Connect router with wireguard and share connection over Wifi?

Hello to all people.
Disclaimer: I have limited knowledge, so any mistakes or unknown words, please bear in mind.

Scenario:
I want to connect to my house from another country and take the specific IP, and also share the connection for 1 more person to be able to log in from his laptop over WiFi.

Steps so far that have been made:
Installed a mini-PC directly to my router, with Ubuntu 20.04 and PiVPN + WireGuard.
(Even though it breaks after a restart and needs MASQUERADE, FORWARD, INPUT to be fixed with pivpn -d, but after that it works.)

Steps further?
I have managed to create the config profile, and went to another place / coffee shop, and with the WireGuard client and importing the config file, I was able to log in to the home server and take the IP from there.
(Happy about it).

BUT!

Here is the tricky part: I want to share this connection and broadcast a new SSID for another laptop or phone to be able to log in, but so far I didn’t find any solution.

So what router should I buy to do this job? I saw GLiNet routers support WireGuard. Will the “Opal (GL-SFT1200) Gigabit Wireless Router | AC1200 | OpenWrt | VPN | IPv6” do the job and be able to be used as an “Access point” that will connect straight to my home server even if I am in another country, and be able to share the connection over WiFi as well for other machines to be able to log in?

(At home I have 1gbps upload and a public IP, without CGNAT or anything, so I am pretty sure that I am covered on upload.)

Thanks to anyone that will try and help me out.

By default w/ the GL GUI all connected devices on the Private LAN will use your WireGuard Client connection (per allowed_ips '0.0.0.0/0').

Multiple SSIDs aren’t supported in GL’s GUI by default so it would require some work in LuCI, the web based admin for OpenWrt. It may be far easier to simply allow the Guest SSID to use your WG Client connection as less settings with LuCI would be needed. Would that be sufficient?

Either way you’ll probably have to install LuCI via GL GUI → System → Advanced Settings.

If you’re looking to maximize WG speed, hold tight until the Flint 2 (MT6000) hits the shelves. 900 Mbps WG. If you’re travelling, look @ the Slate AX (AXT1800) (550 Mbps) or Beryl AX (MT3000) (300 Mbps) if you only need one Ethernet port for the LAN.

First of all, thank you so much for the detailed explanation. You did more than I asked for :slight_smile:

Now, to provide even further details: the company laptop is locked from everywhere, we cannot do anything to it, only connect it to the internet via WiFi, but it accepts only the IP of my house because it’s signed on me.

That’s why, when I work from another place, I want to take my router or whatever is needed with me, broadcast the WireGuard connection of my house, and then create an SSID for the “company laptop” to connect to and have internet.
If you get what I mean?

No, I just need a “router” that will connect to my home and broadcast a WiFi, so 2 laptops can connect through it and gain the HOME IP.

I think I explained it as much as I can…

Yeah, I’m picking up on what you’re putting down. I call such scenarios ‘Clandestine Remote Working’ (… even if it’s authorized by your employer). It’s a not uncommon goal for some w/ GL devices.

Okay, so really there’s two goals here:

  • WireGuard to/from your ‘home base’ IP
  • A custom SSID for Wi-Fi within your Private LAN at the remote location (‘WG Client’ device)
    • I think this could easiest be accomplished by renaming the Guest SSID
      • GL GUI → Wireless → {5/2.4GHz} Guest Wifi → Wi-Fi Name (SSID)

Now, I haven’t finished my coffee quite yet but here’s what yer gonna need:

Home Base Device/Network

  • Ensure you’re not behind a CG-NAT (your ISP would know).
  • If your ISP provided modem features a ‘bridged mode’ to set the modem as just a modem (eg: no Wi-Fi capabilities), use it. Keep the modem as a modem as other supposed ‘features’ cause more trouble than they’re worth.
  • Open a port to forward incoming Internet requests to the default WG connectivity port of 51820 to whatever device IP is going to act as the WG Server.
  • Presuming the WG Server device is a GL router, set up
    • Dynamic DNS to map your possibly changing public/Internet IP
      • GL already provides this capability via GL GUI → Application → Dynamic DNS
  • Set up either WG Server → WG Client or WG LAN to LAN VPN (Site-2-Site)
    • Follow setup by using the defaults at this point.
    • I prefer the former for simplicity while the latter may be just as useful.
      • The former can also allow more flexibility for routing specific devices thru the VPN via ‘VPN Policies’ but that’s a bit off topic at this point.

Remote Location Device

  • Ensure WG Client uses an endpoint address of the GL GUI’s DDNS and not an IP. You’ll see what I mean in the configuration settings for WG Client.

(At this point I realize I’m just summarizing what’s already in the docs so I’m going to stop. The coffee must be finally kicking in.)

Opal is fine if you’re looking for an inexpensive device. So is mango, probably. If you’re looking for more performance, Slate AX is never wrong, and Beryl AX is slightly more powerful but less versatile.

For WG the Slate AX outperforms Beryl AX (550 v 300 Mbps) per the advertised specs. A 2.5 Gb WAN port on the Beryl AX is pointless for a travel router & all the more less impressive now given the upcoming Flint 2 (MT6000)'s dual 2.5 Gb WAN/LAN ports… & 900 Mbps over WG.

OP said he didn’t have cgnat and had a public IP, so this could be edited down a lot.

But I’m disinclined to help someone get fired.

I know what I am getting myself into, and I am fully aware of it. I am not going to point fingers that someone helped me to do it. I need a temporary solution for it, until I “do” what I have to do. So I am fully aware of it. Thanks for the comment either way.

