WireGuard, firewall and dnscrypt-proxy v2 configuration: routing all traffic (including DNS) through the tunnel

Hello,
I need help with what should be a simple problem: all traffic (including DNS) has to go through the WireGuard tunnel. The tunnel itself is up (the peers complete a handshake), but I cannot get the router to send all traffic through it — as the routing table below shows, the default route still points at the upstream (wwan) interface.
The configuration is on a Raspberry Pi 3 B running OpenWrt 18.06.2.

/etc/config/network

# /etc/config/network — netifd interface definitions.
# NOTE: comments survive hand editing only; `uci commit` / LuCI rewrite this file without them.
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# LAN bridge on eth0 (br-lan, 192.168.1.1/24 in `ip -4 a` below).
# delegate '0': no IPv6 prefix delegation to this interface.
config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option delegate '0'
	option ifname 'eth0'

# Upstream: DHCP client. No ifname here, so the physical device (wlan1, 172.16.0.10/24 in
# `ip -4 a`) is presumably attached from /etc/config/wireless — not shown, confirm.
# peerdns '0': DNS servers offered by the upstream DHCP are ignored, so the router never
# resolves through the ISP; resolution is meant to go dnsmasq -> dnscrypt-proxy only.
# NOTE(review): this interface owns the current default route (`ip -4 r`). No `option metric`
# is set, so a default route later installed via wg0 competes with it on equal terms; giving
# wwan a worse metric (e.g. `option metric '10'`) makes the tunnel route win deterministically.
config interface 'wwan'
	option proto 'dhcp'
	option delegate '0'
	option peerdns '0'

# WireGuard interface. The private key is redacted ('xxxx') — correct; never paste the real one.
# listen_port only matters for inbound handshakes; this side initiates and keeps the tunnel up
# with persistent_keepalive, so the server's replies pass the wan zone's input DROP via conntrack.
config interface 'wg0'
	option private_key 'xxxx'
	list addresses '10.9.0.2/24'
	option listen_port '54541'
	option proto 'wireguard'
	option peerdns '0'

# Peer section (the WireGuard server). allowed_ips 0.0.0.0/0 lets any destination be sent to /
# accepted from this peer, but on its own it is only WireGuard's cryptokey-routing ACL: netifd
# installs NO kernel route for it unless `option route_allowed_ips '1'` is also set. That is
# why `ip -4 r` below still shows `default via 172.16.0.1 dev wlan1` and traffic bypasses wg0.
config wireguard_wg0
	option public_key 'xxxx'
	option allowed_ips '0.0.0.0/0'
	option endpoint_host 'x.x.x.x'
	option persistent_keepalive '25'
	option endpoint_port '54541'

/etc/config/firewall

# /etc/config/firewall (fw3). Default policy: drop everything that no zone or rule accepts.
# NOTE: `uci commit` / LuCI rewrite this file and drop these comments.
config defaults
	option syn_flood '1'
	option input 'DROP'
	option output 'DROP'
	option forward 'DROP'

# lan: clients may talk to the router and the router to them. forward 'DROP' here is the
# intra-zone (lan -> lan) policy; inter-zone forwarding is only what explicit rules or
# forwardings grant — see 'Lan to wg' at the bottom. There is deliberately NO lan -> wan
# forwarding, which is what makes the tunnel a kill switch for LAN clients.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option network 'lan'
	option forward 'DROP'

# wan: covers the wwan DHCP interface. The router itself may send out (output ACCEPT); nothing
# unsolicited comes in (input DROP) and the zone forwards nothing. masq NATs to 172.16.0.10;
# mtu_fix clamps TCP MSS to the path MTU.
# NOTE(review): output ACCEPT means router-originated traffic (dnscrypt-proxy, ntp, opkg) can
# leave via wwan whenever the kernel's default route points there — the kill switch covers LAN
# clients, not the router. The wg endpoint must stay reachable through this zone, so it cannot
# simply be closed; add output rules if router-originated leakage matters to you.
config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'DROP'
	option forward 'DROP'
	list network 'wwan'

# The sections below are OpenWrt's stock wan input rules with their target changed from ACCEPT
# to DROP. NOTE(review): the names still say "Allow-…" while the rules drop, which misleads
# anyone auditing this file; with the wan zone already at input DROP they are also redundant.
# Either rename them (e.g. 'Drop-Ping') or delete them.
# NOTE(review): wwan is a DHCP client (see /etc/config/network). Dropping unicast replies to
# udp/68 blocks lease renewals; udhcpc will likely recover by broadcasting at rebind time
# (raw socket, bypasses netfilter), but expect lease churn — safer to leave this one on ACCEPT.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option family 'ipv4'
	option target 'DROP'

# Router does not answer ping from the upstream side.
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'DROP'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'DROP'

