
OpenWRT dedicated wireless SSID with Wireguard client (kill switch included)

Setup: These steps were performed on OpenWRT 23.04.1.

Context: The goal of this manual is to create a wireless SSID whose clients reach the internet only through a WireGuard tunnel, with the router acting as the WireGuard client. Helpful link: the OpenWrt guide for creating a WireGuard interface with a kill switch (https://openwrt.org/docs/guide-user/services/vpn/wireguard/extras#kill_switch). In other words, this guide helps you create a dedicated wireless SSID that is connected directly to WireGuard.

  1. Set up Wireguard on remote server:
  2. Configure Router:
    1. System -> Software
      • install packages:
        opkg update
        opkg install wireguard-tools luci-proto-wireguard
      
    2. System -> Reboot -> Perform reboot (optional)
    3. Create empty bridge
      • Network
      • Devices - Add device configuration
        • Create Devices and check "bring up empty bridge"
        • Name it: wg_br
    4. Network -> Interfaces
      • Setup Wireguard interface:

        • Add new interface
        • Protocol: wireguard VPN
        • Name: wg
        • General
          • Load configuration ->
          • **uncheck "No Host Routes"**
        • Peers
          • Persistent Keep Alive: 25
          • Allowed IPs: 0.0.0.0/0
          • check "Route Allowed IPs"
        • Firewall Settings
          • unspecified (will be done in Firewall chapter)
      • Setup wireguard LAN interface:

        • Add new interface
        • Name: wg_lan
        • Static address
        • Device: wg_br
        • General Settings:
          • IPv4 address: 192.168.2.1 (or another subnet that is not already in use: if your WireGuard network is 10.0.5.0/24 or your local network is 192.168.1.0/24, do not use an address from either of those!)
          • IPv4 netmask: 255.255.255.0
        • Firewall Settings:
          • unspecified (will be done in Firewall chapter)
        • DHCP server:
          • Setup DHCP server
          • Create, Advanced Settings -> Dynamic DHCP checked
    5. Network -> Wireless
      • General Setup
        • The radio you want to create a virtual network on -> Add
        • Set ESSID value
        • Network: wg_lan
    6. Network → Firewall

      NOTE: first create two empty zones:

      • wg_fw
      • wg_lan

      then edit the zone rules as shown in the table below.

      • General Settings -> Zones

        | Zone | Forwardings | Input | Output | Forward | Masquerading | MSS Clamping | Covered networks | Allow forward to destination zones | Allow forward from source zones |
        |---|---|---|---|---|---|---|---|---|---|
        | lan | wan + wg_fw | accept | accept | accept | unchecked | unchecked | lan | wan + wan6 + wg_fw | unspecified |
        | wan | REJECT | reject | accept | reject | checked | checked | wan, wan6 | unspecified | lan |
        | wg_fw | REJECT | reject | accept | reject | checked | checked | wg | unspecified | lan + wg_lan |
        | wg_lan | wg_fw | accept | accept | accept | unchecked | unchecked | wg_lan | wg_fw | unspecified |

Configuration output - example

NOTE: The configuration below is based on what was described above, with one exception: the device it was tested on (Cudy AP3000) has no WAN port. I will update this later with a configuration for a device that has both WAN and LAN.

AP without WAN

  • /etc/config/network

```
(...)
config device
        option type 'bridge'
        option name 'wg_br'
        option bridge_empty '1'

config interface 'wg'
        option proto 'wireguard'
        option private_key 'KMozJ(...)Qm0='
        list addresses '10.0.5.15/32'
        list dns '10.0.5.1'
        list dns '9.9.9.10'

config wireguard_wg
        option description 'Imported peers config'
        option public_key 'Imi(...)3I='
        option preshared_key 'F120q(...)yRIA='
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option persistent_keepalive '25'
        option endpoint_host 'someAddressToChange.duckdns.org'
        option endpoint_port '51820'
        option route_allowed_ips '1'

config interface 'wg_lan'
        option proto 'static'
        option device 'wg_br'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        list dns '9.9.9.10'
        list dns '1.1.1.1'
```
  • /etc/config/firewall

```
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'DROP'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

(...)

config zone
        option name 'wg_fw'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wg'

config zone
        option name 'wg_lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'wg_lan'

config forwarding
        option src 'lan'
        option dest 'wg_fw'

config forwarding
        option src 'wg_lan'
        option dest 'wg_fw'
```
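The kill switch in the firewall configuration above rests on one property: the `wg_lan` zone has a forwarding only into `wg_fw`, and `wg_fw` covers nothing but the `wg` interface, so when the tunnel is down there is simply no other zone the SSID's traffic can be forwarded to. The script below is an added example, not part of the gist, that checks this property statically in a UCI firewall file with POSIX sh and awk. It also checks that the tunnel zone masquerades, since without `masq '1'` the 192.168.2.x client addresses would enter the tunnel unmodified and be dropped at the server. The two sample files it writes are constructed here to mirror the gist's zones (one correct, one "leaky" with an extra `wg_lan -> wan` forwarding); on a router you would point `check_kill_switch` at `/etc/config/firewall` instead.

```shell
#!/bin/sh
# Added example (not from the gist): verify the kill-switch layout of a UCI firewall file.
# Usage on a router:  check_kill_switch /etc/config/firewall wg_lan wg

# Print the dest zone of every "config forwarding" section whose src is $2 (file: $1).
fw_forward_targets() {
    awk -v src="$2" -v q="'" '
        function flush() { if (infwd && s == src && d != "") print d; infwd = 0; s = ""; d = "" }
        /^config[ \t]+forwarding/ { flush(); infwd = 1; next }
        /^config/                 { flush(); next }
        infwd && $2 == "src"      { s = $3; gsub(q, "", s) }
        infwd && $2 == "dest"     { d = $3; gsub(q, "", d) }
        END                       { flush() }' "$1"
}

# Print the networks covered by zone $2, from "list network" lines or a space-separated "option network".
fw_zone_networks() {
    awk -v zone="$2" -v q="'" '
        function flush(  i) {
            if (inz && n == zone) { for (i = 1; i <= cnt; i++) print nets[i] }
            inz = 0; n = ""; cnt = 0
        }
        /^config[ \t]+zone/    { flush(); inz = 1; next }
        /^config/              { flush(); next }
        inz && $2 == "name"    { n = $3; gsub(q, "", n) }
        inz && $2 == "network" {
            line = $0; sub(/^[ \t]*(option|list)[ \t]+network[ \t]+/, "", line); gsub(q, "", line)
            m = split(line, parts, /[ \t]+/)
            for (j = 1; j <= m; j++) if (parts[j] != "") nets[++cnt] = parts[j]
        }
        END                    { flush() }' "$1"
}

# Print the value of option $3 inside zone $2 (empty when unset or zone missing).
fw_zone_option() {
    awk -v zone="$2" -v opt="$3" -v q="'" '
        function flush() { if (inz && n == zone) print v; inz = 0; n = ""; v = "" }
        /^config[ \t]+zone/ { flush(); inz = 1; next }
        /^config/           { flush(); next }
        inz && $2 == "name" { n = $3; gsub(q, "", n) }
        inz && $2 == opt    { v = $3; gsub(q, "", v) }
        END                 { flush() }' "$1"
}

# Return 0 when zone $2 in file $1 can only be forwarded into zones that cover nothing
# but the tunnel interface $3, and every such zone masquerades; otherwise print why and return 1.
check_kill_switch() {
    file=$1; src=$2; tunnel=$3
    dests=$(fw_forward_targets "$file" "$src")
    [ -n "$dests" ] || { echo "FAIL: zone $src has no forwarding section at all"; return 1; }
    for d in $dests; do
        nets=$(fw_zone_networks "$file" "$d")
        [ -n "$nets" ] || { echo "FAIL: dest zone $d covers no network"; return 1; }
        for net in $nets; do
            if [ "$net" != "$tunnel" ]; then
                echo "FAIL: $src -> $d exposes network '$net' outside the tunnel"; return 1
            fi
        done
        if [ "$(fw_zone_option "$file" "$d" masq)" != "1" ]; then
            echo "FAIL: tunnel zone $d does not masquerade; client addresses would leak into the tunnel"; return 1
        fi
    done
    echo "OK: $src forwards only into tunnel-only zone(s):" $dests
    return 0
}

# Write a constructed sample firewall file (zones as in the gist) and print its path.
# $1 = "good" for the kill-switch layout; "leaky" appends an extra wg_lan -> wan forwarding.
write_sample() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option masq '1'

config zone
        option name 'wg_fw'
        option input 'REJECT'
        option masq '1'
        list network 'wg'

config zone
        option name 'wg_lan'
        option input 'ACCEPT'
        list network 'wg_lan'

config forwarding
        option src 'wg_lan'
        option dest 'wg_fw'
EOF
    if [ "$1" = "leaky" ]; then
        printf '\nconfig forwarding\n\toption src %s\n\toption dest %s\n' "'wg_lan'" "'wan'" >>"$f"
    fi
    echo "$f"
}

GOOD=$(write_sample good)
LEAKY=$(write_sample leaky)
check_kill_switch "$GOOD" wg_lan wg
check_kill_switch "$LEAKY" wg_lan wg || true
```

The check is deliberately a whitelist: any network name other than the tunnel interface in a reachable zone fails, so a later "helpful" forwarding from `wg_lan` to `lan` or `wan` is caught as well. It only reads the firewall file; it says nothing about the routing side (`route_allowed_ips` on the peer), which is a separate check.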
  • /etc/config/wireless

```
(...)

config wifi-iface 'wifinet2'
        option device 'radio1'
        option mode 'ap'
        option ssid 'testssid_wg'
        option encryption 'psk2'
        option key 'test1234test'
        option wnm_sleep_mode '1'
        option bss_transition '1'
        option ieee80211w '1'
        option ocv '0'
        option network 'wg_lan'
```