Replace OpenVPN client with Wireguard

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
2023-07-02 06:55:04 - last edited 2023-07-02 07:02:41
Tags: #VPN #Routing / Wireguard
Model: ER7206 (TL-ER7206)  
Hardware Version: V1
Firmware Version: 1.3.0

Hi,

I have an ER7206 with the following setup:
Port 1: WAN connected to internet with VDSL (VLAN 4094)
Port 2: WAN/LAN1 (using as WAN) connected to internet with fibre (VLAN 4093)
Port 3: empty
Port 4: VLAN 2 with wireless AP for subnet 10.0.2.0/24
Port 5: VLAN 1 with wireless AP for subnet 10.0.1.0/24

I am using VLAN 2 with a permanent VPN connection to NordVPN (connecting with OpenVPN Client).

In the OpenVPN client configuration I define 10.0.2.0/24 as the local network with the result that every client connected to VLAN 2 is automatically connecting to Internet through the NordVPN server configured in the OpenVPN client.

All clients connected to VLAN 1 are not using VPN but go straight to WAN and/or WAN/LAN1 (depending on load balancing and link backup settings).

I would like to replace OpenVPN with Wireguard for performance reasons (performance is a multiple of OpenVPN performance).

I managed to connect to NordVPN with Wireguard and all traffic is being tunneled to the configured NordVPN server. Success!

Unfortunately though, it is ALL traffic from ALL subnets that goes directly through the VPN tunnel.

This leads me to the following questions:

Is there a way to only tunnel traffic coming from VLAN 2 through Wireguard?

If not can we expect a feature "Local Network" as it exists for OpenVPN also for Wireguard in a future release?

Also, it is not possible to select the WAN interface for Wireguard.

Does that mean it is routed randomly through either WAN? How do I find out which one? Is it maybe even load balanced through both if load balancing is activated?

Sorry if these are stupid questions. My networking know-how is somewhat limited.

Thank you very much for your support.

BigPat

#1
Re:Replace OpenVPN client with Wireguard
2023-07-03 06:39:00

@BigPat

How do you configure "allowed IP" in the peer settings?

ScReW yOu gUyS. I aM GOinG hoMe. —————————————————————— For heaven's sake, can you write and describe your issue based on plain fact, common logic and a methodologic approach? Appreciate it.

#2
Re:Replace OpenVPN client with Wireguard
2023-07-03 18:42:51

Hi @Tedd404

My setting for allowed IPs is 0.0.0.0/0.

Reason is that I want all destinations to go through the wg tunnel. But not for all hosts (only hosts on VLAN2).

As far as I understand there are several issues with the current wireguard implementation (not related to my problem, though):
- can only configure one allowed IP per peer
- can't configure DNS for the interface
- VPN tunnels are not available as interfaces for routing purposes

Thank you for your support.

BigPat

#3
Re:Replace OpenVPN client with Wireguard
2023-07-10 00:34:54

@BigPat

I'm noticing the same limitations with a very similar setup. I want only a single VLAN from my ER7206 to connect to an outside Wireguard server, but it doesn't seem possible right now.

Additionally, it seems you can't even set a domain name for the peer Endpoint (which works on all of my other devices). The auto-generated config made by my peer provides a FQDN since it has a dynamic IP:

But the controller only accepts IPs in the Endpoint field, and won't let me save it when the endpoint is a domain:

Let's hope these features get addressed in an upcoming update!

  0  
  0  
#4
Options
Re:Replace OpenVPN client with Wireguard
2023-07-16 23:46:38 - last edited 2023-07-16 23:47:30

@SirTomOfAto

I agree. It would be nice to have some more configuration features for wireguard.

The speed difference compared to OpenVPN is huge and the configuration is super simple.

I noticed that OpenVPN creates interfaces in the background (tun0 for the client, tun_server0 for the server) and automatically creates entries in the routing table.

I like this, because it takes away the complexity of routing from the user. On the other side, it would be nice to have more flexibility when it comes to routing.

Wireguard does not create any interfaces (or they are not visible in the routing table).

I also like how TP-Link adds new features with every firmware update. I guess there is hope for one of the future releases.

Fingers crossed.

BigPat

#5
Re:Replace OpenVPN client with Wireguard
2023-08-05 02:08:36

@BigPat

I am also encountering an issue where I would like to apply my WireGuard client to a specific VLAN. Currently, the entire network traffic is being routed through the VPN tunnel, which is not my intention. I'm struggling to configure the "Allowed IPs" to approve only a specific subnet. If I don't enter 0.0.0.0/0, the entire connection seems to be disrupted.

Do you have any tips or suggestions?

Alternatively, I would appreciate a feature similar to the one in OpenVPN, where you can select LANs to apply the VPN to.

#6
Re:Replace OpenVPN client with Wireguard
2023-08-07 01:53:54

@ikheetjeff

Hi,

I am not a network pro, nor do I understand more than the absolute basics of wireguard. This as a big disclaimer to the 'wisdom' that follows:

But my understanding is that in "Allowed Address" you can specify which destination addresses will be routed through the wireguard tunnel.

This is very useful in a context where you want to connect two remote subnets but isn't that useful if you want to browse the internet through a VPN provider like NordVPN or stream protected content from another country.

I understand that a possible solution to this could be by adding routing rules in the Transmission section of the TP-Link router. The OpenVPN client seems to do this automatically. Unfortunately the wireguard one doesn't. Also it doesn't provide the flexibility to do this manually, since the tunnel can not be selected as an interface in the WAN dropdown.

Not sure what the best solution would be to this but at the moment it doesn't seem to be possible on the TP-Link Omada routers.

Let's see what future upgrades bring.

Best,

BigPat
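
Added example (my own code, not from the thread, from TP-Link or from the Omada firmware): a small Python model of the two routing decisions the posts above keep circling. `select_peer` and `accept_from_peer` model WireGuard's AllowedIPs, which pick the peer by destination on the way out and filter by source on the way in; that is why the narrow setting tried in post #5 drops every internet-bound packet. `egress_interface` models the source-based policy routing ("from VLAN 2, use the tunnel") that post #6 says the ER7206 does not expose, including the easily forgotten exemption for inter-VLAN traffic. The VLAN addresses are the thread's; the interface names, the 10.0.0.0/16 aggregate and the table names are assumptions.

```python
import ipaddress

Net = ipaddress.ip_network

# --- WireGuard side: cryptokey routing (AllowedIPs) -------------------------

def select_peer(dst, peers):
    """Outbound: WireGuard encrypts a packet to the peer whose AllowedIPs entry
    has the longest prefix containing the *destination*.  With no matching
    entry the packet is dropped.  `peers` maps peer name -> list of networks."""
    dst = ipaddress.ip_address(dst)
    best_name, best_len = None, -1
    for name, allowed in peers.items():
        for net in allowed:
            if dst in net and net.prefixlen > best_len:
                best_name, best_len = name, net.prefixlen
    return best_name

def accept_from_peer(src, peer_name, peers):
    """Inbound: a packet decrypted from a peer is accepted only if its *source*
    address lies inside that peer's AllowedIPs; anything else is dropped."""
    src = ipaddress.ip_address(src)
    return any(src in net for net in peers[peer_name])

# --- Router side: source-based policy routing --------------------------------

def longest_match(dst, routes):
    """Interface of the most specific route containing dst (None if none)."""
    best_if, best_len = None, -1
    for net, iface in routes:
        if dst in net and net.prefixlen > best_len:
            best_if, best_len = iface, net.prefixlen
    return best_if

def egress_interface(src, dst, rules, tables):
    """Linux-style policy routing: `rules` are (from_net, to_net, table) in
    priority order.  The first rule matching the packet's source *and*
    destination selects a table; that table's longest-prefix route gives the
    egress interface.  A rule whose table has no usable route is skipped."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for from_net, to_net, table in rules:
        if src in from_net and dst in to_net:
            iface = longest_match(dst, tables[table])
            if iface is not None:
                return iface
    return None

# --- Constructed scenario mirroring the thread --------------------------------

ANY = Net("0.0.0.0/0")
VLAN1, VLAN2 = Net("10.0.1.0/24"), Net("10.0.2.0/24")   # from the thread
LOCAL = Net("10.0.0.0/16")                              # assumed aggregate

# AllowedIPs = 0.0.0.0/0 (the working setting in post #2): every destination
# may use the tunnel, so all traffic that reaches the tunnel is encrypted.
PEERS_FULL = {"nordvpn": [ANY]}
# AllowedIPs = 10.0.2.0/24 (the attempt in post #5): only packets *destined*
# for the local VLAN 2 range match, so internet destinations are dropped.
PEERS_NARROW = {"nordvpn": [VLAN2]}

# Interface names are assumptions; the ER7206 does not expose this table.
TABLES = {
    "main": [(VLAN1, "vlan1"), (VLAN2, "vlan2"), (ANY, "wan")],
    "vpn":  [(ANY, "wg0")],
}
# Priority order matters: local destinations must be exempted *before* the
# source-based rule, or VLAN 2 could no longer reach VLAN 1 at all.
RULES = [
    (ANY, LOCAL, "main"),   # inter-VLAN traffic never enters the tunnel
    (VLAN2, ANY, "vpn"),    # everything else from VLAN 2 -> wg0
    (ANY, ANY, "main"),     # the rest (VLAN 1) -> normal WAN selection
]
RULES_NO_EXEMPTION = RULES[1:]   # the same rules with the exemption forgotten

if __name__ == "__main__":
    print("AllowedIPs 0.0.0.0/0, dst 1.1.1.1 ->", select_peer("1.1.1.1", PEERS_FULL))
    print("AllowedIPs 10.0.2.0/24, dst 1.1.1.1 ->", select_peer("1.1.1.1", PEERS_NARROW))
    for src, dst in [("10.0.2.15", "1.1.1.1"), ("10.0.1.15", "1.1.1.1"),
                     ("10.0.2.15", "10.0.1.5")]:
        print(f"{src} -> {dst}: {egress_interface(src, dst, RULES, TABLES)}"
              f" (without exemption: {egress_interface(src, dst, RULES_NO_EXEMPTION, TABLES)})")
```

On a plain Linux router the `RULES` part corresponds to running WireGuard with `Table = off` in its wg-quick profile, adding `ip rule add from 10.0.2.0/24 lookup <table>` and putting a default route via the tunnel interface into that table; whether Omada firmware will ever expose an equivalent is exactly the open question of this thread.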
