I am sorry for another wireguard setup question but I am a bit desperate at the moment. Although it might end up to be more of a firewall config question.
I've spent last 2 days trying to setup my TL-WDR3500 as a wireguard client. I am on the latest stable openwrt build (19.07.5). I am using luci for config (also have no issues with command line if necessary). I have a running server with a config that I am 100% sure is working (I get stable connection to it with official wireguard client for iOS using the same client config, just different IP as I am trying to setup on my router).
Desired outcome: Route all local traffic (devices connected to the router) thru the wg.
What I have now: Traffic is not routed from lan to wg. If I connect with some device to the router and try ping 8.8.8.8 I get from 192.168.3.1 (router ip) icmp_seq=N Destination port unreachable
If I ssh into the router and try ping -I wireguardvpn 8.8.8.8 I can ping without issues.
No matter how I look at it, it seems like the issue is in the firewall configuration but I cannot understand what is wrong with it, I think I am sending all the traffic from lan to wg but I clearly miss something simple.
Please help :shrek_cat_eyes:
So far what I did:
I have created an interface for wg via luci with filling in the corresponding values I've got coming together with my server:
I've additionally check the boxes Route Allowed IPs and Force link.
Created a firewall zone called vpngw and tried to set the rules according to this tutorial https://mullvad.net/en/help/running-wireguard-router/ (just a note, I am not trying to setup mullvad VPN) but then tried to experiment so I might have drifted away from it. I have also rename firewall zone lan from lan to lan_fire to not confuse with interface. Below you can see my /etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option drop_invalid '1'
config zone
option input 'ACCEPT'
option output 'ACCEPT'
option network 'lan'
option name 'lan_fire'
option forward 'ACCEPT'
config zone
option name 'wan'
option output 'ACCEPT'
option mtu_fix '1'
option forward 'REJECT'
option input 'REJECT'
option network 'wan wan6'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option proto 'esp'
option target 'ACCEPT'
option dest 'lan_fire'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest_port '500'
option pr
option path '/etc/firewall.user'
config zone
list device 'wireguardvpn'
option name 'vpngw'
option mtu_fix '1'
option forward 'REJECT'
option masq '1'
option output 'ACCEPT'
option input 'REJECT'
config forwarding
option dest 'vpngw'
option src 'lan_fire'
Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have
uci export network; uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; wg
In the network config, under config wireguard_wireguardvpn change list allowed_ips '0.0.0.0/1' to list allowed_ips '0.0.0.0/0'. Restart the wireguard interface.
In firewall config, delete the entire vpngw zone and the forwarding from the lan zone. Add wireguardvpn to option network 'wan wan6' in the wan firewall zone.
I assume you've set up an appropriate port forward on your ISP router?
I've changed list of allowed_ips and remode the zone and added the wg interface into wan zone.
I still get destination port unreachable when I try to ping 8.8.8.8 from laptop connected to the openwrt router.
I actually didn't set up the port forward on my ISP router. What would be the proper forwarding?
Not sure why but after changing the allowed IPs I briefly had a desired connection for about 5 min, then after router restart (before zone changes) it went back to the same problem.
uci set firewall.@zone[0].name="lan"
uci set firewall.@zone[1].masq="1"
uci -q delete firewall.lan_wan
uci set firewall.lan_wan="forwarding"
uci set firewall.lan_wan.src="lan"
uci set firewall.lan_wan.dest="wan"
uci commit firewall
/etc/init.d/firewall restart
Unfortunately that doesn't help too. I basically had the same config already.
What I've tested is that right after the router reboot (thru luci) I can connect for a brief moment (ping the router from vpn server by 10.0.0.2) and the the connection disappears.
I am not sure why that happens.
Thanks @trendy, I've tried that but it doesn't help.
It, though, brought up the fact that I can no longer connect to wg, as soon as I create wg interface I can no longer connect to the outside (even if I stop the interface). I have no idea why it happens now. This is my current "setup".
As you can see there is no wg interface (it was stopped via luci) but I still cannot connect anywhere. If I remove the interface completely and restart I can again connect.
