Access LAN via WireGuard LAN, without routing all traffic to WireGuard

Sure, sorry, I just wanted to save you some time.

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fded:dbef:cb40::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config device
	option name 'lan1'
	option macaddr '80:cc:9c:ea:5f:4b'

config device
	option name 'lan2'
	option macaddr '80:cc:9c:ea:5f:4b'

config device
	option name 'lan3'
	option macaddr '80:cc:9c:ea:5f:4b'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ip6assign '60'
	list ipaddr '10.0.0.1/23'

config device
	option name 'wan'
	option macaddr '80:cc:9c:ea:5f:4c'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option type 'bridge'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'wwan'
	option proto 'dhcp'
	option device 'wlan0'
	option force_link '1'
	option hostname 'mbp-de-leana'

config interface 'tunnel'
	option proto 'wireguard'
	option private_key *
	list addresses '10.66.66.100/32'
	list addresses 'fd42:42:42::100/128'
	option peerdns '0'
	list dns '94.140.14.14'
	list dns '94.140.15.15'

config wireguard_tunnel
	option public_key *
	option preshared_key *
	option endpoint_host *
	option endpoint_port '22'
	option description *
	list allowed_ips '10.66.66.0/24'
	option persistent_keepalive '25'

/etc/config/firewall


config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option drop_invalid '1'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	option masq '1'
	option input 'ACCEPT'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'

config zone
	option name 'tunnel'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'tunnel'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'tunnel'
	option dest 'wan'

config forwarding
	option src 'tunnel'
	option dest 'lan'

route_allowed_ips is missing


Yep, just added option route_allowed_ips '1'.
What does this change exactly?

Also, I now have a weird error when I try to ping with "tunnel" on OpenWrt.

root@OpenWrt:~# ping 8.8.8.8 -I tunnel
PING 8.8.8.8 (8.8.8.8): 56 data bytes
ping: sendto: Required key not available

This adds routes for the peer's allowed IPs to the routing table, so that traffic to those addresses goes through the tunnel.

You should now be able to ping the VPS end of the connection, but only that /24 network because all other destinations (like 8.8.8.8) are not allowed (because they are not in the allowed IPs range).


Yes, I can ping 10.66.66.1 on OpenWrt now! Thanks!

So what do I need to do on my VPS to route 10.0.0.0/23 via 10.66.66.100?
Thanks a lot!
(If it'd take too much time to explain, knowing what keywords I can use to find what I want would really help too :slight_smile: )

If I had to guess, you'd be adding the route using the Linux `ip route` command (assuming your VPS is running Linux). Something like this:
$ ip route add 10.0.0.0/23 via 10.66.66.100


Thank you! I just finished reading it.

On my VPS, I ran ip route add 10.0.0.0/23 via 10.66.66.100 dev wg0, the route was added to the routing table.
However, when I ping any address in 10.0.0.0/23, there's no response.

PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
From 10.66.66.1 icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Required key not available

Why is this the case?

Where are you pinging from?

I'm not sure you need to specify the device on the VPS. Just the address should be fine, because it already knows about 10.66.66.0/24.

It was on my VPS, forgot to mention that..

I'm not sure you need to specify the device on the VPS. Just the address should be fine, because it already knows about 10.66.66.0/24.

I tried without specifying the device and it didn't work either. It gives me the same error.

This is the `route` output. Is it normal to have 0.0.0.0 as the gateway for 10.66.66.0?

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         gw-li952.linode 0.0.0.0         UG    0      0        0 eth0
10.0.0.0        10.66.66.100    255.255.254.0   UG    0      0        0 wg0
10.66.66.0      0.0.0.0         255.255.255.0   U     0      0        0 wg0
213.52.129.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0

I feel like this means that traffic for 10.0.0.10 is being sent to 10.66.66.100, which, instead of sending it back to OpenWrt, sends it to 10.66.66.1 because that is the gateway for 10.66.66.100. Am I correct?
I tried to use traceroute to have a clearer picture, but it wouldn't run.

traceroute to 10.0.0.10 (10.0.0.10), 30 hops max, 60 byte packets
send: Required key not available

What do I need to do to fix the routing table? Thanks!

