Access LAN via WireGuard LAN, without routing all traffic to WireGuard

Hello,

I want to be able to access my NAS connected to my OpenWrt router via the LAN of WireGuard.
Since I don't have a public IP, I want to pass through a VPS I have.
Also, when I'm using the Internet at home via the OpenWrt router, I'd like to not route all connections through the VPS while still being able to connect back to the NAS from outside anytime.
Is this possible? I included a schematic of what I want to achieve.

                                 xxx xxx       x   x x   x x
                               x        x x  xx                xxx
                           xx         xxxx                         x
                          x           x                              x
                        x                                             x
                       x                                              x
                      x                                               x
                      x                                               x
                    xxx                                               x
               x xxx  xx
              x                                                     xx
           x                                                   xxx x
           x                                                       xxx
          x                         +---------+                        x
          x                         |         |
          x                         |         |                          x
                 +----------------->|   VPS   |<-------------------+      x
           xx    |                  |         |                    |      x
             xx  |                  +---------+                    |      x
                x|x xx                                             |     x
                 |  x                                              |    x
                 |  xx                                             |   x
                 |     x                                   xxxx  x |x
                 |        x                                xx      |
                 |         x    x                       xxx        |
                 |                 x  x   x    x  xx  x            |
                 |                                  Internet       |
                 |                                                 |
           +-----+----+                                      +-----+----+
           |          |                                      |          |
           |          |                                      |          |
           |  OpenWrt |                                      |  Laptop  |
           |          |                                      |          |
     +---->|          |<---+                                 |          |
     |     +----------+    |                                 +----------+
     |                     |
     |                     |
     |                     |
     |                     |
     |                     |
+----+----+       +--------+-+
|         |       |          |
|         |       |          |
|Raspberry|       |  NAS     |
| Pi      |       |          |
|         |       |          |
+---------+       +----------+

Thanks!

Do you already have a WireGuard setup in a VPS? I'd start there, then work on the laptop and/or OpenWrt parts.

You'll set up your OpenWrt device as a WireGuard 'client'. EDIT: you'll also need to make a few minor tweaks to the firewall relative to the 'client' configuration, but that's simple to do.

Thank you for your quick reply!

Right now, "tunnel" (the WireGuard interface) is working, I can see the last handshake being made just now in LuCI, and ping [something] -I tunnel works, and takes longer, so WireGuard is working!

I'm not sure how OpenWrt routes the traffic when I have "tunnel" and "wwan" in the same firewall zone "WAN". Should I even have these two in the same zone?
Do I need to add a separate zone for "tunnel", and how if I need to?

Thanks!

Move your WireGuard interface into a new firewall zone. Allow forwarding from this new zone > lan.

I just did that, and it's still not routing via WireGuard.

Here's the section of zones in /etc/config/firewall

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	option masq '1'
	option input 'ACCEPT'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'

config forwarding
	option src 'lan'
	option dest 'wan'

config zone
	option name 'tunnel'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'tunnel'
	option masq '1'

config forwarding
	option src 'lan'
	option dest 'tunnel'

Turn off masquerading on the tunnel.

Just tried, still not going through WireGuard.

Let's see your complete configs, starting with OpenWrt

/etc/config/network
/etc/config/firewall

Then your VPS, and then your laptop.
Obviously redact all keys and personal information.

Sure!

/etc/config/network


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fded:dbef:cb40::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config device
	option name 'lan1'
	option macaddr '80:cc:9c:ea:5f:4b'

config device
	option name 'lan2'
	option macaddr '80:cc:9c:ea:5f:4b'

config device
	option name 'lan3'
	option macaddr '80:cc:9c:ea:5f:4b'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ip6assign '60'
	list ipaddr '10.0.0.1/23'

config device
	option name 'wan'
	option macaddr '80:cc:9c:ea:5f:4c'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option type 'bridge'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'wwan'
	option proto 'dhcp'
	option device 'wlan0'
	option force_link '1'
	option hostname 'mbp-de-leana'

config interface 'tunnel'
	option proto 'wireguard'
	option private_key *
	list addresses '10.66.66.100/32'
	list addresses 'fd42:42:42::100/128'
	option peerdns '0'

config wireguard_tunnel
	option public_key *
	option preshared_key *
	option endpoint_host *
	option endpoint_port '22'
	option description *
	list allowed_ips '0.0.0.0'
	list allowed_ips '::0'
	list allowed_ips '128.0.0.0'

/etc/config/firewall


config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option drop_invalid '1'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	option masq '1'
	option input 'ACCEPT'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'

config zone
	option name 'tunnel'
	option input 'ACCEPT'
	option output 'ACCEPT'
	list network 'tunnel'
	option forward 'REJECT'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'tunnel'

/etc/wireguard/wg0.conf on VPS

[Interface]
Address = 10.66.66.1/24,fd42:42:42::1/64
ListenPort = 22
PrivateKey = *
PostUp = iptables -A FORWARD -i eth0 -o wg0 -j ACCEPT; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i eth0 -o wg0 -j ACCEPT; iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

### Client iphone
...

### Client ipad
...

### Client mba
...

### Client mbp
...

### Client openwrt
[Peer]
PublicKey = *
PresharedKey = *
AllowedIPs = 10.66.66.100/32,fd42:42:42::100/128

Configuration that I imported to OpenWrt

[Interface]
PrivateKey = *
Address = 10.66.66.100/32,fd42:42:42::100/128
DNS = 94.140.14.14,94.140.15.15

[Peer]
PublicKey = *
PresharedKey = *
Endpoint = *:22
AllowedIPs = 0.0.0.0/0,::/0

Configuration of my laptop

[Interface]
PrivateKey = *
Address = 10.66.66.10/32,fd42:42:42::10/128
DNS = 94.140.14.14,94.140.15.15

[Peer]
PublicKey = *
PresharedKey = *
Endpoint = *:22
AllowedIPs = 0.0.0.0/0,::/0

You probably want the allowed_ips to be 10.66.66.0/24 such that only traffic destined for those IPs should traverse the tunnel. You also need to enable route_allowed_ips for this.

In the firewall, add

config forwarding
	option src 'tunnel'
	option dest 'lan'

On your laptop, it appears that you are now sending all traffic through the tunnel. If that is desired, great. If not, you may want to change the AllowedIPs to 10.0.0.0/23.

Finally, your VPS needs to have a route of 10.0.0.0/23 via 10.66.66.100.


You probably want the allowed_ips to be 10.66.66.0/24 such that only traffic destined for those IPs should traverse the tunnel. You also need to enable route_allowed_ips for this.

Makes total sense, just did that.

Finally, your VPS needs to have a route of 10.0.0.0/23 via 10.66.66.100.

Could you elaborate please? Thanks!

Your laptop wants to connect to a device on your home LAN (10.0.0.0/23), so it sends traffic to one of the IPs on that network. That traffic goes through the tunnel and reaches the VPS. Now the VPS needs to know where to send traffic going to 10.0.0.0/23... it currently isn't aware of any such networks, so it will likely drop the packets. If you add a route as I had described, it tells the VPS that it can reach 10.0.0.0/23 by sending that traffic to 10.66.66.100 (the tunnel-gateway to your home LAN).

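The two replies above (allowed_ips 10.66.66.0/24 with route_allowed_ips plus the tunnel -> lan forwarding on OpenWrt, and the 10.0.0.0/23 route on the VPS) can be checked with a small simulation. The following is an added example, not code from the thread or from OpenWrt or WireGuard: it models each hop as the two lookups a WireGuard host really performs, the kernel's longest-prefix route lookup and WireGuard's per-peer AllowedIPs lookup (cryptokey routing), then traces a packet from the laptop (10.66.66.10) to a NAS at 10.0.0.20 (a constructed address) and the reply back. The VPS's iptables FORWARD rule for wg0 is modelled as an allowed wg -> wg forwarding pair. One point the thread does not state but the simulation makes visible: on the VPS the route alone is not enough, because WireGuard will only encrypt a packet to 10.0.0.20 (and accept a reply from it) if the openwrt peer's AllowedIPs also contain 10.0.0.0/23.

```python
"""Trace laptop -> VPS -> OpenWrt -> NAS through route lookup and WireGuard AllowedIPs."""
import ipaddress


def lpm(table, addr):
    """Longest-prefix match over [(cidr, value)]; returns value or None if nothing matches."""
    best, best_len = None, -1
    for cidr, value in table:
        net = ipaddress.ip_network(cidr)
        if addr in net and net.prefixlen > best_len:
            best, best_len = value, net.prefixlen
    return best


class Host:
    def __init__(self, name, addresses, routes, peers=None, forwarding=()):
        self.name = name
        self.addresses = {ipaddress.ip_address(a) for a in addresses}
        self.routes = routes                 # [(cidr, "lan" | "wg" | "inet" | "gw:<host>")]
        self.peers = peers or {}             # WireGuard peer name -> list of AllowedIPs
        self.forwarding = set(forwarding)    # firewall: allowed (in_if, out_if) pairs

    def peer_for(self, addr):
        """Cryptokey routing: the peer whose AllowedIPs cover addr (longest match), or None."""
        table = [(cidr, peer) for peer, cidrs in self.peers.items() for cidr in cidrs]
        return lpm(table, addr)


def trace(hosts, src_name, src, dst, max_hops=8):
    """Return (outcome, path) for a packet src -> dst injected at src_name."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    cur, in_if, path = src_name, None, [src_name]
    for _ in range(max_hops):
        host = hosts[cur]
        if dst in host.addresses:
            return "delivered", path
        action = lpm(host.routes, dst)
        if action is None:
            return f"dropped: {cur} has no route to {dst}", path
        if action == "inet":
            return f"lost: {cur} sends {dst} out its default route to the internet", path
        out_if = "wg" if action == "wg" else "lan"
        if in_if is not None and (in_if, out_if) not in host.forwarding:
            return f"dropped: {cur} firewall does not forward {in_if}->{out_if}", path
        if action == "wg":
            peer = host.peer_for(dst)                     # outbound: dst must be in some peer's AllowedIPs
            if peer is None:
                return f"dropped: {cur} wg0 has no peer whose AllowedIPs cover {dst}", path
            if hosts[peer].peer_for(src) != cur:          # inbound: src must be in the sender's AllowedIPs
                return f"dropped: {peer} rejects src {src} from {cur} (not in AllowedIPs)", path
            nxt = peer
        elif action.startswith("gw:"):
            nxt = action[3:]
        else:  # "lan": direct delivery to whichever host owns dst
            nxt = next((n for n, h in hosts.items() if dst in h.addresses), None)
            if nxt is None:
                return f"dropped: no host on {cur}'s LAN owns {dst}", path
        path.append(nxt)
        cur, in_if = nxt, out_if
    return "dropped: hop limit exceeded", path


def build(vps_route, vps_allowed_home):
    """The thread's topology; the two flags toggle the VPS-side route and AllowedIPs."""
    laptop = Host("laptop", ["10.66.66.10"], routes=[("0.0.0.0/0", "wg")],   # AllowedIPs 0.0.0.0/0
                  peers={"vps": ["0.0.0.0/0"]})
    vps_routes = [("10.66.66.0/24", "wg"), ("0.0.0.0/0", "inet")]            # wg0 is 10.66.66.1/24
    if vps_route:
        vps_routes.append(("10.0.0.0/23", "wg"))   # ip route add 10.0.0.0/23 via 10.66.66.100 dev wg0
    openwrt_allowed = ["10.66.66.100/32"] + (["10.0.0.0/23"] if vps_allowed_home else [])
    vps = Host("vps", ["10.66.66.1"], routes=vps_routes,
               peers={"laptop": ["10.66.66.10/32"], "openwrt": openwrt_allowed},
               forwarding={("wg", "wg")})          # iptables -A FORWARD -i wg0 -j ACCEPT
    openwrt = Host("openwrt", ["10.0.0.1", "10.66.66.100"],
                   routes=[("10.0.0.0/23", "lan"), ("10.66.66.0/24", "wg")],  # route_allowed_ips
                   peers={"vps": ["10.66.66.0/24"]},                           # allowed_ips 10.66.66.0/24
                   forwarding={("lan", "wg"), ("wg", "lan")})                  # lan<->tunnel forwardings
    nas = Host("nas", ["10.0.0.20"], routes=[("10.0.0.0/23", "lan"), ("0.0.0.0/0", "gw:openwrt")])
    return {h.name: h for h in (laptop, vps, openwrt, nas)}


if __name__ == "__main__":
    for route, allowed in ((False, False), (True, False), (True, True)):
        hosts = build(route, allowed)
        print(f"VPS route={route} AllowedIPs has 10.0.0.0/23={allowed}")
        print("  laptop -> nas:", trace(hosts, "laptop", "10.66.66.10", "10.0.0.20"))
        print("  nas -> laptop:", trace(hosts, "nas", "10.0.0.20", "10.66.66.10"))
```

On the VPS the route in the simulation corresponds to `ip route add 10.0.0.0/23 via 10.66.66.100 dev wg0`, which can be placed in the PostUp line of wg0.conf (with a matching `ip route del` in PostDown), and the second toggle corresponds to extending the openwrt peer to `AllowedIPs = 10.66.66.100/32,fd42:42:42::100/128,10.0.0.0/23`. Running the script shows the packet lost to the internet without the route, dropped by wg0 with the route but without the AllowedIPs entry, and delivered in both directions only with both.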

Aha! I get it now!
Could you tell me how to add such a route or where to find more information? I'm quite new to networking. Thanks!

Also, when I ping 10.66.66.1 via my laptop (WireGuard disconnected) via OpenWrt (WireGuard connected), is it normal that I can't reach the VPS? Is there some routing missing?

I believe that is as expected. However, if you ssh into the router and ping 10.66.66.1, it should work as long as the tunnel is up.

I just tried it, it doesn't. But ping 8.8.8.8 -I tunnel works, with a higher latency. Odd.

It is possible that your VPS doesn't respond to pings.

You can try it with your laptop connected to the VPS via WG.

It does reply when I connect to WireGuard and ping on my laptop.

Update: I can ping 10.66.66.100 (OpenWrt) from my laptop without WireGuard, but not without.

Ok... let's review the WG config of your OpenWrt router (repost so we can see the latest).

I just did a diff command, there's no difference besides option persistent_keepalive '25'. I added this because it's suggested to use 25 when OpenWrt is behind a NAT.

What about the changes I recommended earlier? Let's see the latest file, please.