Help! Adding a wireguard subnet crashes OpenWRT!

I've been following a few tutorials for WireGuard and ran into a problem I'd like some help with. I have WG working and I can tunnel in via cellular and see my OpenWRT router at 192.168.1.1. WG is in the LAN zone and here are the details.

  • WG0
    • 10.10.1.0/32
  • WG Peer
    • 10.10.1.2/32
  • Mobile Peer
    • 10.10.1.2/32

The issue is I cannot see other devices on the 192.168.1.X network. After reading, I tried a setting that was suggested to add 192.168.1.0/24 to the WG Peer to solve the issue. However, when I add this line it locks up OpenWRT UI and reboots do not bring it back. I have to reset the router, get to the green (default) login, and upload a config file to get back in.

  1. Why does adding this setting lock up the entire system?
  2. How am I supposed to access the other devices on 192.168.1.x?
  3. I read about adding a static route for the two networks, but found no good docs showing how that is done.
  4. Is there an easier way to recover from this type of crash? Can I somehow get access to the shell and remove the offending config?

Running OpenWRT 23.05 Hnyman on an R7800

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall

Also.... these are invalid:

Your wg0 interface should typically be a /24, and you must not use the .0 address because that is the network address -- it cannot be used for a host.
Your two peers are then using the same address causing yet another conflict.
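The three address problems discussed in this thread (a WireGuard interface sitting on the network address, two peers sharing an address, and a LAN prefix added to a peer's allowed_ips while route_allowed_ips is set, which makes OpenWrt install a route for that prefix via the tunnel) can be caught before the config is applied. The following is an added example, not code from the thread or from OpenWrt; it uses a constructed UCI snippet modelled on the first post's layout and a minimal parser written for this example:

```python
import ipaddress
import re
# Constructed sample (UCI syntax): wg0 on the .0 address, two peers sharing an address, LAN prefix in allowed_ips
SAMPLE = """
config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
config interface 'wg0'
        option proto 'wireguard'
        list addresses '10.10.1.0/24'
config wireguard_wg0
        option description 'iphone'
        option route_allowed_ips '1'
        list allowed_ips '10.10.1.2/32'
        list allowed_ips '192.168.1.0/24'
config wireguard_wg0
        option description 'laptop'
        list allowed_ips '10.10.1.2/32'
"""
def parse_uci(text):
    sections = []  # (section type, section name or None, {key: [values]})
    for line in text.splitlines():
        if m := re.match(r"\s*config\s+(\S+)(?:\s+'([^']*)')?", line):
            sections.append((m.group(1), m.group(2), {}))
        elif sections and (m := re.match(r"\s*(?:option|list)\s+(\S+)\s+'([^']*)'", line)):
            sections[-1][2].setdefault(m.group(1), []).append(m.group(2))
    return sections

def lint_wireguard(text):
    findings, seen, lans = [], {}, []  # warnings, allowed_ips -> peer, LAN subnets
    for typ, name, o in parse_uci(text):
        if typ == "interface" and o.get("proto") == ["static"]:
            lans.append(ipaddress.ip_interface(f"{o['ipaddr'][0]}/{o['netmask'][0]}").network)
        elif typ == "interface" and o.get("proto") == ["wireguard"]:
            for a in o.get("addresses", []):
                i = ipaddress.ip_interface(a)
                # .0 is the network address on /30 and shorter (RFC 3021 allows it on /31)
                if i.network.prefixlen <= 30 and i.ip == i.network.network_address:
                    findings.append(f"{name}: {a} is the network address, not a host address")
        elif typ.startswith("wireguard_"):
            peer = o.get("description", ["?"])[0]
            for a in o.get("allowed_ips", []):
                if a in seen: findings.append(f"{peer}: allowed_ips {a} is already used by peer {seen[a]}")
                seen.setdefault(a, peer)
                # route_allowed_ips=1 adds a route per prefix via the tunnel, competing with the LAN's own route
                net = ipaddress.ip_network(a, strict=False)
                if o.get("route_allowed_ips") == ["1"] and any(net.overlaps(l) for l in lans):
                    findings.append(f"{peer}: allowed_ips {a} overlaps a LAN subnet and would be routed via the tunnel")
    return findings
```

Running `lint_wireguard` on a real `/etc/config/network` (read from the file) reports the same three classes of problem; an empty list means none of them were found.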

Thanks Pete. I made the following changes. I can connect and get to the router, but no other machines on 192.168.1.X.

  • WG0
    • 10.10.1.1/24
  • WG Peer
    • 10.10.1.2/24
  • Mobile Peer
    • 10.10.1.3/24

BusyBox v1.36.1 (2024-04-20 16:42:26 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 23.05-SNAPSHOT, r23835-9b33b74ef7
 -----------------------------------------------------

(root@OpenWrt)-(15:19)
([~])-(0 files): ubus call system board
{
        "kernel": "5.15.153",
        "hostname": "OpenWrt",
        "system": "ARMv7 Processor rev 0 (v7l)",
        "model": "Netgear Nighthawk X4S R7800",
        "board_name": "netgear,r7800",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05-SNAPSHOT",
                "revision": "r23835-9b33b74ef7",
                "target": "ipq806x/generic",
                "description": "OpenWrt 23.05-SNAPSHOT r23835-9b33b74ef7"
        }
}

(root@OpenWrt)-(15:19)
([~])-(0 files): cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd65:4504:dcb2::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1.1'
        option ipv6 '0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'
        option type 'bridge'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 0t'

config device
        option type 'bridge'
        option name 'br-guest'
        option ipv6 '0'

config interface 'Guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'private_key'
        option listen_port '1234'
        list addresses '10.10.1.1/24'

config wireguard_wg0
        option description 'iphone'
        option public_key 'public_key'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        list allowed_ips '10.10.1.2/24'

([~])-(0 files): cat /etc/config/firewall

config rule
        option name '[IPv6] [ANY] to [DEVICE] - ALL - DROP'
        option family 'ipv6'
        option src '*'
        list proto 'all'
        option target 'DROP'

config rule
        option name '[IPv6] [ANY] to [ANY] - ALL - DROP'
        option family 'ipv6'
        option src '*'
        option dest '*'
        list proto 'all'
        option target 'DROP'

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'lan'
        list network 'wg0'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config zone
        option name 'guest'
        option output 'ACCEPT'
        option input 'REJECT'
        option forward 'REJECT'
        list network 'Guest'

config rule
        option name 'Guest-DHCP'
        list proto 'udp'
        option src 'guest'
        option target 'ACCEPT'
        option family 'ipv4'
        option dest_port '67-68'

config rule
        option name 'Guest-DNS'
        option src 'guest'
        option target 'ACCEPT'
        option dest_port '53'
        list proto 'tcp'
        list proto 'udp'
        option family 'ipv4'

config rule
        option src 'guest'
        option target 'DROP'
        option name 'Guest-Block-All'
        option enabled '0'
        option dest '*'

config redirect 'adguardhome_dns_53'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '53'
        option target 'DNAT'
        option name 'Adguard Home'
        option dest 'lan'
        option dest_port '53'

config redirect 'adguardhome_dns_53_guest'
        option src 'guest'
        option proto 'tcp udp'
        option src_dport '53'
        option target 'DNAT'
        option name 'Adguard Home Guest'
        option dest 'lan'
        option dest_port '53'

config forwarding
        option src 'guest'
        option dest 'wan'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/pbr.firewall.include'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'WireGuard'
        list proto 'udp'
        option src 'wan'
        option src_dport '1234'
        option dest_ip '192.168.1.1'
        option dest_port '1234'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'

config include 'bcp38'
        option type 'script'
        option path '/usr/lib/bcp38/run.sh'

Change the allowed ips to 10.10.1.2/32. Add the route allowed ips option.

Delete the above and make it a traffic rule, not a redirect/port forward.

Let’s see your phone’s configuration and also the output of wg show

If you are using i.e. 192.0.2.0/31 (for instance on a p2p link) then both addresses are perfectly valid.
https://datatracker.ietf.org/doc/html/rfc3021 (Using 31-Bit Prefixes on IPv4 Point-to-Point Links) is old enough to buy booze :wink:


For /30 through /24, the .0 address is invalid, though, and this is not a point-to-point type link. So it's best to avoid the .0 address unless the subnet size is larger than /24.


As you said, on a subnet larger than /24, .0 also becomes a fine address...


wireguard_wg0 is now 10.10.1.2/24. Checkbox for route allowed IPs checked.

wg show
Peer Details
Description: 
Public Key: 
Endpoint: 
Allowed IPs: 10.10.1.1/24
Received Data: 291.17 KiB
Transmitted Data: 3.86 MiB
Latest Handshake: Sat, 04 May 2024 23:55:08 GMT (1m ago)
Keep-Alive: every 25s

//

wireguard ios
name:
public key:
addresses: 10.10.1.3/24
dns servers: 192.168.1.1
-peer
-public key:
-endpoint: 99.192.20.1:1234
-allowed ips: 0.0.0.0/0
-persistent keepalive: 25 seconds

I created a traffic rule as per (Firewall Configuration for Wireguard vpn - #16 by mybox65). How do I delete this section from the GUI? This was generated by the GUI.

--

With the phone set to 10.10.1.3/32, I could not see the router. I changed it to 10.10.1.2/32 and was able to get to the internet as well as the router. I still cannot see other devices on 192.168.1.X

This should be in the port forwards section of the firewall. Delete it there.

Then click on the Rules tab and create a rule that will accept udp port 1234 from the wan zone.

What OS are the hosts on that network? Windows?

Missed this initially:

You can't reach your lan from the wireguard network because you have forward set to REJECT -- change it to ACCEPT and it should work.


Thanks. I am now able to ping everything on the 192.168.1.X network from cellular over Wireguard iOS. However, I had to keep the port forward you said to remove or it would never complete the handshake. Any ideas?

Remove the port forward, then add this:

config rule
        option name 'Allow-WireGuard'
        option src 'wan'
        option dest_port '1234'
        option proto 'udp'
        option target 'ACCEPT'

Reboot your router after that and then test again.


That did the trick. I think I've solved all of the current issues now. On to the next!
