My VPN provider has a limit to how many concurrent connections I can have, and a workaround I’ve been using is to run the WireGuard client as a daemon (wg-quick@my-wg-config) and a Squid proxy on my home server, and point my local devices to the HTTP proxy port, which will route the traffic through the WireGuard connection. However, this has broken randomly multiple times in the past few months, where it will randomly decide to just not allow the server to connect to ANY internet address while the WireGuard connection is active, and no amount of network or routing table configuration changes fixes it. The Squid proxy works fine as far as I can tell; it’s just the WireGuard connection that’s failing, which doesn’t even allow a ping to an internet address from the server’s terminal (which doesn’t go through the proxy). The only way I’ve been able to fix it is to completely reinstall the OS on the server and reconfigure everything from scratch, which is annoying and also only works until it randomly decides to break again. This makes me think I’m doing something wrong.

Is there a more “proper” or widely supported way of routing internet traffic on local devices through a single WireGuard connection? Everything I could read online says running WireGuard with an HTTP proxy server is the way to do it, but it clearly isn’t very reliable, or my computer is just defective in some weird intermittent way? The server is running Fedora Server 43. I’ve also checked for SELinux denials but there are none.

I’m aware of wireproxy but it uses a SOCKS5 proxy which is not as widely supported as an HTTP proxy and a lot of my devices (mainly phones) won’t be able to access it. Also I’d like the server itself to also use the VPN, not just the devices on the proxy.

Does anyone have more experience with this and can give some advice?

  • just_another_person@lemmy.world · 7 hours ago

    You need a router or a proxy. A proxy would be annoying, so a router is preferred.

    If you don’t have control of your edge router, just get a cheap Pi-type device, install OpenWRT, set up your VPN connections, then create a route on your network to point at this new device for whatever you need it for.

    If you simply want to use it at-will for certain things, you can put a proxy on it.

    As to your other issues, it sounds like your WG connection is just dropping, in which case it won’t automatically reconnect by default. OpenWRT has plugins that can monitor that and reconnect when it drops, or you can script it pretty quickly as well.
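A reconnect script of the kind this comment suggests, added here as an example (it is not from the thread or any commenter). It assumes the tunnel is the systemd unit wg-quick@wg0, that 1.1.1.1 is reachable through the tunnel as a probe host, and that the script is run every minute from a cron job or systemd timer with the argument `check`; it goes slightly beyond the comment by checking the last-handshake age that `wg show` reports, so a tunnel whose interface is still "up" but no longer passing traffic is caught too.

```shell
#!/bin/sh
# Added example, not from the thread: watchdog for a wg-quick@<iface> tunnel, which wg-quick does
# not re-establish on its own. Assumed names: interface wg0, probe host 1.1.1.1, run via a timer.
set -u

WG_IFACE="${WG_IFACE:-wg0}"
PROBE_HOST="${PROBE_HOST:-1.1.1.1}"
MAX_AGE="${MAX_AGE:-180}"   # seconds; a peer with traffic re-handshakes roughly every 2 minutes
LOG_TAG="wg-watchdog"

# newest_handshake OUTPUT
#   OUTPUT is the text of `wg show <iface> latest-handshakes`: one "<peer-pubkey><TAB><epoch>"
#   line per peer, epoch 0 meaning "never". Prints the newest epoch seen (0 if none).
newest_handshake() {
    printf '%s\n' "$1" | awk 'BEGIN { best = 0 }
        NF >= 2 && $2 + 0 > best { best = $2 + 0 }
        END { print best }'
}

# handshake_fresh OUTPUT NOW MAX_AGE
#   Succeeds if some peer completed a handshake within MAX_AGE seconds before epoch NOW.
handshake_fresh() {
    best=$(newest_handshake "$1")
    [ "$best" -gt 0 ] && [ $(( $2 - best )) -le "$3" ]
}

# Live check: handshake age from the kernel, then an ICMP echo bound to the tunnel interface
# (ping -I) so a working default route via the ISP router cannot mask a dead tunnel.
tunnel_healthy() {
    out=$(wg show "$WG_IFACE" latest-handshakes 2>/dev/null) || return 1
    handshake_fresh "$out" "$(date +%s)" "$MAX_AGE" || return 1
    ping -c 1 -W 3 -I "$WG_IFACE" "$PROBE_HOST" >/dev/null 2>&1
}

restart_tunnel() {
    logger -t "$LOG_TAG" "tunnel $WG_IFACE unhealthy, restarting wg-quick@$WG_IFACE"
    systemctl restart "wg-quick@$WG_IFACE"
}

# Only acts when invoked as `wg-watchdog.sh check`; sourcing it without arguments just defines
# the functions above.
case "${1:-}" in
    check) tunnel_healthy || restart_tunnel ;;
esac
```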

    • HiddenLayer555@lemmy.ml (OP) · 6 hours ago

      just get a cheap Pi-type device, install OpenWRT, setup your VPN connections, then create a route on your network to point at this new device for whatever you need it for.

      Can I just set its IP address as the default gateway on my devices instead of the main router and expect it to forward everything to the main router through the VPN? Or is there a more complicated setup procedure to get the two routers talking properly?

      I briefly tried to make my server a default gateway in the past but couldn’t get it to work, and I’m generally not super experienced with networking. But that was on a general non-router OS. Does OpenWrt do the gateway and routing/forwarding configuration by itself more than a general Linux OS?

      • just_another_person@lemmy.world · 6 hours ago

        The default gateway for the new device needs to be your existing router in order to get to the internet. Then when you create a new WG connection, you ensure all traffic that gets passed to this new device forwards through the WireGuard tunnel.

        PC > WG-router > existing-router > internet

        • HiddenLayer555@lemmy.ml (OP) · edited · 4 hours ago

          Ok, so if my main router is on 192.168.1.1 and my new OpenWrt router I plan on connecting to VPN is 192.168.1.2, I should set the OpenWrt router’s gateway to 192.168.1.1, set any devices I want on the VPN to use gateway 192.168.1.2, and any devices I don’t want on the VPN should stay on 192.168.1.1, right?

          Would devices on the VPN still be able to access the local network and devices that have 192.168.1.1 as their gateway? I assume it would only route internet bound traffic and the OpenWRT router would be able to just pass through local network traffic the same way as the main router?

          Also, would the OpenWrt router be able to deal with the main router handling DHCP if I configure it to give it a static IP? Will it just know what devices it’s talking to when the main router assigns them their dynamic IPs?

          Sorry for all the noob questions, networking is not one of my strengths.

          • just_another_person@lemmy.world · 1 hour ago

            Pretty much got it. Any other static routes you set up will be static to the new router only, but otherwise that’s pretty much it. Devices with static IPs don’t participate in DHCP, so it won’t cause a conflict. Just make sure DHCP is disabled on the new device.

          • harmbugler@piefed.social · edited · 2 hours ago

            I have two routers set up like this. The untrusted ISP router is plugged into the wall with untrusted devices (e.g., work laptops, guest devices) connected to it. Its IP is 192.168.20.1 and untrusted devices use that IP as gateway.

            Then there’s a trusted router that trusted devices connect to with IP 192.168.1.1. I have it connected to the untrusted router’s wifi as WAN, but you could also just connect its physical WAN port to an untrusted router LAN port. Trusted devices use 192.168.1.1 as their gateway and the trusted router tunnels all connections over the untrusted router to the VPN provider.

            Only the trusted router needs Wireguard. The trusted devices think they are just on a regular LAN, which keeps their configuration simpler.
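The "WG-router" the replies above describe (a Linux box at 192.168.1.2 whose own gateway is 192.168.1.1, forwarding its clients' traffic only into the tunnel), as an added setup script; it is an example written for this thread, not anything a commenter posted. It assumes the LAN interface is eth0, the tunnel interface is wg0, the LAN is 192.168.1.0/24 and nftables is installed; the forward chain's drop policy means that when wg0 is down, client traffic is dropped rather than forwarded out through the ISP router.

```shell
#!/bin/sh
# Added example, not from the thread: turn a Linux host into the "WG-router" of the replies above.
# Assumptions: LAN interface eth0, WireGuard interface wg0, LAN 192.168.1.0/24, nftables present.
set -u

# gateway_ruleset LAN_IF WG_IF LAN_CIDR
#   Prints an nftables ruleset that forwards LAN clients only into the tunnel (policy drop, so a
#   downed tunnel never falls back to the ISP router) and masquerades them behind the tunnel address.
gateway_ruleset() {
    lan_if=$1; wg_if=$2; lan_cidr=$3
    cat <<EOF
table inet wg_gateway {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "$lan_if" ip saddr $lan_cidr oifname "$wg_if" accept
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "$wg_if" masquerade
    }
}
EOF
}

# apply_gateway LAN_IF WG_IF LAN_CIDR
#   Enables forwarding, validates the ruleset without loading it (nft -c), then loads it.
apply_gateway() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    gateway_ruleset "$@" | nft -c -f - || return 1
    gateway_ruleset "$@" | nft -f -
}

# Invoked as `wg-gateway.sh apply`; sourcing without arguments only defines the functions.
# Clients that should use the VPN then get 192.168.1.2 as their gateway; same-subnet traffic
# between clients never reaches this box, so LAN access is unaffected.
case "${1:-}" in
    apply) apply_gateway eth0 wg0 192.168.1.0/24 ;;
esac
```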