1) In house 1 I have the isp router, lan connected to the linksys wrt3200acm device flashed with the latest version of DDWRT.
2) In house 2 I have the isp router, lan connected to another linsys wrt3200acm device flashed with the latest version of DDWRT.
3) the devices connected to the isp device of house one, should not be connected to the tunnel
4) the devices connected to the DDWRT router of house1 should be connected to the tunnel
5) the DNS of house 2 is managed by a pihole
6) the DHCP server of the tunneled network is on the isp router of house 2
7) the DHCP server the non tunneled network is on the isp router of house 1
8 ) wireguard server is already setup and works from my mobile using data
Basically the goal is to have some devices in house 1 tunneling the traffic to house 2, so everywhere would house 1 be, nobody will be able to recognise the physical location using network information, as the ip and the dns will always only be related with house 2.
Since I will try to set this up next weekend and I won't have much time to debug, I have a couple of questions regarding the setup.
This is how I am going to setup wireguard:
So these are the questions:
1) does this look correct to you?
2) will killswitch on client work with this setup? I read some stuff about PBR related with killswitch, but I am not going to use PBR, I want to prevent ANY device connected to the DDWRT router in house 1 to send any single package without being connected to the tunnel, like if for any reason the wg server drops.
3) in allowed IP in the server I added the first ip following the guide equal to the value of the client CIDR, but why this mask 32 instead of 24?
4) in allowed IP of the server I added the 2 routers address from house 1,so I'll be able to access both the isp and the ddwrt routers in house 1, is this correct?
5) I read the part about NAS and routing, could you please guys elaborate a bit on the part "In this example we did not enable NAT on the client. If you do want the client to have internet access via the server you have to NAT traffic for the client out of the Servers WAN interface". with my setup on my mobile, NAT is not enabled and I didn't use that part of code, still my internet comes from the server, when I am using data with my mobile, not wifi, and I enable the tunnel, if I go to www.whatismyip.com I see the same IP of my laptop, connected to lan.
Many thanks everybody and sorry for the noob questions, hope the explanation is enough (I spent a serious amount of time drawing the diagram ).
Joined: 18 Mar 2014 Posts: 12873 Location: Netherlands
Posted: Thu Apr 07, 2022 9:13 Post subject:
So many questions so little time
I would not use the pi-Hole to start with as DNS server just use something like 9.9.9.9, if it all works then swap that for the pi-Hole (it should work though as there is a local route upstream to your pi-Hole which takes precedence)
Allowed IP's are wrong it should be 192.168.2.0/24, 192.168.1.0/24 (note the 0)
Killswitch should work, in the client setup guide is shown how to test it, it also works when using PBR.
Regarding internet and no NAT, you have to add the following rule to the "server" side (Administration/Commands Save as Firewall) to allow the clients subnet to NAT out via the WAN:
All clients NAT the traffic so also your Mobile client, that is necessary as you do not know the subnet from the mobile as that is a roaming client. That is why it normally works (by default there is an iptables rule in place to NAT the tunnels traffic (10.4.0.0) out on to the WAN
Story of my life but thank you very much, and I really mean it, for taking the time to help us noob out.
egc wrote:
I would not use the pi-Hole to start with as DNS server just use something like 9.9.9.9, if it all works then swap that for the pi-Hole (it should work though as there is a local route upstream to your pi-Hole which takes precedence)
I am actually quite confident on the pihole as the setup works with my mobile, I don't necessarily see a reason to fail on dd-wrt, anyways I'll surely take this as first debug option to change.
egc wrote:
Allowed IP's are wrong it should be 192.168.2.0/24, 192.168.1.0/24 (note the 0)
Simply brilliant, now it makes much more sense allowing the full network.
egc wrote:
Killswitch should work, in the client setup guide is shown how to test it, it also works when using PBR.
I might have lost this part of the guide, I will take a look at it, thank you.
egc wrote:
Regarding internet and no NAT, you have to add the following rule to the "server" side (Administration/Commands Save as Firewall) to allow the clients subnet to NAT out via the WAN:
All clients NAT the traffic so also your Mobile client, that is necessary as you do not know the subnet from the mobile as that is a roaming client. That is why it normally works (by default there is an iptables rule in place to NAT the tunnels traffic (10.4.0.0) out on to the WAN
I have to admit I'm still struggling to understand the concept here, but this part that on my mobile works as it is defaulted like that, whole on the ddwrt router used as client it might not work due to stuff not defaulted. I'll add this part.
egc wrote:
On the client side as you want to reach the ISP router on the client side from the server side you also have to NAT the traffic of the server side (or set a static route on the ISP router)
Here do you mean
- setting static routes from ISP router 1 to ISP router 2 and from ISP router 1 to ddwrt router 2? So client side to server side
- or setting static routes from ISP router 2 to ISP router 1 and from ISP router 2 to ddwrt router 1? So client side to server side
Also, do you know something about
3) in allowed IP in the server I added the first ip following the guide equal to the value of the client CIDR, but why this mask 32 instead of 24?
Joined: 18 Mar 2014 Posts: 12873 Location: Netherlands
Posted: Thu Apr 07, 2022 18:02 Post subject:
As it is a fairly elaborate setup it is prudent to start with settings you know which will work, hence I advise to start with 9.9.9.9 as DNS, maybe the pi-Hole cannot be reached maybe it does not listen on a particular interface, all things which can go wrong and if a simple setup works then work your way up to more difficult things
Packets coming from the server side going to the client side are also not NATted so those packets have a source of 192.168.4.0/24 if they have a destination of the client sides ISP router i.e. 192.168.1.1 to go out via the clients WAN interface to the ISP router but are not NATted (as only the clients own subnet 192.168.2.0/24 is NAtted.
The packets arrive at the ISP router but that router does not know where 192.168.4.0/24 is.
So you can do two things
1 NAT traffic of subnet 192.168.4.0/24 out via the WAN of the client (as then they will have a source of 192.168.1.101):
iptables -t nat -I POSTROUTING -s 192.168.4.0/24 -o $(get_wanface) -j MASQUERADE
2. Set a static route on the ISP router:
ip route add 192.168.4.0/24 via 192.168.1.101
So that the ISP router knows where to return packets of 192.168.4.0/24 to
In this case the firewall should also allow those incoming packets, so option 1 is the easier one.
I setup everything, internet works in house 1, the ip is the one assigned from ISP2, the main dns is the cloudfare used as base for the PiHole, PiHole (located in house2) recognised and processed the requests coming from house1.
killswitch is on and I "tested" it by changing the values of the allowed IPs and I had no internet, as suggested in the client setup guide.
Unfortunately I tested for dnsleaks at this website whoer.net/dns-leak-test and this website dnsleak.com and I found out that there are dns leaks happening, the first one is always the one from house2, but still I have entries from the isp of house1, the tunnel is leaking.
The same is not happening when I use the tunnel with my android device, so it's surely something in this ddwrt as client setup, any idea?
Ignoring the wan DNS from the setup page just breaks everything.
I had no static dns set, all of them were set to 0.0.0.0 to use the isp router as dns server, so ignoring the wan dns made impossible to resolve the ddns used in the tunnel config.
I now set ignore wan dns and static dns 1 to 1.1.1.1 (cloudfare) and it works. I also checked force dns redirection, even though I doubt it has any effect due to the ignore wan dns checked.
).