[SOLVED]Wireguard setup on 2nd router as WAP

newnews
DD-WRT User


Joined: 14 Feb 2010
Posts: 86

PostPosted: Sun Feb 07, 2021 4:54    Post subject: [SOLVED] Wireguard setup on 2nd router as WAP
Hi,

I want to set up a WireGuard VPN server on the 2nd router, a Linksys E2000. The main router connects to the internet and the 2nd router connects to the main one over a wired connection as a network repeater. DHCP/firewall is off on the 2nd router. What I did:
1. installed the latest build 45690
2. enabled Tunnel/WireGuard and configured it, see attached snapshot
3. on the main router, set up port forwarding of 51820 to the 2nd router and opened 51820 in the firewall
4. scanned the QR code with the WireGuard app on an Android phone
5. changed the endpoint address on the Android phone to my home public IP address

However, when I enable the WireGuard VPN on my phone, I am not able to connect to the home router. The log shows that no handshake is received.

Anything incorrect in the setup? Thanks
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12917
Location: Netherlands

PostPosted: Sun Feb 07, 2021 14:11    Post subject:
As this question is not router specific, it can better be dealt with in the Advanced Networking forum (I will transfer this).

To get the best out of DD-WRT and the forum, read the forum guidelines with helpful pointers:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087

It looks like you have set up this router as a WAP (Wireless Access Point).
Make sure you have set it up correctly: WAN disabled, DHCP off, and Local IP and Gateway set to the primary router. https://wiki.dd-wrt.com/wiki/index.php/Wireless_access_point

WireGuard has several guides which apply to your situation, the Server setup guide and the Advanced Setup guide which has a paragraph about using WG on a WAP.
See:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327397
which is a sticky in the Advanced Networking forum

Some key points:
Set up as a server, e.g. disable CVE mitigation (although when implementing the next point you can actually leave it on, but that is for the extreme advanced setup guide).
Add to the WAP (Administration/Commands, save as Firewall):
Code:
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)

(Alternatively set a static route on the primary router)

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087


Last edited by egc on Tue Feb 09, 2021 12:00; edited 1 time in total
newnews
DD-WRT User


Joined: 14 Feb 2010
Posts: 86

PostPosted: Tue Feb 09, 2021 11:34    Post subject:
Hi egc:

Thanks for your prompt reply. I have the firewall turned off on the 2nd router. Do I still need to add the command to the firewall? Or is this rule to be installed on the main router?

B/R
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12917
Location: Netherlands

PostPosted: Tue Feb 09, 2021 12:04    Post subject:
You have to add this rule on your WAP so that the traffic coming out of the WG server is NATted onto the local subnet, so that it can reach your primary router and back.

This is a universal rule which is needed on a WAP if you deal with other subnets on the WAP, like an unbridged VAP or a WG server.

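An added example (shell, not code from the thread or from DD-WRT) that puts egc's two alternatives side by side, narrows the SNAT rule to the tunnel subnet, and checks whether the rule is already installed before the firewall script adds it again. The WAP LAN IP and the WireGuard tunnel subnet are constructed sample values, not taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: the two ways egc describes to make
# replies reach WireGuard peers behind a WAP, plus a check for the SNAT rule.
# Why it is needed: peers get tunnel addresses the primary router has never
# heard of, so without help it sends replies to its default gateway instead
# of back to the WAP.
# Constructed sample values; the tunnel subnet is an assumption, not from the thread.
WAP_LAN_IP="192.168.1.2"      # what `nvram get lan_ipaddr` returns on the WAP
WG_SUBNET="10.10.10.0/24"     # WireGuard tunnel subnet (assumed)

# Option 1 (WAP firewall script): SNAT tunnel traffic leaving br0 to the WAP's
# LAN IP. The thread's rule matches all br0 egress; the -s match here narrows it
# to the tunnel subnet so ordinary LAN traffic through the WAP is left untouched.
wap_snat_rule() {
    printf 'iptables -t nat -I POSTROUTING -s %s -o br0 -j SNAT --to-source %s\n' \
        "$WG_SUBNET" "$WAP_LAN_IP"
}

# Option 2 (primary router): a static route for the tunnel subnet via the WAP,
# so no NAT is required and peer addresses stay visible in the primary's logs.
primary_static_route() {
    printf 'ip route add %s via %s\n' "$WG_SUBNET" "$WAP_LAN_IP"
}

# DD-WRT re-runs the firewall script on every restart and -I would stack
# duplicates, so check first. $1 is the output of `iptables -t nat -S POSTROUTING`
# (assumes an iptables that supports -S). Returns 0 if the rule is present.
snat_rule_present() {
    printf '%s\n' "$1" | grep -qF -e \
        "-A POSTROUTING -s $WG_SUBNET -o br0 -j SNAT --to-source $WAP_LAN_IP"
}

# Constructed sample of `iptables -t nat -S POSTROUTING` after the rule was added.
SAMPLE_NAT_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.10.10.0/24 -o br0 -j SNAT --to-source 192.168.1.2'

# Usage: print both options and report whether the sample already has the rule.
wap_snat_rule
primary_static_route
if snat_rule_present "$SAMPLE_NAT_RULES"; then
    echo "SNAT rule already present, nothing to add"
else
    echo "SNAT rule missing, add it with the command above"
fi
```

On the WAP, replace the sample with the live output of `iptables -t nat -S POSTROUTING` and only run the `-I` command when the check reports the rule missing.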
newnews
DD-WRT User


Joined: 14 Feb 2010
Posts: 86

PostPosted: Sun Feb 14, 2021 8:45    Post subject:
egc wrote:
You have to add this rule on your WAP so that the traffic coming out of the WG server is NATted onto the local subnet, so that it can reach your primary router and back.

This is a universal rule which is needed on a WAP if you deal with other subnets on the WAP, like an unbridged VAP or a WG server.

Thank you. It is working now.