Help with access point + wifi guest + wireguard (VPN)

juan3211 · December 6, 2020, 9:45pm

HI, I am a newbee, but I get managed to use during last year an openwrt router as dumbap to have another wifi in my house.(main router and openwrt router joined by a rj45 cable)

Yesterday I get managed to configure a wireguard server in a virtual machine in google cloud, and my openwrt router as a client. But I CAN'T really use wireguard, as I can't redirect traffic to vpn.

My needs are like the image:

I want to keep my main wifi (wifi MR200), connect my openwrt router by a rj45 lan cable, and in openwrt router two wifis:

normal wifi to connect to it with my laptop, for example.
"domotic" wifi to connect "devices" to it (like tasmota) and , through wireguard, connect them with vpn as they are "local" to my virtual machine server. All traffic from this wifi has to go to internet though VPN.

Could you help me?

I would prefer to do it with LUCI.

Thank a lot

vgaetera · December 7, 2020, 5:29am

juan3211 · December 7, 2020, 6:52am

Thanks, do I have to configure new interfaces or firewall tables or something like that?

juan3211 · December 7, 2020, 10:20am

Thanks, but I don't have a wan interface in openwrt router.

juan3211 · December 7, 2020, 7:28pm

Hi, by reading this guide I have managed to have the 3 wifis created. https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guestwifi_dumbap

I have also known how to create a wireguard interface, but I dont know how to configure it so the guest wifi will use wireguard (all ips and all ports) so the devices connected to guest wifi will be in the same local lan as the google cloud virtual server).

Does anybody how to configure wireguard with luci-app-wireguard? I have a new wireguard interface and I have created a new firewall zone called WG0.

But how could I tell to my guest lan-wifi in openwrt to "USE" wireguard tunnel?

Thanks.

vgaetera · December 7, 2020, 7:33pm

juan3211 · December 7, 2020, 8:38pm

Thanks I am going to try right now, I will begin with a clean configuration, make the step of https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guestwifi_dumbap
Create new wireguard interface, and try to read the link that you give me, thanks a lot.

juan3211 · December 8, 2020, 9:28am

Hi, I installed pbr package but it is very dificult for me as I am newbee.

I have wireguard correctly installed as I could make ping to my wireguard server

Just in case, I have updated my schema to better understanding.

I prefer tu use LUCI (I know that all of you are good with command line, rules, traffic zones, and so on. I know about ssh and command line, but general commands, I prefer to use LUCI, and then write what I am doing (step guide) and try to learn).

I have been reading all your links and a lot of more web pages, but I can't have it working.
I can't get managed with pbr package.

This is my schema:

Today, I have this working in my openwrt router:

VLAN:

Only one, eth0.1

Interfaces:

LAN: static address, 192.168.1.2, DNS 192.168.1.1, gateway 192.168.1.1 and DHCP OFF, Firewall zone: LAN, and bridged with eth0.1 and WIFI0
VPN: static address, 192.168.2.1, DNS and gateway blank, DHCP ON, firewall zone: VPN, I have no bridged interface, but in dropdown, WIFI_VPN is selected. (This is because I have done these steps https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guestwifi_dumbap)
WG0: Wireguard VPN, 10.50.0.100, WITHOUT firewall zone, and included my server as peer (remote ip, port, 25 seconds, and allowed IPs: 10.50.0.0/24 and 192.168.2.0/24)

Firewall zones:

(it is the final step of the link "guestwifi_dumbap")
Traffic rules:

Default ones: allow-dhcp-renew, allow-ping, allow-igmp, allow-dhcpv6, allow-mld, allow-icmpv6-input, forward, allow-ipsec-esp, allow-isakmp
VPN DHCP: UDP 67-68 from VPN to "this device"
VPN DNS: TCP/UDP 53 from VPN to "this device"

These are the final steps of the guide "guestwifi_dumbap", and one step more: create the wireguard tunnel with wireguard luci config app.

PINGS:         openwrt ssh    from laptop connected WIFI_VPN
192.168.1.1        ok                         ok                    
192.168.1.2        ok                         bad
192.168.2.1        ok                         bad
10.50.0.100        ok                         bad
10.50.0.1          ok                         bad
internet           ok                         ok

What I want:

Get all my trafic from 192.168.2.x devices "tunneled" with wireguard
Not very important: avoid that 192.168.2.x devices "see" 192.168.1.x devices. It will be perfect if other way round is enabled: 1.x devices could see 2.x devices. (in order to access 2.x devices from my laptop whatever wifi I am connected to)
Not very important: create a second VLAN to have a port connected to 192.168.2.x in order to access that subnet from one rj45 port.
Is this configuration ok?: WireGuard's peer: Allowed IP's allowed IPs: 10.50.0.0/24 and 192.168.2.0/24
Not very important, as you can see in above ping table, I can't access to my openwrt router while I am connected to WIFI_VPN, I can only access to my MR200 router config web page (192.168.1.1), probably because of firewall zone forwardings. It will be great to access to openwrt router LUCI (192.168.2.1) also from WIFI_VPN, as I do from WIFI1 (192.168.1.2)

Point 2 and 3 are not important for me, and probably I would get managed to configure it, but Point 1 is very dificult for me and very important. Point 4 will be solved probably by solving point 1.

