[SOLVED]Add a second Wireguard tunnel to access LAN remotely

JMuller
DD-WRT Novice


Joined: 06 Jan 2022
Posts: 18

PostPosted: Tue Jan 17, 2023 13:20    Post subject: [SOLVED] Add a second WireGuard tunnel to access LAN remotely
Hi!

I have a Netgear R7000 (DD-WRT 51288) with a WireGuard tunnel set up to my VPN provider (no other changes to the network). I would like to add a second WireGuard tunnel to be able to access my local network remotely.

I went through the Wireguard advanced guide and I believe page 20 (One Server, One client Two Tunnels, Policy Based Routing, https://forum.dd-wrt.com/phpBB2/download.php?id=46090) matches my situation best. Is this correct?


Last edited by JMuller on Tue Jan 17, 2023 13:28; edited 1 time in total
foz111
DD-WRT Guru


Joined: 01 Oct 2017
Posts: 704
Location: Earth

PostPosted: Tue Jan 17, 2023 13:26    Post subject:
Have a look at the tutorial here:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=322206

_________________
Netgear R7800 PPPoE Main Router
Network IPV4 - Isolated Vlan's with IoT Devices. Unifi AC-Pro x 3 AP's, Router Wi-Fi Disabled. OVPN Server With Paid Commercial Wireguard Client's. Gateway Mode, DNSMasq, Static Leases & DHCP, Pi-Hole DNS & Running Unbound.

No one can build you the bridge on which you, and only you, must cross the river of life!
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Tue Jan 17, 2023 15:36    Post subject:
That documentation is a bit outdated :(

One Server, One client Two Tunnels, Policy Based Routing

This setup describes one tunnel setup to a commercial VPN provider and one tunnel setup as a server so that you can access your network from the internet.

First tunnel
Set this tunnel up like a standard WireGuard client using the WireGuard Client setup guide
Test the tunnel.

Second tunnel
Set this tunnel up as a standard WireGuard server using the WireGuard server setup guide.
Disable the first tunnel (no worries, your settings are retained) and test if you can reach your WireGuard server.

Note: the Listen Port of both tunnels should be different

Policy Based routing
The problem with both tunnels active is that traffic coming in via the WAN with destination your WG server will be routed out via the WG client to your VPN provider and the firewall will not allow that.

So we have to use Policy Based Routing on the WG client to make sure traffic for the WG server is going out via the WAN.

Depending on your needs you can choose:
Source Routing (PBR): Routed Selected sources via the VPN
Under Selected sources you can just enter your whole network e.g. 192.168.1.0/24
Source for PBR: <subnet>
See the WG Client setup guide for some explanation.

Alternatively you can only route the port of the WG server via the WAN:
Source Routing (PBR): Routed Selected sources via the WAN
Source for PBR: sport <Listen-port-of-WG-server>

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
JMuller
DD-WRT Novice


Joined: 06 Jan 2022
Posts: 18

PostPosted: Tue Jan 17, 2023 20:38    Post subject:
egc wrote:
That documentation is a bit outdated :(

One Server, One client Two Tunnels, Policy Based Routing

This setup describes one tunnel setup to a commercial VPN provider and one tunnel setup as a server so that you can access your network from the internet.

First tunnel
Set this tunnel up like a standard WireGuard client using the WireGuard Client setup guide
Test the tunnel.

...


Thank you so much for this, I will give it a try soon. Even outdated, these guides have been really nice to learn about what is possible to do.
JMuller
DD-WRT Novice


Joined: 06 Jan 2022
Posts: 18

PostPosted: Wed Jan 25, 2023 17:48    Post subject:
egc wrote:
That documentation is a bit outdated :(

One Server, One client Two Tunnels, Policy Based Routing

This setup describes one tunnel setup to a commercial VPN provider and one tunnel setup as a server so that you can access your network from the internet.

First tunnel
Set this tunnel up like a standard WireGuard client using the WireGuard Client setup guide
Test the tunnel.

Second tunnel
Set this tunnel up as a standard WireGuard server using the WireGuard server setup guide.
Disable the first tunnel (no worries, your settings are retained) and test if you can reach your WireGuard server.

Note: the Listen Port of both tunnels should be different

Policy Based routing
The problem with both tunnels active is that traffic coming in via the WAN with destination your WG server will be routed out via the WG client to your VPN provider and the firewall will not allow that.

So we have to use Policy Based Routing on the WG client to make sure traffic for the WG server is going out via the WAN.

Depending on your needs you can choose:
Source Routing (PBR): Routed Selected sources via the VPN
Under Selected sources you can just enter your whole network e.g. 192.168.1.0/24
Source for PBR: <subnet>
See the WG Client setup guide for some explanation.

Alternatively you can only route the port of the WG server via the WAN:
Source Routing (PBR): Routed Selected sources via the WAN
Source for PBR: sport <Listen-port-of-WG-server>


I followed your instructions, both here and in the WireGuard Server guide. This is my setup:

1. Telekom modem with DDNS (No-IP) configured. I've also configured a forwarding of port 51810 to the DD WRT router downstream.
2. The DD WRT router running the Wireguard tunnel (as showcased in the screenshots)
3. My phone (connected to a 4G network) running a Wireguard client

The connection seems to be established (I can see the endpoint in the DD-WRT UI); however, I cannot seem to ping anything in my LAN (I've tried 10.4.0.1 and 192.168.3.1). How do I actually contact my LAN devices once the tunnel is running? Do I need to set up further port forwardings?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Wed Jan 25, 2023 18:01    Post subject:
It looks like you have your phone set up in both tunnels.

The phone should only be set up in the Server tunnel.

Please show screenshots of the whole tunnel pages.

Edit: or, if this is just the server tunnel, then you have set up the PBR on the wrong tunnel.

PBR should be on the client tunnel.

JMuller
DD-WRT Novice


Joined: 06 Jan 2022
Posts: 18

PostPosted: Thu Jan 26, 2023 19:11    Post subject:
egc wrote:
It looks like you have your phone set up in both tunnels.

The phone should only be set up in the Server tunnel.

Please show screenshots of the whole tunnel pages.

Edit: or, if this is just the server tunnel, then you have set up the PBR on the wrong tunnel.

PBR should be on the client tunnel.


Indeed, I set up the PBR on the server tunnel, my bad. I've changed it (I've uploaded screenshots in case anyone looks at this thread to reproduce it later); I can now ping devices on my LAN from my phone, and the client tunnel still seems to be working fine. Never thought I'd see the moment where I could have such a setup, so thank you very much.

One thing was worrying me with the PBR, probably because I don't quite understand what it does. I've set up your second option on the client (route the port of the WG server via the WAN). Does this mean that WireGuard connections to the server tunnel are directed to the WAN instead of my VPN provider? Or are they directed to the client VPN tunnel? Is there a risk of my public IP leaking?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Thu Jan 26, 2023 20:04    Post subject:
Great to hear you made it work.

You are right that, the way you have set up everything, traffic is going via the client's VPN tunnel, except traffic with source port 51810, which is traffic from your WG server.
Traffic from the server is going in via the WAN and thus also has to go out via the WAN.

About leaks, always check with ipleak.net or similar websites.

Furthermore, to make sure, you can enable the kill switch on the WG *client* for extra security.
This adds a firewall rule to prevent traffic going out of the WAN, making an exception for port 51820 of course.

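As an added example that is not part of this thread and not DD-WRT's own code, the following Python models the routing decision egc describes in his PBR post and the kill-switch behaviour in his last post: without PBR the WG client's default route swallows the WG server's replies, either PBR variant sends them out via the WAN, and the client-side kill switch drops anything else that would leave via the WAN if the provider tunnel goes down. The LAN 192.168.3.0/24, the WAN address 203.0.113.10 and the listen port 51810 are constructed from the thread's values; how DD-WRT builds its rules internally is not shown here.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed values, assumed from the thread: the LAN the phone pings into,
# the router's own WAN address, and the WG server's listen/forwarded port.
LAN = ip_network("192.168.3.0/24")
WAN_IP = "203.0.113.10"
WG_SERVER_PORT = 51810

@dataclass
class Packet:
    src: str    # source address when the router picks an egress (pre-NAT)
    sport: int
    dst: str
    dport: int

def egress(pkt, pbr=None, vpn_up=True):
    """Return the egress the router would choose: 'vpn' or 'wan'.

    pbr=None         no PBR: the WG client's default route wins for everything
    ('subnet', net)  "Route selected sources via the VPN" with that subnet
    ('sport', port)  "Route selected sources via the WAN" with sport <port>
    """
    if pbr is None:
        via_vpn = True
    elif pbr[0] == "subnet":
        # Router-originated traffic (the WG server's replies) is not in the LAN.
        via_vpn = ip_address(pkt.src) in pbr[1]
    elif pbr[0] == "sport":
        # Only traffic sourced from the WG server's port leaves by the WAN.
        via_vpn = pkt.sport != pbr[1]
    else:
        raise ValueError(f"unknown PBR mode {pbr[0]!r}")
    # If the provider tunnel is down, the kernel falls back to the WAN default route.
    return "vpn" if via_vpn and vpn_up else "wan"

def killswitch_allows(pkt, out_if):
    """WG *client* kill switch: no WAN egress except the WG server's own port."""
    return out_if != "wan" or pkt.sport == WG_SERVER_PORT

def forwarded(pkt, pbr=None, vpn_up=True):
    """Where a packet ends up with PBR and the kill switch both applied."""
    out_if = egress(pkt, pbr, vpn_up)
    return out_if if killswitch_allows(pkt, out_if) else "dropped"

# Constructed sample packets: a LAN host browsing, and the WG server answering the phone.
LAN_HOST = Packet("192.168.3.20", 40000, "1.1.1.1", 443)
WG_REPLY = Packet(WAN_IP, WG_SERVER_PORT, "198.51.100.7", 50000)
```

Running `forwarded(LAN_HOST, ("sport", WG_SERVER_PORT), vpn_up=False)` returns `"dropped"`, which is the leak the kill switch exists to prevent; the same call for `WG_REPLY` still returns `"wan"`, so the server stays reachable.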