I want to route traffic from a cellphone connected to the WG server running on a GL.iNet router to the GL.iNet WG client, which is connected to a remote WG server (on OPNsense). I tried to follow a previous thread, but the UI seems to have changed.
The upstream OPNsense router has the IP 172.17.1.1 and its WG server is on 10.1.17.1/24. The GL.iNet WG server is on 10.0.0.1/24 and its IP is 192.168.8.1. The mobile client 10.0.0.2 is unable to ping the OPNsense router 172.17.1.1.
Here is the wg output on the GL.iNet router:
root@GL-MT3000:~# wg show
interface: wgclient
public key: lXpnpLab_redacted
private key: (hidden)
listening port: 33240
fwmark: 0x8000
peer: ByRy8iBBU_redacted
endpoint: opnsense_blah.com:51821
allowed ips: 0.0.0.0/0
latest handshake: 54 seconds ago
transfer: 26.39 MiB received, 2.00 MiB sent
persistent keepalive: every 25 seconds
interface: wgserver
public key: +LvU4oMi_redacted
private key: (hidden)
listening port: 51820
fwmark: 0x8000
peer: 8TPTPWm_redacted
endpoint: cellphone_public_ip:24917
allowed ips: 10.0.0.2/32
latest handshake: 27 seconds ago
transfer: 873.80 KiB received, 873.66 KiB sent
root@GL-MT3000:~# ip route
default via 99.16.100.1 dev eth0 proto static src 99.16.111.156 metric 10
10.0.0.0/24 dev wgserver proto kernel scope link src 10.0.0.1
99.16.100.0/23 dev eth0 proto static scope link metric 10
192.168.8.0/24 dev br-lan proto kernel scope link src 192.168.8.1
(I would like to ask a question here: why not let your phone connect to the OPNsense router directly through the WG VPN?)
The thread you attached is a different case: several routers establish the VPN, the WG server is GL router A, the WG clients are GL routers B + C + ..., and that case is for access between different LANs, e.g. from router A to B, or between routers B and C.
To answer your question: the connection between the phone and the WG server is quicker than between the phone and OPNsense. This is because the phone and the WG server are in one region, while OPNsense is in another region.
With the cascading option, everything gets routed to the upstream wg client. My connection has become very slow.
I don't want that. Instead, I only want the subnet 172.17.1.1/24 to get routed to the upstream wgclient; everything else should go via the wgserver through the default route.
# ip route
default via wan_redacted dev eth0 proto static src wan_redacted metric 10
10.0.0.0/24 dev wgserver proto kernel scope link src 10.0.0.1
wan_redacted/23 dev eth0 proto static scope link metric 10
192.168.8.0/24 dev br-lan proto kernel scope link src 192.168.8.1
Unfortunately, I am still unable to ping the upstream OPNsense router:
~ $ ping 172.17.1.1
PING 172.17.1.1 (172.17.1.1) 56(84) bytes of data.
From 10.0.0.1: icmp_seq=1 Destination Port Unreachable
From 10.0.0.1: icmp_seq=2 Destination Port Unreachable
From 10.0.0.1: icmp_seq=3 Destination Port Unreachable
From 10.0.0.1: icmp_seq=4 Destination Port Unreachable
I could not figure out how to get the GL WireGuard VPN config and had to install luci-proto-wireguard.
This gets really complicated in a hurry, depending on what you are trying to do.
Once you chain routers, you are designing an intranet.
Each wg hub needs two subnets: a subnet for its local network and a subnet for its wg hub.
Your wgGL needs its own subnet and then one IP from the wgPF subnet.
The phone needs one IP from the wgGL subnet.
That means the assigned IPs on wgGL should have a (say) /24 and a /32 for its one IP on the wgPF hub.
(You can skip these wg subnets, but then the wg hubs cannot "talk" to each other, which breaks DNS forwarding and dynamic routing protocols.)
You need to get the Allowed IPs correct for each step of the chain.
Generally, large subnets are sent uplink (toward wgPF) and smaller ones downlink (towards the phone).
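The "large subnets uplink, small subnets downlink" rule above, and the original poster's missing route, can be checked hop by hop with a small model of WireGuard's cryptokey routing. The block below is an added example written for this thread; it is not code from the thread, from GL.iNet or from OPNsense. It uses the thread's addresses (10.0.0.0/24 on the GL hub, 10.1.17.0/24 on the OPNsense hub, 172.17.1.0/24 behind OPNsense) and the posted `ip route` table; the GL router's address on the OPNsense hub (10.1.17.2) and the whole OPNsense-side configuration are assumptions. It models two real WireGuard rules: outbound, a packet is only handed to a peer whose AllowedIPs cover the destination; inbound, a packet from a peer is dropped unless its source lies inside that peer's AllowedIPs.

```python
"""Hop-by-hop AllowedIPs check for a chained WireGuard tunnel.

Added example (not from the thread, GL.iNet or OPNsense). Chain modelled:
phone 10.0.0.2 -> GL router (wgserver 10.0.0.1 / wgclient) -> OPNsense
(wg 10.1.17.1, LAN 172.17.1.1). Assumed: GL's address on the OPNsense hub
is 10.1.17.2; the OPNsense routes/AllowedIPs are constructed here.
"""
from ipaddress import ip_address, ip_network


class Host:
    def __init__(self, name, addrs, routes, wg):
        self.name = name
        self.addrs = {ip_address(a) for a in addrs}
        self.routes = [(ip_network(n), iface) for n, iface in routes]
        # wg = {interface: {peer_host_name: [AllowedIPs networks]}}
        self.wg = {i: {p: [ip_network(n) for n in nets] for p, nets in peers.items()}
                   for i, peers in wg.items()}

    def route(self, dst):
        """Kernel routing table: longest-prefix match, returns the egress interface."""
        hits = [(n, i) for n, i in self.routes if dst in n]
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

    def next_hop(self, dst):
        """Returns (peer_host_name or None, explanation) for a packet to dst."""
        iface = self.route(dst)
        if iface is None:
            return None, f"{self.name}: no route to {dst}"
        if iface not in self.wg:
            return None, f"{self.name}: egress {iface}, packet leaves the tunnel chain"
        for peer, nets in self.wg[iface].items():          # outbound cryptokey routing
            if any(dst in n for n in nets):
                return peer, f"{self.name}: {iface} -> {peer}, AllowedIPs cover {dst}"
        return None, f"{self.name}: no peer on {iface} has AllowedIPs covering {dst}"

    def accepts(self, peer, src):
        """Inbound check: the source must be inside the sending peer's AllowedIPs."""
        iface = next(i for i, peers in self.wg.items() if peer in peers)
        return any(src in n for n in self.wg[iface][peer])


def trace(hosts, start, src, dst):
    """Walk one packet from `start`; returns (delivered, [hop explanations])."""
    src, dst = ip_address(src), ip_address(dst)
    cur, log = hosts[start], []
    while dst not in cur.addrs:
        peer, why = cur.next_hop(dst)
        log.append(why)
        if peer is None:
            return False, log
        nxt = hosts[peer]
        if not nxt.accepts(cur.name, src):
            log.append(f"{nxt.name}: dropped, source {src} not in AllowedIPs for peer {cur.name}")
            return False, log
        cur = nxt
    log.append(f"{cur.name}: delivered")
    return True, log


def build(gl_has_route, opnsense_allows_phone_subnet):
    """Topology from the thread's addresses; the two flags are the knobs under discussion."""
    phone = Host("phone", ["10.0.0.2"], [("0.0.0.0/0", "wg0")],
                 {"wg0": {"gl": ["0.0.0.0/0"]}})
    gl_routes = [("0.0.0.0/0", "eth0"), ("10.0.0.0/24", "wgserver"),
                 ("192.168.8.0/24", "br-lan")]             # as in the posted `ip route`
    if gl_has_route:                                      # the selective cascade route
        gl_routes += [("172.17.1.0/24", "wgclient"), ("10.1.17.0/24", "wgclient")]
    gl = Host("gl", ["10.0.0.1", "192.168.8.1", "10.1.17.2"], gl_routes,
              {"wgserver": {"phone": ["10.0.0.2/32"]},
               "wgclient": {"opnsense": ["0.0.0.0/0"]}})
    allowed_gl = ["10.1.17.2/32"]                         # the /32 "uplink" entry
    opn_routes = [("172.17.1.0/24", "lan"), ("10.1.17.0/24", "wg"), ("0.0.0.0/0", "wan")]
    if opnsense_allows_phone_subnet:                      # the /24 "downlink" entry
        allowed_gl.append("10.0.0.0/24")
        opn_routes.append(("10.0.0.0/24", "wg"))          # assumed: a route installed for it
    opnsense = Host("opnsense", ["172.17.1.1", "10.1.17.1"], opn_routes,
                    {"wg": {"gl": allowed_gl}})
    return {"phone": phone, "gl": gl, "opnsense": opnsense}


def ping_works(gl_has_route, opnsense_allows_phone_subnet):
    """Echo request phone -> 172.17.1.1 and its reply; both must be delivered."""
    hosts = build(gl_has_route, opnsense_allows_phone_subnet)
    fwd_ok, log = trace(hosts, "phone", "10.0.0.2", "172.17.1.1")
    if not fwd_ok:
        return False, log
    rev_ok, rev = trace(hosts, "opnsense", "172.17.1.1", "10.0.0.2")
    return rev_ok, log + rev


if __name__ == "__main__":
    for cfg in [(False, False), (True, False), (True, True)]:
        ok, log = ping_works(*cfg)
        print(f"GL route={cfg[0]}, OPNsense allows 10.0.0.0/24={cfg[1]}: "
              + ("OK" if ok else "FAIL"))
        for line in log:
            print("   ", line)
```

Running it shows three outcomes: with the posted routing table the echo request leaves the GL router via eth0 because nothing selects wgclient for 172.17.1.0/24; with that route added it reaches OPNsense but is dropped there, because the wgGL peer on OPNsense only allows 10.1.17.2/32 and the source is 10.0.0.2; only once the downlink /24 (10.0.0.0/24) is in that peer's AllowedIPs does the reply come back. The alternative to the extra AllowedIPs entry is to masquerade phone traffic onto wgclient so OPNsense sees 10.1.17.2 as the source, at the cost of OPNsense not seeing the phone's address. Note that the real GL router uses fwmark 0x8000 (visible in the `wg show` output) for policy routing, so the main table shown by `ip route` is not the whole picture; `ip rule` and `ip route show table all` show the tables actually consulted.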