Posted: Mon Mar 31, 2025 18:55 Post subject: [solved] Wireguard Client on 2nd rtr/subnet behind Gtwy rtr
Hello,
I’m having trouble setting up a wireguard client on a 2nd router on a different subnet from my main/gateway router. I suspect this may be an iptables issue (likely an omission on my part) since I’m a network beginner, but I’m not sure and my searches on the forum don't appear (to me atleast) to address my issue.
My wireguard server is running on a VPS (Vultr hosted) and when I connect my router that is running the WG client directly to the internet (as a gateway router), everything works fine over WG. But when I add my primary router to the configuration and move my router that is running WG client to a different subnet, I am no longer able to even get a handshake from the WG server.
I am looking at the sticky DD-WRT Wireguard client setup guide (https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324624) and the post about configuring a secondary DD-WRT router for the networking config (https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1265434) but I’m not seeing the fix to my problem. Any pointers to relevant threads or direct feedback based on my configs below would be greatly appreciated. Thanks in advance for any help.
This is a crude network diagram of my config:
RTR B (WG client) <---> RTR A (Gateway) <---> Internet <---> VPS running WG server
Router B
----------------------------
Asus RT-AC5300
DD-WRT v3.0-r58881
WAN port – static ip address 10.1.30.2/24
WAN gateway 10.1.30.1
WAN port physically connected to RTR A LAN port
LAN IP address: 10.1.50.1
LAN & WLAN subnet 10.1.50.0/24
Operating mode: Router (also tried Gateway)
SPI Firewall disabled
firewall rules: none added
Desired Behavior of RTR B: All LAN & WLAN connections funneled through WG
Router A:
-------------------------------
Asus RT-AC3100
DD-WRT v3.0-r58881
WAN port address – DHCP from ISP
LAN IP address: 10.1.30.1/24
LAN & WLAN subnet: 10.1.30.0/24
Operating mode: Gateway
SPI Firewall Enabled
Firewall rules:
iptables –t nat –A POSTROUTING –o ‘get_wanface’ –j MASQUERADE
iptables –I FORWARD –s 10.1.0.0/16 –j ACCEPT
Static route: destination 10.1.50.0/24
Static route: gateway addr 10.1.30.2
Desired Behavior of RTR A: ALL LAN @ WLAN connections sent direct to internet
Last edited by pm8587y on Wed Apr 02, 2025 19:07; edited 1 time in total
Joined: 16 Nov 2015 Posts: 6899 Location: UK, London, just across the river..
Posted: Tue Apr 01, 2025 9:24 Post subject:
59881 was build pulled out, bad build...the next to it is 59887...after build 60121/60137 firewall behaves different last build is 6523 probably new build is coming...
in general WG guide is here ---> https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327397 _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 58184 WAP
TP-Link WR1043NDv2 -DD-WRT 61848 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 61915 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x2VLAN,Vanilla
Netgear R7800 --DD-WRT 61915 Gateway/DNSCryptv2,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 61848 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Dynalink DL-WRX36-DDWRT 61745
Broadcom
Netgear R7000 --DD-WRT 61745 Gateway/DNScrypt-proxy2/AD-Block,IPset Firewall,Forced DNS,x4VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
