Help with VPN to LAN routing

Hello folks,

Happy New Year to all!

I just bought my first OpenWrt product, a GL.iNet Brume MV1000. What I'd like to achieve is 1) LAN-to-LAN VPN between 3 sites/remote clients and 2) pushing all Internet traffic out from one of the sites.

I am halfway there: I have a WireGuard server up and running, and all clients can go out to the Internet via the VPN server. However, I am struggling with the LAN-to-LAN connectivity, where clients can access any resources on any LAN.

Here’s the exact current setup:

  1. Wireguard server is 10.0.0.1, public IP 165.225.xxx.xxx
  2. Site 1 LAN is 192.168.8.1
  3. Resource 1 is 192.168.8.170
  4. Client 1 is 10.0.0.2, public IP 24.165.xxx.xxx

Client 1 has no problem connecting to the WG server and accessing the Internet using the 165.225.xxx.xxx public IP. However, Client 1 is unable to ping Resource 1 at 192.168.8.170.

Looking at LuCI, I noticed that even though WireGuard is running and Client 1 has connected:

  1. There is no WG interface showing in the dashboard
  2. The list of routes does not show a route from 10.0.0.1 to lan (192.168.8.0)
  3. The wireguard firewall zone is empty and the rule wireguard to lan drops forwarding packets

My networking knowledge is very light. Based on the above observations, my hypothesis is that I need to define a WireGuard interface, add the interface to the wireguard zone, and then add routing and firewall rules to enable the flow between WireGuard and the LAN. This is a brand-new router, out of the box, with LuCI 19.07.

I'd very much appreciate some hand-holding to figure out how I can take full advantage of the router. Beggars can't be choosers: the ideal solution would be to set things up via the GUI rather than the CLI, but of course I'd hugely appreciate either approach.

Thanks in advance!

Is Site 1's LAN on the same router as the WireGuard server?
If yes, then you shouldn't need anything on the client, since you are allowing and routing 0.0.0.0/0.
On the server you need to assign the wg interface to a firewall zone and allow the traffic you want to allow. If you trust the client, then you could add the wg interface to the lan zone directly.
In any case the server tutorial is easy to implement, although with commands, because it is fail-proof copy-paste.
If you still have trouble, post the following from the server.
Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have.

ubus call system board; uci export network; uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; iptables-save -c; ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
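As an added illustration of the zone-and-forwarding point in the reply above (this is not code from the thread or from OpenWrt), the Python below parses `uci export firewall` text and reports, for a tunnel interface, which fw3 zone covers it and whether forwarding sections to and from the `lan` zone exist. The sample export is a constructed excerpt of the one the original poster pastes later in the thread; the function names are my own.

```python
import re

# Constructed excerpt of the `uci export firewall` output posted later in this
# thread; sections unrelated to the VPN question are left out.
FIREWALL_EXPORT = """\
package firewall

config defaults
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option forward 'ACCEPT'

config zone 'wireguard'
        option name 'wireguard'
        option forward 'DROP'
        option masq '1'
        option device 'wg0'

config forwarding 'wireguard_lan'
        option src 'wireguard'
        option dest 'lan'

config forwarding 'lan_wireguard'
        option src 'lan'
        option dest 'wireguard'
"""


def parse_uci_export(text):
    """Parse `uci export` text into sections {'type', 'name', 'options', 'lists'}."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("package "):
            continue
        # `config <type> ['name']` opens a section; anonymous sections have no name
        m = re.match(r"config\s+(\S+)(?:\s+'([^']*)')?$", line)
        if m:
            current = {"type": m.group(1), "name": m.group(2), "options": {}, "lists": {}}
            sections.append(current)
            continue
        # `option k 'v'` sets a single value, `list k 'v'` appends to a list
        m = re.match(r"(option|list)\s+(\S+)\s+'([^']*)'$", line)
        if m and current is not None:
            kind, key, value = m.groups()
            if kind == "option":
                current["options"][key] = value
            else:
                current["lists"].setdefault(key, []).append(value)
    return sections


def zone_for(sections, iface):
    """Return the zone covering `iface` (logical network or device name), else None."""
    for s in sections:
        if s["type"] != "zone":
            continue
        # fw3 accepts `network` as a list or a space-separated option and
        # `device` as a space-separated option; either kind makes membership
        members = list(s["lists"].get("network", []))
        members += s["options"].get("network", "").split()
        members += s["options"].get("device", "").split()
        if iface in members:
            return s
    return None


def has_forwarding(sections, src, dest):
    """True if a `config forwarding` section allows src zone -> dest zone."""
    return any(s["type"] == "forwarding" and s["options"].get("src") == src
               and s["options"].get("dest") == dest for s in sections)


def check_vpn_to_lan(text, iface, lan_zone="lan"):
    """Summarise how fw3 treats forwarded traffic between `iface` and the LAN.

    Traffic between two zones needs a forwarding section; a zone's own `forward`
    policy covers only traffic between interfaces of that same zone, and anything
    unmatched falls through to the `defaults` forward policy (REJECT if unset).
    """
    sections = parse_uci_export(text)
    defaults = next((s for s in sections if s["type"] == "defaults"), None)
    default_fwd = defaults["options"].get("forward", "REJECT") if defaults else "REJECT"
    zone = zone_for(sections, iface)
    if zone is None:
        return {"zone": None, "vpn_to_lan": False, "lan_to_vpn": False,
                "note": f"{iface} is in no zone; its forwarded traffic gets the "
                        f"defaults policy {default_fwd}"}
    name = zone["options"]["name"]
    return {"zone": name,
            "intra_zone_policy": zone["options"].get("forward", "unset"),
            "vpn_to_lan": has_forwarding(sections, name, lan_zone),
            "lan_to_vpn": has_forwarding(sections, lan_zone, name),
            "masq": zone["options"].get("masq") == "1"}
```

On that excerpt it reports zone `wireguard` for `wg0` with forwardings in both directions to `lan`, so the zone's own `forward 'DROP'` governs only traffic between interfaces of the wireguard zone, not wireguard-to-lan traffic. An interface in no zone (for example a logical `vpn` network that was never added to one) is reported with the defaults policy instead.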

Thank you so much for taking the time to help and respond. I used the link you shared to compile the following set of commands:

opkg update
opkg install wireguard
opkg install luci-proto-wireguard
opkg install luci-app-wireguard
opkg install qrencode
WG_IF="vpn"
WG_PORT="5001"
WG_ADDR="192.168.9.1/24"
umask go=
wg genkey | tee wgserver.key | wg pubkey > wgserver.pub
wg genkey | tee wgclient.key | wg pubkey > wgclient.pub
wg genpsk > wgserver.psk
WG_KEY="$(cat wgserver.key)"
WG_PSK="$(cat wgserver.psk)"
WG_PUB="$(cat wgclient.pub)"
uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci del_list firewall.lan.network="${WG_IF}"
uci add_list firewall.lan.network="${WG_IF}"
uci -q delete firewall.wg
uci set firewall.wg="rule"
uci set firewall.wg.name="Allow-WireGuard"
uci set firewall.wg.src="wan"
uci set firewall.wg.dest_port="${WG_PORT}"
uci set firewall.wg.proto="udp"
uci set firewall.wg.target="ACCEPT"
uci commit firewall
/etc/init.d/firewall restart
uci -q delete network.${WG_IF}
uci set network.${WG_IF}="interface"
uci set network.${WG_IF}.proto="wireguard"
uci set network.${WG_IF}.private_key="${WG_KEY}"
uci set network.${WG_IF}.listen_port="${WG_PORT}"
uci add_list network.${WG_IF}.addresses="${WG_ADDR}"
uci add_list network.${WG_IF}.addresses="${WG_ADDR6}"
uci -q delete network.wgclient
uci set network.wgclient="wireguard_${WG_IF}"
uci set network.wgclient.public_key="${WG_PUB}"
uci set network.wgclient.preshared_key="${WG_PSK}"
uci add_list network.wgclient.allowed_ips="${WG_ADDR%.*}.2/32"
uci commit network
/etc/init.d/network restart

However, this is definitely not the solution as restarting the firewall generates a bunch of errors. Furthermore, the generated QR code is invalid and I cannot configure the clients to test.

Keep in mind that this is happening on a brand new install of OpenWrt 19.07

This one won't work as you have not defined an IPv6 address for the tunnel.

Regarding the firewall problems you can paste them here, as well as the troubleshooting commands mentioned here.


Note that the code in the wiki also generates a pre-shared key.
I'm not sure, whether the QR code includes it or not, so it may be the cause of the failure.

I personally recommend performing the initial server setup using the automated script:
https://openwrt.org/docs/guide-user/services/vpn/wireguard/extras#automated

It generates client profiles which can be easily imported on mobile and desktop clients.
It has been tested on the latest OpenWrt release and appears to work pretty well.


This is turning out to be very frustrating! At least this is a sandbox router and reflashing the firmware is not a problem.

Here's the output from restarting the firewall on a virgin firmware:

Using username "root".
root@192.168.8.1's password:


BusyBox v1.30.1 () built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 19.07.0-rc1, r10649-c4fdb377a2
 -----------------------------------------------------
root@GL-MV1000:~# uci commit firewall
root@GL-MV1000:~# /etc/init.d/firewall restart
Warning: Option 'sambasharewan'.dest_proto is unknown
Warning: Section 'sambasharewan' does not specify a protocol, assuming TCP+UDP
Warning: Option 'sambasharelan'.dest_proto is unknown
Warning: Section 'sambasharelan' does not specify a protocol, assuming TCP+UDP
 * Flushing IPv4 filter table
 * Flushing IPv4 nat table
 * Flushing IPv4 mangle table
 * Flushing IPv4 raw table
 * Flushing IPv6 filter table
 * Flushing IPv6 mangle table
 * Flushing conntrack table ...
 * Populating IPv4 filter table
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Rule #9
   * Rule #10
   * Forward 'lan' -> 'wan'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 nat table
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 raw table
   * Zone 'lan'
     - Using automatic conntrack helper attachment
   * Zone 'wan'
 * Populating IPv6 filter table
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-MLD'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-ICMPv6-Forward'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Rule #9
   * Rule #10
   * Forward 'lan' -> 'wan'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'wan'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/etc/firewall.user'
uci: Entry not found
uci: Entry not found
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
ipset v7.3: The set with the given name does not exist
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
 * Running script '/var/etc/gls2s.include'
   ! Skipping due to path error: No such file or directory
 * Running script '/usr/bin/glfw.sh'
 * Running script '/usr/sbin/glqos.sh'
 * Running script '/var/etc/mwan3.include'
root@GL-MV1000:~#

Here's the diagnostics output. For context: this is a half-functional WireGuard server created using the GL.iNet GUI. The client can connect successfully to the server and exit back to the Internet, but can't reach any hosts on the LAN. So if we can solve the LAN-access mystery I'd be on Cloud 9!

root@GL-MV1000:~# ubus call system board; uci export network; uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; iptables-save -c; ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
> ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
{
        "kernel": "4.14.151",
        "hostname": "GL-MV1000",
        "model": "GL.inet GL-MV1000 (Marvell)",
        "board_name": "gl-mv1000",
        "release": {
                "distribution": "OpenWrt",
                "version": "19.07.0-rc1",
                "revision": "r10649-c4fdb377a2",
                "target": "mvebu/cortexa53",
                "description": "OpenWrt 19.07.0-rc1 r10649-c4fdb377a2"
        }
}
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdc0:1027:d0ed::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'lan0 lan1 usb0'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option hostname 'GL-MV1000-22c'
        option ipaddr '192.168.8.1'

config interface 'wan'
        option ifname 'wan'
        option proto 'dhcp'
        option hostname 'GL-MV1000-22c'
        option metric '10'

config interface 'wan6'
        option ifname 'wan'
        option proto 'dhcpv6'

config interface 'lan0'
        option ifname 'lan0'
        option macaddr '94:83:c4:09:92:2d'

config interface 'lan1'
        option ifname 'lan1'
        option macaddr '94:83:c4:09:92:2d'

package dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option force '1'
        option dhcpv6 'server'
        option ra 'server'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config domain 'localhost'
        option name 'console.gl-inet.com'
        option ip '192.168.8.1'

package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'
        option reload '1'

config include 'gls2s'
        option type 'script'
        option path '/var/etc/gls2s.include'
        option reload '1'

config include 'glfw'
        option type 'script'
        option path '/usr/bin/glfw.sh'
        option reload '1'

config include 'glqos'
        option type 'script'
        option path '/usr/sbin/glqos.sh'
        option reload '1'

config include 'mwan3'
        option type 'script'
        option path '/var/etc/mwan3.include'
        option reload '1'

config rule 'sambasharewan'
        option src 'wan'
        option dest_port '137 138 139 445'
        option dest_proto 'tcpudp'
        option target 'DROP'

config rule 'sambasharelan'
        option src 'lan'
        option dest_port '137 138 139 445'
        option dest_proto 'tcpudp'
        option target 'ACCEPT'

config rule 'glservice_rule'
        option name 'glservice'
        option dest_port '83'
        option proto 'tcp udp'
        option src 'wan'
        option target 'ACCEPT'
        option enabled '0'

config rule 'AllowWireguard'
        option name 'Allow-Wireguard'
        option target 'ACCEPT'
        option src 'wan'
        option proto 'udp tcp'
        option family 'ipv4'
        option dest_port '5001'

config zone 'wireguard'
        option name 'wireguard'
        option input 'ACCEPT'
        option forward 'DROP'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option device 'wg0'
        option masq6 '1'

config forwarding 'wireguard_wan'
        option src 'wireguard'
        option dest 'wan'

config forwarding 'wireguard_lan'
        option src 'wireguard'
        option dest 'lan'

config forwarding 'lan_wireguard'
        option src 'lan'
        option dest 'wireguard'


force_dns() {
        # lanip=$(ifconfig br-lan |sed -n 's/.*dr:\(.*\) Bc.*/\1/p')
        lanip=$(uci get network.lan.ipaddr)
        [ "$1" = "add" ] && {
                ip=$(uci get glconfig.general.ipaddr)
                [ -z "$ip" ] && ip=$(uci get network.lan.ipaddr)
                iptables -t nat -D PREROUTING -s 0/0 -p udp --dport 53 -j DNAT --to $ip
                iptables -t nat -D PREROUTING -s 0/0 -p tcp --dport 53 -j DNAT --to $ip

                uci set glconfig.general.ipaddr=$lanip
                uci commit glconfig
                iptables -t nat -C PREROUTING -s 0/0 -p udp --dport 53 -j DNAT --to $lanip
                [ ! "$?" = "0" ] && iptables -t nat -I PREROUTING -s 0/0 -p udp --dport 53 -j DNAT --to $lanip
                iptables -t nat -C PREROUTING -s 0/0 -p tcp --dport 53 -j DNAT --to $lanip
                [ ! "$?" = "0" ] && iptables -t nat -I PREROUTING -s 0/0 -p tcp --dport 53 -j DNAT --to $lanip


        }
        [ "$1" = "remove" ] && {
                lanip=$(uci get glconfig.general.ipaddr)
                [ -z "$lanip" ] && lanip=$(uci get network.lan.ipaddr)
                iptables -t nat -C PREROUTING -s 0/0 -p udp --dport 53 -j DNAT --to $lanip
                [ "$?" = "0" ] && iptables -t nat -D PREROUTING -s 0/0 -p udp --dport 53 -j DNAT --to $lanip
                iptables -t nat -C PREROUTING -s 0/0 -p tcp --dport 53 -j DNAT --to $lanip
                [ "$?" = "0" ] && iptables -t nat -D PREROUTING -s 0/0 -p tcp --dport 53 -j DNAT --to $lanip
        }
}

force=$(uci get glconfig.general.force_dns)
if [ -n "$force" ]; then
    force_dns add
else
    force_dns remove
fi
gl-firewall

# PPTP Passthrough
iptables -t raw -D OUTPUT -p tcp -m tcp --dport 1723 -j CT --helper pptp
iptables -t raw -A OUTPUT -p tcp -m tcp --dport 1723 -j CT --helper pptp
# Generated by iptables-save v1.8.3 on Fri Jan  8 17:54:06 2021
*nat
:PREROUTING ACCEPT [287:48186]
:INPUT ACCEPT [42:2386]
:OUTPUT ACCEPT [95:7735]
:POSTROUTING ACCEPT [1:242]
:GL_SPEC_DMZ - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
:zone_wireguard_postrouting - [0:0]
:zone_wireguard_prerouting - [0:0]
[287:48186] -A PREROUTING -j GL_SPEC_DMZ
[287:48186] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[134:8486] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[140:38850] -A PREROUTING -i wan -m comment --comment "!fw3" -j zone_wan_prerouting
[13:850] -A PREROUTING -i wg0 -m comment --comment "!fw3" -j zone_wireguard_prerouting
[124:9405] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[1:242] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[123:9163] -A POSTROUTING -o wan -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o wg0 -m comment --comment "!fw3" -j zone_wireguard_postrouting
[1:242] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[134:8486] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[123:9163] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[123:9163] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[140:38850] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[0:0] -A zone_wireguard_postrouting -m comment --comment "!fw3" -j MASQUERADE
COMMIT
# Completed on Fri Jan  8 17:54:06 2021
# Generated by iptables-save v1.8.3 on Fri Jan  8 17:54:06 2021
*raw
:PREROUTING ACCEPT [1070:141751]
:OUTPUT ACCEPT [794:125649]
:zone_lan_helper - [0:0]
[685:78830] -A PREROUTING -i br-lan -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
[0:0] -A OUTPUT -p tcp -m tcp --dport 1723 -j CT --helper pptp
[0:0] -A zone_lan_helper -p udp -m comment --comment "!fw3: Amanda backup and archiving proto" -m udp --dport 10080 -j CT --helper amanda
[0:0] -A zone_lan_helper -p tcp -m comment --comment "!fw3: FTP passive connection tracking" -m tcp --dport 21 -j CT --helper ftp
[0:0] -A zone_lan_helper -p udp -m comment --comment "!fw3: RAS proto tracking" -m udp --dport 1719 -j CT --helper RAS
[0:0] -A zone_lan_helper -p tcp -m comment --comment "!fw3: Q.931 proto tracking" -m tcp --dport 1720 -j CT --helper Q.931
[0:0] -A zone_lan_helper -p tcp -m comment --comment "!fw3: IRC DCC connection tracking" -m tcp --dport 6667 -j CT --helper irc
[0:0] -A zone_lan_helper -p tcp -m comment --comment "!fw3: PPTP VPN connection tracking" -m tcp --dport 1723 -j CT --helper pptp
[0:0] -A zone_lan_helper -p tcp -m comment --comment "!fw3: SIP VoIP connection tracking" -m tcp --dport 5060 -j CT --helper sip
[0:0] -A zone_lan_helper -p udp -m comment --comment "!fw3: SIP VoIP connection tracking" -m udp --dport 5060 -j CT --helper sip
[0:0] -A zone_lan_helper -p udp -m comment --comment "!fw3: SNMP monitoring connection tracking" -m udp --dport 161 -j CT --helper snmp
[0:0] -A zone_lan_helper -p udp -m comment --comment "!fw3: TFTP connection tracking" -m udp --dport 69 -j CT --helper tftp
COMMIT
# Completed on Fri Jan  8 17:54:06 2021
# Generated by iptables-save v1.8.3 on Fri Jan  8 17:54:06 2021
*mangle
:PREROUTING ACCEPT [1067:141543]
:INPUT ACCEPT [701:86482]
:FORWARD ACCEPT [151:11290]
:OUTPUT ACCEPT [795:127553]
:POSTROUTING ACCEPT [947:139283]
:mwan3_connected - [0:0]
:mwan3_hook - [0:0]
:mwan3_iface_in_wan - [0:0]
:mwan3_iface_out_wan - [0:0]
:mwan3_ifaces_in - [0:0]
:mwan3_ifaces_out - [0:0]
:mwan3_policy_default_poli - [0:0]
:mwan3_rules - [0:0]
[1067:141543] -A PREROUTING -j mwan3_hook
[15:780] -A FORWARD -o wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -o wg0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wireguard MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[795:127553] -A OUTPUT -j mwan3_hook
[319:29360] -A mwan3_connected -m set --match-set mwan3_connected dst -j MARK --set-xmark 0x3f00/0x3f00
[1862:269096] -A mwan3_hook -j CONNMARK --restore-mark --nfmask 0x3f00 --ctmask 0x3f00
[382:55833] -A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_ifaces_in
[241:16943] -A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_connected
[121:8995] -A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_ifaces_out
[28:1630] -A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_rules
[1862:269096] -A mwan3_hook -j CONNMARK --save-mark --nfmask 0x3f00 --ctmask 0x3f00
[453:47409] -A mwan3_hook -m mark ! --mark 0x3f00/0x3f00 -j mwan3_connected
[137:38275] -A mwan3_iface_in_wan -i wan -m set --match-set mwan3_connected src -m mark --mark 0x0/0x3f00 -m comment --comment default -j MARK --set-xmark 0x3f00/0x3f00
[4:615] -A mwan3_iface_in_wan -i wan -m mark --mark 0x0/0x3f00 -m comment --comment wan -j MARK --set-xmark 0x100/0x3f00
[93:7365] -A mwan3_iface_out_wan -o wan -m mark --mark 0x0/0x3f00 -m comment --comment wan -j MARK --set-xmark 0x100/0x3f00
[382:55833] -A mwan3_ifaces_in -m mark --mark 0x0/0x3f00 -j mwan3_iface_in_wan
[121:8995] -A mwan3_ifaces_out -m mark --mark 0x0/0x3f00 -j mwan3_iface_out_wan
[28:1630] -A mwan3_policy_default_poli -m mark --mark 0x0/0x3f00 -m comment --comment "wan 3 3" -j MARK --set-xmark 0x100/0x3f00
[28:1630] -A mwan3_rules -m mark --mark 0x0/0x3f00 -m comment --comment default_rule -j mwan3_policy_default_poli
COMMIT
# Completed on Fri Jan  8 17:54:06 2021
# Generated by iptables-save v1.8.3 on Fri Jan  8 17:54:06 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:GL_SPEC_OPENING - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
:zone_wireguard_dest_ACCEPT - [0:0]
:zone_wireguard_dest_DROP - [0:0]
:zone_wireguard_forward - [0:0]
:zone_wireguard_input - [0:0]
:zone_wireguard_output - [0:0]
:zone_wireguard_src_ACCEPT - [0:0]
[715:87130] -A INPUT -j GL_SPEC_OPENING
[0:0] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[715:87130] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[613:79619] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[36:1872] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[96:6824] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[6:687] -A INPUT -i wan -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i wg0 -m comment --comment "!fw3" -j zone_wireguard_input
[151:11290] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[91:7516] -A FORWARD -m comment --comment "!fw3: Traffic offloading" -m conntrack --ctstate RELATED,ESTABLISHED -j FLOWOFFLOAD --hw
[91:7516] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[15:780] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i wan -m comment --comment "!fw3" -j zone_wan_forward
[45:2994] -A FORWARD -i wg0 -m comment --comment "!fw3" -j zone_wireguard_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[0:0] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[814:131649] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[717:123636] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[2:480] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[95:7533] -A OUTPUT -o wan -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o wg0 -m comment --comment "!fw3" -j zone_wireguard_output
[2:111] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[1:328] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[36:1872] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[2:480] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[15:780] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[15:780] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wireguard forwarding policy" -j zone_wireguard_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[96:6824] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -p tcp -m tcp --dport 137 -m comment --comment "!fw3: @rule[10]" -j ACCEPT
[0:0] -A zone_lan_input -p tcp -m tcp --dport 138 -m comment --comment "!fw3: @rule[10]" -j ACCEPT
[0:0] -A zone_lan_input -p tcp -m tcp --dport 139 -m comment --comment "!fw3: @rule[10]" -j ACCEPT
[0:0] -A zone_lan_input -p tcp -m tcp --dport 445 -m comment --comment "!fw3: @rule[10]" -j ACCEPT
[54:4212] -A zone_lan_input -p udp -m udp --dport 137 -m comment --comment "!fw3: @rule[10]" -j ACCEPT
[2:480] -A zone_lan_input -p udp -m udp --dport 138 -m comment --comment "!fw3: @rule[10]" -j ACCEPT
[0:0] -A zone_lan_input -p udp -m udp --dport 139 -m comment --comment "!fw3: @rule[10]" -j ACCEPT
[0:0] -A zone_lan_input -p udp -m udp --dport 445 -m comment --comment "!fw3: @rule[10]" -j ACCEPT
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[40:2132] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[2:480] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[2:480] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[40:2132] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[1:40] -A zone_wan_dest_ACCEPT -o wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[154:11267] -A zone_wan_dest_ACCEPT -o wan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o wan -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[6:687] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[2:72] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -p tcp -m tcp --dport 137 -m comment --comment "!fw3: @rule[9]" -j DROP
[0:0] -A zone_wan_input -p tcp -m tcp --dport 138 -m comment --comment "!fw3: @rule[9]" -j DROP
[0:0] -A zone_wan_input -p tcp -m tcp --dport 139 -m comment --comment "!fw3: @rule[9]" -j DROP
[0:0] -A zone_wan_input -p tcp -m tcp --dport 445 -m comment --comment "!fw3: @rule[9]" -j DROP
[0:0] -A zone_wan_input -p udp -m udp --dport 137 -m comment --comment "!fw3: @rule[9]" -j DROP
[0:0] -A zone_wan_input -p udp -m udp --dport 138 -m comment --comment "!fw3: @rule[9]" -j DROP
[0:0] -A zone_wan_input -p udp -m udp --dport 139 -m comment --comment "!fw3: @rule[9]" -j DROP
[0:0] -A zone_wan_input -p udp -m udp --dport 445 -m comment --comment "!fw3: @rule[9]" -j DROP
[1:176] -A zone_wan_input -p udp -m udp --dport 5001 -m comment --comment "!fw3: Allow-Wireguard" -j ACCEPT
[0:0] -A zone_wan_input -p tcp -m tcp --dport 5001 -m comment --comment "!fw3: Allow-Wireguard" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[3:439] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[95:7533] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[95:7533] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[3:439] -A zone_wan_src_REJECT -i wan -m comment --comment "!fw3" -j reject
[0:0] -A zone_wireguard_dest_ACCEPT -o wg0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wireguard_dest_ACCEPT -o wg0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wireguard_dest_DROP -o wg0 -m comment --comment "!fw3" -j DROP
[45:2994] -A zone_wireguard_forward -m comment --comment "!fw3: Zone wireguard to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wireguard_forward -m comment --comment "!fw3: Zone wireguard to lan forwarding policy" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wireguard_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wireguard_forward -m comment --comment "!fw3" -j zone_wireguard_dest_DROP
[0:0] -A zone_wireguard_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_wireguard_input -m comment --comment "!fw3" -j zone_wireguard_src_ACCEPT
[0:0] -A zone_wireguard_output -m comment --comment "!fw3" -j zone_wireguard_dest_ACCEPT
[0:0] -A zone_wireguard_src_ACCEPT -i wg0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
COMMIT
# Completed on Fri Jan  8 17:54:06 2021
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.68.75/22 brd 192.168.71.255 scope global wan
       valid_lft forever preferred_lft forever
9: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.8.1/24 brd 192.168.8.255 scope global br-lan
       valid_lft forever preferred_lft forever
11: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.0.0.1/24 scope global wg0
       valid_lft forever preferred_lft forever
default via 192.168.68.1 dev wan table 1
default via 192.168.68.1 dev wan proto static src 192.168.68.75
10.0.0.0/24 dev wg0 proto kernel scope link src 10.0.0.1
192.168.8.0/24 dev br-lan proto kernel scope link src 192.168.8.1
192.168.68.0/22 dev wan proto kernel scope link src 192.168.68.75
broadcast 10.0.0.0 dev wg0 table local proto kernel scope link src 10.0.0.1
local 10.0.0.1 dev wg0 table local proto kernel scope host src 10.0.0.1
broadcast 10.0.0.255 dev wg0 table local proto kernel scope link src 10.0.0.1
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.8.0 dev br-lan table local proto kernel scope link src 192.168.8.1
local 192.168.8.1 dev br-lan table local proto kernel scope host src 192.168.8.1
broadcast 192.168.8.255 dev br-lan table local proto kernel scope link src 192.168.8.1
broadcast 192.168.68.0 dev wan table local proto kernel scope link src 192.168.68.75
local 192.168.68.75 dev wan table local proto kernel scope host src 192.168.68.75
broadcast 192.168.71.255 dev wan table local proto kernel scope link src 192.168.68.75
0:      from all lookup local
1001:   from all iif wan lookup main
2001:   from all fwmark 0x100/0x3f00 lookup 1
2061:   from all fwmark 0x3d00/0x3f00 blackhole
2062:   from all fwmark 0x3e00/0x3f00 unreachable
32766:  from all lookup main
32767:  from all lookup default
ls: /tmp/resolv.*/*: No such file or directory
lrwxrwxrwx    1 root     root            16 Dec  7 07:33 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            32 Dec  7 07:33 /tmp/resolv.conf
-rw-r--r--    1 root     root            54 Dec  7 07:33 /tmp/resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
# Interface wan
nameserver 8.8.8.8
nameserver 8.8.4.4
head: /tmp/resolv.*/*: No such file or directory
root@GL-MV1000:~#

For virgin firmware I can spot a lot of penetrations.

These are warnings and I hope that you are not really sharing samba on the wan.
Lan by default accepts everything, there is no reason to open again.
In any case, as you can read, you didn't specify the destination protocol and the compiler assumes tcp+udp. In fact there is a typo: option dest_proto 'tcpudp'

Here you are running a lot of scripts which don't exist in a vanilla OpenWrt. Some of them produce the errors you see.

I don't see the point of running a Release Candidate version, when there are stable ones.
Also, this is the OpenWrt forum; we don't support the custom firmwares of third-party vendors.
Masquerade on wireguard firewall zone is not needed, nor mtu fix.

I can see only hits towards the wan but not the lan. Both are accepted anyway.

Also there is mwan3 running. It would have helped to mention that, since it is manipulating the routing.

1 Like
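The reading of the counters in the dump above (hits toward wan, none toward lan, both policies ACCEPT) can be pulled out mechanically rather than by eye. The script below is an added example, not code from this thread or from OpenWrt/fw3: it assumes only `iptables-save -c` output on stdin plus a POSIX sh with awk and grep, and the sample lines it embeds are a constructed subset copied from the dump posted above. The point it makes is the one in the reply: a zero counter on an ACCEPT policy means the firewall never saw the traffic, so the tunnel-to-LAN path is permitted and the fault is in routing or on the target host, not in the zone forwarding.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenWrt): read an `iptables-save -c` dump
# and summarise the fw3 inter-zone forwarding policies with their packet counters.
# A zero counter on an ACCEPT policy means no packet ever reached that rule, so the
# firewall is not what blocks that path.

# Constructed sample: a handful of lines taken from the dump posted above.
SAMPLE='[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[45:2994] -A zone_wireguard_forward -m comment --comment "!fw3: Zone wireguard to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wireguard_forward -m comment --comment "!fw3: Zone wireguard to lan forwarding policy" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wireguard_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wireguard_forward -m comment --comment "!fw3" -j zone_wireguard_dest_DROP'

# zone_policies: stdin = iptables-save -c output.
# Prints one line per "Zone X to Y forwarding policy" rule:
#   <src_zone> -> <dst_zone> <ACCEPT|DROP|REJECT> pkts=<packets>
zone_policies() {
    awk '
    /^\[[0-9]+:[0-9]+\] -A zone_[a-z0-9_]+_forward / && /Zone .* to .* forwarding policy/ {
        pkts = $1; sub(/^\[/, "", pkts); sub(/:.*/, "", pkts)   # "[45:2994]" -> "45"
        src = $3;  sub(/^zone_/, "", src); sub(/_forward$/, "", src)
        tgt = $NF; sub(/^zone_/, "", tgt)                       # e.g. "lan_dest_ACCEPT"
        dst = tgt; sub(/_dest_.*/, "", dst)
        verdict = tgt; sub(/.*_dest_/, "", verdict)
        printf "%s -> %s %s pkts=%s\n", src, dst, verdict, pkts
    }'
}

# unused_accepts: ACCEPT policies whose counter is still zero (allowed, never exercised).
unused_accepts() {
    zone_policies | awk '$4 == "ACCEPT" && $5 == "pkts=0"'
}

# policy_status SRC DST: exit 0 if the SRC->DST policy is ACCEPT,
# 1 if it exists but is DROP/REJECT, 2 if no such policy is in the dump.
policy_status() {
    src=$1; dst=$2
    line=$(zone_policies | grep "^$src -> $dst " || true)
    [ -n "$line" ] || return 2
    case "$line" in
        *" ACCEPT "*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Demo on the constructed sample. On the router itself, replace the echo with:
#   iptables-save -c | unused_accepts
echo "$SAMPLE" | zone_policies
echo "--- allowed but never hit:"
echo "$SAMPLE" | unused_accepts
```

Run it against a fresh `iptables-save -c` right after a failed ping from the tunnel: if `wireguard -> lan` shows `pkts=0` the packet never entered the FORWARD path (check routes and the client's AllowedIPs), and if the counter moves but the host stays silent, look at the host, which is exactly where this thread ends up.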

First, I can’t thank you enough for taking the time to help! I can understand that it’s difficult to help someone with little knowledge of OpenWRT plus the added complexity of the Brume firmware.

I stumbled upon a thread on the Gl forum discussing VPN. Evidently the desired use case- reaching LAN resources on the server side LAN- does work if the router is just hanging off the LAN rather than work as a router. That is, connect the WAN interface to the desired LAN and don’t connect anything to the LAN interface.

I did exactly that and now I can ping LAN hosts from my iPhone over a VPN tunnel. The iPhone is browsing the internet via my home network. So mission accomplished.

However, this is only possible when using the Gl supplied Wireguard GUI; Luci has not worked at all and neither has CLI.

Now the question- the Brume supports 19.07.5; how do I upgrade without a systemupgrade file? Do I have to build OpenWRT all by myself? The Wiki page for this router is no help.


The device is supported in snapshots, that means without preinstalled Luci. You can flash the image on an sdcard and use that. Then configure the network and install Luci and the rest of the programs you need.
Access to the lan side of the network over wireguard when the router is placed at the edge works fine with OpenWrt; I don't know what they have messed up in GL.
1 Like

I’d like to provide a quick update: the reason I was unable to ping hosts on the LAN side of my router is because I was trying to ping Windows 10 hosts...and the Windows firewall by default drops ICMP packets. Lesson learned: don't test routing with Windows targets.

That said, I still can’t get WG up and running via Luci or the published scripts. The GL iNet GUI only does basic config that cannot be further managed via the Luci GUI for firewall and routing purposes.

Unfortunately GL.iNet seems to use an incompatible syntax for WireGuard config.

1 Like