Wireguard Server with forward?

I want to replace a simple RaspberryPi setup running Wireguard Server on my home network with a GLiNet AR300M (and not using it as a router). When connected, it allows external (and internal, really whatever client connects to Wireguard) connections to reach the home network LAN, and then also reach the internet via forwarding.

The main primary home router is a plain ordinary router, not GLiNet or any type VPN setup there.

Port forward (home router) to the GLiNet AR300M with Wireguard Server is all working.

Using bridge mode, as a client the GLiNet AR300M is able to obtain DHCP from the home router; I’m able to SSH and ping the local network as well as reach the internet on the AR300M itself.

From the internet I’m able to connect to the GLiNet AR300M Wireguard Server (still running despite not being shown in the device admin pages). I can successfully connect, start a session, exchange keys, forward all traffic and ping the AR300M itself.

However, the zone, firewall, and routes are not set to forward traffic, thus I’m not able to reach other devices on the home network and not able to reach the home router for internet. This is probably just how bridge mode is configured, with the wan / lan / vpn / accept / forward / reject rules not set to forward traffic in this manner, and they need to be adjusted for this. Again, using SSH I can log into the device and reach the local network and internet, but Wireguard traffic is not set to forward (stock settings).

Much like the RaspberryPi, as a client on the network, it’s just a matter of configuration. I’ve got the luci interface enabled and SSH access to the config files, but have not yet been able to add the right settings.

The usual WG server approach adds a ‘PostUp’ setting:
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;

I’ve looked at the zone/firewall and allowed traffic, but I’m still missing something. Running OpenWRT, and with a setup not much different from the RaspberryPi, this should work.

Posting this, as others may know which specific config entries or firewall settings to adjust, thanks.
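As an added illustration (not from the thread or from GL.iNet), this is what the two iptables PostUp rules above look like in OpenWrt’s UCI firewall model: a zone for the WireGuard interface, a forwarding from it to the LAN zone, and masquerading on the LAN side so that home-network hosts, whose default gateway is the home router, can reply without the home router needing a route to the WireGuard subnet. It assumes the WireGuard server’s UCI network interface is named `wg0` and that the bridged AR300M has a single firewall zone named `lan`; both names are assumptions.

```shell
# Added example, not from the thread. Assumed names: the WireGuard server's
# UCI network interface is "wg0" and the bridge's only zone is "lan".
WG_IF="${WG_IF:-wg0}"
LAN_ZONE="${LAN_ZONE:-lan}"

# Print the uci batch equivalent of
#   iptables -A FORWARD -i wg0 -j ACCEPT            -> zone 'wg' + forwarding wg->lan
#   iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE -> masq='1' on the lan zone
# Masquerading on the LAN side matters in bridge mode: LAN hosts send their
# replies to the home router, which has no route back to the WireGuard subnet;
# with masq the replies are addressed to the AR300M's own LAN address.
# $1 is the UCI index of the lan zone (see find_zone_index).
wg_forward_batch() {
    lan_idx="$1"
    cat <<EOF
add firewall zone
set firewall.@zone[-1].name='wg'
set firewall.@zone[-1].network='$WG_IF'
set firewall.@zone[-1].input='ACCEPT'
set firewall.@zone[-1].output='ACCEPT'
set firewall.@zone[-1].forward='REJECT'
add firewall forwarding
set firewall.@forwarding[-1].src='wg'
set firewall.@forwarding[-1].dest='$LAN_ZONE'
set firewall.@zone[$lan_idx].masq='1'
commit firewall
EOF
}

# Print the @zone[N] index whose name is $1; exit 1 if no such zone exists.
# Zone sections are anonymous, so they must be located by name, not position.
find_zone_index() {
    i=0
    while name=$(uci -q get "firewall.@zone[$i].name"); do
        if [ "$name" = "$1" ]; then echo "$i"; return 0; fi
        i=$((i + 1))
    done
    return 1
}

# On the device: resolve the lan zone, feed the batch to uci, reload firewall.
apply_wg_forward() {
    idx=$(find_zone_index "$LAN_ZONE") || { echo "no zone named $LAN_ZONE" >&2; return 1; }
    wg_forward_batch "$idx" | uci batch && /etc/init.d/firewall reload
}
```

Run `wg_forward_batch 0` first to review the generated commands; `apply_wg_forward` only makes sense on the OpenWrt device itself, where `uci` exists.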

Can you leave the AR300M in router mode?

Not to reach the main network. Wireguard is configured to reach the subnet of the router, and not to forward traffic to the gateway / internet. Unless there is a rule to also forward traffic to the gateway, in which case router versus bridge mode might not matter; however, in my case bridge mode would make more sense, being a client on the parent router’s subnet.

I would ask that GLiNet add a VPN option to allow forwarding traffic to the gateway, which would add the necessary route and firewall adjustments. It’s certainly possible with the right changes; I thought someone might be able to confirm how to make the changes in this forum? Or perhaps someone from GLiNet support would be able to outline the required adjustments.

I understand what you want to do.

Technically vpn should also work in bridge mode.

But in bridge mode the router’s firewall is changed a lot from router mode.

When you use vpn (server or client) I suggest you just use router mode and let the router manage the firewall.

So this indeed works, which solves one part: being remote and wanting to route traffic from the ‘home’ network to the internet. My hope was to also reach the peer network as well, which I had working using a raspberry pi as a client only, with wireguard installed. In router mode, however, the peer network becomes a parent network and is not accessible. So my request would be to add another network ‘mode’, really, with routing options to match.

Marked comment as solution – even though it’s not the solution for the original question, which is how to adjust the firewall and route to allow wireguard to work as a client in bridge mode instead of router mode … so it doesn’t really work as desired (yet or maybe ever).