Wireguard without double NAT

Hello,

I am attempting to figure out a way to configure WireGuard between my MV-1000 (WG server) and an E750 (WG client) routers. It appears that the GL firmware changes the way WireGuard is run as opposed to a standard Linux host. I would like my remote network to be routed over the tunnel while internet-destined traffic is only NAT’d on the public IP of the WAN interface of my MV-1000.

Has anyone been able to successfully get this to work between GL INET routers? It would be nice if this was an option we were able to configure through the GL GUI.

As far as I know there is no GUI option to turn off NAT on a WireGuard connection. We have to manually edit /etc/config/wireguard to add “option masq ‘0’”. See the example below:

config peers 'wg_peer_XXX'
    option name 'XXXX'
    option private_key '....'
    option end_point 'XXX.XXX.XXX.XXX:XXXX'
    option public_key '...'
    option allowed_ips '...'
    option masq '0'
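To check a client-side /etc/config/wireguard for peer sections that would still masquerade, here is an added example (not code from the thread or from GL.iNet); it assumes the single-quoted UCI layout shown above, treats a missing masq option as NAT enabled, and uses constructed placeholder keys and addresses.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout shown above; keys and endpoints are placeholders.
SAMPLE_CONFIG = """\
config proxy
    option main_server 'nil'
    option enable '0'

config peers 'wg_peer_1111'
    option name 'office'
    option private_key 'PRIVATE_KEY_PLACEHOLDER'
    option end_point '198.51.100.10:51820'
    option public_key 'PUBLIC_KEY_PLACEHOLDER'
    option allowed_ips '0.0.0.0/0'

config peers 'wg_peer_2222'
    option name 'lab'
    option end_point '203.0.113.5:51820'
    option allowed_ips '10.0.0.0/24'
    option masq '0'
"""

SECTION_RE = re.compile(r"^\s*config\s+(\S+)(?:\s+'([^']*)')?\s*$")
OPTION_RE = re.compile(r"^\s*option\s+(\S+)\s+'([^']*)'\s*$")

def parse_uci(text: str) -> List[Tuple[str, str, Dict[str, str]]]:
    """Parse a minimal UCI file (single-quoted values only) into (type, name, options)."""
    sections: List[Tuple[str, str, Dict[str, str]]] = []
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            sections.append((m.group(1), m.group(2) or "", {}))
            continue
        m = OPTION_RE.match(line)
        if m and sections:
            sections[-1][2][m.group(1)] = m.group(2)
    return sections

def peers_with_masq(text: str) -> List[str]:
    """Names of 'peers' sections that still NAT; an absent masq is assumed to mean on."""
    return [name for typ, name, opts in parse_uci(text)
            if typ == "peers" and opts.get("masq", "1") != "0"]

def disable_masq(text: str) -> str:
    """Re-emit the config with option masq '0' set on every peers section."""
    out: List[str] = []
    for typ, name, opts in parse_uci(text):
        out.append(f"config {typ} '{name}'" if name else f"config {typ}")
        if typ == "peers":
            opts = {**opts, "masq": "0"}
        out.extend(f"    option {k} '{v}'" for k, v in opts.items())
        out.append("")
    return "\n".join(out)
```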

The GL firmware seems to change how Wireguard is configured on the routers. The syntax and configuration locations are different from how all the resources on the internet show it configured, which is why I am running into issues.

/etc/config# cat wireguard

config proxy
        option main_server 'nil'
        option enable '0'

/etc/config# cat wireguard_server

config servers
        option local_port '51820'
        option private_key 'key'
        option public_key 'key'
        option local_ip '10.0.0.1'
        option access 'ACCEPT'

        option enable '1'
config peers 'wg_peer_3977'
        option name 'name'
        option client_key 'key'
        option private_key 'key'
        option client_ip '10.0.0.2/32'

The GoodCloud site-to-site tunnel looks like it would almost work to accomplish this, but there is no way to add a default route to one end. You can only add /24s unfortunately, and it will not accept 0.0.0.0/0.

Sorry for my misunderstanding. The solution above is for the client side.

As for the server side, it appears you need to edit /etc/rc.d/S99wireguard_server manually to turn off NAT.

I cannot fully understand what you want to achieve.

On the WireGuard client side (E750), the E750 has to work in router mode, i.e. it has NAT.

If you want to only have one NAT on the server side, you need to have a VPN bridge. Unfortunately this does not work for WireGuard. It can be done for OpenVPN.

But when you mention S2S, it seems my understanding above is not correct.