# IPv6 is effectively unused here (delegate '0' on every interface, no IPv6 addresses shown).
# If it is ever enabled, dropping DHCPv6, MLD and the ICMPv6 types below (router-advertisement,
# destination-unreachable, time-exceeded) breaks IPv6 connectivity and PMTU discovery —
# revisit these five rules at that point.
config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'DROP'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	option family 'ipv6'
	option target 'DROP'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	option limit '1000/sec'
	option family 'ipv6'
	option icmp_type 'echo-reply destination-unreachable echo-request router-advertisement router-solicitation time-exceeded'
	option target 'DROP'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option proto 'icmp'
	option limit '1000/sec'
	option family 'ipv6'
	option icmp_type 'echo-reply destination-unreachable echo-request time-exceeded'
	option dest '*'
	option target 'DROP'

# No IPsec is configured on this box; these two stock rules are inert either way.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'DROP'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'DROP'

# Extra iptables rules from a shell script that fw3 runs after its own. Its contents are not
# shown in this post — anything in it can bypass every policy above, so it must be reviewed too.
config include
	option path '/etc/firewall.user'

# Forces LAN clients' DNS through the router: any udp/tcp to port 53 leaving the lan zone is
# redirected to the router's own port 53 (no dest_ip => fw3 uses REDIRECT to the router),
# where dnsmasq forwards to dnscrypt-proxy, regardless of which resolver the client configured.
# Caveat: this catches only classic port-53 DNS; clients doing DoT (853) or DoH (443) are not
# intercepted and go through the tunnel as-is.
config redirect
	option name 'Divert-DNS'
	option src 'lan'
	option proto 'tcpudp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'

# wg: the tunnel zone. masq '1' rewrites LAN sources to 10.9.0.2 before they enter the tunnel,
# so the server only needs to know 10.9.0.0/24; mtu_fix clamps TCP MSS to wg0's 1420 MTU.
# input/forward REJECT: nothing arriving from the far side of the tunnel may reach the router
# or be forwarded onwards.
config zone
	option name 'wg'
	option family 'ipv4'
	option masq '1'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'
	option mtu_fix '1'
	option network 'wg0'

# The only inter-zone forwarding on this box: lan -> wg, all protocols. A `config forwarding`
# section with src 'lan' / dest 'wg' is the idiomatic equivalent. Because no lan -> wan
# forwarding exists, LAN clients lose connectivity when the tunnel is down instead of silently
# falling back to the wwan.
config rule
	option enabled '1'
	option target 'ACCEPT'
	option src 'lan'
	option name 'Lan to wg'
	option proto 'all'
	option dest 'wg'

ip -4 a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
7: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet 172.16.0.10/24 brd 172.16.0.255 scope global wlan1
       valid_lft forever preferred_lft forever
8: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1
    inet 10.9.0.2/24 brd 10.9.0.255 scope global wg0
       valid_lft forever preferred_lft forever

ip -4 r

default via 172.16.0.1 dev wlan1 proto static src 172.16.0.10 
10.9.0.0/24 dev wg0 proto kernel scope link src 10.9.0.2 
x.x.x.x via 172.16.0.1 dev wlan1 proto static 
172.16.0.0/24 dev wlan1 proto kernel scope link src 172.16.0.10 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 

ip -4 ru

0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 

/etc/config/dhcp

# /etc/config/dhcp — dnsmasq (DNS forwarder + DHCPv4) and odhcpd.
# NOTE: `uci commit` / LuCI rewrite this file and drop these comments.
# DNS hardening present: domainneeded/boguspriv keep plain-name and RFC1918 reverse lookups
# from leaving the box; rebind_protection (+ rebind_localhost) discards upstream answers that
# point into private ranges (DNS-rebinding defence); localservice answers only local subnets.
# Resolution path: noresolv '1' makes dnsmasq ignore /tmp/resolv.conf entirely, so the ONLY
# upstream is the `list server` below — 127.0.0.53, presumably dnscrypt-proxy's listen address
# (its config is not shown; confirm with `netstat -lnup | grep 127.0.0.53`). If dnscrypt-proxy
# is down, lookups fail closed rather than leaking to the ISP.
# localuse '1' asks dnsmasq to be the router's own resolver as well. NOTE(review): I would then
# expect `nameserver 127.0.0.1` in /tmp/resolv.conf, but the copy shown further down has only
# a `# Interface wwan` header — check `cat /etc/resolv.conf` and that router-originated lookups
# (`nslookup openwrt.org`) actually go through 127.0.0.1.
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option noresolv '1'
	option localuse '1'
	list server '127.0.0.53'

# DHCPv4 pool for LAN: 192.168.1.100-249 (start 100, 150 addresses), 24h leases.
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '24h'

