Setup: These steps were performed on OpenWRT 19.07.3.
Context: The goal is to set up a virtual wireless network so that clients can easily switch between one network with a WireGuard VPN connection and another without a VPN connection. VPN termination is at the router as opposed to the client. This may be useful for setups such as on insecure networks, while still keeping the ability to switch between the 2 at your leisure.

Install modules:
- luci-app-wireguard
- luci-app-vpn-policy-routing
- vpn-policy-routing
- iptables-mod-physdev
- kmod-br-netfilter
- kmod-ipt-physdev

Wireless -> Add a virtual network

General Setup
- The radio you want to create a virtual network on -> Add
- Set ESSID value, attach to a new network "wglan"

Wireless Security
- Set Encryption and Key values
- Repeat General Setup + Wireless Security if you want an SSID on your other radio (ex. 2.4GHz + 5GHz)

Setup Wireguard interface:

Add new interface (WGINT)

General
- Name: WGINT
- Protocol: WireGuard VPN
- Check "Bring up on boot"
- Set Private Key
- Set IP Addresses

Firewall Settings
- Create/Assign firewall-zone: wgzone

Peers
- Set Description, Public Key, Preshared Key, Allowed IPs
- Uncheck Route Allowed IPs (routing into the tunnel is handled by VPN Policy Routing instead)
- Fill out Endpoint Host, Endpoint Port
- Set Persistent Keep Alive to 25 if you want to enable automatic reconnect via the wireguard-tools wireguard_watchdog script

Setup VLAN

Add new interface (WGLAN)

General Settings:
- Protocol: Static address
- If you have a 2.4GHz + 5GHz network to bridge:
  - Bridge interfaces: Checked
  - Interface: Check your 2 wireless networks (wglan)
- IPv4 address: 192.168.2.1 (or a subnet that isn't your existing one)
- IPv4 netmask: 255.255.255.0

Physical Settings
- Bridge interfaces: checked
- Interface: wlan0-1, wlan1-1

Firewall Settings:
- Create/Assign firewall zone: wglanzone

DHCP server:
- Create, Advanced Settings -> Dynamic DHCP checked

Firewall

General Settings -> Zones

| Zone | Forwardings | Input | Output | Forward | Masquerading | MSS Clamping | Allow forward to destination zones | Allow forward from source zones |
|---|---|---|---|---|---|---|---|---|
| lan | wan | accept | accept | accept | unchecked | unchecked | wan + wan6 | wglanzone |
| wan | REJECT | reject | accept | reject | checked | checked | unspecified | lan + wgzone |
| wgzone | wan + wglanzone | accept | accept | reject | checked | checked | wan + wan6 + wglanzone | wglanzone |
| wglanzone | wgzone + lan | accept | accept | reject | unchecked | unchecked | lan + wgzone | wgzone |

Traffic Rules -> Add
- Name: DHCP
- Protocol: TCP + UDP
- Source zone: wglanzone
- Destination zone: Device (input)
- Action: accept

Traffic Rules -> Add
- Name: DNS
- Protocol: UDP
- Source zone: wglanzone
- Destination zone: Device (input)
- Action: accept

VPN Policy Routing

Policies
- Name: wgpolicy
- Local addresses/devices: 192.168.2.1/24
- Interface: WGINT

Configuration
- Enable + Start

Enable the watchdog cron job on the router:
echo '* * * * * /usr/bin/wireguard_watchdog' >> /etc/crontabs/root

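As an added example (not part of the original notes), this is the UCI text that corresponds to the zone table and the policy above, for /etc/config/firewall and /etc/config/vpn-policy-routing. Zone, interface and subnet names are the ones used in this guide, the option spellings are standard OpenWrt UCI, and the default lan/wan zones and the lan -> wan forwarding are assumed to already exist and are not repeated.

```uci
# Added example, not from the original notes: UCI form of the zone table and
# the policy above. Names follow the guide; option spellings are OpenWrt UCI.

# --- /etc/config/firewall (the lan and wan zones already exist) ---
config zone
	option name 'wgzone'
	list network 'WGINT'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
# Masquerading and MSS clamping are checked for wgzone in the table
	option masq '1'
	option mtu_fix '1'

config zone
	option name 'wglanzone'
	list network 'WGLAN'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Forwardings from the table. There is intentionally no wglanzone -> wan
# entry, so if the tunnel is down the VPN SSID's traffic is rejected here
# instead of going out the WAN unencrypted.
config forwarding
	option src 'wglanzone'
	option dest 'wgzone'

config forwarding
	option src 'wglanzone'
	option dest 'lan'

config forwarding
	option src 'wgzone'
	option dest 'wan'

config forwarding
	option src 'wgzone'
	option dest 'wglanzone'

# --- /etc/config/vpn-policy-routing ---
config vpn-policy-routing 'config'
	option enabled '1'

# Policy: everything from the VPN SSID's subnet leaves via WGINT
config policy
	option name 'wgpolicy'
	option src_addr '192.168.2.1/24'
	option interface 'WGINT'
```

After editing the files, `/etc/init.d/firewall restart` and `/etc/init.d/vpn-policy-routing restart` apply them, the same as clicking Save & Apply in LuCI.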
Notes:
- I originally did not want a subnet. Based on trial/error and many hours of attempts, VPN Policy Routing does not support "wlan0-1" as a supported field under "Local addresses/devices" and I am unable to route the SSID directly to the Wireguard interface. Unfortunately this means I have to set up a subnet and DHCP instead.