package network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdde:7543:e455::/48'
config interface 'wan'
option ifname 'eth1'
option proto 'dhcp'
config interface 'wan6'
option ifname 'eth1'
option proto 'dhcpv6'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.3.1'
list dns '1.1.1.1'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 3 4 0t'
config interface 'wg'
option proto 'wireguard'
list addresses '10.0.0.2/32'
option private_key '<key>'
option force_link '1'
option listen_port '51820'
config wireguard_wg
option public_key '<key>'
option persistent_keepalive '30'
option endpoint_port '51820'
list allowed_ips '0.0.0.0/0'
option route_allowed_ips '1'
option endpoint_host 'wg_endpoint_ip'
package dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
option ra_management '1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
package firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option drop_invalid '1'
config zone
option input 'ACCEPT'
option output 'ACCEPT'
option network 'lan'
option forward 'ACCEPT'
option name 'lan'
config zone
option name 'wan'
option output 'ACCEPT'
option mtu_fix '1'
option forward 'REJECT'
option input 'REJECT'
option masq '1'
option network 'wan wan6 wg'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option proto 'esp'
option target 'ACCEPT'
option dest 'lan'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
option dest 'lan'
config include
option path '/etc/firewall.user'
config forwarding
option dest 'wan'
option src 'lan'
config forwarding 'lan_wan'
option src 'lan'
option dest 'wan'
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
# Generated by iptables-save v1.8.3 on Wed Dec 23 22:57:46 2020
*nat
:PREROUTING ACCEPT [3312:273184]
:INPUT ACCEPT [88:6015]
:OUTPUT ACCEPT [43:3112]
:POSTROUTING ACCEPT [8:704]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[3312:273184] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[3070:236417] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[242:36767] -A PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
[42:2980] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[7:572] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[35:2408] -A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
[7:572] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[3070:236417] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[35:2408] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[35:2408] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[242:36767] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Wed Dec 23 22:57:46 2020
# Generated by iptables-save v1.8.3 on Wed Dec 23 22:57:46 2020
*mangle
:PREROUTING ACCEPT [44234:4407897]
:INPUT ACCEPT [41012:4141152]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [40841:15975616]
:POSTROUTING ACCEPT [40841:15975616]
[0:0] -A FORWARD -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -i eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Wed Dec 23 22:57:46 2020
# Generated by iptables-save v1.8.3 on Wed Dec 23 22:57:46 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[0:0] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[41014:4141256] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[40920:4134673] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[4:144] -A INPUT -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[88:6015] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[2:424] -A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
[0:0] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[0:0] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[40850:15977396] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[40802:15973672] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A OUTPUT -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
[13:1316] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[35:2408] -A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[2:424] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[0:0] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[13:1316] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[88:6015] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[88:6015] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[13:1316] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[13:1316] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[88:6015] -A zone_lan_src_ACCEPT -i br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[35:2408] -A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[2:424] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[2:424] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[35:2408] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[35:2408] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[2:424] -A zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Wed Dec 23 22:57:46 2020
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
inet 192.168.0.74/24 brd 192.168.0.255 scope global eth1
valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.3.1/24 brd 192.168.3.255 scope global br-lan
valid_lft forever preferred_lft forever
<wg_endpoint_ip> via 192.168.0.1 dev eth1 proto static
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.74
192.168.3.0/24 dev br-lan proto kernel scope link src 192.168.3.1
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.0.0 dev eth1 table local proto kernel scope link src 192.168.0.74
local 192.168.0.74 dev eth1 table local proto kernel scope host src 192.168.0.74
broadcast 192.168.0.255 dev eth1 table local proto kernel scope link src 192.168.0.74
broadcast 192.168.3.0 dev br-lan table local proto kernel scope link src 192.168.3.1
local 192.168.3.1 dev br-lan table local proto kernel scope host src 192.168.3.1
broadcast 192.168.3.255 dev br-lan table local proto kernel scope link src 192.168.3.1
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
Make sure to enable IPv4 forwarding and masquerading on the server side.
And verify that your firewall on the server allows traffic forwarding from VPN to WAN.
You can assign the same mask as you have on the server, I guess that would be /24
You need to preserve the default gateway of the ISP in the routing table. You can do that by assigning different metrics to the interfaces or on wg peer allow 0.0.0.0/1 and 128.0.0.0/1 instead.
What works just fine is the wg connection from the iPhone. Since it is behind the same crappy ISP router I assume the cause is not the ISP router. This for me also means that the setup on the WG server is also correct.
