid :)

First start with the client setup guide and follow that for the basic settings, fortunately the client setup guide is made using KeepSolid so that should be easy.

Then head over to the Advanced setup guide, chapter WireGuard on a WAP, section Client on a WAP (page 6).

You already have done the basic setup so scroll down to page 7 and just add the two rules as described.
This rule:
Code:
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)
is basically always needed when using a WAP not only for WireGuard but also for other things (I know, you can also set static routes etc and a simple WAP does not need it)

The other rule:
Code:
route add -host $(nvram get oet1_rem0) gw $(nvram get lan_gateway) dev $(get_wanface)
is necessary because WireGuard is not so smart to detect it is not running on a gateway (well actually the code to do that is already in place but the busy developer has not activated it yet)

With these two rules you should get connected to KeepSolid (might need a reboot)

Then the next step is to tell your LAN clients to use the WAP as their default gateway.
As your main router is not running DDWRT, you should manually set the clients' gateway to point to the WAP if they are wired.

For wireless clients connected to the WAP it is easy, if you make an unbridged VAP then that will by default use the WG tunnel.

So when using wireless you can easily switch.
Using the normal wifi on the WAP will route via your normal network and switching to an unbridged VAP on the WAP (love this alliteration) will route via the WG tunnel/Keepsolid.

Have fun :)

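Added example, not part of the original posts or of the DD-WRT guides: a shell check that the two rules quoted in the post above are actually in effect on the WAP. The addresses, the endpoint 203.0.113.10 and the captured `iptables`/`route` output are constructed samples, the function names are hypothetical, and it assumes the WireGuard endpoint is stored as an IP address.

```shell
#!/bin/sh
# Added example (not from the thread): verify both WAP rules are active.
# All addresses and captured command output below are constructed samples.

# stdin: output of `iptables -t nat -vnL POSTROUTING`; $1: the WAP's LAN IP.
# Succeeds when a SNAT rule on traffic leaving br0 rewrites the source to $1.
has_snat_rule() {
    awk -v ip="$1" '
        $3 == "SNAT" && $7 == "br0" && $NF == ("to:" ip) { ok = 1 }
        END { exit !ok }'
}

# stdin: output of `route -n`; $1: WireGuard endpoint IP; $2: primary router.
# Succeeds when a host route (/32) sends the endpoint via the primary router.
has_endpoint_route() {
    awk -v ep="$1" -v gw="$2" '
        $1 == ep && $2 == gw && $3 == "255.255.255.255" { ok = 1 }
        END { exit !ok }'
}

# check_wap LAN_IP GATEWAY ENDPOINT NAT_TEXT ROUTE_TEXT
# Prints "ok", or "missing:" followed by the rule(s) that did not take effect.
check_wap() {
    missing=""
    printf '%s\n' "$4" | has_snat_rule "$1" || missing="$missing snat"
    printf '%s\n' "$5" | has_endpoint_route "$3" "$2" \
        || missing="$missing endpoint-route"
    if [ -z "$missing" ]; then echo "ok"; else echo "missing:$missing"; fi
}

# Constructed sample: NAT table after the SNAT rule was saved and applied.
SAMPLE_NAT='Chain POSTROUTING (policy ACCEPT 12 packets, 864 bytes)
 pkts bytes target     prot opt in     out     source               destination
   40  2880 SNAT       all  --  *      br0     0.0.0.0/0            0.0.0.0/0           to:192.168.1.2'

# Constructed sample: routing table with the host route to the endpoint.
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
203.0.113.10    192.168.1.1     255.255.255.255 UGH   0      0        0 br0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 br0'

# Constructed sample: the same table before the `route add -host` rule ran.
SAMPLE_ROUTES_BEFORE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 br0'

# Both rules present, then neither rule present.
check_wap 192.168.1.2 192.168.1.1 203.0.113.10 "$SAMPLE_NAT" "$SAMPLE_ROUTES"
check_wap 192.168.1.2 192.168.1.1 203.0.113.10 "" "$SAMPLE_ROUTES_BEFORE"
```

On the router, pipe the live output into the same functions, for example `iptables -t nat -vnL POSTROUTING | has_snat_rule "$(nvram get lan_ipaddr)"`.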
bhill21
DD-WRT Novice


Joined: 25 Mar 2020
Posts: 34

Posted: Wed Nov 11, 2020 0:58
I restarted and this is what I have so far following the guide:
Nighthawk 7450 primary router 192.168.1.1
Wrt3200 wap 192.168.1.2, DHCP disabled and connection type disabled.
Gateway and dns set to 192.168.1.1
Assign lan port switch enabled, ntp disabled, Advanced routing set to router, DNSMasq disabled, security firewall filter multicast checked only and disabled spi firewall disabled, admin Mgt routing disabled, password protection enabled
LAN connection from primary to WAN on wrt3200 ( Assign WAN Port to Switch is enabled)
Rebooted router and internet is orange on the 3200

My client setup was already working for the Wireguard and was working prior to trying all this so I thought no need to review that part.

I pasted the two codes in admin and hit save firewall.
Rebooted router.

Not sure what to do with this as per this recommendation:

“For wireless clients connected to the WAP it is easy, if you make an unbridged VAP then that will by default use the WG tunnel.“

What to do with orange internet light (thought that meant IP conflict) and how to setup unbridged VAP

Any help would be greatly appreciated. I feel I’m almost there, just missing something


Thanks
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12887
Location: Netherlands

Posted: Wed Nov 11, 2020 9:01
First, never disable NTP; some processes like VPNs must have the correct time (I do not recall that disabling NTP is anywhere in the wiki).

I always advise leaving the router in Gateway mode; some processes do need the NAT.
I would just leave the SPI on, it will disable because you have disabled the WAN but if you forget it when switching the WAN on again you are vulnerable.

These last two points are not important

About the orange light I can not tell, it could well be that the router has no gateway so that is normal in your setup.

The first thing to check is if you are connected and if there is traffic in both directions so check the status window (refresh with F5)

If you are connected and traffic is flowing then set the gateway of your client to the WAP so in client you have to manually configure the network settings.

If your client is working this way we will deal with the unbridged wifi

Otherwise see the troubleshooting section with things you have to post

bhill21
DD-WRT Novice


Joined: 25 Mar 2020
Posts: 34

Posted: Wed Nov 11, 2020 11:36
Thanks for response.

If you are connected and traffic is flowing then set the gateway of your client to the WAP so in client you have to manually configure the network settings.

Traffic was flowing. Not vpn but flowing. With orange light on.

How do you accomplish above manually configure network settings?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12887
Location: Netherlands

Posted: Wed Nov 11, 2020 11:59
That depends on the client's operating system, e.g. for Windows see: https://stevessmarthomeguide.com/setting-up-static-ip-address-windows-10/
bhill21
DD-WRT Novice


Joined: 25 Mar 2020
Posts: 34

Posted: Wed Nov 11, 2020 19:48
Huh? I don’t understand why would it depend on the client? I thought the router was the client and I just connect to it for the Wireguard vpn already established on it. I’m confused.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12887
Location: Netherlands

Posted: Wed Nov 11, 2020 20:01
A WAP is not a client; it acts just as a switch to your main router, so you are actually directly connected to your main router.

The only exception is an unbridged VAP because it is unbridged, traffic will travel via the router and WireGuard will route that traffic.

It is of course possible to use VLANs for your clients connected by wire to also route via the router and WireGuard; a VLAN and VAP can be combined on a separate bridge.

Yes you chose an Advanced setup

bhill21
DD-WRT Novice


Joined: 25 Mar 2020
Posts: 34

Posted: Wed Nov 11, 2020 22:54
Thanks again. Yikes, this is advanced! I’m too deep to turn back now. Lol.
So as it stands now, I have 2 routers on the same network with one running Wireguard vpn so all clients connected to it some kind of way, goes thru the vpn. I believe, waiting for you to correct me, I basically need a VAP (like a guest account) that gets routing instructions to use the vpn right? I’m just trying to get the process understood.

So, as to whats next? Create a VAP and assign the vpn to it? I don’t know how to properly set up a VAP If that’s what’s next.

Also, I only need Wi-Fi for the Wireguard. No Ethernet.

Thanks in advance for your patience
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12887
Location: Netherlands

Posted: Thu Nov 12, 2020 6:28
If you do not need ethernet then it is simple.

Your normal radio/wifi/AP will not use the VPN; an unbridged VAP (Virtual Access Point) always will (you do not need things like Policy Based Routing), so you do not need anything on the client but can switch between normal AP and VAP to route via the tunnel or via WAN.

There are wikis; search for Guest Wifi or Virtual Access Points. I attach my notes also; there is a paragraph about a VAP on a WAP, but the most important rule mentioned there is the one you already have.

In my notes there are also references which are worthwhile reading.

Have fun :)

bhill21
DD-WRT Novice


Joined: 25 Mar 2020
Posts: 34

Posted: Thu Nov 12, 2020 20:26
I followed the doc and unfortunately no internet connection.
Main router 192.168.1.1
3200 192.168.1.2, connected lan to wan, created VAP with ap isolation and net isolation disabled and unbridged. I tried putting in ip 192.168.1.2 thinking it needed router 2’s ip and no internet. I then saw where in the doc it says use a different subnet for VAP so I used 192.168.2.1 and still no internet connection. I rebooted between each change as recommended. And I set the DHCPd on ath0.1 also with a reboot.

Not sure what to do next and still the internet light on 3200 is orange
bhill21
DD-WRT Novice


Joined: 25 Mar 2020
Posts: 34

Posted: Thu Nov 12, 2020 22:59
Solved! Sort of

fresh install of r44048 back to factory settings and input everything from scratch. The problem was I kept reverting back to my backup as starting point and there may have been something conflicting in it!

VAP on WAP working with wireguard as the VPN using your docs and tutorials.

1 problem (not really for me but curious) the internet light on the 3200 is still orange despite successful setup. Any ideas?

I also tried to setup a 2nd VAP (my 2.4ghz) in the same fashion however, it is pointing to router 1. I gave it an ip of 192.168.3.1

Also, I cannot communicate with the Amazon Recast which is on the main router when connected to the VAP. I tried switching it to bridged as stated in the doc but that points it back to main router and no VPN.

Perhaps I need to explain if not clear. Amazon recast is an over-the-air DVR that allows me to use the DVR and obtain all OTA channels to each of my 5 firesticks as long as they are on the same network. The recast is connected to the network via wifi (currently on the 5ghz main router). I want to be able to have the recast be seen by both networks/routers. This is because sometimes, the firestick will choose either router and if it is not on the same network nothing plays.

If there is another way to get this amazon recast to be seen between both routers, point me in the right direction.

If you can help me sort out why it is not being seen, that would be great!! If we can get the 2nd VAP as well I would be a very happy camper!
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12887
Location: Netherlands

Posted: Fri Nov 13, 2020 7:41
Great you solved it.

The Internet light is probably connected to your WAN and a WAP has its WAN disabled, so I guess that is normal behaviour.

No experience with amazon recast but I suppose it only works when on the same network and an unbridged VAP is by definition on another network.

So there is no easy way out.

You can just connect your clients to the main network and set the gateway manually as discussed earlier; then the clients are on the same network and, with the gateway set to the WAP, use the VPN.

Or consider switching routers so that you can run the VPN from your main router (and then use Policy Based Routing).

When making another VAP: if this is bridged it will point to your main network, if unbridged it will use the VPN.
