Enabling Wireguard on a Router Behind CGNAT

Netia disabled my public IP. It’s a problem for me, because I no longer can host a VPN server no my router. My first response to this was enabling back Tailscale on the router. I was happy for 1 whole night, because in the morning I saw the battery on my phone. Yep. Tailscale battery usage is atrocious.

So I decided to use the little networking knowledge I have and set up a router as a Wireguard “client” (sidenote: I’m using quotes because there is no such thing as server and clients in Wireguard: only peers) which will connect to the VPS, which will act as a VPN server/router. All the other clients will also connect to this VPS and will happily talk to each other.

This took me a day. My biggest mistake was starting with a “wg-easy” service, which currently goes through a rewrite and has very lacking documentation. I hoped for QR codes for ease of configuration on the phones. Conclusion: there’s nothing easy about wg-easy. It was a total defeat. I tried to use it as a rootless podman (which should work if all kernel modules were loaded prior to running the container), then rootfull podman, but the damn thing didn’t want to update iptables rules! In rootfull mode at least it did update the NAT table, but nothing else. Why? Who knows.

After wl-easy I made the right choice and configured bare metal Wireguard. It took yet another few hours and I almost went crazy because at some point I tried to configure the same public key for the [Interface] and [Peer] sections on my phone and wondered why it went silent. Then it started working (yay!) and stopped working after the reboot (boo!). Turns out my wl-easy experiments temporarily enabled IPv4 forwarding at some point.

Actual Configuration

I have GL.iNet router and there are many different opinions on “how to configure routing rules for VPN client”. I didn’t understand what are these magical “routing rules” because GL.iNet does a really poor job explaining it. In short: these exactly the same routes which you see with ip route command. For VPN configuration they will be assigned to wgclient device. Route to your LAN subnet (e.g. 192.168.1.0/24) are quietly discarded. And most important: don’t configure them. Just select “Auto Detect”, which will use your Wireguard configuration (otherwise you’d configure these routes twice, which is unnecessary). The only important bits is enabling “Remote Access LAN” switch and disbling “IP Masquerading” switch.

VPS

On VPS we need to configure:

  1. Wireguard configuration on, let’s say, subnet 10.8.0.0/24 and port 51820
  2. iptables rules which allow connection on this port (-I INPUT...)
  3. enable packet forwarding
  4. enable IP Masquerading (sidenote: IP Masquerading is the algorithm behind Network Address Translation (NAT): ) on the internal subnet used by Wireguard.

This mostly boils down to the following Wireguard configuration, let’s call it /etc/wireguard/wg0.conf:

# Server                                                                                                                                                                                               
[Interface]
PrivateKey = <redacted>
Address = 10.8.0.1/24
ListenPort = 51820
MTU = 1420
PostUp = iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
PostUp = iptables -I INPUT -p udp -m udp --dport 51820 -j ACCEPT
PostUp = iptables -A FORWARD -i %i -j ACCEPT
PostUp = iptables -A FORWARD -o %i -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
PostDown = iptables -D INPUT -p udp -m udp --dport 51820 -j ACCEPT
PostDown = iptables -D FORWARD -i %i -j ACCEPT
PostDown = iptables -D FORWARD -o %i -j ACCEPT

# router
[Peer]
PublicKey = <router-pubkey>
AllowedIPs = 10.8.0.2/32, 192.168.1.0/24

# phone
[Peer]
PublicKey = <phone-pubkey>
AllowedIPs = 10.8.0.3/32

This tells Wireguard that it should route packets with destination IP in IP range 192.168.1.0/24 to the router (peer identified by such and such public key).

On top of that, to enable packet forwarding make sure that /etc/sysctl.conf has the following parameter uncommented:

net.ipv4.ip_forward=1

Save, start with wg-quick up wg0, enable with something like systemct enable wg-quick@wg0.service. Verify connections with bare wg command, which also has some stats about transferred data.

Router

The only quirk about router’s configuration is its AllowedIPs. It should point to the VPN subnet (10.8..0.0/24) and not to the native LAN subnet (192.168.0.0/16), because we don’t want to route local traffic through VPN (that would be a waste).

I like setting PersistentKeepalive, even though official docs say that it’s not necessary in most cases, because I feel a little bit safer that my router will try to reconnect to VPS after its reboot (it happens from time to time).

[Interface]
Address = 10.8.0.2/24
PrivateKey = <redacted>
DNS = 1.1.1.1
MTU = 1420

[Peer]
AllowedIPs = 10.8.0.0/24
Endpoint = <vpn-ip-or-domain>:51820
PersistentKeepalive = 25
PublicKey = <vps-pubkey>

Router Clients (Phone, Laptop)

Other clients basically copy server’s [Peer] configuration. They should know that traffic to 192.168.1.0/24 should be routed via Wireguard:

[Interface]
Address = 10.8.0.3/24
PrivateKey = <redacted>
DNS = 1.1.1.1
MTU = 1420

[Peer]
AllowedIPs = 10.8.0.0/24, 192.168.1.0/24
Endpoint = <vpn-ip-or-domain>:51820
PersistentKeepalive = 25
PublicKey = <vps-pubkey>

Missing Parts

The only thing’s missing is generating peers configuration and transfering it via QR code. I’d rather generate it, together with private and public keys for all peers (including VPS), because it’s too easy to make mistakes while juggling private and public keys. I haven’t found a program which would satisfy me (I liked this part of wg-easy), so I’ll have to create one. Starting NOW.