Another ping from outside problem, this time with WireGuard VPN running as client on the openwrt router

I have a VPS running a WG server. I am able to connect to this server from my LAN. Now I want to use OpenWrt as the WG client, to connect all my LAN devices to the VPS.

I was successfully connected with OpenWrt, but I have a strange problem. Ping between the virtual root server (VPS) and OpenWrt is only working in one direction. From the router itself I can ping the VPN server's IP, but not the other way around.
But from the same VPN connection, and from the VPS, I am able to ping another LAN client!! This gives me the hint that it must be something to do with the firewall rules. I played around with the ICMP rules, but nothing is helping.
Traceroute and tracepath work fine if I use port 7.

I did a tcpdump while pinging. It shows the VPN server using higher ports for the ICMP protocol, but I cannot understand the output well enough. I need some help from experts.

In short: ping from WG client (10.3.1.2) to WG server (10.3.1.1) works.
Ping from WG server to another LAN client (10.1.1.20) works.
But not WG server to WG client.

ping 10.3.1.2 
From 10.3.1.2 icmp_seq=548 Destination Port Unreachable
tcpdump: data link type LINUX_SLL2
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
00:57:44.580543 vpn   In  IP (tos 0x0, ttl 64, id 13107, offset 0, flags [DF], proto ICMP (1), length 84)
    10.3.1.1 > 10.3.1.2: ICMP echo request, id 52077, seq 214, length 64
00:57:44.580927 vpn   Out IP (tos 0xc0, ttl 64, id 36114, offset 0, flags [none], proto ICMP (1), length 112)
    10.3.1.2 > 10.3.1.1: ICMP 10.3.1.2 protocol 1 port 17291 unreachable, length 92
	IP (tos 0x0, ttl 64, id 13107, offset 0, flags [DF], proto ICMP (1), length 84)
    10.3.1.1 > 10.3.1.2: ICMP echo request, id 52077, seq 214, length 64
00:57:45.583504 vpn   In  IP (tos 0x0, ttl 64, id 13475, offset 0, flags [DF], proto ICMP (1), length 84)
    10.3.1.1 > 10.3.1.2: ICMP echo request, id 52077, seq 215, length 64
00:57:45.584786 vpn   Out IP (tos 0xc0, ttl 64, id 36194, offset 0, flags [none], proto ICMP (1), length 112)
    10.3.1.2 > 10.3.1.1: ICMP 10.3.1.2 protocol 1 port 64898 unreachable, length 92
	IP (tos 0x0, ttl 64, id 13475, offset 0, flags [DF], proto ICMP (1), length 84)
    10.3.1.1 > 10.3.1.2: ICMP echo request, id 52077, seq 215, length 64
00:57:46.583803 vpn   In  IP (tos 0x0, ttl 64, id 14425, offset 0, flags [DF], proto ICMP (1), length 84)
    10.3.1.1 > 10.3.1.2: ICMP echo request, id 52077, seq 216, length 64
00:57:46.584193 vpn   Out IP (tos 0xc0, ttl 64, id 36228, offset 0, flags [none], proto ICMP (1), length 112)
    10.3.1.2 > 10.3.1.1: ICMP 10.3.1.2 protocol 1 port 44924 unreachable, length 92
	IP (tos 0x0, ttl 64, id 14425, offset 0, flags [DF], proto ICMP (1), length 84)
    10.3.1.1 > 10.3.1.2: ICMP echo request, id 52077, seq 216, length 64
00:57:47.584723 vpn   In  IP (tos 0x0, ttl 64, id 14873, offset 0, flags [DF], proto ICMP (1), length 84)
    10.3.1.1 > 10.3.1.2: ICMP echo request, id 52077, seq 217, length 64
00:57:47.585118 vpn   Out IP (tos 0xc0, ttl 64, id 36235, offset 0, flags [none], proto ICMP (1), length 112)
    10.3.1.2 > 10.3.1.1: ICMP 10.3.1.2 protocol 1 port 55416 unreachable, length 92
	IP (tos 0x0, ttl 64, id 14873, offset 0, flags [DF], proto ICMP (1), length 84)
    10.3.1.1 > 10.3.1.2: ICMP echo request, id 52077, seq 217, length 64
00:57:48.585589 vpn   In  IP (tos 0x0, ttl 64, id 15593, offset 0, flags [DF], proto ICMP (1), length 84)
    10.3.1.1 > 10.3.1.2: ICMP echo request, id 52077, seq 218, length 64
00:57:48.586942 vpn   Out IP (tos 0xc0, ttl 64, id 36276, offset 0, flags [none], proto ICMP (1), length 112)
    10.3.1.2 > 10.3.1.1: ICMP 10.3.1.2 protocol 1 port 47987 unreachable, length 92
	IP (tos 0x0, ttl 64, id 15593, offset 0, flags [DF], proto ICMP (1), length 84)
    10.3.1.1 > 10.3.1.2: ICMP echo request, id 52077, seq 218, length 64
10 packets captured
16 packets received by filter
0 packets dropped by kernel

Here are the relevant settings:

diag
{
	"kernel": "5.15.127",
	"hostname": "rt1.ev.loc",
	"system": "ARMv7 Processor rev 5 (v7l)",
	"model": "Linksys MR8300 (Dallas)",
	"board_name": "linksys,mr8300",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.0-rc3",
		"revision": "r23389-5deed175a5",
		"target": "ipq40xx/generic",
		"description": "OpenWrt 23.05.0-rc3 r23389-5deed175a5"
	}
}
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config device
	option name 'lan1'
	option macaddr 'e8:9f:80:ab:2f:da'

config device
	option name 'lan2'
	option macaddr 'e8:9f:80:ab:2f:da'

config device
	option name 'lan3'
	option macaddr 'e8:9f:80:ab:2f:da'

config device
	option name 'lan4'
	option macaddr 'e8:9f:80:ab:2f:da'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '10.1.1.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option delegate '0'
	option defaultroute '0'

config device
	option name 'wan'
	option macaddr 'e8:9f:80:ab:2f:d9'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'vpn'
	option proto 'wireguard'
	option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxx='
	list addresses '10.3.1.2/24'
	list dns '10.1.1.1'
	option delegate '0'
	option metric '20'

config wireguard_vpn
	option description 'wireguard_vps'
	option public_key 'O/7Cxxxxxxxxxxxxxxxx'
	option endpoint_host '134.255.237.43'
	option endpoint_port '52094'
	option persistent_keepalive '25'
	list allowed_ips '10.3.1.1/32'
	list allowed_ips '10.1.1.0/24'
	option route_allowed_ips '1'

package dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '0'
	option local '/ev.loc/'
	option domain 'ev.loc'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '0'
	option ednspacket_max '1232'
	option port '54'
	list server '10.1.1.1'
	option boguspriv '0'

config dhcp 'lan'
	option interface 'lan'
	option start '10'
	option limit '99'
	option leasetime '  1h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option force '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	list domain 'ev.loc'
	list dhcp_option '6,10.1.1.1'
	list dhcp_option '3,10.1.1.1'
	list dns 'ipv65edc::1'
	option ra_slaac '0'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'


package firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'vpn'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option target 'ACCEPT'
	option dest 'lan'
	list proto 'all'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'
	option dest '*'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config redirect 'adguardhome_dns_53'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '53'
	option target 'DNAT'
	option name 'Adguard Home'
	option dest 'lan'
	option dest_port '53'

config rule
	option name 'testport80tort1'
	list proto 'tcp'
	option src 'wan'
	option dest 'lan'
	option dest_port '80'
	option target 'ACCEPT'
	list dest_ip '10.1.1.1'

config rule
	option name 'wg-test20'
	option target 'ACCEPT'
	option src 'wan'
	option dest '*'
	list src_ip '134.255.237.43'
	list src_ip '10.3.1.1'
	list proto 'tcp'
	list proto 'udp'
	list proto 'icmp'

config rule
	option name 'wg-test-wgport'
	option src 'lan'
	option target 'ACCEPT'
	option dest 'wan'
	list dest_ip '134.255.237.43'
	list proto 'tcp'
	list proto 'udp'
	list proto 'icmp'

config include
	option path '/etc/firewall.fail2ban'
	option enabled '1'
	option reload '1'

head: /etc/firewall.user: No such file or directory
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 10.2.1.2/24 brd 10.2.1.255 scope global wan
       valid_lft forever preferred_lft forever
11: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 10.1.1.1/24 brd 10.1.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
15: vpn: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN qlen 1000
    inet 10.3.1.2/24 brd 10.3.1.255 scope global vpn
       valid_lft forever preferred_lft forever
default via 10.2.1.1 dev wan  src 10.2.1.2 
10.1.1.0/24 dev br-lan scope link  src 10.1.1.1 
10.1.1.0/24 dev vpn scope link  metric 20 
10.2.1.0/24 dev wan scope link  src 10.2.1.2 
10.3.1.0/24 dev vpn scope link  metric 20 
10.3.1.1 dev vpn scope link  metric 20 
134.255.237.43 via 10.2.1.1 dev wan 
local 10.1.1.1 dev br-lan table local scope host  src 10.1.1.1 
broadcast 10.1.1.255 dev br-lan table local scope link  src 10.1.1.1 
local 10.2.1.2 dev wan table local scope host  src 10.2.1.2 
broadcast 10.2.1.255 dev wan table local scope link  src 10.2.1.2 
local 10.3.1.2 dev vpn table local scope host  src 10.3.1.2 
broadcast 10.3.1.255 dev vpn table local scope link  src 10.3.1.2 
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1 
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 
lrwxrwxrwx    1 root     root            16 Aug 19 16:01 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            50 Sep 19 23:40 /tmp/resolv.conf
-rw-r--r--    1 root     root           155 Sep 19 23:42 /tmp/resolv.conf.d/resolv.conf.auto

/tmp/resolv.conf.d:
drwxr-xr-x    2 root     root            60 Sep 20 00:33 ./
drwxrwxrwt   21 root     root           540 Sep 20 00:09 ../
-rw-r--r--    1 root     root           155 Sep 19 23:42 resolv.conf.auto
==> /etc/resolv.conf <==
search ev.loc
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf <==
search ev.loc
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface wan
nameserver 10.2.1.1
search fritz.box
# Interface wan6
nameserver 2ipv6ip
# Interface vpn
nameserver 10.1.1.1

You've altered the default Allow-Ping rule. It's probably this that is causing your issue.

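The reply's point hinges on how fw4 places a rule: a rule with only `src` goes into the source zone's input chain (traffic to the router itself), while a rule with both `src` and `dest` (including `dest '*'`) goes into the forward chain. The stock Allow-Ping rule has no `dest`, so it accepts echo-requests to the router from the wan zone; the altered version above (`src 'wan'`, `dest 'lan'`, `list proto 'all'`) only ever matches forwarded traffic, and since the `vpn` interface sits in the wan zone whose input policy is REJECT, the echo-requests to 10.3.1.2 are rejected. fw4 answers rejected non-TCP packets with ICMP port-unreachable, which is exactly what the capture shows; the "port 17291" and friends in the tcpdump lines are not ports at all but the bytes tcpdump reads at the UDP port offset of the quoted ICMP header. The altered rule also forwards every protocol from the wan zone into the LAN, which is a much larger hole than the ping problem. The script below is an added example written for this page, not code from the thread or from OpenWrt: it parses a trimmed, constructed copy of the posted rules, classifies each rule by chain under a simplified model of fw4 (first matching rule wins, then the zone policy; `forwarding` sections and IPv6 are not modelled), and compares the altered rule with the stock one. The name `decide`, the sample address `203.0.113.9` and the helper functions are assumptions of this example.

```python
"""Classify OpenWrt fw4 rules by chain and check whether an ICMP echo-request
from the wan zone (which here also contains the 'vpn' interface) reaches the
router itself.  Added example for this page, not code from the thread or from
OpenWrt; the UCI parser and the trimmed configs are constructed from the
rules in the post, and the chain logic is a simplification of fw4."""
import re

# Constructed excerpt of the poster's config: wan zone, altered Allow-Ping
# (src + dest set, proto all) and the wg-test20 rule.
ZONE_WAN = """config zone 'wan'
    option name 'wan'
    option input 'REJECT'
    option forward 'REJECT'
    list network 'wan'
    list network 'vpn'
"""
ALTERED_PING = """config rule
    option name 'Allow-Ping'
    option src 'wan'
    option target 'ACCEPT'
    option dest 'lan'
    list proto 'all'
"""
# Stock OpenWrt Allow-Ping rule: no 'dest', so it is an input rule.
STOCK_PING = """config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'
"""
WG_TEST20 = """config rule
    option name 'wg-test20'
    option target 'ACCEPT'
    option src 'wan'
    option dest '*'
    list src_ip '134.255.237.43'
    list src_ip '10.3.1.1'
    list proto 'tcp'
    list proto 'udp'
    list proto 'icmp'
"""
ALTERED_FW = ZONE_WAN + ALTERED_PING + WG_TEST20
STOCK_FW = ZONE_WAN + STOCK_PING + WG_TEST20

def parse_uci(text):
    """Parse UCI text into dicts; 'list' keys become Python lists."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"config\s+(\S+)(?:\s+'([^']*)')?", line)
        if m:
            cur = {".type": m.group(1), ".name": m.group(2)}
            sections.append(cur)
            continue
        m = re.fullmatch(r"(option|list)\s+(\S+)\s+'([^']*)'", line)
        if not (m and cur is not None):
            raise ValueError("unparsable UCI line: %r" % raw)
        kind, key, val = m.groups()
        if kind == "option":
            cur[key] = val
        else:
            cur.setdefault(key, []).append(val)
    return sections

def as_list(v):
    return [] if v is None else ([v] if isinstance(v, str) else list(v))

def chain_of(rule):
    """fw4: src only -> input chain; src and dest -> forward; no src -> output."""
    if rule.get("src") and rule.get("dest"):
        return "forward"
    return "input" if rule.get("src") else "output"

def decide(cfg, chain, src_zone, proto, dest_zone=None, src_ip=None):
    """Return (verdict, matched rule) for one packet: first matching rule
    wins, otherwise the source zone's policy for that chain applies."""
    sections = parse_uci(cfg)
    for rule in sections:
        if rule[".type"] != "rule" or chain_of(rule) != chain:
            continue
        if rule.get("src") not in (src_zone, "*"):
            continue
        if chain == "forward" and rule.get("dest") not in (dest_zone, "*"):
            continue
        # fw4 defaults an omitted proto to tcp+udp; 'all' matches anything.
        protos = " ".join(as_list(rule.get("proto"))).split() or ["tcp", "udp"]
        if "all" not in protos and proto not in protos:
            continue
        ips = as_list(rule.get("src_ip"))
        if ips and src_ip not in ips:
            continue
        types = as_list(rule.get("icmp_type"))
        if proto == "icmp" and types and "echo-request" not in types:
            continue
        return rule["target"], rule.get("name")
    for z in sections:
        if z[".type"] == "zone" and z.get("name") == src_zone:
            return z.get(chain, "REJECT"), "zone policy"
    return "REJECT", "defaults"

if __name__ == "__main__":
    for label, cfg in (("altered", ALTERED_FW), ("stock", STOCK_FW)):
        print(label, "ping router from VPS:",
              decide(cfg, "input", "wan", "icmp", src_ip="10.3.1.1"))
        print(label, "ping LAN host from VPS:",
              decide(cfg, "forward", "wan", "icmp", "lan", "10.3.1.1"))
        print(label, "tcp from any wan host to LAN:",
              decide(cfg, "forward", "wan", "tcp", "lan", "203.0.113.9"))
```

With the altered rule the input query lands on the wan zone policy (REJECT) while forwarding from any wan-side address into the LAN is accepted for every protocol; with the stock rule the echo-request to the router is accepted and the unsolicited TCP forward falls back to REJECT. On the router itself the same question is answered by `fw4 print` or `nft list chain inet fw4 input_wan`, which show which chain each rule was actually rendered into.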

Thanks, this solved my problem. I guess I was testing too much :-)
