Firewall Configuration for Wireguard vpn

I think that your setup is fundamentally working now. But you're actually overcomplicating everything by a large margin.

This can be done with two routers connected to each other, no additional routing needed, no switch (L2 or L3) either. And instead of using what are normally public IP address schemes, use RFC1918 address ranges instead.

Here's what I would suggest for a simpler, but very conclusive setup:

Router 1:

• wan address - static 192.168.0.1/24
• wan zone: masquerading enabled, input = drop or reject
• lan address: 192.168.1.1/24
• lan zone: masquerading disabled, input = accept, forward = accept
• lan > wan forwarding allowed on the firewall
• wg as a 'server' with interface address 10.9.8.1/24
• wg peer with allowed IPs 10.9.8.2/32, 192.168.2.0/24
• wg either in lan zone or in its own zone (if in its own zone, masquerading disabled, input = accept, lan > wg and wg > lan forwarding allowed)
• firewall traffic rule accept the listen port for wg

Router 2:

• wan address - static 192.168.0.2/24
• wan zone: masquerading enabled, input = drop or reject
• lan address: 192.168.2.1/24
• lan zone: masquerading disabled, input = accept, forward = accept
• lan > wan forwarding allowed on the firewall
• wg as a 'client' with interface address 10.9.8.2/32
• wg peer with allowed IPs 10.9.8.1/32, 192.168.1.0/24
• wg either in lan zone or in its own zone (if in its own zone, masquerading disabled, input = accept, lan > wg and wg > lan forwarding allowed)

Then, with WG not started, try to ping from a host on one router to hosts on the other (including the lan address of the other router).... they will fail. Activate WG (make sure it has connected -- you can check the last handshake time), and try the ping tests again. They will suceed (provided that there are no local firewalls on the hosts that would prevent it).

Your setup with additional routing on your L3 capable switch is not necessary or relevant to OpenWrt + WG because the behavior will be the same regardless if the 2 routers have their wans on the same subnet or on totally different and unrelated subnets across the world.

Thank you so much for your help. I will testing it and provide you with feedback as soon as possible.

Thank you very much. I was indeed overcomplicating things, because my entire topology is a little complex.

Following your advice, The WAN ports of these two OpenWrt are directly connected. I completed the testing and everything seems to be fine. Initially, when WG was not started, the ping test failed. However, after activating WG and retesting, it was successful.

111928×1369 163 KB

221900×590 57.7 KB

I have a few small questions:

1. As shown below, on Router1: I can ping the physical LAN interface (192.168.2.1) of Route2. It seems that WireGuard is not necessary, because I don't see the second hop address 10.9.8.2. However, when pinging a testing PC, such as 192.168.2.20, it seems to go through WireGuard because I can see that its second hop is 10.9.8.2.

>tracert 192.168.2.1
  1    <1 ms    <1 ms    <1 ms  OpenWrt_A_LocalSide.lan [192.168.1.1]
  2    <1 ms    <1 ms    <1 ms  192.168.2.1


>tracert 192.168.2.20
  1    <1 ms    <1 ms    <1 ms  OpenWrt_A_LocalSide.lan [192.168.1.1]
  2     1 ms     1 ms     1 ms  10.9.8.2
  3     1 ms     1 ms     1 ms  LOANERLAPTOP-SC [192.168.2.20]

2. At the beginning, I created a traffic rule as shown below and tested that everything was working fine. However, when I deleted this traffic rule, WireGuard VPN still seemed to be working because I could still ping each other.
   

   

   21779×1106 64.5 KB

3. I tried to ping from Router 1 and captured the packets on Router 2, but did not find any WireGuard packets.
   

   

   43599×722 393 KB

Router 1's configuration

# wg
interface: wg0
  public key: JcZsifvDI9RyKT0AWeK7A0+AVYJhjFc81O1ZHj0DDng=
  private key: (hidden)
  listening port: 51820

peer: 0Mjp6LkFoUGx4OFECV71MKqyeJOtbgHnTCQZXxOe8Sw=
  endpoint: 192.168.0.2:51820
  allowed ips: 10.9.8.2/32, 192.168.2.0/24
  latest handshake: 42 seconds ago
  transfer: 4.73 KiB received, 7.05 KiB sent
  persistent keepalive: every 25 seconds

