Simultaneous Wireguard client and server

It would be great if there were a way to simultaneously have a Wireguard server running on the Gl-inet for external access to the network when travelling. But also have a Wiregaurd client running on the Gl-inet for securing some, or all of the clients on the network.

You should be able to set that up in LuCI - you just need to create two WireGuard-specific interfaces, and set them up in the appropriate client/server configuration.

Note, though, that any such change will most likely bork up the GL interface.

Hmm, I do like the interface. Is there any reason that this couldn’t be done via the interface if the Gl-inet staff were willing?

There’s no technical reason on GL.inet’s side. They could make it happen - but I suppose they’re busy with device support and porting OpenWrt 19.07 right now.

The GL interface is great if you want to be able to do the basic things it’s been designed for. Anything more complex, and the system breaks, since it expects certain things to be the way it’s been hard-coded. These things can be turned dynamic of course, but it’s extra work that’s often not worth the time, as most users will only be using the GL interface anyway.

Let’s go for a concrete example. Your router sets up the local wireless APs on 2.4GHz band (name is hardcoded to wlan0), and 5GHz band (name is hardcoded to wlan1), and a wireless client/STA interface to connect to an uplink router (let’s say it’s called wlan-sta). Then you wander into LuCI, delete all wireless interfaces, and create a STA definition to connect to your router. This STA mode interface then becomes wlan0. You wander back to the GL interface, and bam, it dies - because the status screen itself was expecting wlan0 to be an AP, tried to load its data according to that, and found STA instead, which in turn screws up the UI.

All of this can be avoided by dynamically querying the interfaces (e.g. instead of directly requesting wlan0 for 2.4GHz AP, you could ask uci to get you the first ap type interface on radio0, which is still not a surefire way of getting the exact AP you want, but avoids possible confusions), and of course the same can be applied to WireGuard itself. The question here is simply if it’s worth the investment of time and resources.

Regardless, what you’re asking for is possible - but not on the GL interface, and not without affecting it.

I do it with vanilla openwrt and vpn-policy-routing
I think the vpn-policy-routing might interfere with gl-inets routing. I did say might as I haven’t spent the time configuring it. although I always recommend just getting another router. If you think about the time you will spend getting it to work you will probably be happy you spent the extra $25 on another router.

Hi, I bought an AXT1800 to use as a client. And in the future I will buy another to use as a server.

But at this moment, I’m trying to configure Client and Server in the same device. I have an Ubuntu server in other location to use.
There is something special to be done?
Because it’s not working properly.

I put the global settings to GL Inet services not use VPN.
At VPN policy routing I’m separating between two Vlan, normal and guest, guest don’t use the VPN.
The ports on my main router are open and forwarder correctly.
I also open the ports 51820 and 443 at the Firewall menu of the GL Inet.

The most interest thing is that yesterday after I configure, I test and it was working. But today, when I try to connect to the server at GL Inet device, it stays forever sending the handshake initiation and don’t receive any feedback.

The connection between GL Inet client and Ubuntu server as working fine and it’s on at the moment.

I’m using the DDNS from Glddns and seems to be working properly, I check the DNS propagation to see the IP.
But when at check the DDNS with the DDNS tester at the device menu, it says that is not working.
Also the https access is not working. I forwarder the port on my router.

I’m afraid that is some bug related between the client wireguard and server wireguard forwarding my connection to the client directly instead of authenticate on the device.

I figured out that if I turn off the Wireguard Client on GL Inet, the Wireguard server work properly.
And if the client is ON, seems like the server is sending the connection through the client destination.

Any idea how can I use the other rules there?
Proxy Mode, Route Mode, Customize Routing Rules?

Pls check this post for wireguard server and client simultanous on the router