Hello, I am using a GL-X750v2 with the original firmware (which is OpenWrt).
I actually got LTE and WireGuard to work; now I am missing a static route to reach my home network.
root@GL-X750:~# ip route
default via 10.64.64.64 dev 3g-modem_1_1_2 proto static metric 40
10.64.64.64 dev 3g-modem_1_1_2 proto kernel scope link src 10.129.142.114
87.123.116.30 via 10.64.64.64 dev 3g-modem_1_1_2
192.168.1.0/24 dev wg0 scope link
192.168.66.0/24 dev br-lan proto kernel scope link src 192.168.66.1
So I tried to add this but got the error message:
root@GL-X750:~# ip route add 192.168.1.0/24 via 192.168.33.1 dev wg0
Error: Nexthop has invalid gateway.
It is not. If you want to report an error or get help, you will have to install real OpenWrt; we can't help you with random vendor forks.
It appears you are using firmware that is not from the official OpenWrt project.
When using forks/offshoots/vendor-specific builds that are "based on OpenWrt", there may be many differences compared to the official versions (hosted by OpenWrt.org). Some of these customizations may fundamentally change the way that OpenWrt works. You might need help from people with specific/specialized knowledge about the firmware you are using, so it is possible that advice you get here may not be useful.
Ask for help from the maintainer(s) or user community of the specific firmware that you are using.
Provide the source code for the firmware so that users on this forum can understand how your firmware works (OpenWrt forum users are volunteers, so somebody might look at the code if they have time and are interested in your issue).
If you believe that this specific issue is common to generic/official OpenWrt and/or the maintainers of your build have indicated as such, please feel free to clarify.
Apart from slh's correct comment on the firmware, you are getting a valid error, as you are using a gateway which doesn't exist in your routing table. Furthermore you already have a route for 192.168.1.0/24 over wg.
I do understand all of you not being able to support all the various branches of OpenWrt, but in this case I would assume I have a system/IP/network problem, so I think you could help me on this anyway, which would be very kind.
My config is:
Router IP 192.168.66.1
WireGuard IP of the router 192.168.33.9
WireGuard "server" IP is 192.168.33.1
WireGuard "server" local network is 192.168.1.x
The connection to WireGuard has been established, but no ping is working.
I did use traceroute to check where the problem is, but no clue from this:
root@GL-X750:~# traceroute 192.168.33.1
traceroute to 192.168.33.1 (192.168.33.1), 30 hops max, 38 byte packets
1 * * *
2 172.21.0.1 (172.21.0.1) 64.992 ms 18.266 ms 21.062 ms
3 10.81.7.153 (10.81.7.153) 26.280 ms 20.073 ms 10.81.7.157 (10.81.7.157) 20.993 ms
4 * * *
5 62.52.29.18 (62.52.29.18) 43.918 ms 25.888 ms 28.611 ms
6 * * *
7 * * *
8 * * *
9 * * ^C
Thanks for your help. What other information would you need?
Your wireguard interface needs an IP that includes the other end of the tunnel 192.168.33.1. I suggest 192.168.33.66/24 to make it easy to remember that it is the gateway to the 192.168.66.0 LAN. You'll need to install that route on the home router to have fully symmetric routing.
In other words:
Remote:
LAN 192.168.66.0/24
Tunnel 192.168.33.66/24
Route: 192.168.1.0/24 via 192.168.33.1
Home:
LAN 192.168.1.0/24
Tunnel 192.168.33.1/24
Route: 192.168.66.0/24 via 192.168.33.66
You can place the wg tunnel interfaces in the lan firewall zone if you trust everything on both LANs. Make sure intra-zone forwarding is enabled on lan, which is the default.
This is not accepted; WireGuard allows only 192.168.33.66/32 as the IP of the WG interface. But this is not the problem, because it is the same on my smartphone and works fine.
The routes you can see here:
root@GL-X750:~# ip route
default via 10.64.64.64 dev 3g-modem_1_1_2 proto static metric 40
10.64.64.64 dev 3g-modem_1_1_2 proto kernel scope link src 10.129.142.114
87.123.116.30 via 10.64.64.64 dev 3g-modem_1_1_2
192.168.1.0/24 dev wg0 scope link
192.168.66.0/24 dev br-lan proto kernel scope link src 192.168.66.1
Trying to add this last hop looks like this:
root@GL-X750:~# ip route add 192.168.1.0/24 via 192.168.33.1
Error: Nexthop has invalid gateway.
BUT in the end I cannot even ping 192.168.33.1 (the WG server), although the handshake did take place:
endpoint: 46.114.90.238:28706
allowed ips: 192.168.33.66/32, 192.168.66.0/24
latest handshake: 1 minute, 50 seconds ago
transfer: 1.17 MiB received, 62.02 KiB sent
My impression is you have mixed up addresses.
As a first reminder, the next hop needs to be on link: either an address from the subnet or a peer address.
As an example: if you have 10.0.0.1/24 on the device you can add any route via an address out of that subnet. The only exception is if you add multiple host routes and the OS supports recursive route lookups.
Anyway, as far as I can see from the first route table you posted, 192.168.1.0/24 is already the subnet on the wg0 interface. Maybe this is just a typo in your interface config. Please share the relevant parts of /etc/config/network and how you bring up the WireGuard interface.
PS: yeah, even if you use a fork of OpenWrt, an invalid next hop is an invalid next hop.
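To make the two rules above concrete (the next hop must be on link, and a LAN routed into the tunnel must also be inside the peer's allowed_ips), here is an added example that is not from the thread and not GL-iNet's or OpenWrt's code. It checks a site-to-site plan the way the kernel and WireGuard would: the first Site object mirrors the /32 situation from the error output, the other two mirror the /24 plan suggested earlier in the thread. Site names, the Site class and the route lists are constructed sample data.

```python
"""Sanity checks for a WireGuard site-to-site routing plan (added example).

Two rules the thread turns on:
  1. A static route's next hop must be on-link. The kernel answers
     `ip route add X via G` with "Nexthop has invalid gateway" when G is
     not inside a subnet configured on the outgoing interface; a /32
     tunnel address covers nothing but itself, so any gateway fails.
  2. WireGuard's cryptokey routing only lets packets into the tunnel
     whose destination is inside some peer's allowed_ips, so each remote
     LAN routed into wg0 must also appear there.
The Site objects at the bottom are constructed sample data, not the
poster's configuration files.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass
class Site:
    name: str
    tunnel_addr: str                  # address on wg0, with prefix length
    allowed_ips: list[str]            # allowed_ips of the peer, as set here
    routes: list[tuple[str, str]]     # static routes as (destination, gateway)
    lan: str                          # this site's LAN prefix


def on_link(tunnel_addr: str, gateway: str) -> bool:
    """True if `gateway` lies inside the subnet of `tunnel_addr`.

    This is the connected-route check behind "Nexthop has invalid gateway".
    (`ip route add ... onlink` or an explicit host route can bypass it;
    the commands in the thread use neither.)
    """
    iface = ipaddress.ip_interface(tunnel_addr)
    gw = ipaddress.ip_address(gateway)
    return gw in iface.network and gw != iface.ip


def check_site(site: Site) -> list[str]:
    """Problems with one site's own static routes."""
    problems: list[str] = []
    allowed = [ipaddress.ip_network(a) for a in site.allowed_ips]
    for dst, gw in site.routes:
        if not on_link(site.tunnel_addr, gw):
            problems.append(f"{site.name}: '{dst} via {gw}' is rejected, {gw} is not "
                            f"on-link for {site.tunnel_addr} (Nexthop has invalid gateway)")
        if not any(ipaddress.ip_network(dst).subnet_of(a) for a in allowed):
            problems.append(f"{site.name}: {dst} is routed into the tunnel but not "
                            "covered by allowed_ips, WireGuard would drop it")
    return problems


def check_pair(a: Site, b: Site) -> list[str]:
    """Per-site checks plus symmetry: each side must route the other's LAN
    via the other's tunnel address, otherwise replies have no way back."""
    problems = check_site(a) + check_site(b)
    for here, there in ((a, b), (b, a)):
        want = (there.lan, str(ipaddress.ip_interface(there.tunnel_addr).ip))
        if want not in here.routes:
            problems.append(f"{here.name}: missing route {want[0]} via {want[1]}")
    return problems


# Constructed: the poster's situation, /32 on the tunnel, route via the server's tunnel IP.
BROKEN_REMOTE = Site("lte-router", "192.168.33.9/32",
                     allowed_ips=["192.168.33.1/32", "192.168.1.0/24"],
                     routes=[("192.168.1.0/24", "192.168.33.1")],
                     lan="192.168.66.0/24")

# Constructed: the /24 plan suggested earlier in the thread, for both ends.
REMOTE = Site("lte-router", "192.168.33.66/24",
              allowed_ips=["192.168.33.0/24", "192.168.1.0/24"],
              routes=[("192.168.1.0/24", "192.168.33.1")],
              lan="192.168.66.0/24")
HOME = Site("home-router", "192.168.33.1/24",
            allowed_ips=["192.168.33.66/32", "192.168.66.0/24"],
            routes=[("192.168.66.0/24", "192.168.33.66")],
            lan="192.168.1.0/24")

if __name__ == "__main__":
    for p in check_site(BROKEN_REMOTE):
        print("broken:", p)
    print("fixed plan:", check_pair(HOME, REMOTE) or "no problems")
```

Running it reports exactly one problem for the /32 configuration (the rejected next hop) and none for the /24 plan; change HOME's allowed_ips to drop 192.168.66.0/24 and the second check fires, which is the silent failure mode where the route installs fine but WireGuard discards the packets.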
I did not set up any routes myself, they have been set up automatically.
Could another problem be iptables? Or is that not the cause, since I cannot even ping 192.168.33.1 (the WG server)?
Firewall? I did not change anything. I know how this would be done in the LuCI interface, but their interface does not show firewall zones. Could you tell me how I check using the CLI?
These are the only options in the web interface concerning the firewall: https://docs.gl-inet.com/en/3/tutorials/firewall/
192.168.66.0/24 is LAN-B using 192.168.33.B for wg, and therefore
192.168.33.0/24 is the subnet for the WireGuard tunnel.
So LAN-A should have a route 192.168.66.0/24 via 192.168.33.B
and LAN-B should have a route 192.168.1.0/24 via 192.168.33.A
Both sites should also have 192.168.33.0/24 dev wg-foo and 192.168.33.X/32 dev wg-foo.
Check with ip addr and wg the assigned addresses and the status of the peers, and then with ip route again your route table.
Not quite sure about the defaults, but if your WireGuard interface config has option route_allowed_ips '1' then the networks listed in allowed_ips will get a route entry.
(You could for testing purpose disable that and add routes manually.)
Regarding the firewall: If you have not added/changed anything then this is in either way an additional issue.
For a quick-and-dirty, non-persistent test: iptables -I INPUT 1 -i wg-foo -j ACCEPT, and iptables -I FORWARD 1 -i wg-foo -j ACCEPT, and iptables -I FORWARD 2 -o wg-foo -j ACCEPT
to simply have in and out rules at the very beginning.
This way you can at least check if traffic goes through the tunnel or not.
How you set up proper firewall rules on your GL devices you need to check for yourself, but maybe my points give you a few hints how and where to continue... good luck.
On a working WireGuard client-server pair one would, on the client (mine a GL-X750 running OpenWrt 21.02.3, called gateway), find the only default route via the WireGuard interface (mine called vpn), like:
root@gateway:~# ip -4 route
default dev vpn scope link
Not sure why you do not get one like that.
I do notice your only default route is static:
root@GL-X750:~# ip route
default via 10.64.64.64 dev 3g-modem_1_1_2 proto static metric 40
I do not have such a static one to the mobile interface.
I do have (when wireguard is inactive):
root@gateway:~# ip -4 route
default via 100.79.3.82 dev wwan0 src 100.79.3.81
Perhaps GL-iNet works differently (which OpenWrt version?) and perhaps it (or you?) added a static default route?
ip -4 route
default via 10.64.64.64 dev 3g-modem_1_1_2 proto static metric 40
10.64.64.64 dev 3g-modem_1_1_2 proto kernel scope link src 10.144.27.47
89.247.202.195 via 10.64.64.64 dev 3g-modem_1_1_2
192.168.1.0/24 dev wg0 scope link
192.168.66.0/24 dev br-lan proto kernel scope link src 192.168.66.1
I did not add any route; the wg interface shows "green status" and there is a tiny bit of traffic, but hardly any (Upload / Download 22.12 KB / 632 B) in 1 min.
I still can NOT ping 192.168.33.1 (=wg server)
And yes, I did try using plain OpenWrt before ... had a lot more trouble, like no roaming in Greece possible and so on.
I did check the addresses:
LAN A = 192.168.1.0/24 with the server using 192.168.1.94
This (WireGuard) server uses 192.168.33.1 as its wg interface address.
Here are the WireGuard server's IP routes:
wireguard-SERVER:~$ ip route
default via 192.168.1.1 dev eth0 proto dhcp src 192.168.1.94 metric 202
default via 192.168.1.1 dev wlan0 proto dhcp src 192.168.1.96 metric 303
169.254.0.0/16 dev vethee31619 scope link src 169.254.213.154 metric 208
169.254.0.0/16 dev veth5796082 scope link src 169.254.108.165 metric 210
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
172.18.0.0/16 dev br-4db4c8c735b6 proto kernel scope link src 172.18.0.1
192.168.1.0/24 dev eth0 proto dhcp scope link src 192.168.1.94 metric 202
192.168.1.0/24 dev wlan0 proto dhcp scope link src 192.168.1.96 metric 303
192.168.33.2 dev wg0 scope link
192.168.33.9 dev wg0 scope link
192.168.33.10 dev wg0 scope link
192.168.33.11 dev wg0 scope link
192.168.33.12 dev wg0 scope link
192.168.33.21 dev wg0 scope link
192.168.33.30 dev wg0 scope link
192.168.66.0/24 dev wg0 scope link
(side note: connecting with smartphone/notebook from anywhere using wg works just fine)
LAN B = 192.168.66.0/24 (with the GL-X750v2 as LTE router) which has the address 192.168.66.1
This LTE router has the wg interface address 192.168.33.9.
Here is the network: https://ibb.co/Z2S0W4s
On the home network all is set up; the only problem is the LTE router.
And trying to add the second route you mentioned:
root@GL-X750:~# ip -4 route
default via 10.64.64.64 dev 3g-modem_1_1_2 proto static metric 40
10.64.64.64 dev 3g-modem_1_1_2 proto kernel scope link src 10.144.27.47
89.247.198.76 via 10.64.64.64 dev 3g-modem_1_1_2
192.168.66.0/24 dev br-lan proto kernel scope link src 192.168.66.1
root@GL-X750:~# ip route add 192.168.1.0/24 via 192.168.33.1
Error: Nexthop has invalid gateway.
On regular OpenWrt, configuring a WireGuard tunnel interface with a /24 IP is possible, and it will then appear in the routing table with the other "real" interfaces, and you can use addresses within that /24 as gateways to the LANs at remote sites (note you also have to include those LANs in allowed_ips on your end).
For some reason this OS is not starting up the tunnel properly.
Maybe you can try ip route add default dev wg0 metric 20
and optionally ip route del default via 10.64.64.64 dev 3g-modem_1_1_2
not sure if this helps.
Basically change the default route via modem to a better one via wireguard.
I don't know if OP wants to redirect all Internet use through the VPN or just have site to site LAN access. If you do set allowed_ips to 0.0.0.0/0 and route_allowed_ips, the wireguard programs will properly set up the routes to redirect all Internet use:
A single host route to the wireguard server via the regular WAN (LTE modem here)
and two split /1 routes that send all other Internet use into the tunnel
When the default route is the tunnel you don't need to enter other LANs separately, they're already covered. The router at the other end will decide if the requested destination IP is a LAN or the Internet.
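To make the route logic in this reply concrete, here is an added example (mine, not from the thread, from GL-iNet or from OpenWrt) that models the routes a client ends up with for allowed_ips 0.0.0.0/0 as the reply describes them: one host route for the endpoint over the WAN and two /1 routes into the tunnel. A longest-prefix-match lookup over a constructed table then shows why the encrypted packets still leave via LTE, why the remote LAN needs no separate entry, and why the local LAN is unaffected. The table, interface names and the 192.168.x addresses are constructed; the endpoint address is the one shown in the wg output earlier in the thread.

```python
"""Model of the 'redirect everything' routing described in the reply above
(added example). allowed_ips 0.0.0.0/0 turns into two /1 routes into the
tunnel plus one host route that keeps the WireGuard endpoint itself
reachable over the WAN. The route table below is constructed sample data."""
from __future__ import annotations

import ipaddress

Route = tuple[ipaddress.IPv4Network, str]   # (destination, where it goes)


def full_tunnel_routes(endpoint: str, wan_if: str, wan_gw: str, tun_if: str) -> list[Route]:
    """Routes a client installs for allowed_ips = 0.0.0.0/0.

    The two /1 prefixes are more specific than the existing 0.0.0.0/0
    default, so they win without that default being deleted; the /32 for
    the endpoint is more specific still, so the encrypted UDP packets
    themselves keep leaving via the WAN instead of looping into the tunnel.
    (wg-quick on a desktop reaches the same result with fwmark policy
    routing instead of /1 routes.)
    """
    half_a, half_b = ipaddress.ip_network("0.0.0.0/0").subnets(prefixlen_diff=1)
    return [
        (ipaddress.ip_network(endpoint + "/32"), f"{wan_if} via {wan_gw}"),
        (half_a, tun_if),
        (half_b, tun_if),
    ]


def lookup(table: list[Route], dst: str) -> str:
    """Longest-prefix match, the way the kernel picks a route (metrics ignored)."""
    ip = ipaddress.ip_address(dst)
    best = max((r for r in table if ip in r[0]),
               key=lambda r: r[0].prefixlen, default=None)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]


# Constructed table modelled on the poster's: LTE default route, the local LAN,
# and (from allowed_ips 0.0.0.0/0 with route_allowed_ips) the full-tunnel routes.
TABLE: list[Route] = [
    (ipaddress.ip_network("0.0.0.0/0"), "3g-modem via 10.64.64.64"),
    (ipaddress.ip_network("192.168.66.0/24"), "br-lan"),
] + full_tunnel_routes("46.114.90.238", "3g-modem", "10.64.64.64", "wg0")

if __name__ == "__main__":
    for dst in ("46.114.90.238", "192.168.1.94", "8.8.8.8", "192.168.66.20"):
        print(f"{dst:>15} -> {lookup(TABLE, dst)}")
```

The endpoint is matched by the /32 and stays on LTE, the home LAN and the Internet both fall into one of the /1 routes and go through wg0 (so the home router decides what is LAN and what is Internet), and the local 192.168.66.0/24 still wins on prefix length. The trade-off the reply hints at is that everything, not just home traffic, now crosses the tunnel.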
I did change the WG client (LTE router) IP to 192.168.33.9/24; that helped pinging one way.
My problem is, I can ping from the OpenWrt WireGuard client to the rest, but not from my LAN (1.0/24) to the remote LAN (66.0/24).
WireGuard server
LAN address: 192.168.1.94
WG interface: 192.168.33.1
LTE router
LAN address: 192.168.66.1
WG interface: 192.168.33.9
Ping:
66.1 --> 1.94 OK
66.1 --> 33.1 OK
1.94 --> 33.9 FAIL
1.94 --> 66.1 FAIL
Here is the firewall config:
And here are pictures that show the LuCI web interface (interfaces / firewall). This is how the LuCI config looks:
interfaces: (image hosted on ImgBB)
firewall: https://ibb.co/Vx0Yzd1