Connect via Wireguard to Router with access to other Wireguard links via the Router

I'm having trouble getting an incoming wireguard connection to my router to have access to all of the other networks that can be accessed by my router. Here is the situation:

  • My router has access to 4 remote networks via various VPN connections
  • When on any device on my LAN I easily have access to each VPN network directly
  • When I set up a Wireguard interface for an incoming connection, I put it in my LAN firewall zone, however, it only has access to the local network directly connected to the router, not the additional networks that all devices on the LAN can access

I just can't seem to figure out how to set up Wireguard so that the incoming connection is treated as if it's a device on my LAN and thus would have access to everything the LAN has access to (including zone forwardings). I've run tcpdump to see that when I attempt (via incoming wireguard connection) to address something on a VPN network, the packet is coming through on the incoming Wireguard network but then I lose it from there. I'm not sure if it's a firewall issue. I'm using my LAN zone for the wireguard interface so theoretically it has all the forwards, gateways, routing, etc. that my devices on my LAN have.

Not that it matters as this is a broad question, but my VPN networks are all 10.0.0.0/16 addresses (each a separate subnet) and my wireguard interfaces are all different IPs on the 192.168.0.0/24 network.

I know this works with OpenVPN using a bridged/tap style connection (layer 2), but I don't want to use OpenVPN anymore for my incoming connections, so I just can't seem to figure out how to route traffic across these other VPN subnets using a tunnel style interface (like WireGuard).

Any help would be greatly appreciated.

Can you copy the output of the following commands on Site A and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

uci export network; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; wg

Can you also post the wireguard config from the remote device(s).

There is a lot of configuration information and it would take me a little while to redact it. Would it help if I just asked for help configuring a simplified scenario? Here is a simplified scenario:

  • Two sites: Site A and Site B
  • Both sites have OpenWRT routers connected to the internet
  • Site A has a LAN of 10.0.1.0/24 with two devices:
    • Router (10.0.1.1)
    • PC (10.0.1.2)
  • Site B has a LAN of 10.0.2.0/24 with two devices:
    • Router (10.0.2.1)
    • PC (10.0.2.2)
  • Site A and Site B are bidirectionally connected via Wireguard such that Site A PC (10.0.1.2) can access Site B PC (10.0.2.2)

Now, here is what I'd like to do:

  • Create a third site, Site C, for a laptop
  • Site C can connect to Site A, and should have access to Site B through Site A (it should have access to everything Site A's PC at 10.0.1.2 has access to).
  • Essentially I'd like Site C's PC to act as if it's on Site A's lan when it's connected and has access to everything Site A's PC would have access to

It's likely an issue with what allowed IPs you have on each device. You need to make sure you're allowing the correct subnets into and out of the tunnel at each end.

In your example site C would need the subnets for both sites A and B in the allowed IPs. Site B would need the subnets for sites A and C.


OK - everything is on 10.0.0.0/16 (Site A, B, and C) and the allowed IPs (which are set to be routed) are 10.0.0.0/16 (which covers all 3 sites). But still, when I connect from Site C to Site A via wireguard, I can only access Site A's LAN, and not Site B's.

It should be like this:

  • The destination LANs must have a route to the source WG subnet and to the source LAN behind the WG subnet.
  • The AllowedIPs for the WG peer must include every subnet which the clients need to access.

If you want wireguard to set up the routes automatically then you need to use separate subnets. You can't use one large subnet for multiple sites without manual routing.


I'm trying to keep the config easy for Site C (the laptop) so that I can just connect to Site A and route to everything Site A's LAN can route to (for simplicity's sake let's just call that 10.0.0.0/16). For example, say I add a Site D to Site A that is 10.0.3.0/24; I'd like my laptop to connect to Site A (which is connected to Site D) and be able to access any device on 10.0.3.0/24. Would I need to update my laptop's local config for allowed IPs each time I add a network? How does putting in each subnet as an AllowedIP help with automatic routing? Essentially I just want Site A to act as my gateway and figure out the routing - so when I connect my laptop via wireguard I want all 10.0.0.0/16 addresses to route through the VPN to Site A, and have Site A handle the routing to other sites. Right now this part works (my laptop routes all 10.0.0.0/16 addresses over my wireguard connection to Site A; however, Site A isn't properly handling it after that).

Wireguard uses the allowed IP field to determine which peer traffic should go to. If all the peers have the same allowed IPs then wireguard can't distinguish between peers and it won't work.

Sites which only connect to one other site, e.g. site C, can use the large subnet as everything always goes to one place. But site A needs different subnets for each peer.


OK - would you be able to provide configuration examples of how to get something like I mentioned working? I'm having trouble figuring out what allowed IPs should go where. Also, in my example my laptop would only ever be a peer to Site A, but I would expect Site A to route any traffic it gets from the laptop as if the laptop was on Site A's LAN.

It'll be easier for you to redact and post your configs, then I can provide specific advice for your setup.


If the laptop is only one machine it would be simplest to place its IP directly in Site B's LAN.

If it's a separate IP range as Site C, then it needs a route to Site A. Unless your default route is through Site B.

Run route on each machine to see how the routing tables have been set up.

https://openwrt.org/docs/guide-user/services/vpn/wireguard/extras#site-to-site

All of the sensitive config items have been masked with fake ones (like private and public keys) and based on our example, the configs are from Site A. Any device on Site A's LAN (10.0.1.0/24) can connect directly to Site B's network (10.0.2.0/24). When I connect via wireguard from my laptop (via WGMOBILE) I can only access the 10.0.1.0/24 network (for Site A), but I'd like to also be able to connect to Site B's network via Site A (just as any device on Site A's LAN can do).

package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd5e:0c78:b493::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option delegate '0'
        option ipaddr '10.0.1.1'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config device 'wan_eth0_2_dev'
        option name 'eth0.2'
        option macaddr '0c:80:63:cd:43:88'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 0t'

config interface 'WG'
        option proto 'wireguard'
        option private_key 'SPDPobEa9RM92/J65nJbCy9uCsMA+O/95NKshsnmuVQ='
        option listen_port '1022'
        list addresses '192.168.12.1'
        option delegate '0'

config wireguard_WG
        option public_key '/B0wvyNfQvpVZ+Fy1nvyWoAOwcQBkAXiyJQd0vTtn3Y='
        option description 'SiteB'
        option persistent_keepalive '25'
        option endpoint_port '1023'
        list allowed_ips '10.0.2.0/24'
        option route_allowed_ips '1'
        option endpoint_host '11.22.33.1'

config interface 'WGMobile'
        option proto 'wireguard'
        list addresses '192.168.12.5'
        option delegate '0'
        option listen_port '1024'
        option private_key 'CL+2YXCjTdzPSWCwoJuoFEmR9Poo+JiTj8tj8SL9Jmk='

config wireguard_WGMobile
        option public_key 'JOGl0grVKsJ9LRb22VBz1EkeQnkrb+QCO+SgTGpwt3M='
        option description 'Laptop'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        list allowed_ips '10.0.0.0/16'

package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan WGMobile'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option network 'WG'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option name 'WireGuard'
        option output 'ACCEPT'

config forwarding
        option dest 'lan'
        option src 'WireGuard'

config forwarding
        option dest 'WireGuard'
        option src 'lan'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 10.0.1.1/24 brd 10.0.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
8: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.5.121/24 brd 192.168.5.255 scope global eth0.2
       valid_lft forever preferred_lft forever
9: WG: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 192.168.12.1/32 brd 255.255.255.255 scope global WG
       valid_lft forever preferred_lft forever
10: WGMobile: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 192.168.12.5/32 brd 255.255.255.255 scope global WGMobile
       valid_lft forever preferred_lft forever

default via 192.168.5.1 dev eth0.2 proto static src 192.168.5.121
10.0.1.0/24 dev br-lan proto kernel scope link src 10.0.1.1
10.0.5.0/24 dev WGMobile proto static scope link
192.168.5.0/24 dev eth0.2 proto kernel scope link src 192.168.5.121
broadcast 10.0.1.0 dev br-lan table local proto kernel scope link src 10.0.1.1
local 10.0.1.1 dev br-lan table local proto kernel scope host src 10.0.1.1
broadcast 10.0.1.255 dev br-lan table local proto kernel scope link src 10.0.1.1
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.5.0 dev eth0.2 table local proto kernel scope link src 192.168.5.121
local 192.168.5.121 dev eth0.2 table local proto kernel scope host src 192.168.5.121
broadcast 192.168.5.255 dev eth0.2 table local proto kernel scope link src 192.168.5.121
local 192.168.12.1 dev WG table local proto kernel scope host src 192.168.12.1
local 192.168.12.5 dev WGMobile table local proto kernel scope host src 192.168.12.5
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

interface: WG
  public key: X+9k1IBG2kwlRp+m5qUi96u3nsTrYoBZ/l86K2LpO3Q=
  private key: (hidden)
  listening port: 1022

interface: WGMobile
  public key: BwKTsl30lHbudhuJd35XE6OlH74xlPyGpt2uQoapfTU=
  private key: (hidden)
  listening port: 1024

peer: JOGl0grVKsJ9LRb22VBz1EkeQnkrb+QCO+SgTGpwt3M=
  allowed ips: 10.0.5.0/24
  persistent keepalive: every 25 seconds

You have multiple wireguard interfaces which is generally unnecessary. You should just have multiple peers under one interface.

Delete

        option proto 'wireguard'
        list addresses '192.168.12.5'
        option delegate '0'
        option listen_port '1024'
        option private_key 'CL+2YXCjTdzPSWCwoJuoFEmR9Poo+JiTj8tj8SL9Jmk='

Change config wireguard_WGMobile to config wireguard_WG. Change list allowed_ips '10.0.0.0/16' in that config block to a /24 subnet.

Update the config on your mobile device to use the public key for the WG interface and an IP from the /24 subnet you've picked. Allowed IPs on the mobile device can be '10.0.0.0/16' (as long as it is connecting only to Site A).

list addresses '192.168.12.1' in config interface 'WG' is unnecessary and can be deleted.

In your firewall config change option network 'lan WGMobile' to option network 'lan WG'.

Delete

config zone
        option network 'WG'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option name 'WireGuard'
        option output 'ACCEPT'

config forwarding
        option dest 'lan'
        option src 'WireGuard'

config forwarding
        option dest 'WireGuard'
        option src 'lan'

On site B check the allowed IPs is set to '10.0.0.0/16' (again assuming it is connecting only to Site A).

Restart the wireguard interfaces on any devices where you've made changes.

It looks like the OpenWRT device isn't connected directly to the internet? Do you have correct routes added to the internet gateway device?

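The AllowedIPs rules given earlier in the thread (the destination LAN needs a route back to the source subnet, every peer entry must include the subnets behind that peer, and two peers on one interface cannot claim the same prefix) can be checked mechanically. The Python model below is an added example, not code or configuration from this thread or from OpenWrt. It assumes the simplified addressing used in the thread (Site A LAN 10.0.1.0/24, Site B LAN 10.0.2.0/24), a laptop at 10.0.5.2 inside an assumed 10.0.5.0/24 mobile subnet, and the peer labels SiteA, SiteB and Laptop. It traces one laptop-to-Site-B packet and its reply through each end's cryptokey table and reproduces the two failure modes discussed above: Site B lacking the mobile subnet in its peer entry for Site A, and both Site A peers being given 10.0.0.0/16.

```python
"""Model of WireGuard's cryptokey routing for the three-site scenario.

Constructed example, not configuration from the routers in this thread.
Addresses follow the thread's simplified scenario: Site A LAN 10.0.1.0/24,
Site B LAN 10.0.2.0/24; the laptop is assumed to be 10.0.5.2 in an assumed
10.0.5.0/24 mobile subnet. Peer names (SiteA, SiteB, Laptop) are labels.
"""
import ipaddress


class WgInterface:
    """One WireGuard interface: a single AllowedIPs table shared by its peers.

    Outbound, the destination address is looked up by longest prefix to pick
    the peer. Inbound, a decrypted packet is dropped unless its source falls
    inside the sending peer's AllowedIPs. A prefix can belong to only one
    peer; adding it to a second peer moves it there.
    """

    def __init__(self, name):
        self.name = name
        self.table = {}  # ip_network -> peer name

    def add_peer(self, peer, allowed_ips):
        for cidr in allowed_ips:
            self.table[ipaddress.ip_network(cidr)] = peer  # later peer wins
        return self

    def peer_for(self, address):
        """Outbound lookup: peer owning the longest matching prefix, else None."""
        addr = ipaddress.ip_address(address)
        for net in sorted(self.table, key=lambda n: n.prefixlen, reverse=True):
            if addr in net:
                return self.table[net]
        return None

    def accepts_from(self, peer, source):
        """Inbound cryptokey check for a packet decrypted from `peer`."""
        return self.peer_for(source) == peer


def build(site_b_allows_mobile=True, site_a_overlapping=False):
    """Site A hub, Site B spoke, laptop spoke. Flags reproduce two misconfigs."""
    a = WgInterface("SiteA")
    if site_a_overlapping:
        # Both peers claim 10.0.0.0/16: only the last one added keeps it.
        a.add_peer("SiteB", ["10.0.0.0/16"]).add_peer("Laptop", ["10.0.0.0/16"])
    else:
        # Disjoint prefixes per peer; a single end device gets a /32.
        a.add_peer("SiteB", ["10.0.2.0/24"]).add_peer("Laptop", ["10.0.5.2/32"])
    b_allowed = ["10.0.1.0/24"] + (["10.0.5.0/24"] if site_b_allows_mobile else [])
    b = WgInterface("SiteB").add_peer("SiteA", b_allowed)
    # The laptop has a single peer, so one wide prefix is unambiguous.
    laptop = WgInterface("Laptop").add_peer("SiteA", ["10.0.0.0/16"])
    return a, b, laptop


def round_trip(a, b, laptop, src="10.0.5.2", dst="10.0.2.2"):
    """Trace laptop -> Site B PC and the reply. Returns (ok, reason)."""
    if laptop.peer_for(dst) != "SiteA":
        return False, f"laptop: no AllowedIPs entry covers {dst}"
    if not a.accepts_from("Laptop", src):
        return False, f"Site A drops: {src} not in Laptop peer AllowedIPs"
    nxt = a.peer_for(dst)
    if nxt != "SiteB":
        return False, f"Site A routes {dst} to {nxt} instead of SiteB"
    # Site B's inbound check is also what gives it a route back to src.
    if not b.accepts_from("SiteA", src):
        return False, f"Site B drops: {src} not in SiteA peer AllowedIPs"
    if not a.accepts_from("SiteB", dst):
        return False, f"Site A drops reply: {dst} not in SiteB peer AllowedIPs"
    if a.peer_for(src) != "Laptop":
        return False, f"Site A routes reply for {src} to {a.peer_for(src)}"
    if not laptop.accepts_from("SiteA", dst):
        return False, f"laptop drops reply from {dst}"
    return True, "round trip ok"


if __name__ == "__main__":
    for label, kwargs in [
        ("corrected", {}),
        ("Site B missing mobile subnet", {"site_b_allows_mobile": False}),
        ("both Site A peers 10.0.0.0/16", {"site_a_overlapping": True}),
    ]:
        ok, why = round_trip(*build(**kwargs))
        print(f"{label:32} {'OK  ' if ok else 'FAIL'} {why}")
```

Running it prints the three scenarios. The "Site B missing mobile subnet" case is the one the advice above about checking Site B's AllowedIPs addresses: Site A forwards the packet correctly, but Site B discards it on decryption because the laptop's source address is not in its peer entry for Site A, so nothing ever comes back. The overlapping case shows why a hub with several peers needs distinct prefixes per peer, while a spoke with one peer can keep the wide 10.0.0.0/16.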

I have multiple WG interfaces because I want to be able to eventually restrict traffic based on interface (which is why I want to group all mobile devices into their own network and interface). The salient point from your edits suggests that I set mobile device IPs to be on the specific subnet that I've picked (in this case for Site A that would be 10.0.1.x). Also, is it effective to remove the list address from all wireguard interfaces? When I first set things up I think I had issues if I didn't put an IP address for each wireguard interface. If one is required, should I stop using a separate addressing scheme for the wireguard interface IPs? What I mean is for all the wireguard interface IPs I've used a 192.168.12.x address, should I switch over and use IPs on my 10.0.x.x network (depending on the 10.0.x.x subnet I'm attached to)? Or perhaps I should be able to get it to work without assigning any IPs to the actual wireguard interfaces?

I am using a separate router for testing until I can get everything working, so at the time I pulled the configs it was not connected to the internet.

For site to site to work where the VPN server is not also the site's main router, you do need to manually install extra routes in the main router. These tell site to site traffic to gateway through the VPN server.

In all of my cases the wireguard/VPN servers are the primary internet connected OpenWRT router at each location so at least that's not an added complication.

I would advise that you consider how necessary this is. It is possible to use multiple interfaces but it adds complexity which may not actually be necessary in the long run. If you do have multiple interfaces then you have to ensure that you have appropriate firewall rules.

If you're thinking you should give mobile devices an IP from 10.0.1.0/24 then that's not right. You can pick a subnet (say for example 10.0.10.0/24) and use that for addressing mobile devices, but you have to ensure that there's no overlap in each peer's allowed IPs, i.e. for single end devices you should use a /32 address as the allowed IP for the peer config.

Where wireguard is running on a router and you're using it to allow remote devices to access a connected LAN, then it doesn't need a separate IP address. You will have access to the router through its normal LAN address. Remote devices (end devices, not another router for a site to site VPN) will need a 'list addresses' entry and this should match what is in the allowed IPs field for the respective peer config on the router.


That's very useful information. I'll try these changes this weekend and let you know if I can get it to work. Thanks for all the help!