Use OpenWrt and WireGuard to Connect Two Remote LANs over the Internet

Thu, 14 Apr 2022 00:00:00 +0000

WireGuard can be used on OpenWrt routers to connect two LANs in different locations. After configuration, devices on both sides can access each other as if they were connected through a private routed network.

This is useful for home labs, NAS access, remote monitoring, backup synchronization and small office interconnection.

Basic Topology

Assume there are two sites:

1
2
3

Site A LAN: 192.168.1.0/24
Site B LAN: 192.168.2.0/24
WireGuard tunnel: 10.10.10.0/24

Each OpenWrt router runs WireGuard. One side can act as the peer with a public endpoint, or both sides can connect through a reachable server.

Install WireGuard

On OpenWrt, install the required packages:

1
2

opkg update
opkg install wireguard-tools luci-proto-wireguard

After installation, the LuCI web interface can configure WireGuard interfaces.

Create Keys

Generate private and public keys for each side:

`1`	`wg genkey \| tee privatekey \| wg pubkey > publickey`

Keep private keys secret. Exchange only public keys between the two routers.

Configure The Tunnel

Create a WireGuard interface on each router, for example wg0.

Example tunnel addresses:

1
2

Site A wg0: 10.10.10.1/24
Site B wg0: 10.10.10.2/24

For Site A, add Site B as a peer and set allowed IPs to:

1
2

10.10.10.2/32
192.168.2.0/24

For Site B, add Site A as a peer and set allowed IPs to:

1
2

10.10.10.1/32
192.168.1.0/24

These routes tell each router which remote subnet should go through the WireGuard tunnel.

Firewall And Routing

Create or assign a firewall zone for the WireGuard interface. Allow forwarding between LAN and WireGuard zones according to your policy.

At minimum, each side needs:

LAN to WireGuard forwarding;
WireGuard to LAN forwarding;
UDP port open for WireGuard on the side with a public endpoint;
correct allowed IPs for the remote subnet.

If NAT is not required, routed access is cleaner. Each LAN should know that the other LAN is reachable through the WireGuard router.

Test Connectivity

After both sides are configured, test the tunnel address first:

1
2

ping 10.10.10.1
ping 10.10.10.2

Then test a host in the remote LAN:

`1`	`ping 192.168.2.1`

If tunnel IPs work but LAN hosts fail, check firewall forwarding and remote subnet routes.

Summary

OpenWrt plus WireGuard is a lightweight way to connect two remote LANs. The important points are key exchange, tunnel addresses, allowed IPs, firewall forwarding and correct routing between the two LAN segments.

Remote-Network on KnightLi Blog