This article is a continuation of Configuring Routing on a Network with an Unmanaged Router. So we have a home local network, a router from a provider without the possibility of firmware and almost without the possibility of customization. We put the server on the local network. We configure Wireguard VPN on the server and connect two local networks. Another local network – Xiaomi Mi Router 3G with firmware Padavan and established Entware…
Basically, there are tons of instructions for setting up Wireguard. But I was confused for a long time by the extra private address range for wireguard. Personally, for a long time I could not understand, and even now I do not understand why it is necessary to assign an address from a private range to each wg device. I can understand why this is needed for one client – he needs some kind of address. But why this is needed to link two different networks is not clear. For specialists, setting up wireguard does not cause any problems at all, but I am not them. By the way, I liked the instructions on the site the most. keenetic – I did everything according to it. Perhaps this article will help someone.
Local network – 192.168.2.0/24
Router – 192.168.2.1
Server on the local network – 192.168.2.4, ethernet interface – enp1s0
Another local network (behind xiaomi mi router) – 192.168.3.0/24
wireguard device network (private range of IP addresses from which addresses are assigned to wireguard interfaces) – 10.253.1.0/24
server wireguard address – 10.253.1.2
android client – 10.253.1.10
xiaomi mi router wireguard address – 10.253.1.3
For everything to work on the local network, it is necessary to add two new routes, which we announce via DHCP, so that traffic to another local network and wireguard device network goes through our server: /etc/dnsmasq.d/dhcp.conf
On a client using DHCP to obtain an IP address and configuration, it should look like this:
# ip route
default via 192.168.2.1 dev enp3s0 proto dhcp metric 100
10.252.0.0/14 via 192.168.2.4 dev enp3s0 proto dhcp metric 100
192.168.2.0/24 dev enp3s0 proto kernel scope link src 192.168.2.30 metric 100
192.168.3.0/24 via 192.168.2.4 dev enp3s0 proto dhcp metric 100
For a Windows client, the routing table can be viewed with the command
We see that traffic for the neighboring LAN (192.168.3.0/24) and wg private interace (10.252.0.0/14) is routed through our server (192.168.2.4). Strictly speaking, my wg private interace is 10.253.1.0/24, but the 10.254.0.0/16 subnet is used for other purposes and is also routed through the server, so I wrote one more general rule instead of two.
We put the wireguard package on the server:
sudo apt install wireguard…
We generate a pair of keys (public + private) for the server:
wg genkey > private-key
wg pubkey > public-key < private-key
We create the configuration /etc/wireguard/wg0.conf
sudo systemctl start firstname.lastname@example.org…
Turn on autorun for wireguard
sudo systemctl enable email@example.com…
Everything works in ubuntu – wg0 interface is created, routes are created.
You can check the status with the command `
wg showconf wg0`,`
wg show`, routes with the command`
In the router settings we forward wireguard port to our server.
It makes no sense to write again what is already well written before us… We generate keys on the Android client, add the public key from the client to the corresponding section of the wireguard server configuration…
Padavan + Entware
We put the wireguard-go package: `
opkg install wireguard-go`. In theory, you could use the utility `
wg-quick`to configure the interface and router, but for some reason it did not work correctly for me. In principle, wg-quick is a simple bash script, it was possible to figure out what exactly does not work, but I did not try to figure it out.
So we set up the wireguard manually as written on the official site… Create a config file /opt/etc/wireguard/wg0.conf… I commented out the line “Address = …” config wg0.conf from section [Interfaces]… This is because for some reason `
wg setconf`did not accept it, well, okay, let’s set up the address manually (with the command
ip address add dev wg0 10.253.1.3/24).
We carry out
ip address add dev wg0 10.253.1.3/24
wg setconf wg0 /opt/etc/wireguard/wg0.conf
ip link set up dev wg0
ip route add 192.168.2.0/24 dev wg0 src 192.168.3.1
iptables -t filter -A INPUT -i wg0 -j ACCEPT
iptables -t filter -A FORWARD -i wg0 -j ACCEPT
ip route add 10.253.1.0/24 dev wg0 src 10.253.1.3`added itself, so with the handles we add only the route for
Overriding iptables policy by default for INPUT, FORWARD chains of the filter table – my default values were DROP, with them routing from the local network 192.168.2.0/24 to 192.168.3.0/24 (to my local network) did not work.
All these commands for starting and stopping the wireguard are saved in /opt/etc/init.d/S50wireguard – should now start automatically when the router starts.
Setting up iptables
After some updates to the router configuration (for example, updating the whitelist / blacklist rules at the mac address – the router’s web interface -> Advanced settings -> Firewall -> MAC Filter), the padavan router resets the iptables rules. So that everything continues to work in the firmware there is a file `/opt/etc/init.d/S10iptables`(softlinkg) ->`/opt/bin/update_iptables.sh`which is run after config update. We enter all the iptables rules into it – I have rules for wireguard and rules that I configured for transparent use of tor on the local network that you configured according to this instruction.
Accessing the router from a VPN
Since we cannot configure the routing table on an uncontrolled router of our main network, we cannot access it directly from the VPN either. To get web access to the router, you can add nginx reverse proxy configuration… You can put it on any host from the main local network – but it is logical to put it on the server. For example on the port 8081… The link to the configuration file must be added to the directory
/etc/nginx/sites-enabled – usually the settings file itself is placed in
/etc/nginx/sites-available/ and in
sites-enabled create a symbolic link`
ln -s /etc/nginx/sites-available/local ./`.
Reload the nginx configuration on the server: `
sudo systemctl reload nginx`.
The router is now available at `