package network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdde:7543:e455::/48'
config interface 'wan'
option ifname 'eth1'
option proto 'dhcp'
config interface 'wan6'
option ifname 'eth1'
option proto 'dhcpv6'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.3.1'
list dns '1.1.1.1'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 3 4 0t'
config interface 'wg'
option proto 'wireguard'
option private_key 'key'
option force_link '1'
list addresses '10.0.0.2/24'
config wireguard_wg
option public_key 'key'
option persistent_keepalive '30'
option endpoint_port '51820'
option route_allowed_ips '1'
option endpoint_host '<endpoint_ip>'
list allowed_ips '0.0.0.0/1'
list allowed_ips '128.0.0.0/1'
package dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
option ra_management '1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
package firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option drop_invalid '1'
config zone
option input 'ACCEPT'
option output 'ACCEPT'
option network 'lan'
option forward 'ACCEPT'
option name 'lan'
config zone
option name 'wan'
option output 'ACCEPT'
option mtu_fix '1'
option forward 'REJECT'
option input 'REJECT'
option masq '1'
option network 'wan wan6 wg'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option proto 'esp'
option target 'ACCEPT'
option dest 'lan'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
option dest 'lan'
config include
option path '/etc/firewall.user'
config forwarding
option dest 'wan'
option src 'lan'
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
# Generated by iptables-save v1.8.3 on Thu Dec 24 13:41:05 2020
*nat
:PREROUTING ACCEPT [384:43938]
:INPUT ACCEPT [71:4983]
:OUTPUT ACCEPT [132:9546]
:POSTROUTING ACCEPT [65:4740]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[384:43938] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[194:16569] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[190:27369] -A PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i wg -m comment --comment "!fw3" -j zone_wan_prerouting
[213:14430] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[1:332] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[23:1561] -A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
[125:8129] -A POSTROUTING -o wg -m comment --comment "!fw3" -j zone_wan_postrouting
[1:332] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[194:16569] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[148:9690] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[148:9690] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[190:27369] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Thu Dec 24 13:41:05 2020
# Generated by iptables-save v1.8.3 on Thu Dec 24 13:41:05 2020
*mangle
:PREROUTING ACCEPT [2487:271041]
:INPUT ACCEPT [1653:195146]
:FORWARD ACCEPT [606:42672]
:OUTPUT ACCEPT [1770:661425]
:POSTROUTING ACCEPT [2376:704097]
[0:0] -A FORWARD -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -i eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[343:20580] -A FORWARD -o wg -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -i wg -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Thu Dec 24 13:41:05 2020
# Generated by iptables-save v1.8.3 on Thu Dec 24 13:41:05 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[424:37154] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[1229:157992] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[1154:152161] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A INPUT -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
[8:480] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[71:4983] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[4:848] -A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i wg -m comment --comment "!fw3" -j zone_wan_input
[606:42672] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
[606:42672] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i wg -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[424:37154] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[1347:625771] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[1207:607961] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A OUTPUT -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
[1:332] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[95:14233] -A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
[44:3245] -A OUTPUT -o wg -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[4:848] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[8:480] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[1:332] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[606:42672] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[606:42672] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[71:4983] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[71:4983] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[1:332] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[1:332] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[71:4983] -A zone_lan_src_ACCEPT -i br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[95:14233] -A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o wg -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[650:45917] -A zone_wan_dest_ACCEPT -o wg -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_dest_REJECT -o wg -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[4:848] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[4:848] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[139:17478] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[139:17478] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[4:848] -A zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_src_REJECT -i wg -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Thu Dec 24 13:41:05 2020
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
inet 192.168.0.74/24 brd 192.168.0.255 scope global eth1
valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.3.1/24 brd 192.168.3.255 scope global br-lan
valid_lft forever preferred_lft forever
11: wg: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
inet 10.0.0.2/32 brd 255.255.255.255 scope global wg
valid_lft forever preferred_lft forever
0.0.0.0/1 dev wg proto static scope link
default via 192.168.0.1 dev eth1 proto static src 192.168.0.74
128.0.0.0/1 dev wg proto static scope link
<endpoint_ip> via 192.168.0.1 dev eth1 proto static
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.74
192.168.3.0/24 dev br-lan proto kernel scope link src 192.168.3.1
local 10.0.0.2 dev wg table local proto kernel scope host src 10.0.0.2
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.0.0 dev eth1 table local proto kernel scope link src 192.168.0.74
local 192.168.0.74 dev eth1 table local proto kernel scope host src 192.168.0.74
broadcast 192.168.0.255 dev eth1 table local proto kernel scope link src 192.168.0.74
broadcast 192.168.3.0 dev br-lan table local proto kernel scope link src 192.168.3.1
local 192.168.3.1 dev br-lan table local proto kernel scope host src 192.168.3.1
broadcast 192.168.3.255 dev br-lan table local proto kernel scope link src 192.168.3.1
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
interface: wg
public key: key
private key: (hidden)
listening port: 44129
peer: key
endpoint: <endpoint_ip>:51820
allowed ips: 0.0.0.0/1, 128.0.0.0/1
transfer: 0 B received, 10.55 KiB sent
persistent keepalive: every 30 seconds
I start thinking that maybe something is broken in packages.
Unfortunately I am not profound enough in firewall rules to spot if something is not right there.
@trendy thanks for looking into it.
Apparently "soft" reboot from luci doesn't do the same as "hard" reboot by unlugging the power source
I've "hard" rebooted the router and the settings were applied (I've double checked) but that didn't help. I've also checked the keys setup and it was fine too. I've set the setup back to 0.0.0.0/0 and 10.0.0.2/32. And made a hard router reboot again. No luck.
Then your line about the reboot made me think though and so I've also tried to reboot the server, after that wireguard connection finally works for me.
I am still not sure why the server needed a reboot to start working (especially since the other client worked just fine) but I'll take it. Just in case I've setup a daily server reboot in cron and will monitor how the connection works over the next couple of days.
Thanks a lot everyone who tried to help!
Any ideas why the server reboot was necessary are welcome for posterity.