Could you help me ? Do I have to use "luci-app-vpn-policy-routing", or we need only firewall zones and traffic rules?

Thanks a lot

NOTE: After solving this I will try to write a guide or complete the guide already published with new steps for newbees.

vgaetera · December 8, 2020, 9:52am

LuCI > Network > Interfaces > WG0 > Edit

Peers > Route Allowed IPs > Uncheck
Peers > Allowed IPs:
- 0.0.0.0/0
- ::/0

Save > Save & Apply

LuCI > VPN > VPN Policy Routing > Policies

Name: VPN
Local addresses: 192.168.2.0/24
Interface: WG0

Save & Apply

juan3211 · December 8, 2020, 10:34am

Thanks, I have applied this:

LuCI > Network > Interfaces > WG0 > Edit

Peers > Route Allowed IPs > Uncheck
Peers > Allowed IPs:
0.0.0.0/0
::/0
Save > Save & Apply
Restart interface WG0

LuCI > VPN > VPN Policy Routing > Policies
Add new one ...
Name: VPN
Local addresses: 192.168.2.0/24
Interface: WG0
Save & Apply
Enable and start service control VPN Policy Routing

VPN Policy Routing says me:

lan/br-lan/192.168.1.1 ✓
WG0/10.50.0.100
The ✓ represents the default gateway.

Pings from laptop connected to WIFI_VPN:
192.168.1.1 bad
192.168.1.2 bad
192.168.2.1 bad
10.50.0.100 bad
10.50.0.1 bad
Windows 10 says me that WIFI_VPN hasn't internet connection
I have tried to do tracert openwrt.org but

1     2 ms     2 ms     2 ms  OpenWrt.lan [192.168.2.1]
2     *        *        *     Tiempo de espera agotado para esta solicitud.
3     *     OpenWrt.lan [192.168.2.1]  informes: Protocolo de destino inaccesible.

I am going to reboot router, just in case.....

Not luck, same "problems"

Will be a good way try to let me open a ssh session to 192.168.2.1 from WIFI_VPN in order to try pings from the openwrt router itself? (I don't know exactly why I can't ping to 192.168.2.1 from my laptop when it has a 192.168.2.117 ip and it is connected to WIFI_VPN)

vgaetera · December 8, 2020, 10:48am

Create a separate firewall zone for the WG0 interface with masquerading enabled.
And allow forwarding from the VPN zone to the WG0 zone.

juan3211 · December 8, 2020, 10:51am

Sorry, you have changed the reply. Wait 1 minute ...

juan3211 · December 8, 2020, 10:57am

I have not do anything from your deleted proposal.

interfaces-> wg0 -> firewall settings -> wg0 create
save
save & apply

Now I have the firewall as:

Do I have to edit the vpn=>lan or the wg0=>wan ?
Or create another "row" with vpn=>wg0 ?

(meanwhile I have add a traffic rule to let me ping from my laptop: Incoming from VPN, protocol ICMP to "this device". Also, to allow SSH: Incoming from VPN, protocol TCP port 22, to "this device")

vgaetera · December 8, 2020, 1:14pm

LuCI > Network > Firewall > General Settings > Zones > wg0 > Edit

Input: reject
Output: accept
Forward: reject
Masquerading > Check
MSS clamping > Check
Covered networks: WG0
Allow forward from source zones: vpn

Save > Save & Apply

juan3211 · December 8, 2020, 2:38pm

After doing this, the vpn=>lan has changed to: (as we have done "allow forward from sources zones: vpn").

I have removed lan from here-

If I remove it, I can put masquerading and mss clampling.

So I have checked this:

Do I configure it well?

I connected my laptop to WIFI_VPN, it says no access to internet.
Pings:
192.168.1.1 bad
192.168.1.2 ok (probably because of the new trafic rule)
192.168.2.1 ok (probably because of the new trafic rule)
10.50.0.100 ok
10.50.0.1 ok

Great !! Now I can ping to my server with 10.50.0.1.
I understand that it is ok, I could send "packets" directly to my server. I don't have an IP like 10.50.0.x because I am behind my openwrt router.

