OpenWRT + Wireguard (RPi4)

My new, unrewarding hobby of router tinkering continues. This time setting up a Wireguard tunnel between my two houses. I want my two LANs and to talk to each other transparently via a VPN tunnel. I’d gotten this sorta working between Linux boxes inside the two LANs before but the routing never quite worked. Running a VPN tunnel directly on the router is one reason I’m now trying to set up this RPi4 with OpenWRT.

Long story short, it was very easy to get my OpenWRT router connecting as a client to a working Wireguard server on my other LAN’s Linux box. I can’t fully test this because I don’t have Wireguard setup on the other side’s router yet. But the tunnel seems to be working at least somewhat.

Note to self: my Ubiquiti router at the other house is set up to not answer pings. Ping is not a good test! Ssh is though.

Once again the OpenWRT docs for Wireguard are very good. The basics tell you how to install it including a LuCI interface and this client guide has some extra good info.

It boils down to the same way you set up Wireguard anywhere. Generate a key pair, configure the server to accept the new OpenWRT public key, configure the OpenWRT client to connect to the server and its public key, and you’ve got the tunnel up. It helps to log into the OpenWRT command line and run “wg show” and the like manually, but LuCI actually has a full UI for configuring and monitoring. Note that when you add the interface there’s a Wireguard-specific “Peers” tab you need to configure.

The one big gotcha is the “No Host Routes” option (aka nohostroute) as discussed here; it’s in Interfaces / General Settings. Without this OpenWRT will add a route specifically for the host endpoint specifically on one interface. This interacts poorly with a multi-WAN setup like mwan3. Setting nohostroute tells OpenWRT to not set an explicit route. There’s some concern that if you then configure all traffic on the router to go through the VPN link then Wireguard itself will try to also talk to the Wireguard server via the Wireguard interface, causing some sort of loop or recursion. Not a problem in my case.

In the Peers settings I went ahead and explicitly included Allowed IPs of (my VPN endpoint subnet) and (the LAN at the other end of the VPN). I’m not sure that’s necessary.

I’m confused about what to put in the Firewall Settings for the wireguard interface. This 2018 guide suggests creating a new zone and configuring rules for it. But then it says “This step is probably optional (you could just add the interface to the lan zone)” and I think that’s probably correct; in general I want to treat the other size of this VPN tunnel as part of my LAN. I definitely don’t want masquerading/NAT for it! I can’t really test this properly until I have a router on the other side set up doing Wireguard. I don’t understand modern Linux firewall rules very well.

All of this is complex and at the edge of my patience for dealing with stuff. OpenWRT and Wireguard are very powerful and flexible tools. More than once I found myself wishing there was some hand-holding simplification for me, a “just press this button to make it work” thing. But then I don’t know how common goals like mine are.