Configuring Wireguard endpoints?

My goal: a VPN on my laptop for safe, remote access to my home LAN. Ping fails, so I did something wrong. I suspect either confusion about my "endpoints" or maybe a firewall block. I set up DDNS on LuCI and it works fine. Is the DDNS "Lookup hostname (registered IP)" the client's "endpoint"? Or is it the router's LAN IP? Or something else like one of the "allowed" IPs?

Also, for the server, WG "identifies" the client (peer) by its public key, but what is the server's "endpoint" for that client? Can this be tested at home where the laptop is IN my LAN, or would I actually have to move it to a remote network?

Also, completely unsure about firewall issues in OpenWrt and what I must do, if anything, to "allow" VPN access.

Have been using Linux for a long time, but completely new to VPN. Have read a howto on this forum, the one on the WireGuard site, and another one here. Still confused and unable to ping or go further.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

uci export network; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru;

Also provide the wireguard config being used on your laptop.

Deleted this output as suggested. Made corrections as per krazeh and reposted further down.

You should probably edit your post to remove your Wireguard keys and any public IP addresses.

Starting with the network config -- you have two WG interfaces. Can you explain what each one is for? Do you need both, or was one an experiment?

Remove the wirevpn interface and peer. Change the wg0 to the following:

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'ABCD........tEuSXI=='
	option listen_port '51820'

config wireguard_wg0
	option public_key 'PGRSHtO........p+OGGGG='
	option route_allowed_ips '1'
	list allowed_ips '192.168.2.2/32'

Add a firewall rule

config rule
	option target 'ACCEPT'
	option src 'wan'
	option dest_port '51820'
	option name 'Wireguard'
	option proto 'udp'

What's your client config?


Yes the first config, "wirevpn" did not work, so did the second w/o deleting. Let me delete it, make the changes and retry the code you gave me. Will take a few minutes at least.

Make it something bigger than /32 , for example /24.

Not needed.

wg0 interface isn't in any firewall zone, add it in lan. Also add the firewall rule from krazeh.

The public key of the server identifies the server as endpoint on the client peer configuration.

It can.

There is a guide in the wiki.

OK, maybe not the right way to do it, but too much personal info in the other output post so I redid it there after making the changes krazeh suggested. Lost the laptop config will redo and put it out a bit later. Did nothing yet with trendy's post. Will be a few hours -- interruption. Thx

Oh, I added the firewall rule in /etc/config/network -- maybe the wrong place.

Concerning the link to the wiki guide...I think I saw it but confused too many things together.

As far as configuring the laptop (xubuntu), should I use the info on the WireGuard site or another? Where exactly does that write to? /etc/wireguard/wg0.conf or something else?

Don't forget that if you lost the configuration on the laptop, you'll need to generate new keys (public and private) for that system and then you need to copy the public key over to your OpenWrt WG peer config.

When you update the thread with new versions of your config files, please be sure to include them in a new message within the thread (do not edit the earlier posts in this thread with updated configs -- that just causes confusion; it is okay to edit them if you need to redact details such as keys and addresses, if necessary).

You practically copy-paste the commands on the wiki to the console and read the comments, especially about the key exchange.

It's not if you've given the wireguard interface an address that covers a subnet and the peer address is in that subnet. However, if either of those is not true then you do need it.

Ok this is the corrected output of krazeh's code. I was not sure how to add the firewall rule. I put it into /etc/config/network which is probably not right.

On the laptop, I ran into a lot of problems. WireGuard is not in the Ubuntu repos so I added the PPA which the WireGuard page says is obsolete, but it seemed to install wg dkms tools etc. OK. However the cmds on the WireGuard Quick Start page do not work properly. I tried creating a file: /etc/wireguard/wg0.conf and filling it out as per what I've learned here, but using #wg does not show any result or errors. I think WireGuard is internal to this kernel, so not sure how to proceed. The OpenWrt server seems to "stay alive." As a server endpoint, should I use 192.168.1.1 or my DDNS name: adsfad.dynu.net?

root@OpenWrt:~# uci export network; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru;
package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd0d:70f2:8a95::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth1.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5 0t'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'ABCD......efghI='
	option listen_port '51820'

config wireguard_wg0
	option public_key 'QRSTUV.......xyz='
	option route_allowed_ips '1'
	list allowed_ips '192.168.2.2/32'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option dest_port '51820'
	option name 'Wireguard'
	option proto 'udp'

package firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config redirect
	option dest_port '22'
	option src 'wan'
	option name 'ssh'
	option src_dport '22'
	option target 'DNAT'
	option dest 'lan'
	option dest_ip '192.168.1.3n5'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
9: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 24.7.101.128/22 brd 24.7.103.255 scope global eth0.2
       valid_lft forever preferred_lft forever
default via 24.7.100.1 dev eth0.2 proto static src 24.7.101.128 
24.7.100.0/22 dev eth0.2 proto kernel scope link src 24.7.101.128 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 
192.168.2.2 dev wg0 proto static scope link 
broadcast 24.7.100.0 dev eth0.2 table local proto kernel scope link src 24.7.101.128 
local 24.7.101.128 dev eth0.2 table local proto kernel scope host src 24.7.101.128 
broadcast 24.7.103.255 dev eth0.2 table local proto kernel scope link src 24.7.101.128 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1 
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1 
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default

Concerning the laptop, seems the module is not loading into the kernel. Found others mention this issue, no solution I've seen. Here's my output from the laptop:

mintlap wireguard # wg-quick up wg0
[#] ip link add wg0 type wireguard
Error: Unknown device type.
Unable to access interface: Protocol not supported
[#] ip link delete dev wg0
Cannot find device "wg0"
mintlap wireguard # modprobe wireguard
modprobe: FATAL: Module wireguard not found in directory /lib/modules/5.3.0-46-generic

I know resolving this side of the issue is not part of OpenWrt, so I'll continue to look. Being in the kernel is new so I think it will get addressed quickly.
I do want to know if my server side config seems OK, though and how to deal with the "firewall" rule. Do I add the zone in Interface > wg0 (edit) > firewall add LAN zone and then in custom rule or exactly how? thx a lot.

Looks better.

You are right that you need to remove the firewall rule from the network config. You can literally copy/paste those lines into the /etc/config/firewall file if you are directly editing the config files.

You still need the WG network assigned to a firewall zone. You can just add it to the lan zone, or you can create a new zone for it and add the appropriate zone forwarding rules... like the following (do one or the other, not both):

Firewall option 1: add wg0 to the *existing* lan zone
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan wg0'
Firewall option 2: separate wg zone and forwarding rules
config zone
	option name 'wg'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option network 'wg0'
	option forward 'REJECT'

config forwarding
	option dest 'lan'
	option src 'wg'

config forwarding
	option dest 'wan'
	option src 'wg'

In my OpenWrt network config, I have a few other things specified for the WG interface and peer sections, but I'm not positive if they are actually necessary on the OpenWrt peer (vs the remote peer). Specifically, I have an address on the interface and a keep alive option on the peer... it would look like this:

network config -- add network address to wg interface and keep alive to the wg peer
config interface 'wg0'
	option proto 'wireguard'
	option private_key 'ABCD......efghI='
	option listen_port '51820'
	list addresses '192.168.2.1/24'

config wireguard_wg0
	option public_key 'QRSTUV.......xyz='
	option route_allowed_ips '1'
	list allowed_ips '192.168.2.2/32'
	option persistent_keepalive '25'

I just literally set up a VM with Ubuntu 20.04 today. It is in the apt repo for the latest. I'm not sure about earlier versions at the moment.

sudo apt-get update
sudo apt list | grep wireguard
wireguard-dkms/focal,focal 1.0.20200413-1 all
wireguard-tools/focal 1.0.20200319-1ubuntu1 amd64
wireguard/focal,focal 1.0.20200319-1ubuntu1 all

OK, pasted those firewall lines into /etc/config/firewall.

So to do option 1, from Interface > wg0 > Edit > Firewall Settings create LAN-wg0
For Option 2 go to Firewall panel and Add a zone, then forward?
Or am I confused about those?

Concerning wg on the laptop. I think I started this right at the transition period from wg being in user space to the kernel. Will have to struggle with this a bit, perhaps elsewhere, and when I get it sorted out, if I still have trouble connecting, then come back here.
All have been very helpful. This has been a hard nut for me.

Using /32 address can lead to other problems, therefore I advise against it.


I should have been a bit more clear about the firewall zone options.

If you plan to use the WG to access your LAN and the WAN and don't feel the need to restrict it using the firewall, just adding the wg0 network to the LAN zone is simple (option 1). But if you want more granular control over the wg network, put it in a unique firewall zone.

As for adding to the firewall, it's actually really easy...
for option 1 using LuCI: Network > Interfaces > wg0 [edit] > Firewall Settings > Create/Assign Zone > select lan.

Option 2 (unique zone) -- the fastest way is probably to paste the configuration I posted earlier right into the firewall file. Or you can use the above process to create a new zone (called wg), then go into Network > Firewall > Zones > wg [edit] > general settings > allow forward to destination zones > [select wan and lan from the options in the dropdown].

If you have an iPhone or Android phone, or a Mac or Windows system, you can try installing wg on one of those devices and see if you can get a tunnel running, this way you know everything is working on OpenWrt (or you can troubleshoot). This way, once you get the laptop sorted out, you should be good to go.
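For the laptop side, which nobody in the thread posted, here is an added example of /etc/wireguard/wg0.conf that matches the router config above (example only, not from any participant): the endpoint is the DDNS hostname plus the router's listen_port, not the router's LAN address, and the key placeholders are assumed to be filled from the actual key pair.

```ini
# /etc/wireguard/wg0.conf on the laptop (constructed example, not from the thread)
[Interface]
# Laptop's tunnel address; matches 'list allowed_ips 192.168.2.2/32' on the router,
# with a /24 mask as trendy advised rather than /32.
Address = 192.168.2.2/24
# Placeholder: the laptop's private key (wg genkey). Its public key (wg pubkey)
# goes into the router's 'config wireguard_wg0' section as option public_key.
PrivateKey = <LAPTOP_PRIVATE_KEY>

[Peer]
# Placeholder: the router's public key, derived from the wg0 private_key with wg pubkey.
PublicKey = <ROUTER_PUBLIC_KEY>
# Endpoint = DDNS hostname registered by the router + its listen_port (UDP 51820).
# 192.168.1.1 is only reachable once the tunnel is up, so it cannot be the endpoint.
Endpoint = adsfad.dynu.net:51820
# Traffic sent into the tunnel: the tunnel subnet (router is 192.168.2.1) and the home LAN.
AllowedIPs = 192.168.2.0/24, 192.168.1.0/24
# Keeps the NAT mapping on the laptop's side open so the router's replies get through.
PersistentKeepalive = 25
```

After `wg-quick up wg0`, `wg show wg0` should report a "latest handshake" within a few seconds if the keys, endpoint and firewall rule are correct; then ping 192.168.2.1 first and 192.168.1.1 second to separate tunnel problems from zone problems.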