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.2     0.0.0.0         UG    0      0        0 eth1
0.0.0.0         9.9.9.1         0.0.0.0         UG    20     0        0 eth2
9.9.9.0         0.0.0.0         255.255.255.0   U     20     0        0 eth2
10.9.8.0        0.0.0.0         255.255.255.0   U     0      0        0 wg0
10.9.8.2        0.0.0.0         255.255.255.255 UH    0      0        0 wg0
10.10.10.0      0.0.0.0         255.255.255.0   U     0      0        0 eth3
192.168.0.0     0.0.0.0         255.255.255.0   U     10     0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 wg0

# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP qlen 1000
    link/ether 00:90:27:e7:17:01 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:90:27:e7:17:02 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.1/24 brd 192.168.0.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::290:27ff:fee7:1702/64 scope link 
       valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:90:27:e7:17:03 brd ff:ff:ff:ff:ff:ff
    inet 9.9.9.8/24 brd 9.9.9.255 scope global eth2
       valid_lft forever preferred_lft forever
    inet6 fe80::290:27ff:fee7:1703/64 scope link 
       valid_lft forever preferred_lft forever
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:90:27:e7:17:04 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.8/24 brd 10.10.10.255 scope global eth3
       valid_lft forever preferred_lft forever
    inet6 fe80::290:27ff:fee7:1704/64 scope link 
       valid_lft forever preferred_lft forever
6: eth4: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq master br-lan state DOWN qlen 1000
    link/ether 00:90:27:e7:17:05 brd ff:ff:ff:ff:ff:ff
7: eth5: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 00:90:27:e7:17:06 brd ff:ff:ff:ff:ff:ff
19: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 00:90:27:e7:17:01 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fda6:e011:5fa9::1/60 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fe80::290:27ff:fee7:1701/64 scope link 
       valid_lft forever preferred_lft forever
28: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN qlen 1000
    link/[65534] 
    inet 10.9.8.1/24 brd 10.9.8.255 scope global wg0
       valid_lft forever preferred_lft forever

# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fda6:e011:5fa9::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        list ports 'eth4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth1'
        option proto 'static'
        option netmask '255.255.255.0'
        option metric '10'
        option ipaddr '192.168.0.1'

config interface 'wanb'
        option proto 'static'
        option device 'eth2'
        option ipaddr '9.9.9.8'
        option netmask '255.255.255.0'
        option gateway '9.9.9.1'
        option metric '20'

config interface 'lanb'
        option proto 'static'
        option device 'eth3'
        option ipaddr '10.10.10.8'
        option netmask '255.255.255.0'
        option gateway '8.8.8.1'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'GGv/4oUSIBdkUpt6231o/QObwtZ4Rpio9Kbh/Mm/c38='
        option listen_port '51820'
        option defaultroute '0'
        list addresses '10.9.8.1/24'

config wireguard_wg0
        option public_key '0Mjp6LkFoUGx4OFECV71MKqyeJOtbgHnTCQZXxOe8Sw='
        option route_allowed_ips '1'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        list allowed_ips '10.9.8.2/32'
        list allowed_ips '192.168.2.0/24'
        option endpoint_host '192.168.0.2'

config device
        option name 'eth3'
        option acceptlocal '1'

**********************************
cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'lanb'
        list network 'wg0'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option mtu_fix '1'
        option masq '1'
        option input 'REJECT'
        option forward 'REJECT'
        list network 'wan'
        list network 'wanb'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
        
        

Router 2's configuration

# wg
interface: wg0
  public key: 0Mjp6LkFoUGx4OFECV71MKqyeJOtbgHnTCQZXxOe8Sw=
  private key: (hidden)
  listening port: 51820

peer: JcZsifvDI9RyKT0AWeK7A0+AVYJhjFc81O1ZHj0DDng=
  endpoint: 192.168.0.1:51820
  allowed ips: 10.9.8.1/32, 192.168.1.0/24
  latest handshake: 1 minute, 37 seconds ago
  transfer: 6.91 KiB received, 1.89 KiB sent

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth1
6.6.6.0         0.0.0.0         255.255.255.0   U     0      0        0 eth2
10.9.8.1        0.0.0.0         255.255.255.255 UH    0      0        0 wg0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 wg0
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan

# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP qlen 1000
    link/ether 00:f1:f3:1f:da:24 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:f1:f3:1f:da:25 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.2/24 brd 192.168.0.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::2f1:f3ff:fe1f:da25/64 scope link
       valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:f1:f3:1f:da:26 brd ff:ff:ff:ff:ff:ff
    inet 6.6.6.8/24 brd 6.6.6.255 scope global eth2
       valid_lft forever preferred_lft forever
    inet6 fe80::2f1:f3ff:fe1f:da26/64 scope link
       valid_lft forever preferred_lft forever
5: eth3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 00:f1:f3:1f:da:27 brd ff:ff:ff:ff:ff:ff
6: eth4: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 00:f1:f3:1f:da:28 brd ff:ff:ff:ff:ff:ff
7: eth5: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 00:f1:f3:1f:da:29 brd ff:ff:ff:ff:ff:ff
9: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 00:f1:f3:1f:da:24 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.1/24 brd 192.168.2.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fd15:619b:2d98::1/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::2f1:f3ff:fe1f:da24/64 scope link
       valid_lft forever preferred_lft forever
14: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN qlen 1000
    link/[65534]
    inet 10.9.8.2/32 brd 255.255.255.255 scope global wg0
       valid_lft forever preferred_lft forever

# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd15:619b:2d98::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.2.1'

config interface 'wan'
        option device 'eth1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.0.2'

config interface 'lanb'
        option proto 'static'
        option device 'eth2'
        option ipaddr '6.6.6.8'
        option netmask '255.255.255.0'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'YEtZJtUPjmzEYa80tMbVSZdPWG7gge92ZnU2kpkd7WQ='
        option listen_port '51820'
        list addresses '10.9.8.2/32'

config wireguard_wg0
        option public_key 'JcZsifvDI9RyKT0AWeK7A0+AVYJhjFc81O1ZHj0DDng='
        list allowed_ips '10.9.8.1/32'
        list allowed_ips '192.168.1.0/24'
        option route_allowed_ips '1'
        option endpoint_host '192.168.0.1'
        option endpoint_port '51820'

**********************************
# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'lanb'
        list network 'wg0'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

This is because you've got the wg0 network associated with the lan zone which has input = accept. Basically, the router itself recognizes that 192.168.2.1 belongs to itself, so it can reply directly without having to do any routing.

WG is most certainly necessary -- if you stop the WG interface, you will not be able to ping the router's lan address from the other router.

The traffic rule is necessary on the router that is 'listening' for an inbound connection. It is not necessary for the other router (which is initiating the connection).

Were you capturing UDP packets on the wan? You'll only see WG packets passing between the two wan ports.

After deleting the traffic rules, I even restarted /etc/init.d/firewall, but both sides can still ping each other. As for packet capture, I was on Router1 and pinged Router2. On Router2, to capture the all inbound packets, I used the command "tcpdump -w /etc/keepalived/capture_all.cap".

I think maybe these are not problems, but rather my testing method is incorrect. I will test again.

Did you stop and try to restart the WG connection after deleting the traffic rules?

no，perhaps this is the reason. I will test again，Thanks!!

Hi Psherman,

Today, I've done more testing, but things still seem strange. I did restart the WG connection on both side, but I still can't capture WireGuard packets, and it works even without traffic rule.

The Post is getting too long, I am trying to create a new post to explain the problem in more detail since this one is getting lengthy

I'm not an expert on this part, so I can't help here... but...

This shouldn't be the case. We should review the latest configs (just the network and firewall files) on each device.

Let's keep things in this thread. Creating another thread will only make things more confusing and may end up bifurcating the conversation and solutions.

Thanks a lot, I just saw your reply. I can put the new post (Unable to capture WireGuard packets) in this thread.

new top11585×568 101 KB

As shown in the topology diagram, the following is my configuration on OpenWrt. WireGuard seems to work normally, but no traffic rules are configured, and WireGuard packets cannot be captured.

11980×802 99.2 KB

22115×384 43 KB

51761×1536 122 KB

61634×1756 177 KB

For example, on PC1 ：
I can ping/trace 192.168.2.20 (PC2) as shown below. Once I typed "ifdown wg0", I cannot ping/trace it anymore. This seems to prove that the WireGuard tunnel is working.

