Thanks, but I don't have a wan interface in openwrt router.
Hi, by reading this guide I have managed to have the 3 wifis created. https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guestwifi_dumbap
I have also learned how to create a wireguard interface, but I don't know how to configure it so the guest wifi will use wireguard (all IPs and all ports), so that the devices connected to the guest wifi will be in the same local LAN as the google cloud virtual server.
Does anybody know how to configure wireguard with luci-app-wireguard? I have a new wireguard interface and I have created a new firewall zone called WG0.
But how could I tell to my guest lan-wifi in openwrt to "USE" wireguard tunnel?
Thanks.
Thanks, I am going to try right now. I will begin with a clean configuration, follow the steps of https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guestwifi_dumbap,
create a new wireguard interface, and try to read the link that you gave me. Thanks a lot.
Hi, I installed the pbr package but it is very difficult for me as I am a newbie.
I have wireguard correctly installed, as I could ping my wireguard server.
Just in case, I have updated my schema for better understanding.
I prefer to use LuCI (I know that all of you are good with the command line, rules, traffic zones, and so on. I know about ssh and the command line, but only general commands; I prefer to use LuCI, and then write down what I am doing (step guide) and try to learn).
I have been reading all your links and a lot more web pages, but I can't get it working.
I can't manage with the pbr package.
This is my schema:
Today, I have this working in my openwrt router:
- VLAN:
  - Only one, eth0.1
- Interfaces:
  - LAN: static address, 192.168.1.2, DNS 192.168.1.1, gateway 192.168.1.1 and DHCP OFF, Firewall zone: LAN, and bridged with eth0.1 and WIFI0
  - VPN: static address, 192.168.2.1, DNS and gateway blank, DHCP ON, firewall zone: VPN, I have no bridged interface, but in the dropdown WIFI_VPN is selected. (This is because I have done these steps https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guestwifi_dumbap)
  - WG0: WireGuard VPN, 10.50.0.100, WITHOUT firewall zone, and included my server as peer (remote IP, port, 25 seconds, and allowed IPs: 10.50.0.0/24 and 192.168.2.0/24)
- Firewall zones: (it is the final step of the link "guestwifi_dumbap")
- Traffic rules:
  - Default ones: allow-dhcp-renew, allow-ping, allow-igmp, allow-dhcpv6, allow-mld, allow-icmpv6-input, forward, allow-ipsec-esp, allow-isakmp
  - VPN DHCP: UDP 67-68 from VPN to "this device"
  - VPN DNS: TCP/UDP 53 from VPN to "this device"
These are the final steps of the guide "guestwifi_dumbap", and one step more: create the wireguard tunnel with wireguard luci config app.
Pings:

| Target | From openwrt (ssh) | From laptop connected to WIFI_VPN |
|---|---|---|
| 192.168.1.1 | ok | ok |
| 192.168.1.2 | ok | bad |
| 192.168.2.1 | ok | bad |
| 10.50.0.100 | ok | bad |
| 10.50.0.1 | ok | bad |
| internet | ok | ok |
What I want:
- Get all my traffic from 192.168.2.x devices "tunneled" with wireguard
- Not very important: avoid that 192.168.2.x devices "see" 192.168.1.x devices. It would be perfect if the other way round is enabled: 1.x devices could see 2.x devices (in order to access 2.x devices from my laptop whatever wifi I am connected to).
- Not very important: create a second VLAN to have a port connected to 192.168.2.x in order to access that subnet from one RJ45 port.
- Is this configuration ok? WireGuard peer allowed IPs: 10.50.0.0/24 and 192.168.2.0/24
- Not very important: as you can see in the ping table above, I can't access my openwrt router while I am connected to WIFI_VPN, I can only access my MR200 router config web page (192.168.1.1), probably because of firewall zone forwardings. It would be great to access the openwrt router LuCI (192.168.2.1) also from WIFI_VPN, as I do from WIFI1 (192.168.1.2).
Points 2 and 3 are not important for me, and probably I would manage to configure them, but point 1 is very difficult for me and very important. Point 4 will probably be solved by solving point 1.
Could you help me ? Do I have to use "luci-app-vpn-policy-routing", or we need only firewall zones and traffic rules?
Thanks a lot
NOTE: After solving this I will try to write a guide or complete the guide already published with new steps for newbies.
LuCI > Network > Interfaces > WG0 > Edit
- Peers > Route Allowed IPs > Uncheck
- Peers > Allowed IPs:
  - 0.0.0.0/0
  - ::/0
Save > Save & Apply
LuCI > VPN > VPN Policy Routing > Policies
- Name: VPN
- Local addresses: 192.168.2.0/24
- Interface: WG0
Save & Apply
Thanks, I have applied this:
LuCI > Network > Interfaces > WG0 > Edit
Peers > Route Allowed IPs > Uncheck
Peers > Allowed IPs:
0.0.0.0/0
::/0
Save > Save & Apply
Restart interface WG0
LuCI > VPN > VPN Policy Routing > Policies
Add new one ...
Name: VPN
Local addresses: 192.168.2.0/24
Interface: WG0
Save & Apply
Enable and start service control VPN Policy Routing
VPN Policy Routing tells me:
lan/br-lan/192.168.1.1 ✓
WG0/10.50.0.100
The ✓ represents the default gateway.
Pings from laptop connected to WIFI_VPN:
192.168.1.1 bad
192.168.1.2 bad
192.168.2.1 bad
10.50.0.100 bad
10.50.0.1 bad
Windows 10 tells me that WIFI_VPN has no internet connection.
I have tried to do tracert openwrt.org but:
1 2 ms 2 ms 2 ms OpenWrt.lan [192.168.2.1]
2 * * * Tiempo de espera agotado para esta solicitud.
3 * OpenWrt.lan [192.168.2.1] informes: Protocolo de destino inaccesible.
I am going to reboot router, just in case.....
No luck, same "problems".
Would it be a good way to let me open an ssh session to 192.168.2.1 from WIFI_VPN in order to try pings from the openwrt router itself? (I don't know exactly why I can't ping 192.168.2.1 from my laptop when it has a 192.168.2.117 IP and it is connected to WIFI_VPN)
Create a separate firewall zone for the WG0 interface with masquerading enabled.
And allow forwarding from the VPN zone to the WG0 zone.
Sorry, you have changed the reply. Wait 1 minute ...
I have not done anything from your deleted proposal.
interfaces-> wg0 -> firewall settings -> wg0 create
save
save & apply
Now I have the firewall as:
Do I have to edit the vpn=>lan or the wg0=>wan ?
Or create another "row" with vpn=>wg0 ?
(meanwhile I have added a traffic rule to let me ping from my laptop: Incoming from VPN, protocol ICMP to "this device". Also, to allow SSH: Incoming from VPN, protocol TCP port 22, to "this device")
LuCI > Network > Firewall > General Settings > Zones > wg0 > Edit
- Input: reject
- Output: accept
- Forward: reject
- Masquerading > Check
- MSS clamping > Check
- Covered networks: WG0
- Allow forward from source zones: vpn
Save > Save & Apply
After doing this, the vpn=>lan has changed to this (as we have done "allow forward from source zones: vpn").
I have removed lan from here.
If I remove it, I can set masquerading and MSS clamping.
So I have checked this:
Do I configure it well?
I connected my laptop to WIFI_VPN, it says no access to internet.
Pings:
192.168.1.1 bad
192.168.1.2 ok (probably because of the new traffic rule)
192.168.2.1 ok (probably because of the new traffic rule)
10.50.0.100 ok
10.50.0.1 ok
Great!! Now I can ping my server with 10.50.0.1.
I understand that it is ok, I could send "packets" directly to my server. I don't have an IP like 10.50.0.x because I am behind my openwrt router.
Is that way good, or do I have to do exactly what you said (first image, vpn => lan&wg0)?
But now I have a doubt: from my laptop I can't tracert openwrt.org (for example) as I don't have any DNS configured. I also can't see my public IP address to confirm that it is the IP of my cloud server. This is to confirm that I am "inside the tunnel". I have tried to tracert 8.8.8.8, but no luck:
1 2 ms 3 ms 3 ms OpenWrt.lan [192.168.2.1]
2 * * * Tiempo de espera agotado para esta solicitud.
How could I check if I am really in tunnel?
What is the real reason why I haven't got internet access through WG0? Is it because of some configuration on the server side (I am thinking that I am reaching my server but it can't "forward" to the internet?), or on the openwrt client side? (Today it is not very important, but as I am going to use some devices that sometimes need updates from the internet, it would be great to know the reason, so I could activate/deactivate the traffic rule or firewall zone or whatever to update my devices. Is the problem server side or client side? Probably I could solve it by joining VPN=>LAN again, but I prefer to understand where the problem could be.)
Probably in the next days I will ask you about traffic rules, as I am going to try to communicate with my 10.50.0.1 server on different ports (MQTT, ...). Probably all of them work, so no more questions.
After that, I will try "the other points not very important" that I said some post above, and try to write steps.
Thanks a lot @vgaetera, you have helped me a lot. Much more than anyone could expect. What about these last questions?
Thanks a lot again.
You should perform diagnostics using CLI:
https://openwrt.org/docs/guide-quick-start/sshadministration
uci show network; uci show wireless; uci show firewall; uci show dhcp; \
uci show vpn-policy-routing; \
grep -v -e ^# -e ^$ /etc/firewall.user; \
head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*; \
ip address show; ip route show table all; ip rule show; iptables-save
Post the output to pastebin.com redacting the private parts.
Hi, I know a little about ssh, thanks.
Here you have it (I got it with my laptop connected with a LAN RJ45 cable to the openwrt router)
Disable masquerading in the vpn firewall zone.
It's best to disable masquerading in the wg0 zone too.
Just add 192.168.2.0/24 to the allowed IPs in the WG peer settings on the server side.
If you need this, then allow traffic forwarding from the firewall zone vpn to lan.
Perform traceroute from the client and/or check out some sites that show your IP such as ipleak.net.
Make sure that IPv4 forwarding is enabled on the server side.
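As an added example (not from the thread or from OpenWrt/WireGuard code), the following Python models the two checks behind the advice above: the pbr policy that sends 192.168.2.0/24 into WG0, and the server-side AllowedIPs that decide whether packets from that subnet are accepted at all. The peer names, the 10.50.0.0/24 tunnel addresses and the sample packets are constructed assumptions; the subnets are the ones in the thread.

```python
"""Model of WireGuard cryptokey routing for the guest-wifi-over-WG0 setup.
Added example: not from the thread. Peer names and sample packets are constructed."""
import ipaddress

# Policy routing on the OpenWrt side (the pbr policy: local 192.168.2.0/24 -> WG0).
POLICY = {"192.168.2.0/24": "WG0"}
# Client-side peer AllowedIPs with "Route Allowed IPs" unchecked: any destination
# is acceptable for this peer, but no default route is installed.
CLIENT_PEERS = {"server": ["0.0.0.0/0", "::/0"]}
# Server-side AllowedIPs for the OpenWrt peer, before and after the fix.
SERVER_BEFORE = {"openwrt": ["10.50.0.100/32"]}
SERVER_AFTER = {"openwrt": ["10.50.0.100/32", "192.168.2.0/24"]}


def lookup_peer(allowed_ips, addr):
    """Longest-prefix match of addr against {peer: [prefix, ...]}; None if no match."""
    ip = ipaddress.ip_address(addr)
    best = None
    for peer, prefixes in allowed_ips.items():
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix)
            if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (peer, net)
    return best[0] if best else None


def egress(src):
    """Source-based policy route: which interface carries a packet from src."""
    ip = ipaddress.ip_address(src)
    for prefix, iface in POLICY.items():
        if ip in ipaddress.ip_network(prefix):
            return iface
    return "lan-default"  # everything else follows the normal default route


def trace(src, dst, server_peers):
    """Follow one packet from a client behind OpenWrt towards the server and
    report where it stops; returns a short status string."""
    if egress(src) != "WG0":
        return "bypasses tunnel"
    if lookup_peer(CLIENT_PEERS, dst) is None:
        return "no peer for destination"
    # Cryptokey routing on the server: a decrypted packet whose source address is
    # not inside the sending peer's AllowedIPs is silently dropped.
    if lookup_peer(server_peers, src) != "openwrt":
        return "dropped by server (source not in AllowedIPs)"
    return "delivered"
```

With masquerading on the wg0 zone the source would be rewritten to 10.50.0.100 and SERVER_BEFORE would also deliver, which is why the broker saw 10.50.0.100 instead of the real 192.168.2.x address.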
Hi,
- Disable masquerading in the vpn firewall zone: done & restart VPN interface
- Disable masquerading in the wg0: done & restart wg0 interface
(I understood here to enable it, sorry for my misunderstanding: Help with access point + wifi guest + wireguard (VPN)).
- Add 192.168.2.0/24 to the allowed IPs in the WG peer settings on the server side: done in server. I had Allowed IPs = 10.50.0.100/32, now I have Allowed IPs = 10.50.0.100/32, 192.168.2.0/24
Now I can see in my server side (10.50.0.1) mosquitto broker an address like 192.168.2.x connected, not always 10.50.0.100. Thanks a lot. It is much better.
- Ping 192.168.1.1: "If you need this, then allow traffic forwarding from the firewall zone vpn to lan." It is not important for me, as I can connect to WIFI1 so I am in 192.168.1.1. It was only for information. Maybe it is risky for me to allow traffic forwarding from vpn to lan. That way I am not sure if vpn will "go" to lan or to wg0. So I don't change anything here.
- About "Perform traceroute from the client and/or check out some sites that show your IP such as ipleak.net.": I can't check it as I can't connect to the internet when I am in WIFI_VPN. Let's check if with the next step I could reach the internet and then I could check with traceroute.
- "Make sure that IPv4 forwarding is enabled on the server side": I have read in google cloud this: You can only enable IP forwarding when you create an instance, and enabling IP forwarding alone is not sufficient to cause the instance to forward packets. Its guest operating system must be configured as well.
So at this moment, I prefer not to do it. It is important, but not very important. Without internet access, then I suppose that my devices are in the tunnel, aren't they?
Thanks a lot @vgaetera, I think I have reached my "limit".
Maybe in a few days I could create another google cloud instance with IPv4 forwarding to check what you said, only to learn about it (but I need also to configure debian in the google cloud instance).
I need to write also the guide for everyone else.
Thanks a lot.
It is required only when using a commercial VPN provider.
No need for redundant masquerading on the client side with your own VPN server.
But you should enable masquerading on the server side in any case.
Sorry for digging this post up. I'm trying to do exactly the same setup here. Any concluded solution?
Thanks.
It would be best to start your own topic, in case the wiki doesn't help.