# NOTE(review): no network named 'wan' exists (the upstream interface is 'wwan'), so this
# stanza is stale; harmless because of ignore '1', and dnsmasq serves no interface without
# a dhcp section anyway.
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

# odhcpd handles only IPv6 (maindhcp '0' leaves DHCPv4 to dnsmasq); idle with IPv6 unused.
config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

/tmp/resolv.conf

# Interface wwan (Why WAN and not lan? dnscrypt v2 works fine, dnsleaktest.com never showed leaks)

@trendy please help :upside_down_face:

You need to enable `route_allowed_ips` for the peer so that netifd actually installs routes for its allowed IPs — `allowed_ips` on its own is only WireGuard's cryptokey-routing ACL and adds nothing to the kernel routing table.
To make the tunnel take precedence over the wwan default route without touching metrics, you can list two networks instead of 0.0.0.0/0; each /1 is more specific than the /0 default route, so longest-prefix matching sends everything through wg0:

0.0.0.0/1
128.0.0.0/1

As I understand it, I have to change the configuration as below:
/etc/config/network

# /etc/config/network, second attempt (after the /1 + /1 suggestion above).
# NOTE: `uci commit` / LuCI rewrite this file and drop these comments.
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option delegate '0'
	option ifname 'eth0'

config interface 'wwan'
	option proto 'dhcp'
	option delegate '0'
	option peerdns '0'

# NOTE(review): the private_key below is a REAL WireGuard private key pasted into a public
# forum post (the first post correctly had 'xxxx'). Treat it as compromised: anyone who read
# this can impersonate this peer to the server. Generate a new pair
# (`wg genkey | tee privatekey | wg pubkey > publickey`), put the new private key here, register
# the new public key on the server and remove the old one there. The peer public_key below is
# the server's and is not secret, though it does identify the endpoint.
config interface 'wg0'
	option private_key 'GBBoD8kLfogNDneEQCd9ZN8Jfw+BK9d+9oJpiNyj11A='
	list addresses '10.9.0.2/24'
	option listen_port '54541'
	option proto 'wireguard'
	option peerdns '0'

# Only 0.0.0.0/1 is listed (the suggestion was 0.0.0.0/1 AND 128.0.0.0/1 — one half alone
# would route only 0.0.0.0-127.255.255.255 through the tunnel), and `option route_allowed_ips '1'`
# is still missing, so netifd installs no route at all. That is why the next reply reports the
# default route still goes via wwan; the thread later settles on 0.0.0.0/0 + route_allowed_ips '1'.
config wireguard_wg0
	option public_key 'kw+Akj4bw6r23UrGExZFeBgFw6dWlhUmpw9Ef1rYJjg='
	option allowed_ips '0.0.0.0/1'
	option endpoint_host 'x.x.x.x'
	option persistent_keepalive '25'
	option endpoint_port '54541'

It did not work.
The route still goes through wwan. To be clear about the goal: this should behave as a kill switch — if the WireGuard server goes down, the Internet should stop working rather than traffic silently falling back to the wwan.

made the following changes:
#changed to 0.0.0.0/0
option allowed_ips '0.0.0.0/0'
#add a line
option route_allowed_ips '1'
@trendy thanks for the advice, today I'll look at the leaks.

Instead of this

config rule
	option enabled '1'
	option target 'ACCEPT'
	option src 'lan'
	option name 'Lan to wg'
	option proto 'all'
	option dest 'wg'

you can have the same result with this

# fw3 zone-to-zone policy: permit lan -> wg for all protocols. Same effect as the
# 'Lan to wg' rule, expressed with the construct meant for inter-zone forwarding.
config forwarding
        option dest 'wg'
        option src 'lan'

and as long as there is no forwarding from lan to wan, LAN clients have no Internet when the tunnel is down — the only way out of the lan zone is into wg. (The router's own traffic is a separate matter: the wan zone still has output ACCEPT, so router-originated connections can use the wwan whenever the kernel's default route points there.)


Can you explain why /tmp/resolv.conf contains `# Interface wwan` rather than something referring to the LAN? I understand the line is a comment, but I expected the file to point at localhost.

That file is generated automatically. The `# Interface wwan` header is the format netifd uses when it writes the DNS servers learned on an interface, and because wwan has `peerdns '0'` nothing follows it. With `localuse '1'` in /etc/config/dhcp I would have expected dnsmasq to write `nameserver 127.0.0.1` there instead, so check what the router itself actually uses to resolve: the content of /etc/resolv.conf should point at 127.0.0.1 (dnsmasq, which forwards to dnscrypt-proxy). If it lists upstream servers instead, the router's own lookups bypass dnscrypt even though LAN clients do not; if it lists nothing usable, router-originated lookups (opkg, ntp) fail rather than leak.
