Posted: Tue Jan 17, 2023 13:20 Post subject: [SOLVED] Add a second WireGuard tunnel to access LAN remotely
Hi!
I have a NetGear R7000 (DD-WRT 51288) with a WireGuard tunnel setup to my VPN provider (no other changes to the network). I would like to add a second WireGuard tunnel to be able to access my local network remotely.
I went through the WireGuard advanced guide and I believe page 20 (One Server, One client Two Tunnels, Policy Based Routing, https://forum.dd-wrt.com/phpBB2/download.php?id=46090) matches my situation best. Is this correct?
Have a look at the tutorial here:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=322206
Posted: Tue Jan 17, 2023 15:36 Post subject:
That documentation is a bit outdated
One Server, One client Two Tunnels, Policy Based Routing
This setup describes one tunnel set up to a commercial VPN provider and one tunnel set up as a server so that you can access your network from the internet.
First tunnel
Set this tunnel up like a standard WireGuard client using the WireGuard Client setup guide.
Test the tunnel.
Second tunnel
Set this tunnel up as a standard WireGuard server using the WireGuard Server setup guide.
Disable the first tunnel (no worries, your settings are retained) and test if you can reach your WireGuard server.
Note: the Listen Port of both tunnels should be different.
Policy Based routing
The problem with both tunnels active is that traffic coming in via the WAN destined for your WG server will be routed out via the WG client to your VPN provider, and the firewall will not allow that.
So we have to use Policy Based Routing on the WG client to make sure traffic for the WG server is going out via the WAN.
Depending on your needs you can choose:
Source Routing (PBR): Route Selected sources via the VPN
Under Selected sources you can just enter your whole network, e.g. 192.168.1.0/24
Source for PBR: <subnet>
See the WG Client setup guide for some explanation.
Thank you so much for this, I will give it a try soon. Even outdated, these guides have been really nice to learn about what is possible to do.
One Server, One client Two Tunnels, Policy Based Routing
...
Alternatively you can only route the port of the WG server via the WAN:
Source Routing (PBR): Route Selected sources via the WAN
Source for PBR: sport <Listen-port-of-WG-server>
I followed your instructions, both here and in the WireGuard Server guide. This is my setup:
1. Telekom modem with DDNS (No-IP) configured. I've also configured a forwarding of port 51810 to the DD-WRT router downstream.
2. The DD-WRT router running the WireGuard tunnel (as showcased in the screenshots)
3. My phone (connected to a 4G network) running a WireGuard client
The connection seems to be established (I can see the endpoint in the DD-WRT UI), however I cannot seem to ping anything in my LAN (I've tried 10.4.0.1, 192.168.3.1). How do I actually contact my LAN devices once the tunnel is running? Do I need to set up further port forwardings?
It looks like you have your phone set up in both tunnels.
The phone should only be set up in the Server tunnel.
Please show screenshots of the whole tunnel pages.
Edit: or if this is just the server tunnel, then you have set up the PBR on the wrong tunnel.
PBR should be on the client tunnel.
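Added example (not from this thread and not DD-WRT's own tooling): a small Python checker for the two pitfalls raised in this thread, a Listen Port shared by both tunnels and a peer such as the phone configured in both the client and the server tunnel. It parses the text that `wg show` prints; the interface names oet1/oet2, the addresses and all keys in the sample are constructed placeholders.

```python
from collections import defaultdict
# Constructed `wg show` sample: oet1 = client tunnel to the VPN provider, oet2 = server tunnel for the phone; keys are placeholders.
SAMPLE_WG_SHOW = """\
interface: oet1
  listening port: 51820

peer: PROVIDER_KEY_PLACEHOLDER=
  endpoint: 203.0.113.10:51820
  allowed ips: 0.0.0.0/0

peer: PHONE_KEY_PLACEHOLDER=
  allowed ips: 10.4.0.2/32

interface: oet2
  listening port: 51820

peer: PHONE_KEY_PLACEHOLDER=
  allowed ips: 10.4.0.2/32
"""

def parse_wg_show(text):
    """Return {interface: {"port": int or None, "peers": [pubkey, ...]}}."""
    tunnels, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface:"):
            current = line.split(":", 1)[1].strip()
            tunnels[current] = {"port": None, "peers": []}
        elif current and line.startswith("listening port:"):
            tunnels[current]["port"] = int(line.split(":", 1)[1])
        elif current and line.startswith("peer:"):
            tunnels[current]["peers"].append(line.split(":", 1)[1].strip())
    return tunnels

def find_problems(tunnels):
    # Findings as strings; an empty list means the two-tunnel layout is sane.
    problems, by_port, by_peer = [], defaultdict(list), defaultdict(list)
    for name, tun in tunnels.items():
        by_port[tun["port"]].append(name)          # Listen Ports must differ
        for key in tun["peers"]:
            by_peer[key].append(name)              # a peer belongs to one tunnel
    for port, names in by_port.items():
        if port is not None and len(names) > 1:
            problems.append(f"listen port {port} is shared by {', '.join(names)}")
    for key, names in by_peer.items():
        if len(names) > 1:
            problems.append(f"peer {key} is in {', '.join(names)}; keep it in the server tunnel only")
    return problems
for warning in find_problems(parse_wg_show(SAMPLE_WG_SHOW)):
    print("WARNING:", warning)
```

Paste your own `wg show` output in place of the sample; a clean two-tunnel setup produces no warnings.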
Indeed, I set up the PBR on the server tunnel, my bad. I've changed it (I've uploaded screenshots in case anyone is looking at this thread to reproduce this later), I can now ping devices on my LAN from my phone, and the client tunnel seems to still be working fine. Never thought I'd see the moment where I could have such a setup, so thank you very much.
One thing was worrying me with the PBR, probably because I don't quite understand what it does. I've set up your second option on the client (route the port of the WG server via the WAN). This means that Wireguard connections to the server tunnel are directed to the WAN instead of my VPN provider? Or are they directed to the client VPN tunnel? Is there a risk of my public IP leaking?
Posted: Thu Jan 26, 2023 20:04 Post subject:
Great to hear you made it work.
You are right that the way you have set up everything is going via the client's VPN tunnel, except traffic with source port 51810, which is traffic from your WG server.
Traffic for the server comes in via the WAN and thus also has to go out via the WAN.
About leaks, always check with ipleak.net or similar websites.