>tracert 192.168.2.20
  1     1 ms     *        *     OpenWrt_A_LocalSide.lan [192.168.1.1]
  2     1 ms     1 ms     1 ms  10.9.8.2
  3     2 ms     1 ms     2 ms  LOANERLAPTOP-SC [192.168.2.20]

At this point, there are only icmp packet , no WireGuard packets on its peer (OpenWrt 2)

cap on router23681×888 363 KB

After ’ifdown wg0‘

>tracert 192.168.2.20
  1     *        *     OpenWrt_A_LocalSide.lan [192.168.1.1]  reports: Destination net unreachable.

Openwrt 1's info.

# wg
interface: wg0
  public key: JcZsifvDI9RyKT0AWeK7A0+AVYJhjFc81O1ZHj0DDng=
  private key: (hidden)
  listening port: 51820

peer: 0Mjp6LkFoUGx4OFECV71MKqyeJOtbgHnTCQZXxOe8Sw=
  endpoint: 192.168.0.2:51820
  allowed ips: 10.9.8.2/32, 192.168.2.0/24
  latest handshake: 33 seconds ago
  transfer: 197.39 KiB received, 168.29 KiB sent
  persistent keepalive: every 25 seconds



# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.9.8.0        0.0.0.0         255.255.255.0   U     0      0        0 wg0
10.9.8.2        0.0.0.0         255.255.255.255 UH    0      0        0 wg0
192.168.0.0     0.0.0.0         255.255.255.0   U     10     0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 wg0

# ip route get 192.168.2.20
      192.168.2.20 dev wg0  src 10.9.8.1 

# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP qlen 1000
    link/ether 00:90:27:e7:17:01 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:90:27:e7:17:02 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.1/24 brd 192.168.0.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::290:27ff:fee7:1702/64 scope link 
       valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc mq state DOWN qlen 1000
    link/ether 00:90:27:e7:17:03 brd ff:ff:ff:ff:ff:ff
5: eth3: <BROADCAST,MULTICAST> mtu 1500 qdisc mq state DOWN qlen 1000
    link/ether 00:90:27:e7:17:04 brd ff:ff:ff:ff:ff:ff
6: eth4: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq master br-lan state DOWN qlen 1000
    link/ether 00:90:27:e7:17:05 brd ff:ff:ff:ff:ff:ff
7: eth5: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 00:90:27:e7:17:06 brd ff:ff:ff:ff:ff:ff
43: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 00:90:27:e7:17:01 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fda6:e011:5fa9::1/60 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fe80::290:27ff:fee7:1701/64 scope link 
       valid_lft forever preferred_lft forever
47: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN qlen 1000
    link/[65534] 
    inet 10.9.8.1/24 brd 10.9.8.255 scope global wg0
       valid_lft forever preferred_lft forever

Openwrt 2's info.

# wg
interface: wg0
  public key: 0Mjp6LkFoUGx4OFECV71MKqyeJOtbgHnTCQZXxOe8Sw=
  private key: (hidden)
  listening port: 51820

peer: JcZsifvDI9RyKT0AWeK7A0+AVYJhjFc81O1ZHj0DDng=
  endpoint: 192.168.0.1:51820
  allowed ips: 10.9.8.1/32, 192.168.1.0/24
  latest handshake: 8 seconds ago
  transfer: 119.45 KiB received, 163.67 KiB sent
  


 

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth1
10.9.8.1        0.0.0.0         255.255.255.255 UH    0      0        0 wg0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 wg0
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan

# ip route get 192.168.1.20
         192.168.1.20 dev wg0  src 10.9.8.2


# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP qlen 1000
    link/ether 00:f1:f3:1f:da:24 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:f1:f3:1f:da:25 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.2/24 brd 192.168.0.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::2f1:f3ff:fe1f:da25/64 scope link 
       valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc mq state DOWN qlen 1000
    link/ether 00:f1:f3:1f:da:26 brd ff:ff:ff:ff:ff:ff
5: eth3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 00:f1:f3:1f:da:27 brd ff:ff:ff:ff:ff:ff
6: eth4: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 00:f1:f3:1f:da:28 brd ff:ff:ff:ff:ff:ff
7: eth5: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 00:f1:f3:1f:da:29 brd ff:ff:ff:ff:ff:ff
21: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 00:f1:f3:1f:da:24 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.1/24 brd 192.168.2.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fd15:619b:2d98::1/60 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fe80::2f1:f3ff:fe1f:da24/64 scope link 
       valid_lft forever preferred_lft forever
27: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN qlen 1000
    link/[65534] 
    inet 10.9.8.2/32 brd 255.255.255.255 scope global wg0
       valid_lft forever preferred_lft forever

Openwrt 1's Configuratin

# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fda6:e011:5fa9::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        list ports 'eth4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth1'
        option proto 'static'
        option netmask '255.255.255.0'
        option metric '10'
        option ipaddr '192.168.0.1'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'GGv/4oUSIBdkUpt6231o/QObwtZ4Rpio9Kbh/Mm/c38='
        option listen_port '51820'
        option defaultroute '0'
        list addresses '10.9.8.1/24'

config wireguard_wg0
        option public_key '0Mjp6LkFoUGx4OFECV71MKqyeJOtbgHnTCQZXxOe8Sw='
        option route_allowed_ips '1'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        list allowed_ips '10.9.8.2/32'
        list allowed_ips '192.168.2.0/24'
        option endpoint_host '192.168.0.2'

config device
        option name 'eth3'
        option acceptlocal '1'


******************************
# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wg0'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option mtu_fix '1'
        option masq '1'
        option input 'REJECT'
        option forward 'REJECT'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

Openwrt 2's Configuratin

# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd15:619b:2d98::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.2.1'

config interface 'wan'
        option device 'eth1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.0.2'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'YEtZJtUPjmzEYa80tMbVSZdPWG7gge92ZnU2kpkd7WQ='
        option listen_port '51820'
        list addresses '10.9.8.2/32'

config wireguard_wg0
        option public_key 'JcZsifvDI9RyKT0AWeK7A0+AVYJhjFc81O1ZHj0DDng='
        list allowed_ips '10.9.8.1/32'
        list allowed_ips '192.168.1.0/24'
        option route_allowed_ips '1'
        option endpoint_host '192.168.0.1'
        option endpoint_port '51820'

******************************
# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wg0'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

Someone gave me an idea,

Just a thought but traffic from router 2 to router 1 is always possible even without WG.

So maybe this is a case of asymmetric routing e.g. packets come in via a different interface then they are going out?

OpenWRT does not block INVALID packets by default, I think, so this is allowed.

I think it is, but each of my OpenWrt devices has only one WAN for WireGuard and only one LAN for connecting to PCs. It seems unlikely that asymmetric routing would occur.

You need at least one firewall rule: allow input of UDP 51820 on one of the routers wan to allow encrypted Wireguard packets in.

The encrypted packets only exist on the wan interfaces, should you want to sniff them. Inside each router the wg0 interface will carry unencrypted packets from 192.168.1.X to 192.168.2.Y as if a direct connection exists, which is the operating principle of a VPN.

Good news, I found out that if I add an extra "-i eth1" option, where eth1 is the WAN interface. For example, if I run "tcpdump -i eth1 -w /etc/keepalived/29.cap", I will be able to capture WireGuard packets. However, if I run "tcpdump -w /etc/keepalived/30.cap", I won't be able to capture WireGuard packets.

It's still unclear to me why WireGuard is able to work without any traffic rules configured on both ends.

I guess since you have endpoint_host set on both sides, and are using the same port on both sides, this outgoing traffic punches a hole in the firewalls.

image1380×494 93 KB

Just based on my above testing, it appears that there is no need to set up specific traffic rules on both sides to allow inbound WireGuard traffic on the WAN port. Even if the WAN zone is set to input:reject, the WAN port can still receives WireGuard traffic.

image1380×428 57.6 KB

Your meaning is that if there is outbound traffic going out of the WAN port, then within a limited time(within 30 seconds), the inbound traffic can pass through?

That is because the incoming packets are treated as a response to outgoing ones: same IP and port that is configured as endpoint_host. When an endpoint_host and port is configured, the Wireguard peer config instance will attempt to initiate a connection.'

Yes that is how a stateful firewall works. For example if you go to a website on port 443, the website will reply to you from port 443, and that packet will be allowed in.