Yes, I think this is normal, but I could be wrong.

I'm still not clear where your pings are originating from... is it from the VPS or the laptop (or the router itself)?

Required key not available I think is a Wireguard error related to having the keys improperly installed.

Each site needs a unique private key. Derive the site's public key from that private key and install it in the peers section at the other end of the link. I think that preshared keys need not be unique. You can disable preshared keys entirely until things are working.

Then run wg at each site and confirm that handshakes are occurring.

Next, can you ping the tunnel 10.66.66 addresses from each site? This should work both from the VPS to or from a client, as well as from one client to another. The VPS will switch the packets through as long as the base 10.66.66.0/24 via wg0 route is in place. Specific routes are not needed to ping among the tunnels related to the same wg server.

I ssh-ed into the VPS and pinged 10.0.0.1 over there. I did this in order to see if the route ip route add 10.0.0.0/23 via 10.66.66.100 is working, and it's not :frowning: .

Then run wg at each site and confirm that handshakes are occurring.

WireGuard is working, there are handshakes. From each client peer of WireGuard I can ping every other client (e.g. 10.66.66.10) without issue.

The Required key not available error only occurs when I ping a client on the OpenWrt LAN from the VPS (I ssh-ed into that server and pinged 10.0.0.1), which I think might be related to the route I created not working properly, but I'm not sure.

I am not sure if you have fixed it already, but on OpenWrt you have forgotten the prefix lengths in the allowed_ips.

Here's the config at the moment:

config wireguard_tunnel
	option public_key *
	option preshared_key *
	option endpoint_host *
	option endpoint_port '22'
	option description *
	option route_allowed_ips '1'
	list allowed_ips '10.66.66.0/24'
	option persistent_keepalive '25'

Do I need to add these lines ?

list allowed_ips '0.0.0.0'
list allowed_ips '::0'
list allowed_ips '128.0.0.0'

Update for more context:

I can indeed ping OpenWrt from VPS (I ssh-ed to my VPS):

$ ping 10.66.66.100
PING 10.66.66.100 (10.66.66.100) 56(84) bytes of data.
64 bytes from 10.66.66.100: icmp_seq=1 ttl=64 time=20.6 ms

But pinging devices in the LAN of OpenWrt doesn't work:

$ ping 10.0.0.10
PING 10.0.0.10 (10.0.0.10) 56(84) bytes of data.
From 10.66.66.1 icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Required key not available

Yes, I understood the problem.
The issue is that you are not using any prefix length, so each entry is implied to be a single host address.
This is correct (note that 0.0.0.0/1 and 128.0.0.0/1 together cover every IPv4 destination, and ::/0 covers all of IPv6, so with route_allowed_ips enabled these entries send all of the router's traffic through the tunnel):

list allowed_ips '0.0.0.0/1'
list allowed_ips '::/0'
list allowed_ips '128.0.0.0/1'

Also, on the VPS the allowed IPs for the peer must include the LAN addresses:
AllowedIPs = 10.66.66.100/32,fd42:42:42::100/128,10.0.0.0/23


Update: I got the reverse connection part working!!

I read this thread, and expanded the scope of allowed hosts on the VPS.
(kudos to @trendy too)

### Client openwrt
[Peer]
PublicKey = *
PresharedKey = *
AllowedIPs = 10.66.66.100/32,fd42:42:42::100/128,10.0.0.0/23

Restarted WireGuard and it worked!

What remains

From my laptop connected to another LAN and with WireGuard on, I still can't ping devices in the LAN of OpenWrt. I can't access the Internet either.

Okay, I see what you mean by prefix length now, thanks!
Could you explain what these IP ranges mean and why they need to be added?