Is that way good, or do I have to do exactly what you said (first image, vpn => lan&wg0) ?

But now I have a doubt: from my laptop I can't tracert openwrt.org (for example) as I don't have any DNS configured. I can't also see my public ip address to confirm that it is the ip of my cloud server. This is to confirm that I am "inside the tunnel". I have tried to tracert 8.8.8.8, but not luck:

1     2 ms     3 ms     3 ms  OpenWrt.lan [192.168.2.1]
2     *        *        *     Tiempo de espera agotado para esta solicitud.

How could I check if I am really in tunnel?

What is the real reason because of I haven't got internet access trought WG0 ? is it because any configuration in server side (I am thinkg that I am reaching my server but it can't "foward" to internet?), or in openwrt client side? (Today is not very important, but as I am going to use some devices that sometimes nees update from internet, it will be great to know the reason, so I could activate/deactive the trafic rule or firewall zone or whatever to update my devices. Is the problem server side? or cliente side? Probably I could solve it by joining again VPN=>LAN, but I prefer to understand where the problem could be.

Probably next days I will ask you about traffic rules, as I am going to try to comunicate with my 10.50.0.1 sever with different ports (MQTT, ...). Probably all of they works, so no more questions.

After that, I will try "the other points not very important" that I said some post above, and try to write steps.

Thanks a lot @vgaetera, you have helped me a lot. Much more than anyone could expect. What about these last questions?

Thanks a lot again.

vgaetera · December 9, 2020, 10:21am

You should perform diagnostics using CLI:
https://openwrt.org/docs/guide-quick-start/sshadministration

uci show network; uci show wireless; uci show firewall; uci show dhcp; \
uci show vpn-policy-routing; \
grep -v -e ^# -e ^$ /etc/firewall.user; \
head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*; \
ip address show; ip route show table all; ip rule show; iptables-save

Post the output to pastebin.com redacting the private parts.

juan3211 · December 9, 2020, 2:51pm

Hi, I know a little about ssh thanks.
Here you have (I have get it with my laptop connected with lan rj45 cable to openwrt router)

vgaetera · December 9, 2020, 4:27pm

Disable masquerading in the vpn firewall zone.

It's best to disable masquerading in the wg0 zone too.
Just add 192.168.2.0/24 to the allowed IPs in the WG peer settings on the server side.

If you need this, then allow traffic forwarding from the firewall zone vpn to lan.

Perform traceroute from the client and/or check out some sites that show your IP such as ipleak.net.

Make sure that IPv4 forwarding is enabled on the server side.

juan3211 · December 9, 2020, 7:05pm

Hi,

Disable masquerading in the vpn firewall zone: done & restart VPN interface
Disable masquerading in the wg0: done & restart wg0 interface
(I understood here to enable it, sorry for my misunderstanding: Help with access point + wifi guest + wireguard (VPN)).
Add 192.168.2.0/24 to the allowed IPs in the WG peer settings on the server side: done in server. I had Allowed IPs = 10.50.0.100/32, now I have Allowed IPs = 10.50.0.100/32, 192.168.2.0/24

Now I can see in my server side (10.50.0.1) mosquitto broker an address like 192.168.2.x connected to, not always 10.50.0.100. Thanks a lot. It is much better.

Ping 192.168.1.1 "If you need this, then allow traffic forwarding from the firewall zone vpn to lan." It is not important for me, as I can connect to WIFI1 so I am in 192.168.1.1. It was only for information. May be it is risky for me to allow traffic forwarding from vpn to lan. That way I am not sure if vpn will "go" to lan or to wg0. So I dont change anything here.
About "Perform traceroute from the client and/or check out some sites that show your IP such as ipleak.net." I cant check it as I can't connect to internet when I am in WIFI_VPN. Let's check if with next step I could reach internet and then, I could check with traceroute
"Make sure that IPv4 forwarding is enabled on the server side" I have read in google cloud this: You can only enable IP forwarding when you create an instance, and enabling IP forwarding alone is not sufficient to cause the instance to forward packets. Its guest operating system must be configured as well.

So at this moment, I prefer not to do it. It is important, but not very important. Without internet access then I supposed that my devices are in the tunnel, aren't they?

Thanks a lot @vgaetera I think I have reach my "limit" .

May be in a few days I could create another google cloud instance with IP4 forwarding to check what you said, only to learn about it. (but I need also to configure debian in google coud instance)

I need to write also the guide for everyone else.

Thanks a lot.

vgaetera · December 9, 2020, 7:11pm

It is required only when using a commercial VPN provider.
No need for redundant masquerading on the client side with your own VPN server.
But you should enable masquerading on the server side in any case.