Access Local Lan over Wireguard with WRT Router

<keys, public-ip, etc changed for privacy>

I was able to set up the wireguard tunnel from a dedicated server to the openwrt router.

The problem now I'm running into is accessing devices from outside the network through the tunnel (via the dedicated server IP).

For example I'm in a remote office thousands of miles away, and trying to connect to the devices on the LAN behind the OWRT router. I'd like to be able to access them through the dedicated server's tunnel because the way the ISP is routing everything, going direct to the router just isn't an option. But the dedicated server is in a nearby datacenter that has a decent ISP with good routing.

What's preventing me from connecting to 23.44.44.15:5450 to get to my NAS?

I think I messed something up with the firewall or the routing because I'm not able to get internet through the dedicated server IP on the devices behind the 3200acm.

Here's a map of the network:

/etc/config/network file on the openwrt:
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd14:4b4c:235f::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option ifname 'eth1.2'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth1.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 6t'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'dsfgfdsgfsdgsfdvgfdsbygsb5='
        option listen_port '53810'
        list addresses '10.66.66.1/24'

config wireguard_wg0
        option endpoint_port '53810'
        option description 'ubuntudedicated'
        option public_key 'fdsgbfdsgfdbgdfsbgfsdbgdfsbgdfsbgfd='
        option persistent_keepalive '25'
        option route_allowed_ips '1'
        option endpoint_host '23.44.44.15'
        list allowed_ips '10.66.66.2/32'
        list allowed_ips '192.168.1.1/24'

config rule
        option in 'lan'
        option lookup '100'

config route
        option interface 'wg0'
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option table '100'

/etc/config/firewall on openwrt

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'

On the server: ufw status
Status: inactive

/etc/wireguard/wg0.conf
[Interface]
Address = 10.66.66.2/24
SaveConfig = true
ListenPort = 53810
PrivateKey = safdsfdsafadsfdsafdsafds=

[Peer]
PublicKey = dfdsafdsafbsdafbsdabfsad=
AllowedIPs = 10.66.66.1/32
AllowedIPs = 192.168.1.1/24
Endpoint = ISProuterWANip:53810

If there was a problem with routing nothing would work anyway.

The IP addresses for the tunnel are vice versa in the diagram, no big deal as long as they are correct in the config.
In wireguard_wg0 you don't need the allowed_ips 192.168.1.1/24 and it is wrong. Also remove the route_allowed_ips.
In Ubuntu change the AllowedIPs to 192.168.1.0/24 and enable the Route_allowed_IPs.
Then you need masquerade and a DNAT on Ubuntu for port 5450 to 192.168.1.3:3450.


Thanks!

I tried to add the route option on Ubuntu but it doesn't like it.

route_allowed_ips = true

it says this:

root@host:/etc/wireguard# wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
Line unrecognized: `Route_allowed_IPs=true'
Configuration parsing error
[#] ip link delete dev wg0

Then I tried = 1 instead, but got the same result: parsing error.

It seems that there is no such option in Ubuntu.
I am afraid that you'll have to create a post-up script to add the route.

Makes sense!

I decided to just route everything directly to 2 of my other secure dedicated servers where I already have remote access and server applications installed; this keeps my first jump secure by not opening it to the net.
So theoretically I should be able to log in to any of my Ubuntu16 servers and be able to ping any of the 192.168.1.* IPs from the OpenWrt network.

Updated Network Map https://i.imgur.com/Ziv21Ra.png

PostUp Scripts: I think I found one that will work.

From here: https://iliasa.eu/wireguard-how-to-access-a-peers-local-network/#comments

My Ubuntu18 10.66.66.2 WGserver now has this
/etc/wireguard/wg0.conf

[Interface]
#Server Ubuntu18 Jump Point (middleman)#
PrivateKey = <server's private key>
Address = 10.66.66.2/24
SaveConfig = true
ListenPort = 53810
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
#A openWRT#
PublicKey = <peer A's public key>
AllowedIPs = 10.66.66.1/32, 192.168.1.0/24
EndPoint = openwrtPublicIP:53810

[Peer]
#B ubuntu16server#
PublicKey = <peer B's public key>
AllowedIPs = 10.66.66.3/32
Endpoint = peerBpublicIP:53810

[Peer]
#C ubuntu16server2#
PublicKey = <peer C's public key>
AllowedIPs = 10.66.66.4/32
Endpoint = peerCpublicIP:53810

Note, in the link to iliasa's blog they didn't include the Endpoints in the example config. But I could not establish a ping between the peers without the Endpoint entries.

Also, it calls for Peer A (openwrt) to have these settings applied to the peer config, but I'm not sure how to do this with OpenWrt. Even if I knew how to put this into OpenWrt, I'm not sure which of my OpenWrt interfaces to write into the rule in place of wlan0.

DNS = 1.1.1.1
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o wlan0 -j MASQUERADE

I managed to set up the peers correctly.
I can ping from 10.66.66.3 to 10.66.66.2 and vice versa
I can ping from 10.66.66.4 to 10.66.66.2 and vice versa
I cannot ping from 10.66.66.3 to 10.66.66.1 (openwrt)
I cannot ping from 10.66.66.4 to 10.66.66.1 (openwrt)
I can ping from 10.66.66.2 to 10.66.66.1 (And vice versa)
I can ping from 10.66.66.2 to 192.168.1.*

Peer B Ubuntu16 10.66.66.3's config
/etc/wireguard/wg0.conf

[Interface]
Address = 10.66.66.3/24
SaveConfig = true
ListenPort = 53810
PrivateKey = <ubuntu16server's private key>=

[Peer]
#ubuntu18 jump point server#
PublicKey = <ubuntu18serverpublickey>=
AllowedIPs = 10.66.66.1/32, 10.66.66.2/32, 192.168.1.0/24
Endpoint = ubuntu18jumpPointpublicIP:53810

Peer C Ubuntu16server2 10.66.66.4 config
/etc/wireguard/wg0.conf

[Interface]
Address = 10.66.66.4/24
SaveConfig = true
ListenPort = 53810
PrivateKey = <ubuntu16server2's private key>=

[Peer]
#ubuntu18 jump point server#
PublicKey = <ubuntu18serverpublickey>=
AllowedIPs = 10.66.66.1/32, 10.66.66.2/32, 192.168.1.0/24
Endpoint = ubuntu18jumpPointpublicIP:53810

Again you are not adding routes for the necessary prefixes from OpenWrt. You'll need something like ip route add 192.168.1.0/24 dev wg0 via 10.66.66.1 in a post-up script.

Correct.

It is not necessary. You can assign wg0 to a firewall zone and the policies will be inherited from the zone. For simplicity you can assign it to lan zone.

Verify that forward traffic from wg0 is allowed in the Ubuntu18 server. Also that forwarding is enabled in /etc/sysctl.conf.

Use AllowedIPs = 10.66.66.0/24, 192.168.1.0/24 for simplicity in peers B and C.


OMG, thank you.
I changed the PostUp rule in the ubuntu16 (wgserver jump point) from eth0 to wg0 and everything started working properly.

Now it's

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE

That's it.

WOW. Um. Can I buy you a beer? Lol
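To make the two fixes in this thread concrete (masquerading on wg0 instead of eth0, and the alternative of widening the router's allowed_ips for the server peer to 10.66.66.0/24, plus the forwarding check from the earlier reply), here is an added Python model of WireGuard's cryptokey routing. It is example code written for this page, not code from the thread, from OpenWrt or from the WireGuard project. It assumes the final layout described above (router 10.66.66.1 with 192.168.1.0/24 behind it, jump server 10.66.66.2, peers B 10.66.66.3 and C 10.66.66.4, peers B and C using the suggested AllowedIPs 10.66.66.0/24, 192.168.1.0/24), and it assumes the kernel routes that route_allowed_ips / wg-quick install already exist; the class and function names and the node names are the example's own. It shows why a ping from B to the router is dropped before the fix: the router only admits source 10.66.66.2/32 from the server peer, so a packet still carrying source 10.66.66.3 fails the inbound AllowedIPs check, and MASQUERADE on wg0 is what rewrites that source to 10.66.66.2.

```python
import ipaddress


class WgNode:
    """One WireGuard endpoint: tunnel address, networks behind it, peer table."""

    def __init__(self, name, address, local_nets=(), forwarding=False):
        self.name = name
        self.address = ipaddress.ip_address(address)
        self.local_nets = [ipaddress.ip_network(n) for n in local_nets]
        # True when net.ipv4.ip_forward=1 and the FORWARD chain accepts wg0 traffic
        self.forwarding = forwarding
        self.peers = {}  # peer name -> (WgNode, list of AllowedIPs networks)

    def add_peer(self, node, allowed_ips):
        # strict=False mirrors how a host address with a prefix (192.168.1.1/24)
        # is read as its network (192.168.1.0/24)
        nets = [ipaddress.ip_network(a, strict=False) for a in allowed_ips]
        self.peers[node.name] = (node, nets)

    def owns(self, ip):
        return ip == self.address or any(ip in n for n in self.local_nets)

    def select_peer(self, dst):
        """Outbound cryptokey routing: the peer whose AllowedIPs covers dst most specifically."""
        best = None
        for node, nets in self.peers.values():
            for net in nets:
                if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
                    best = (node, net)
        return best[0] if best else None

    def accepts(self, sender, src):
        """Inbound cryptokey routing: src must lie inside the sending peer's AllowedIPs."""
        if sender.name not in self.peers:
            return False
        return any(src in n for n in self.peers[sender.name][1])


def forward(start, src, dst, masq=frozenset(), max_hops=4):
    """Carry one packet hop by hop. Returns (node owning dst or None, src as seen there, trace)."""
    node, trace = start, []
    for _ in range(max_hops):
        if node.owns(dst):
            trace.append(f"{node.name}: delivered, source seen as {src}")
            return node, src, trace
        if node is not start:  # transit node: must forward, may masquerade
            if not node.forwarding:
                trace.append(f"{node.name}: forwarding disabled or FORWARD rejects, dropped")
                return None, src, trace
            if node.name in masq:
                src = node.address
                trace.append(f"{node.name}: MASQUERADE -o wg0 rewrote source to {src}")
        nxt = node.select_peer(dst)
        if nxt is None:
            trace.append(f"{node.name}: no peer AllowedIPs covers {dst}, dropped")
            return None, src, trace
        if not nxt.accepts(node, src):
            trace.append(f"{nxt.name}: source {src} outside AllowedIPs for peer {node.name}, dropped")
            return None, src, trace
        trace.append(f"{node.name} -> {nxt.name} for {dst}")
        node = nxt
    trace.append("hop limit exceeded")
    return None, src, trace


def round_trip(client, target, masq=frozenset()):
    """ICMP echo from client to target and back. Returns (reachable, trace)."""
    target = ipaddress.ip_address(target)
    end, seen_src, trace = forward(client, client.address, target, masq)
    if end is None:
        return False, trace
    # The target replies to whatever source it saw in the request; replies are not re-NATed.
    back, _, t2 = forward(end, target, seen_src)
    trace += t2
    if back is None:
        return False, trace
    if back is not client and back.name in masq:
        # conntrack on the masquerading node undoes the translation and forwards to the real client
        back, _, t3 = forward(back, target, client.address)
        trace += t3
    return back is client, trace


def build_topology(router_allowed=("10.66.66.2/32",), jump_forwarding=True):
    """Constructed model of the thread's final layout: router A, jump server, peers B and C."""
    router = WgNode("openwrt", "10.66.66.1", local_nets=["192.168.1.0/24"], forwarding=True)
    jump = WgNode("ubuntu18", "10.66.66.2", forwarding=jump_forwarding)
    peer_b = WgNode("ubuntu16", "10.66.66.3")
    peer_c = WgNode("ubuntu16server2", "10.66.66.4")
    router.add_peer(jump, router_allowed)
    jump.add_peer(router, ["10.66.66.1/32", "192.168.1.0/24"])
    jump.add_peer(peer_b, ["10.66.66.3/32"])
    jump.add_peer(peer_c, ["10.66.66.4/32"])
    for p in (peer_b, peer_c):
        p.add_peer(jump, ["10.66.66.0/24", "192.168.1.0/24"])
    return {"router": router, "jump": jump, "B": peer_b, "C": peer_c}


if __name__ == "__main__":
    for masq in (frozenset(), frozenset({"ubuntu18"})):
        ok, trace = round_trip(build_topology()["B"], "10.66.66.1", masq)
        print(f"MASQUERADE -o wg0 on the jump server: {bool(masq)} -> reachable: {ok}")
        for line in trace:
            print("  " + line)
```

Running it prints the dropped path first (the router rejects source 10.66.66.3 from the server peer) and the working path second. Passing router_allowed=("10.66.66.0/24",) to build_topology reproduces the other fix from the thread, where no masquerade is needed because the router then admits every tunnel address from the server peer; passing jump_forwarding=False reproduces the sysctl/FORWARD problem the earlier reply told you to verify.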

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

Better to the project: https://openwrt.org/faq/how_can_i_donate_money_to_openwrt

1 last question related to this network setup.

I have a windows10 laptop that I connected to the OpenWRT router (the laptop's dhcp address is 192.168.1.43 or something, automatic).

With the current settings, I can't connect to the laptop with Teamviewer.

What is the best practice so that I can TeamViewer into this laptop?
Is there a better way to remote into it?

I figure I could add an outside laptop as a WireGuard peer and I could use that as if I was on the LAN, but that's not as mobile because I'd have to reconfigure the peer every time I try to connect that laptop from a different location.

TeamViewer works without a VPN or something similar. It is punching its way out of the firewall.
Check if the Windows firewall is messing things up. Wouldn't be the first time.

You can; there are road-warrior cases in WireGuard and I use it myself. In the Ubuntu18 server don't use the endpoint for that peer.
