Posted: Wed Nov 05, 2025 2:15 Post subject: [SOLVED] No Domain resolution at startup
So, my setup is weird. I have Modem -> Router 1 (RT-AC88U) -> Router 2 (WRT1900ACv2). In this setup, I just can't do DHCP on Router 2, the router I want to run Wireguard on. This means it needs to act as a DHCP Forwarder to Router 1. However Wireguard seems to depend on dnsmasq for some reason, and without DHCP (dnsmasq), it just does not work. So I would like to know how do I get Wireguard to work without dnsmasq?
To expand on why my setup is like this, I don't have a cable long enough to go from the Modem directly to Router 2. I could get a cable, but I also want to be able to access devices over LAN that are connected to Router 1 without also needing to connect them to Router 2. For example my NAS is connected to Router 1, and I want to be able to access it from devices connected to Router 2. Connecting Router 2 directly to modem would not allow this afaik.
From my research, the only way to make this setup work is to make Router 2 act as a DHCP Forwarder, and this breaks Wireguard. I tried getting DHCP to work, I tried setting a static IP outside the DHCP range of Router 1 and making it assign IP ranges outside those of Router 1, but it didn't work.
Joined: 18 Mar 2014 Posts: 13880 Location: Netherlands
Posted: Wed Nov 05, 2025 8:41 Post subject: Re: Need help getting Wireguard working without DHCP (dnsmas
K4sum1 wrote:
So, my setup is weird. I have Modem -> Router 1 (RT-AC88U) -> Router 2 (WRT1900ACv2). In this setup, I just can't do DHCP on Router 2, the router I want to run Wireguard on. This means it needs to act as a DHCP Forwarder to Router 1. However Wireguard seems to depend on dnsmasq for some reason, and without DHCP (dnsmasq), it just does not work. So I would like to know how do I get Wireguard to work without dnsmasq?
To expand on why my setup is like this, I don't have a cable long enough to go from the Modem directly to Router 2. I could get a cable, but I also want to be able to access devices over LAN that are connected to Router 1 without also needing to connect them to Router 2. For example my NAS is connected to Router 1, and I want to be able to access it from devices connected to Router 2. Connecting Router 2 directly to modem would not allow this afaik.
From my research, the only way to make this setup work is to make Router 2 act as a DHCP Forwarder, and this breaks Wireguard. I tried getting DHCP to work, I tried setting a static IP outside the DHCP range of Router 1 and making it assign IP ranges outside those of Router 1, but it didn't work.
What you write is not correct, DHCP forwarder is almost never used, if connected by wire either setup as a regular router or as a Wireless Access Point (WAP) depending on your needs
Start with the basics:
Are router 1 and 2 indeed connected by a cable?
Do you want to have everything on one subnet so that everything is seamlessly connected?
What kind of WireGuard do you want to setup, is it a WireGuard client connect to a (commercial) VPN provider or is it as a server so that you can connect to your home from outside? _________________ Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399 Install guide R7800/XR500:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614 Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Posted: Wed Nov 05, 2025 16:28 Post subject: Re: Need help getting Wireguard working without DHCP (dnsmas
egc wrote:
What you write is not correct, DHCP forwarder is almost never used, if connected by wire either setup as a regular router or as a Wireless Access Point (WAP) depending on your needs
Start with the basics:
Are router 1 and 2 indeed connected by a cable?
Do you want to have everything on one subnet so that everything is seamlessly connected?
What kind of WireGuard do you want to setup, is it a WireGuard client connect to a (commercial) VPN provider or is it as a server so that you can connect to your home from outside?
So I followed the guide, and it appears to work the same as my previous setup. I have internet, but no VPN. I did notice it mentions firewall rules for VPN, but the errors in syslog very specifically mention DNSMasq. I'm also not quite sure what the firewall rules are supposed to do here. If you want me to try them, I can, but I'm a bit wary of sending commands that I don't know how to undo if they do nothing or even break something.
Router 1 and 2 are connected by a cable, and I have all five ports plugged in, so I am using the WAN port for connectivity.
I want everything on one subnet. So I can access devices on Router 1 from Router 2.
I have a WireGuard client connecting to a commercial VPN provider. I want this for my systems that are too old for a VPN or I don't feel like needing to configure a VPN on.
Joined: 18 Mar 2014 Posts: 13880 Location: Netherlands
Posted: Wed Nov 05, 2025 16:50 Post subject:
You can setup the router as a Wireless Access Point but you have to carefully follow the instructions:
Wireless Access Point (WAP)
The WireGuard client setup guide has a paragraph about setting this up.
But this setup has a drawback as described there, i.e. normal traffic just bypasses the VPN; only clients which have their gateway set to this WAP or unbridged interfaces on the WAP (e.g. a VAP (guest wifi) to which you can also add a LAN port) are using the VPN.
If you want several clients directly connected to the VPN router using the VPN then it is sometimes easier to set that router up as a normal gateway router on its own subnet, you can use PBR to route directly connected client via the VPN or not.
There is default access by ip address from router 2 to the upstream router 1 and if you can set a static route on router 1 and that should be possible then you can also connect from router 1 to router 2 and its clients, if you opened up the firewall.
But note the access is only by IP address there is no network discovery (although that can be solved by using smcroute and mDNS).
Just take your pick what you want
Of course you can also setup WireGuard on router 1 and use PBR and setup router 2 as WAP that would be the best solution. The AC88U is not so powerful but it should do well over 100 Mb/s running WireGuard, of course you can also swap router1 and 2 so make the WRT1900ACv2 your main router.
N.B. there have been problems reported for the WRT1900 AC v1 where the iptables command is broken, just check with `iptables -vnL` if you have normal output then you are good, if you see "illegal instruction" then upgrade to the latest build from today 62540 it might be solved there
I'm not sure how to do that exactly? I want all devices on router to go through the VPN, no exception. I want the kill switch to block any non-VPN traffic to the outside internet always. I would rather no connectivity if the VPN fails for any reason.
If I understand correctly, you're saying if I set the router to another subnet, it's possible I could access devices on Router 1's subnet by tweaking the firewall? I would be fine with that, but idk how to do it.
Joined: 18 Mar 2014 Posts: 13880 Location: Netherlands
Posted: Wed Nov 05, 2025 17:24 Post subject:
K4sum1 wrote:
I'm not sure how to do that exactly? I want all devices on router to go through the VPN, no exception. I want the kill switch to block any non-VPN traffic to the outside internet always. I would rather no connectivity if the VPN fails for any reason.
If I understand correctly, you're saying if I set the router to another subnet, it's possible I could access devices on Router 1's subnet by tweaking the firewall? I would be fine with that, but idk how to do it.
In your case reset the router to default, connect its wan port to the upstream router and make sure the subnet is different from the upstream router so if the upstream subnet of router 1 is 192.168.1.1/24 set router 2 to 192.168.2.1/24.
Well I configured the router to use a different subnet for itself and DHCP, and I still get no internet. Not even the VPN server connects and it was spamming syslog.
Also why are the later builds so finicky? I've found myself needing to manually power cycle the router when changing settings like this to make the router respond.
So if I start the router with Wireguard enabled, it will never connect to the internet. If I disable Wireguard, restart the router, I get internet. I can then turn on Wireguard and it works fine.
How do I fix? (Without manually disabling Wireguard, rebooting, and enabling it)
Well the subnet is different and I can access devices on Router 1. I enabled ssh to try the iptables command, and well I'm not sure what to do. iptables -h gives me the help, but like how should I test it or is the test to make sure it does anything?
Well the thing is Wireguard is already set up, and I still have my issue from before, even without SFE. Wireguard enabled at boot = no internet, even with Wireguard disabled afterwards. Wireguard disabled at boot = internet, even with Wireguard enabled afterwards.
Joined: 18 Mar 2014 Posts: 13880 Location: Netherlands
Posted: Wed Nov 05, 2025 20:46 Post subject:
Please show the following
Start with Screenshots of WireGuard page (whole page) and Basic Setup page (whole page).
If you use anything other than plain DNSMasq for DNS resolving also report that and add a screenshot of the Service > Services page.
Show the following commands while WireGuard is active while you reboot so you will not have internet, and also after you disabled WireGuard, rebooted and enabled WireGuard so that you have internet.
Show the output of the following commands (CLI, with telnet/putty) after you attempted to make a connection:
Quote:
wg
wg showconf oet1 #if you have more tunnels then also: wg showconf oetX where X is the tunnel number
ip route show
grep -E -i 'oet|wireguard|eop' /var/log/messages
iptables -vnL FORWARD | grep oet
iptables -vnL INPUT
iptables -vnL -t nat
iptables -vnL -t raw
Was busy, so only finally getting around to this now. I took the screenshots and sent the commands. I'm not sure if this has configs that I shouldn't send publicly, so I sent you a PM with the screenshots.
Edit: I somehow sent the PM to myself, I don't know how I did that. Now I should have sent it to you.
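Added example, not part of any post in this thread: of the diagnostics requested above, `wg showconf oet1` prints the tunnel's PrivateKey and any PresharedKey in clear text, so that output should be masked before it goes into a public post. The function names and the sample config (dummy keys, documentation IP address) are constructed for illustration.

```sh
#!/bin/sh
# Added example: mask secrets in `wg showconf` output before posting it.

# Constructed sample in the format `wg showconf oet1` prints (keys are dummies).
SAMPLE='[Interface]
ListenPort = 51820
PrivateKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

[Peer]
PublicKey = BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=
PresharedKey = CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC=
AllowedIPs = 0.0.0.0/0
Endpoint = 203.0.113.10:51820'

# redact_wg [yes]: filter stdin; "yes" also hides the Endpoint host (port kept).
redact_wg() {
    awk -v mask_ep="${1:-no}" '
    {
        eq = index($0, "=")
        if (eq == 0) { print; next }          # section headers, blank lines
        key = substr($0, 1, eq - 1)
        gsub(/[ \t]/, "", key)
        lkey = tolower(key)
        if (lkey == "privatekey" || lkey == "presharedkey") {
            print key " = (redacted)"; next
        }
        if (lkey == "endpoint" && mask_ep == "yes") {
            port = $0; sub(/.*:/, "", port)   # text after the last colon
            print key " = (redacted):" port; next
        }
        print
    }'
}

# leaks_secret: exit 0 if stdin still holds a base64 private or preshared key.
leaks_secret() {
    grep -Eiq '^[[:space:]]*(PrivateKey|PresharedKey)[[:space:]]*=[[:space:]]*[A-Za-z0-9+/]{43}='
}

# On the router: wg showconf oet1 | redact_wg yes
printf '%s\n' "$SAMPLE" | redact_wg yes
```

Piping the final text through `leaks_secret` before pasting gives a quick check that no key slipped through; screenshots of the WireGuard page need the same fields blanked by hand.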
Joined: 18 Mar 2014 Posts: 13880 Location: Netherlands
Posted: Sat Nov 15, 2025 14:29 Post subject:
K4sum1 wrote:
Was busy, so only finally getting around to this now. I took the screenshots and sent the commands. I'm not sure if this has configs that I shouldn't send publicly, so I sent you a PM with the screenshots.
Edit: I somehow sent the PM to myself, I don't know how I did that. Now I should have sent it to you.