Help regarding cloudflare warp wireguard vpn

I get the following errors:

Mon Nov 28 22:13:23 2022 daemon.notice netifd: Interface 'cf' is setting up now
Mon Nov 28 22:13:24 2022 daemon.notice netifd: Interface 'cf' is now up
Mon Nov 28 22:13:24 2022 daemon.notice netifd: Network device 'cf' link is up
Mon Nov 28 22:13:25 2022 daemon.warn odhcpd[1966]: A default route is present but there is no public prefix on lan thus we don't announce a default route!
Mon Nov 28 22:13:27 2022 daemon.notice miniupnpd[4829]: shutting down MiniUPnPd
Mon Nov 28 22:13:28 2022 daemon.notice miniupnpd[9160]: HTTP listening on port 5000
Mon Nov 28 22:13:28 2022 daemon.notice miniupnpd[9160]: HTTP IPv6 address given to control points : [fd26:430d:1a72::1]
Mon Nov 28 22:13:28 2022 daemon.notice miniupnpd[9160]: Listening for NAT-PMP/PCP traffic on port 5351
Mon Nov 28 22:13:28 2022 user.notice firewall: Reloading firewall due to ifup of cf (cf)
Mon Nov 28 22:13:31 2022 daemon.notice miniupnpd[9160]: shutting down MiniUPnPd
Mon Nov 28 22:13:31 2022 daemon.notice miniupnpd[9271]: HTTP listening on port 5000
Mon Nov 28 22:13:31 2022 daemon.notice miniupnpd[9271]: HTTP IPv6 address given to control points : [fd26:430d:1a72::1]
Mon Nov 28 22:13:31 2022 daemon.notice miniupnpd[9271]: Listening for NAT-PMP/PCP traffic on port 5351

Section @rule[9] (Support-UDP-Traceroute) is disabled, ignoring section
Section @rule[10] specifies unknown option 'ac_enabled'
Section @rule[10] specifies unknown option 'ac_suspend'
Section @rule[10] is disabled, ignoring section
Section @include[0] is not marked as compatible with fw4, ignoring section
Section @include[0] requires 'option fw4_compatible 1' to be considered compatible
Section mia option 'reload' is not supported by fw4
Section mia specifies unreachable path '/etc/mia.include', ignoring section
Automatically including '/usr/share/nftables.d/table-post/20-miniupnpd.nft'
Automatically including '/usr/share/nftables.d/chain-post/dstnat/20-miniupnpd.nft'
Automatically including '/usr/share/nftables.d/chain-post/forward/20-miniupnpd.nft'
Automatically including '/usr/share/nftables.d/chain-post/srcnat/20-miniupnpd.nft'

Here is my present config:

Network:


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fd26:430d:1a72::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'pppoe'
	option username 'redacted'
	option ipv6 'auto'
	option type 'bridge'
	option password 'Redacted'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option type 'bridge'

config interface 'cf'
	option proto 'wireguard'
	option mtu '1280'
	list addresses '172.16.0.2/32'
	option private_key '+EunFibGK0=(redacted)'
	option auto '0'

config wireguard_cf 'cfpeer'
	option public_key 'bmXOC+UguH/lol=(redacted)'
	option endpoint_host 'engage.cloudflareclient.com'
	option endpoint_port '2408'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'

Firewall:


config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	list network 'lte'
	list network 'cf'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

config rule
	option ac_enabled '1'
	option src '*'
	option dest 'wan'
	option proto '0'
	option target 'REJECT'
	option src_mac '10:82:D7:9D:FC:7F'
	option ac_suspend '1665048555'
	option enabled '0'
	option start_time '03:19:00'
	option stop_time '03:50:00'

config include 'mia'
	option type 'script'
	option path '/etc/mia.include'
	option reload '1'

config redirect 'adblock_lan53'
	option name 'Adblock DNS (lan, 53)'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'

config redirect 'adblock_lan853'
	option name 'Adblock DNS (lan, 853)'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '853'
	option dest_port '853'
	option target 'DNAT'

config redirect 'adblock_lan5353'
	option name 'Adblock DNS (lan, 5353)'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '5353'
	option dest_port '5353'
	option target 'DNAT'

config redirect 'adblock_wan53'
	option name 'Adblock DNS (wan, 53)'
	option src 'wan'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'

config redirect 'adblock_wan853'
	option name 'Adblock DNS (wan, 853)'
	option src 'wan'
	option proto 'tcp udp'
	option src_dport '853'
	option dest_port '853'
	option target 'DNAT'

config redirect 'adblock_wan5353'
	option name 'Adblock DNS (wan, 5353)'
	option src 'wan'
	option proto 'tcp udp'
	option src_dport '5353'
	option dest_port '5353'
	option target 'DNAT'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'

My default connection without WireGuard was PPPoE IPv4.

root@router:~# wg show
interface: cf
  public key: (redacted)
  private key: (hidden)
  listening port: 57352
peer: (redacted)
  endpoint: 162.159.192.1:2408
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 16 seconds ago
  transfer: 3.32 KiB received, 217.35 KiB sent
  persistent keepalive: every 25 seconds

The errors above appear to be different issues.

Can you check your routes after bringing up cf?

Share the output of this:

route -n 
ip r
curl --interface cf https://ipinfo.io

Should resolve to a Cloudflare address.

{
  "ip": "<<ip>>",
...
  "org": "AS13335 Cloudflare, Inc.",
...
}
root@router:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 cf
10.90.8.1       0.0.0.0         255.255.255.255 UH    0      0        0 pppoe-wan
162.159.192.1   10.90.8.1       255.255.255.255 UGH   0      0        0 pppoe-wan
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan
root@router:~# ip r
default dev cf scope link
10.90.8.1 dev pppoe-wan scope link  src 10.90.8.251
162.159.192.1 via 10.90.8.1 dev pppoe-wan
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1
root@router:~# curl --interface cf https://ipinfo.io
curl: (6) Could not resolve host: ipinfo.io

FYI:

I am using adblock on my router.

And there is currently a bug with luci-app-wireguard.


I also set up an interface with the account generated by wgcf. Works here.

There's traffic.

  • You're not using a QR code (you used wgcf) - how is your comment related to your issue?
  • Not necessarily a bug; the QR code and what's expected has been a discussion since it was created - see: luci-app-wireguard QR Code shows Private Key

Does it block Cloudflare?

I suspended the adblock process and tested; it's the same from the router. Warp isn't blocked in my country: I connected manually using the Warp VPN from my phone and it works fine there.

Do you have any social media where I could send you the Warp credentials for further testing?

You could Direct Message me here.

But why?

I am able to generate and use credentials successfully from wgcf.

root@OpenWrt:~# curl --interface cf https://ipinfo.io
{
  "ip": "104.28.240.82",
  "city": "Dhaka",
  "region": "Dhaka",
  "country": "BD",
  "loc": "23.7104,90.4074",
  "org": "AS13335 Cloudflare, Inc.",
  "postal": "1000",
  "timezone": "Asia/Dhaka",
  "readme": "https://ipinfo.io/missingauth"
}

Works now but doesn't route to my phone

(That is not a direct/private message)

Btw, I had to fix this connection error: I tried manual DNS 1.1.1.1, and after some tries it works accordingly.

It works now but doesn't route to my phone; help me with this.

Not sure what that means. I thought this was set up on the OpenWrt.

I want it to route this warp vpn through all the devices connected to the router

Try: https://cloudflare.com/cdn-cgi/trace

I do this:

# in /etc/config/network

config route
        option interface 'foo_warp1'
        option target '0.0.0.0/0'
        option table '1'

config rule
        option src '192.168.1.0/24'
        option dest '0.0.0.0/0'
        # order in IP rules
        option priority '1'
        # table assigned
        option lookup '1'

Some use a PBR package.

(Note: if you want to name the table, it requires extra config.)
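Added example (mine, not from the thread): a POSIX shell helper that applies the table-1 route and LAN rule from the reply above via `uci`, plus a pure-text check you can run over the `ip rule` / `ip route` output to confirm LAN traffic is steered into the tunnel while the WARP endpoint still leaves via the WAN (if the endpoint itself were routed into the tunnel, the tunnel would carry its own packets and stall). It assumes the interface is named `cf` and the LAN is 192.168.1.0/24 as in the original post; the section names `warp_route` and `warp_rule` are my own choice.

```shell
#!/bin/sh
# Assumptions (constructed for this example): WireGuard interface 'cf',
# LAN 192.168.1.0/24, routing table 1 as in the reply above.
WG_IF="cf"
LAN_NET="192.168.1.0/24"
TABLE="1"

# Apply the policy routing: default route in table 1 via the tunnel, and an
# ip rule sending LAN-sourced traffic to that table. Run on the router.
apply_pbr() {
  uci -q delete network.warp_route
  uci set network.warp_route=route
  uci set network.warp_route.interface="$WG_IF"
  uci set network.warp_route.target='0.0.0.0/0'
  uci set network.warp_route.table="$TABLE"
  uci -q delete network.warp_rule
  uci set network.warp_rule=rule
  uci set network.warp_rule.src="$LAN_NET"
  uci set network.warp_rule.dest='0.0.0.0/0'
  uci set network.warp_rule.priority='1'
  uci set network.warp_rule.lookup="$TABLE"
  uci commit network
  /etc/init.d/network reload
}

# Verify from captured text so it can be tested offline:
#   $1 = output of `ip rule`
#   $2 = output of `ip route show table $TABLE`
#   $3 = output of `ip route` (main table)
#   $4 = WireGuard endpoint IP (162.159.192.1 in the thread)
# Returns 1 if the LAN rule is missing, 2 if the table lacks a default via
# the tunnel, 3 if the endpoint has no host route that avoids the tunnel.
check_pbr() {
  rules="$1"; table="$2"; main="$3"; endpoint="$4"
  printf '%s\n' "$rules" | grep -q "from $LAN_NET lookup $TABLE" || return 1
  printf '%s\n' "$table" | grep -q "^default .*dev $WG_IF" || return 2
  printf '%s\n' "$main" | grep "^$endpoint " | grep -vq "dev $WG_IF" || return 3
  return 0
}

# On the router: apply_pbr, then
#   check_pbr "$(ip rule)" "$(ip route show table 1)" "$(ip route)" 162.159.192.1
```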


Reconfigure your wg with these steps:

Duh, I gained the necessary configurations and got my WireGuard working, but I have a task remaining: I want all the devices connected to my router to be routed via the WireGuard VPN on my router.