Linking networks to Wireguard VPN on a third-party server

This article is a continuation of Configuring Routing on a Network with an Unmanaged Router. So we have a home local network, a router from a provider without the possibility of firmware and almost without the possibility of customization. We put the server on the local network. We configure Wireguard VPN on the server and connect two local networks. Another local network – Xiaomi Mi Router 3G with firmware Padavan and established Entware

Basically, there are tons of instructions for setting up Wireguard. But I was confused for a long time by the extra private address range for wireguard. Personally, for a long time I could not understand, and even now I do not understand why it is necessary to assign an address from a private range to each wg device. I can understand why this is needed for one client – he needs some kind of address. But why this is needed to link two different networks is not clear. For specialists, setting up wireguard does not cause any problems at all, but I am not them. By the way, I liked the instructions on the site the most. keenetic – I did everything according to it. Perhaps this article will help someone.


  • Local network –

  • Router –

  • Server on the local network –, ethernet interface – enp1s0

  • Another local network (behind xiaomi mi router) –

  • wireguard device network (private range of IP addresses from which addresses are assigned to wireguard interfaces) –

    • server wireguard address –

    • android client –

    • xiaomi mi router wireguard address –


For everything to work on the local network, it is necessary to add two new routes, which we announce via DHCP, so that traffic to another local network and wireguard device network goes through our server: /etc/dnsmasq.d/dhcp.conf

On a client using DHCP to obtain an IP address and configuration, it should look like this:

# ip route
default via dev enp3s0 proto dhcp metric 100 via dev enp3s0 proto dhcp metric 100 dev enp3s0 proto kernel scope link src metric 100 via dev enp3s0 proto dhcp metric 100

For a Windows client, the routing table can be viewed with the command route print.

We see that traffic for the neighboring LAN ( and wg private interace ( is routed through our server ( Strictly speaking, my wg private interace is, but the subnet is used for other purposes and is also routed through the server, so I wrote one more general rule instead of two.

Wireguard server

We put the wireguard package on the server: sudo apt install wireguard

We generate a pair of keys (public + private) for the server:

cd /etc/wireguard
wg genkey > private-key
wg pubkey > public-key < private-key

We create the configuration /etc/wireguard/wg0.conf

Launching wireguard sudo systemctl start wg-quick@wg0.service

Turn on autorun for wireguard sudo systemctl enable wg-quick@wg0.service

Everything works in ubuntu – wg0 interface is created, routes are created.

You can check the status with the command `wg showconf wg0`,`wg show`, routes with the command`ip route`.

In the router settings we forward wireguard port to our server.

Andoid client

It makes no sense to write again what is already well written before us… We generate keys on the Android client, add the public key from the client to the corresponding section of the wireguard server configuration

Padavan + Entware

Settings files:



For work Entware on the Padavan firmware you need a USB flash drive. How to install entware is written in padavan wiki

We put the wireguard-go package: `opkg install wireguard-go`. In theory, you could use the utility `wg-quick`to configure the interface and router, but for some reason it did not work correctly for me. In principle, wg-quick is a simple bash script, it was possible to figure out what exactly does not work, but I did not try to figure it out.

So we set up the wireguard manually as written on the official site… Create a config file /opt/etc/wireguard/wg0.conf… I commented out the line “Address = …” config wg0.conf from section [Interfaces]… This is because for some reason `wg setconf`did not accept it, well, okay, let’s set up the address manually (with the command ip address add dev wg0

We carry out

wireguard-go wg0
ip address add dev wg0
wg setconf wg0 /opt/etc/wireguard/wg0.conf
ip link set up dev wg0
ip route add dev wg0 src
iptables -t filter -A INPUT -i wg0 -j ACCEPT
iptables -t filter -A FORWARD -i wg0 -j ACCEPT


Route `ip route add dev wg0 src`added itself, so with the handles we add only the route for

Overriding iptables policy by default for INPUT, FORWARD chains of the filter table – my default values ​​were DROP, with them routing from the local network to (to my local network) did not work.

All these commands for starting and stopping the wireguard are saved in /opt/etc/init.d/S50wireguard – should now start automatically when the router starts.

Setting up iptables

After some updates to the router configuration (for example, updating the whitelist / blacklist rules at the mac address – the router’s web interface -> Advanced settings -> Firewall -> MAC Filter), the padavan router resets the iptables rules. So that everything continues to work in the firmware there is a file `/opt/etc/init.d/S10iptables`(softlinkg) ->`/opt/bin/`which is run after config update. We enter all the iptables rules into it – I have rules for wireguard and rules that I configured for transparent use of tor on the local network that you configured according to this instruction.

Accessing the router from a VPN

Since we cannot configure the routing table on an uncontrolled router of our main network, we cannot access it directly from the VPN either. To get web access to the router, you can add nginx reverse proxy configuration… You can put it on any host from the main local network – but it is logical to put it on the server. For example on the port 8081… The link to the configuration file must be added to the directory /etc/nginx/sites-enabled – usually the settings file itself is placed in /etc/nginx/sites-available/ and in sites-enabled create a symbolic link`ln -s /etc/nginx/sites-available/local ./`.

Reload the nginx configuration on the server: `sudo systemctl reload nginx`.

The router is now available at ``.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *