Forwarding wireguard traffic over openwrt

I have an issue where my newly set up openwrt router is seemingly not letting any wireguard traffic through between my AT&T gateway and my server. I had a ddwrt router where I had perfectly flowing vpn traffic, causing me to think this is an openwrt issue, or I am ignorant of details of the openwrt firewall system. All general traffic works on openwrt, and all my websites on the server work on the local network.

My hardware setup (ordered first to last from WAN to LAN):

  1. AT&T Humax gateway (stock firmware)
  2. Dynalink DL-WRX36 hosting openwrt
  3. Dell T610 (on same subnet as all other LAN devices besides guest network)

Software info:

  • The wireguard server is on the T610, running on a Docker Portainer stack. This system is independent of router MAC numbers to my knowledge. This is hosted on a CentOS Linux environment, and is running on standard port 51820.
  • The Humax gateway is acting as a passthrough. I already changed the destination MAC address to match the new router.
  • The DL-WRX36 was successfully flashed with 24.10.0 RC2 openwrt.

I tried to do a simple port forward on 51820 going to my server's IP address, but I can't even get a handshake to go through. I enabled NAT loopback to allow VPN traffic to work on the LAN side; that's not working either. I'd appreciate any help with this please, thank you.

Firewall rules as follows:

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        option masq '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'guestlan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'guestlan'

config forwarding
        option src 'guestlan'
        option dest 'wan'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'wireguard'
        list proto 'udp'
        option src 'wan'
        option src_dport '51820'
        option dest_ip '192.168.0.2'
        option dest_port '51820'

Hi

Try without the SRC port.

Sorry, how would vpn traffic on WAN port 51820 know to route to the server if I remove the source port? LuCI won't even accept a blank external port. Thank you

So the only thing the router has to do is forward traffic to your WG server, which runs on your Dell?
If so, the forwarding rules look OK.
Try to connect from outside and after that check if your rules are hit, from the command line: nft list chain inet fw4 dstnat_wan

If they are, you know you can connect from outside and the traffic is sent to your Dell.

Hey, the vpn forward works now. I think what happened is I changed the Humax modem to go to my router as the last attempt (the passthrough to the old router MAC worked for all general traffic... makes no sense, but okay) and it had to incorporate that after a period of time after a restart. Unfortunately I don't know the root cause of my issue at the time now; it was a day or so since attempting this issue again.

I tried your command and it does report the WG packets going through. Sorry for the anticlimactic result, but thanks for helping out.


Source port is the port coming FROM the internet.
You will never know which SRC port the other side uses to originate traffic.
DST port is the port which the other side wants to connect to with you;
it is your side of the connection.
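
A way to check a pasted redirect offline before touching the router, as an added example that is not part of this thread and not OpenWrt's or fw4's own tooling: the script below parses the UCI firewall text format from the first post (single-quoted values, as LuCI writes them), maps the three port fields of a redirect to what each one actually matches, which is the distinction the last reply makes between the client's source port (`src_port`, unpredictable, normally unset), the port the router listens on toward the internet (`src_dport`, the "external port" in LuCI) and the internal server port (`dest_port`), and reports anything that would stop the forward from working. `SAMPLE_CONFIG` is constructed from the zones and the wireguard redirect in the first post; the function names are my own.

```python
"""Offline checker for an OpenWrt /etc/config/firewall DNAT redirect (added example)."""
import re
from typing import Dict, List, Optional

# Constructed sample: the zones and the wireguard redirect from the thread's first post.
SAMPLE_CONFIG = """
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        list network 'wan'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'wireguard'
        list proto 'udp'
        option src 'wan'
        option src_dport '51820'
        option dest_ip '192.168.0.2'
        option dest_port '51820'
"""

# One UCI line: keyword, key, optional single-quoted value (the form LuCI writes).
_LINE = re.compile(r"^(config|option|list)\s+(\S+)(?:\s+'([^']*)')?$")


def parse_uci(text: str) -> List[dict]:
    """Parse UCI text into sections of the form {type, name, options, lists}."""
    sections: List[dict] = []
    cur: Optional[dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparsable UCI line: {raw!r}")
        kind, key, value = m.groups()
        if kind == "config":
            cur = {"type": key, "name": value, "options": {}, "lists": {}}
            sections.append(cur)
        elif cur is None:
            raise ValueError(f"{kind} before any 'config' section: {raw!r}")
        elif kind == "option":
            cur["options"][key] = value
        else:  # 'list' entries with the same key accumulate
            cur["lists"].setdefault(key, []).append(value)
    return sections


def port_roles(redirect: dict) -> Dict[str, Optional[str]]:
    """Map a redirect's three port fields to the side of the connection each one matches."""
    o = redirect["options"]
    return {
        "client_source_port": o.get("src_port"),   # the peer's ephemeral port; unpredictable
        "router_wan_port": o.get("src_dport"),     # port the router accepts on its WAN side
        "server_port": o.get("dest_port"),         # port the internal server listens on
    }


def check_redirect(sections: List[dict], wan_port: str, proto: str = "udp") -> List[str]:
    """Return findings for redirects listening on wan_port; an empty list means it looks right."""
    zones = {s["options"].get("name") for s in sections if s["type"] == "zone"}
    matches = [s for s in sections
               if s["type"] == "redirect" and s["options"].get("src_dport") == wan_port]
    if not matches:
        return [f"no redirect listens on WAN port {wan_port}"]
    findings: List[str] = []
    for r in matches:
        o, lists = r["options"], r["lists"]
        label = o.get("name", "<unnamed>")
        # proto may be given as 'list proto' entries or as one space-separated option
        protos = [p for entry in lists.get("proto", []) + [o.get("proto", "")] for p in entry.split()]
        if o.get("target", "DNAT") != "DNAT":
            findings.append(f"{label}: target is {o['target']}, an inbound forward needs DNAT")
        if o.get("src") not in zones:
            findings.append(f"{label}: src zone {o.get('src')!r} is not a defined zone")
        if o.get("dest") not in zones:
            findings.append(f"{label}: dest zone {o.get('dest')!r} is not a defined zone")
        if proto not in protos and "tcpudp" not in protos and "all" not in protos:
            findings.append(f"{label}: proto {protos} does not cover {proto}")
        if not o.get("dest_ip"):
            findings.append(f"{label}: dest_ip is missing, nothing to forward to")
        if o.get("src_port"):
            findings.append(f"{label}: src_port={o['src_port']} matches the client's source "
                            "port, which you cannot predict; leave it unset")
    return findings


if __name__ == "__main__":
    cfg = parse_uci(SAMPLE_CONFIG)
    print(port_roles([s for s in cfg if s["type"] == "redirect"][0]))
    print(check_redirect(cfg, "51820") or "redirect looks fine")
```

Run it against a copy of your own `/etc/config/firewall` by reading the file into `parse_uci` instead of `SAMPLE_CONFIG`; an empty findings list only says the rule is well formed, so the `nft list chain inet fw4 dstnat_wan` check from the earlier reply is still the way to confirm packets actually hit it.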
