Forward traffic from WG Server to WG client

Hello,

I want to route traffic from a cellphone connected to the WG server running on a GL.inet router to the GL.inet WG client connected to a remote WG server (on opnsense). I tried to follow a previous thread but the UI seems to have changed.

Here are the relevant screenshots,

The upstream opnsense router has the IP 172.17.1.1 and its WG server is on 10.1.17.1/24. The GLinet WG server is on 10.0.0.1/24 and its IP is 192.168.8.1. The mobile client 10.0.0.2 is unable to ping the opnsense router 172.17.1.1.

Here is WG output on the GLinet router,

root@GL-MT3000:~# wg show
interface: wgclient
  public key: lXpnpLab_redacted
  private key: (hidden)
  listening port: 33240
  fwmark: 0x8000

peer: ByRy8iBBU_redacted
  endpoint: opnsense_blah.com:51821
  allowed ips: 0.0.0.0/0
  latest handshake: 54 seconds ago
  transfer: 26.39 MiB received, 2.00 MiB sent
  persistent keepalive: every 25 seconds

interface: wgserver
  public key: +LvU4oMi_redacted
  private key: (hidden)
  listening port: 51820
  fwmark: 0x8000

peer: 8TPTPWm_redacted
  endpoint: cellhone_public_ip:24917
  allowed ips: 10.0.0.2/32
  latest handshake: 27 seconds ago
  transfer: 873.80 KiB received, 873.66 KiB sent

ip route

root@GL-MT3000:~# ip route
default via 99.16.100.1 dev eth0 proto static src 99.16.111.156 metric 10 
10.0.0.0/24 dev wgserver proto kernel scope link src 10.0.0.1 
99.16.100.0/23 dev eth0 proto static scope link metric 10 
192.168.8.0/24 dev br-lan proto kernel scope link src 192.168.8.1

I guess GL.inet doesn't use PBR under the hood.

Hello,

Yes, there is no PBR in GL firmware.

I would like to double confirm your requirement, is this the network topology?

Phone WG client > GL Router WG server + GL Router WG client > opnsense router

You want to access the opnsense router on your phone, right?
If yes, try enabling the VPN Cascading.

(I would like to ask a question here: why not let your phone connect to the opnsense router directly through WG VPN?)

The thread you have attached is a different case: there are several routers establishing the VPN, the WG server is GL router A, the WG clients are GL routers B + C + ..., and that case is for access between different LANs, like from router A to B, or between routers B + C.

Thank you, VPN cascading did the trick.

To answer your question: the connection between the phone and the WG server is quicker than between the phone and opnsense. This is because the phone and the WG server are in one region while the opnsense is in another region.


With cascading option everything is getting routed to the upstream wg client. My connection has become very slow.

I don't want that. Instead I only want the subnet 172.17.1.1/24 to get routed to the upstream wgclient; everything else should go via the wgserver through the default route.

You may have to add a static route.

Is that using the luci interface? I don't find any option in the glinet interface.

What interface do I need to pick?

Based on your topology, you can toggle off the VPN Cascading and manually add a static route on the server router.

The interface selects the exit of this route, e.g. the wgserver (which can access the interface of 172.17.1.1).

The following doesn't work,

I can see the network definition is added,

$ cat /etc/config/network 
config route
        option gateway '10.1.17.7'
        option netmask '255.255.255.0'
        option target '172.17.1.0'
        option interface 'wgserver'

But the routes don't show this,

# ip route
default via wan_redacted dev eth0 proto static src wan_redacted metric 10 
10.0.0.0/24 dev wgserver proto kernel scope link src 10.0.0.1 
wan_redacted/23 dev eth0 proto static scope link metric 10 
192.168.8.0/24 dev br-lan proto kernel scope link src 192.168.8.1 

Is this the correct way to add a static IP?

Sorry

The wgserver (connected external client) on this router needs to access the wgclient (to access 172.17.1.0/24), right?

Please try to select the interface wgclient in static routes.

I setup like the following,

Unfortunately, I am still unable to ping the upstream opnsense router,

~ $ ping 172.17.1.1
PING 172.17.1.1 (172.17.1.1) 56(84) bytes of data.
From 10.0.0.1: icmp_seq=1 Destination Port Unreachable
From 10.0.0.1: icmp_seq=2 Destination Port Unreachable
From 10.0.0.1: icmp_seq=3 Destination Port Unreachable
From 10.0.0.1: icmp_seq=4 Destination Port Unreachable

I could not figure out how to get the GL WireGuard VPN config and had to install luci-proto-wireguard.

This gets really complicated in a hurry depending on what you are trying to do.

Once you chain routers you are designing an Intranet.

Each wg hub needs two subnets; a subnet for its local network and a subnet for its wg hub.
Your wgGL needs its own subnet and then one IP from the wgPF subnet.
The phone needs one ip from the wgGL subnet.

That means the assigned IPs on wgGL should have a (say) /24 and a /32 for its one IP on the wgPF hub.
(You can skip these wg subnets but then the wg hubs cannot "talk" to each other which breaks DNS forwarding and dynamic routing protocols.)

You need to get the Allowed IPs correct for each step of the chain.
Generally, large subnets are sent uplink (toward wgPF) and smaller ones downlink (towards the phone).
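The AllowedIPs rule above, together with the static-route attempts earlier in the thread, can be checked with a small model of kernel routing plus WireGuard cryptokey routing. This is an added example, not code from the thread or from GL.iNet; the host names, the GL router's tunnel address 10.1.17.7 on the opnsense side, and the absence of masquerading on wgclient are assumptions, and the model also traces the reply path, which the thread does not discuss.

```python
from ipaddress import ip_address, ip_network

def lookup(routes, dst):
    """Longest-prefix match over [(prefix, interface)]; None when nothing matches."""
    hits = [(ip_network(p), i) for p, i in routes if ip_address(dst) in ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def peer_for(peers, addr):
    """Cryptokey routing: the peer whose AllowedIPs cover addr, else None."""
    return next((p for p, allowed in peers.items()
                 if any(ip_address(addr) in ip_network(a) for a in allowed)), None)

def trace(hosts, host, src, dst, max_hops=8):
    """Follow one packet; return (path of (host, iface), verdict string)."""
    path = []
    for _ in range(max_hops):
        if dst in hosts[host]["addrs"]:
            return path, f"delivered at {host}"
        iface = lookup(hosts[host]["routes"], dst)
        path.append((host, iface))
        if iface is None:
            return path, f"{host}: no route to {dst}"
        peers = hosts[host]["wg"].get(iface)
        if peers is None:  # not a WireGuard interface: the packet leaves the tunnel chain
            return path, f"{host}: sent out {iface} in the clear"
        nxt = peer_for(peers, dst)
        if nxt is None:    # sender side: no peer's AllowedIPs cover the destination
            return path, f"{host}: no peer on {iface} has AllowedIPs covering {dst}"
        # receiver side: WireGuard drops a packet whose source is outside the sender's AllowedIPs
        inbound = next((p for p in hosts[nxt]["wg"].values() if host in p), {})
        if peer_for({host: inbound.get(host, [])}, src) is None:
            return path, f"{nxt}: dropped, source {src} not in AllowedIPs for {host}"
        host = nxt
    return path, "hop limit exceeded"

def thread_topology(static_route=False, uplink_allows_phone_subnet=False):
    # Constructed from the thread's addresses; the two flags apply the two fixes.
    gl_routes = [("0.0.0.0/0", "eth0"), ("10.0.0.0/24", "wgserver"), ("192.168.8.0/24", "br-lan")]
    gl_routes += [("172.17.1.0/24", "wgclient")] if static_route else []
    opn_routes = [("172.17.1.0/24", "lan"), ("10.1.17.0/24", "wg1")]
    opn_allowed = ["10.1.17.7/32"]                # assumed tunnel IP of the GL router on opnsense
    if uplink_allows_phone_subnet:                # AllowedIPs also install the matching route
        opn_allowed.append("10.0.0.0/24")
        opn_routes.append(("10.0.0.0/24", "wg1"))
    return {
        "phone": {"addrs": ["10.0.0.2"], "routes": [("0.0.0.0/0", "wg0")], "wg": {"wg0": {"gl": ["0.0.0.0/0"]}}},
        "gl": {"addrs": ["10.0.0.1", "192.168.8.1", "10.1.17.7"], "routes": gl_routes,
               "wg": {"wgserver": {"phone": ["10.0.0.2/32"]}, "wgclient": {"opnsense": ["0.0.0.0/0"]}}},
        "opnsense": {"addrs": ["172.17.1.1", "10.1.17.1"], "routes": opn_routes,
                     "wg": {"wg1": {"gl": opn_allowed}}},
    }
```

Without the static route the packet to 172.17.1.1 follows the default route out eth0; with the route but without 10.0.0.0/24 in the uplink peer's AllowedIPs it is dropped on arrival at opnsense. If the GL router masquerades on wgclient, the source becomes 10.1.17.7 and that receiver-side check passes instead.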

Please share the router with us through GoodCloud, let us try to check.

Please let me know the router MAC address and login Web UI password in PM.