Adding Wireguard server to dumb AP?

So I changed the allowed_ips for the client to 0.0.0.0/0 and I also made a firewall rule. Still can't connect to the openwrt VPN server.
Here is my current configuration below. There might be something wrong with my firewall config?

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd77:2829:f022::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1.1'
        list ports 'eth0.2'

config interface 'lan'
        option device 'br-lan'
        option proto 'dhcp'
        option delegate '0'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 6t'

config interface 'lan6'
        option proto 'dhcpv6'
        option device '@lan'
        option reqaddress 'try'
        option reqprefix 'no'

config interface 'wg0'
        option proto 'wireguard'
        option private_key '<private_key>'
        option listen_port '<port>'
        list addresses '10.14.0.1/24'

config wireguard_wg0
        option description 'HP Pavilion'
        option public_key '<test_client's_public_key>'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        list allowed_ips '0.0.0.0/0'

root@OpenWrt:~#  cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        list network 'lan'
        list network 'lan6'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

config zone
        option name 'wg0'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        list network 'wg0'

config forwarding
        option src 'wg0'
        option dest 'lan'

root@OpenWrt:~# wg
interface: wg0
  public key: <public_key>
  private key: (hidden)
  listening port: <wireguard port>

peer: <test_client's_public_key>
  allowed ips: 0.0.0.0/0
  persistent keepalive: every 25 seconds

Let's check a few things...

First, this is not necessarily the base problem, but on the OpenWrt side the peer's allowed IPs should be the single tunnel address of that client, a /32 — I'd recommend 10.14.0.2/32. WireGuard uses allowed IPs both as the set of source addresses it will accept from that peer and as the destinations it routes to it, so `0.0.0.0/0` here means this one client is trusted with the entire address space; and because you also have `route_allowed_ips '1'`, netifd will add a route for that prefix, i.e. a default route through wg0 on the AP itself, which can break the AP's own connectivity.

Next, turn off masquerading in the wg0 zone (`option masq '1'` under the zone named wg0). Masquerade belongs on the wan zone only; traffic to the VPN client already has a return route (10.14.0.0/24 via wg0), and NATing it there just hides the real addresses in your logs.

Next, have you set up port forwarding on your main router to the IP address of this dumb AP? It needs to forward only your WireGuard listen port (UDP) from the WAN of your main router to the dumb AP's LAN IP — nothing else needs to be exposed.

Do you have a public IP on your main router's WAN? If in doubt, post the first two octets of your IP address (in bold: aaa.bbb.ccc.ddd). If the WAN address shown on the main router is in 100.64.0.0/10 or a private range (10.x, 172.16–31.x, 192.168.x), you are behind CGNAT/double NAT and inbound WireGuard will not work regardless of the port forward.

Finally, let's see the config on your remote WG peer.

I turned off masquerading in the wg0 zone but that didn't help

config zone
        option name 'wg0'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'wg0'

here is also my client config (Windows)


[Interface]
PrivateKey = <client_private_key>
Address = 10.14.0.3/32
DNS = 192.168.1.1

[Peer]
PublicKey = <openwrt_public_key>
AllowedIPs = 0.0.0.0/0
Endpoint = <ip>:<port>
PersistentKeepalive = 25

Also others above suggested to use AllowedIPs as 0.0.0.0/0, so I am getting confused with contradictory suggestions.

As I said above, the port is forwarded (alongside with the ssh port so i can access the Openwrt dumb AP).
Not sure why the public IP is needed. Its dynamic but I have ddns setup for it, there is no issue with it since I can access the openwrt AP through ssh.

The address in this interface definition (on Windows) must match the address used in the peer config. If you use the address I recommended, that would be 10.14.0.2/32.

Yes, I can understand this being confusing. The rule is actually the same on both ends: a peer's allowed IPs are the addresses WireGuard will route *to* that peer and the only source addresses it will accept *from* that peer. On the 'server' side the peer is a single client, so its allowed IPs should be just that client's tunnel address (a /32). On the 'client' side the peer is the whole network behind the server, so `0.0.0.0/0` there means "send everything through the tunnel". That is why the two sides legitimately get different values.

A public IP is absolutely necessary since it is your address on the internet. It's like your street address. If I asked your address and you said "Apartment 12B" it wouldn't be all that useful -- I'd need the street address, city, and state to make sense of it from the outside. A public IP is equivalent to your street address. If you are absolutely certain you have a public IP, that can be crossed off the possible issues list -- but you should make sure that the WAN address of your main router matches the IP that your dynamic DNS name currently resolves to, since a stale DDNS record fails in exactly the same silent way.

That said, are you accessing the OpenWrt AP via ssh from the internet? That isn't generally recommended: once the VPN is working, remove that port forward and reach the AP over the tunnel instead. Until then, at minimum turn off password logins in /etc/config/dropbear (`option PasswordAuth 'off'`, with your key in /etc/dropbear/authorized_keys) so the exposed port can't be brute-forced.

You should p

Yes they match already.

<test_client's_public_key>

I am 1000% sure there is no issue with the public IP address. As I said, I can access the openwrt through ssh.

ok... so now restart your router and then try to connect from the remote peer (your windows machine). Once you've done that, what is the output of `wg show`? Look specifically for a `latest handshake:` and `endpoint:` line under the peer — if they are missing, no handshake has ever completed.

It's the same as before..

root@OpenWrt:~# wg show
interface: wg0
  public key: <public key>
  private key: (hidden)
  listening port: <wireguard port>

peer: <client_public_key>
  allowed ips: 0.0.0.0/0
  persistent keepalive: every 25 seconds

You are not getting a handshake — there is no `latest handshake:` or `endpoint:` line under the peer in that output — so the packets either never reach the AP or are being rejected. It also appears you did not change the peer to 10.14.0.2/32 as I suggested (the output still shows `allowed ips: 0.0.0.0/0`), or if you did, you may not have restarted the interface/router for it to take effect.

You may have a key problem. Check that the public key configured on each side is the *other* side's public key: a private key pasted where a public key belongs, or a character lost when copying, produces exactly this silent no-handshake state with no error logged. If in doubt, regenerate with `wg genkey | tee privatekey | wg pubkey > publickey` on each end and exchange only the public keys — never paste a private key into a forum post.

Ah never mind it worked now for some reason.. Thanks!

great! glad to hear it.
