How to route a device traffic to wireguard client connected to my WG server

I have a WG server and a client connected to it. Devices connected from client are able to route traffic through server but I am looking to make a device connected to my server use the client as gateway.

Please guide

  • WG client:
  1. VPN Dashboard - turn on “Allow Remote Access LAN”


  • WG server:
  1. VPN Dashboard - Route Rule
    Add a route rule for traffic to the wgclient LAN via the wg client tunnel IP. Please note the red notes.
  2. Then toggle the wg server (off and on).

Thanks much for your response hansome.
My WG_server IP is 192.168.77.1 and from my devices, I am now able to ping WG_client IP 192.168.8.1 and open it in browser from WGserver router. Can you now guide me on how to route one of the devices connected to 192.168.77.1 to use 192.168.8.1 as gateway? Thanks in advance

I assume your PC has IP 192.168.77.100 (wg server network), and you want to set 192.168.8.1 (wg client network) as the PC gateway. But the gateway should be in the same subnet as the clients, so I think that’s not possible.

Why do you need that?

Though 192.168.8.1 is my WGclient, I want some devices to use that ISP instead of ISP on 192.168.77.1. Can it be done with manual routing for those specific devices?

Swapping wgclient and wgserver should fit your requirement.

That is what I initially thought but some devices on the client side also have same requirement. would be great if we can make this work.

I used OpenVPN in P2P mode earlier with MWAN3 routing traffic based on device but that’s not very efficient.

Interesting setup. I’ll investigate it later.

Do you have a reference tutorial to configure this?

Hi Handsome, can we review this over a call?

I want to run a server in a remote location but ISP there is not offering public IP. All my clients have public IP so I can forward a port on client site router and make server connections to the client.

I'm able to make it work with a new wireguard interface but not through the main UI, because it has no option for an endpoint in server mode. This will need a minor enhancement but would be a great feature if you can quickly implement it.

Happy to explain in detail over a call

We can start a remote desktop session to check the topology and your requirement.

I am EST timezone. please let me know your good time.

Here is an overview

WG Server - No public IP/endpoints
WG Clients - Have endpoints, so I can port forward from the main router

Right now, I am using this interface on server and as you can see server is connecting to my 2 clients
On server:
config interface 'WG_HYD'
	option proto 'wireguard'
	option private_key ''
	option listen_port ''
	list addresses '10.0.66.1/24'
	option nohostroute '1'

config wireguard_WG_HYD
	option description 'MK_GL'
	option public_key ''
	option private_key ''
	list allowed_ips '10.0.66.2/32'
	option persistent_keepalive '25'
	option endpoint_host ''
	option endpoint_port ''

config wireguard_WG_HYD
	option description 'DS_US_GL'
	option public_key ''
	option private_key ''
	list allowed_ips '10.0.66.3/32'
	option persistent_keepalive '25'
	option endpoint_host ''
	option endpoint_port ''

Client side: this interface is included in the WAN firewall zone.
config interface 'WG_HYD'
	option proto 'wireguard'
	option private_key ''
	option listen_port ''
	option metric '50'
	list addresses '10.0.66.2/32'
	option nohostroute '1'

On the client side LAN, I have 2 interfaces and I use mwan3 to route whole subnet traffic to the above WG_HYD interface.

Right now I am not using nginx based UI because there is no option in Wireguard server to give endpoints.

You're at UTC-4, I'm at UTC+8. Let me first prepare a setting similar to your configuration.

Dear @hansome,

As I'm trying to understand the concept of "WireGuard Server Route Rule" based on the example you provided, could you please clarify what other options are available besides "global" for the "Scope" field? What does "Metric" do?

I'm not sure if my question will be helpful for my goal, as I was recently directed to documentation by @admon (VPN Dashboard - GL.iNet Router Docs), which I'm finding a bit challenging to understand.

Could you kindly confirm if my goal, as described in this forum post Wireguard VPN - Subnet Remote LAN Restriction - #3 by moonstruck, is achievable?

Thank you for your support!

The Scope field can be "global" or "link". When "Gateway" is specified, the scope will be "global" automatically, otherwise "link".
For a WireGuard server, the gateway is needed so that its value is added to the allowed IPs, which can be viewed
by running these commands on the server side:

wg
ip route

For an OpenVPN server, both link and global will work because it has no allowed-IP setting.

Metric belongs to ip route, and comes into play if there are several target networks to match.
The lower one is preferred.
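To make the allowed-IPs point concrete, here is an added Python check (not from the thread or from the GL.iNet firmware) that parses a UCI-style WireGuard peer list and tests whether a server route rule's gateway and destination are both covered by the same peer's allowed_ips, which is what WireGuard's cryptokey routing requires before the kernel route can carry traffic. The config and the route rules are constructed samples that reuse the thread's addresses.

```python
import ipaddress

# Constructed sample in OpenWrt UCI style, modelled on the thread's config.
# Key material is a placeholder; allowed_ips includes the wgclient LAN 192.168.8.0/24.
SAMPLE_UCI = """
config interface 'wgserver'
    option proto 'wireguard'
    list addresses '10.0.0.1/24'

config wireguard_wgserver
    option description 'wgclient_router'
    option public_key 'PLACEHOLDER_PUBKEY'
    list allowed_ips '10.0.0.2/32'
    list allowed_ips '192.168.8.0/24'
"""


def parse_peers(uci_text):
    """Return one dict per wireguard_* peer section: description and allowed_ips networks."""
    peers, in_peer = [], False
    for raw in uci_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            in_peer = line.startswith("config wireguard_")
            if in_peer:
                peers.append({"description": "", "allowed_ips": []})
        elif in_peer and line.startswith("option description"):
            peers[-1]["description"] = line.split("'")[1]
        elif in_peer and line.startswith("list allowed_ips"):
            net = ipaddress.ip_network(line.split("'")[1], strict=False)
            peers[-1]["allowed_ips"].append(net)
    return peers


def check_route_rule(peers, destination, gateway):
    """Mimic what a server route rule 'destination via gateway' needs from cryptokey routing."""
    dst = ipaddress.ip_network(destination, strict=False)
    gw = ipaddress.ip_address(gateway)
    # The gateway picks the peer: it must sit inside exactly that peer's allowed_ips.
    owner = next((p for p in peers if any(gw in n for n in p["allowed_ips"])), None)
    if owner is None:
        return "FAIL: gateway %s is not inside any peer's allowed_ips" % gw
    # WireGuard selects the peer by destination, so the destination must be covered too.
    if not any(dst.subnet_of(n) for n in owner["allowed_ips"]):
        return "FAIL: %s is missing from allowed_ips of '%s'; WireGuard drops it" % (dst, owner["description"])
    return "OK: %s via %s reaches peer '%s'" % (dst, gw, owner["description"])


PEERS = parse_peers(SAMPLE_UCI)
```

Running `check_route_rule(PEERS, "192.168.8.0/24", "10.0.0.2")` reports OK, while a destination or gateway outside the peer's allowed_ips reports the failure the route rule's red notes warn about.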

Dear @hansome,

I am grateful for the concise and comprehensible explanation.

Happy Tuesday :coffee:

I am trying to do the same, but these instructions are not working for me. Here is my current config:

VPN Server
VPN Cascading - On
IP of connected device - 10.0.0.2

VPN Client
Remote Access LAN - On
IP Masquerading - On
MTU - 142

Customized Routing Rules
Client Virtual IP - 10.2.0.2

I think I have followed the instructions exactly, but the device connected via WG-server still cannot access the internet. What am I doing wrong?

These are two different subnets. Set your WG 'server' to 10.0.0.1/24. The client would be 10.0.0.2/32. If I'm mistaken in your intent please draw a topology & note the expected flow, IPs, VPN tunnels/IPs.

This is what I am hoping to achieve

Is 'Device connected by router's WG server' to be a client device coming in from the WAN/Internet into your router/LAN, or is it already a part of your LAN like the 'Device connected direct to router via Wi-Fi/ethernet'? You should really put all device host names and IPs, including the VPN ones, on your diagram. Here's a (non-VPN) example:

If it is to come into your LAN via the WG server you're looking to set up on the router

  • a 'WG Client' (Proton VPN)
  • a 'WG Server'
  • enable 'VPN Cascading'
  • set the routes as shown above by @hansome

This assumes you are not using firmware version 4.8.x. That version has different steps. Instead of using 'VPN Cascading' there is 'Policy Mode' & WG Server -> Route Rules.

Version 4.8.x:

Yes, “Device connected by router's WG server” is coming in via WAN/Internet into the router. It is not inside the LAN. I have set up the router (running latest 4.7 stable) to what I think matches hansome’s settings, but Device A, the one connected to the WG Server via the internet is unable to access the LAN or the internet as soon as the server route rule is set.