Hey, thanks for the comment man and the “suggestions”, but I didn’t have time to log in today. I already bought the “Slate Plus (GL-A1300)”, which had a discount and free shipping in my country, so I am waiting for it :slight_smile:

@bring.fringe18
Jesus Christ.
You made all this just for me, thanks a lot man. That’s the “strong” side of joining a community. So for sure I will support the community further.
I bought this today: Slate Plus (GL-A1300)

To tell you the truth, I am not behind CG-NAT, fully public, and I have already done all the rest of the steps with a VM just to try it out.

As I said in the 1st post, I managed to connect my phone and share the connection (data) from the phone but with WireGuard enabled, and the company laptop took the IP of the home and NOT the phone data (cellular IP).
So for sure that way it works.

I don’t know if, with the router I have ordered, I will manage to set the router as a client so that the router then shares the WiFi with the laptop, so it can have the specific IP… I am in the middle of that because I still have a problem with pivpn -d where I can’t figure out the command line…

So I will wait and post an update when I receive the new router.

Plus I will read everything you attached…

You shouldn’t have much trouble there. Your employer should ultimately see your ‘home base’ IP. That’s handled by your chosen ‘VPN Policy’ I alluded to.

Once you get your Slate Plus, there’ll be the option within the GL GUI → VPN Dashboard → VPN Client → Global Proxy to force all connected device MACs thru the VPN. Set a ‘kill switch’ via Global Options.

ipleak.net is a very handy website to test/confirm results.

I’d update the firmware before setup & deploying. See the bottom of the Slate Plus’s product page, firmware &/or GL GUI → System → Upgrade.

@bring.fringe18

Okay, good to know as well. I didn’t know that I can force all connections to be from the router itself.
That’s great!
About my employer and my IP, that is the point: in the end I will be able to achieve the digital nomad fully, with this employer or the next one. But for now, I have some other troubles due to summer, with them not easily giving vacations, not even for weekends; if you’ve been there you will understand. So I just want to blow off a little steam … I am just having a discussion now … I’m also sure that I’m not the only one out there, as you said about the “remote work”.

Now, about ipleak.net: it will be fully tested.
I also saw this site / thread topic that you mentioned to me:
Building a Site-2-Site network manually using two GL.iNet routers(SDK 4.X)

Which I believe is great as well. In the future I can buy another router and put it on the 2nd internet line I have, so I can use one or the other and have full redundancy. :smiley:

I get it; you’re doing ‘recon’ right now. Heh; what you do w/ your tech is your business. That said be aware I’m not sure how the S2S HOW-TO performs when it comes to VPN Policies. I’ve not used that particular guide as the WG Server → WG Client defaults are rather straightforward IMO.

I’d really keep an eye out for the Flint 2 in your case though another Slate Plus as the WG Server wouldn’t be a bad choice. Out of the box these GL devices support ‘Multi-WAN’ (GL GUI → Network). You can set Failover or Load Balancing.

Granted you could probably do this all through your existing tech stack but I think you’ll first enjoy, then become spoiled by all the work GL did in their GL GUI… nevermind the raw power provided by OpenWrt Linux’s LuCI admin web interface & the CLI via SSH.

He did; I try writing responses keeping in mind others may stumble upon this thread in the future that may not be aware of such potential roadblock(s).

OP already presents the technical aptitude to set up such a scenario; I’m just cutting out some required research time. He can roll the bones as he sees fit.

@bring.fringe18

Yeah, I was just making an extra comment on the reason that I will use it for. Of course I understand what I am doing.

On the other hand, about what you said: I already saved the “Flint 2” just in case for future use :slight_smile: But for the time being, I believe I am covered (as soon as I receive the router) and can finally make it work :slight_smile:

@bring.fringe18 You are a legend.

I managed to make it happen, thank you for the tools, instructions, discussions, everything. It works like a charm; I tried it in many different places. Even though I get really limited speed, at least my IP is shown as if I’m at home, and nothing is shown. All my devices are working and I can access them without any problem.

The only situation is that, as I said, I have 1gbps upload, optic fibre, and wherever I am I can’t get more than 20-30mbps (download), even though my gl-inet router supports up to 170mbps (with ethernet cable plugged into the device) (WireGuard also…), but the limit is really down at 20-30mbps (upload, download).

Do you have any hints on that?

Updated to the latest firmware also.

I’m writing all this presuming Ethernet as the sole connectivity/cabling for all connected devices. Adding Wi-Fi can only complicate things for the negative.

  • So your ‘home base’ IP is capable of 1 Gbps download and upload?
    • If so what kind of WG performance do you get going Ubuntu miniPC → WG Client on your PC?
      • Try no WG running on GL device to have it act as a plain ol’router
      • Try directly connecting miniPC to your PC if able (most, if not all network cards support auto-sensing for crossover but you’ll still need to set static IPs)
      • I am curious to know if the miniPC may be the chokepoint
  • Do you have a VPN Provider that supports WG you can test? Eg: Surfshark gives me WG at near line rate (minus 5 Mbps).

That’s all I got until the caffeine takes effect.

@bring.fringe18

Yes, I tried all those.
No, the miniPC cannot be the bottleneck, because it’s too “good” for what it has to do; its sole purpose is to have PiVPN + Ubuntu 20.04, on NVMe, 16gb RAM etc.

Yes, by itself alone it can get 1gbps down / 1gbps up.

Yes, my ISP provides 1gbps down and 1gbps up as well.

To tell you the truth, I don’t have any other VPN service like NordVPN etc.; that’s it.

It doesn’t even make a difference if I plug it in via ethernet. I mean: ethernet cable > my glinet router > and the glinet router straight via ethernet to the WAN port of another ISP router in another house. So even though it takes the IP and all is good, the speed is really limited.

I opened a ticket with GL-INET and hope for the best.

Do post the outcome, please. I’d be quite interested to know what happened.