I've tried following the guide WireGuard routing all traffic to set up a Raspberry Pi 5 running the latest (ish) snapshot of OpenWRT.
Error
I just keep getting the following error in logread:
Sun Mar 17 12:35:24 2024 daemon.notice netifd: wg0_int (1925): Try again: `notmyrealdomain.duckdns.org:51820'. Trying again in 2.07 seconds...
My configs
Snapshot build was requested with the following packages (in addition to the defaults): luci luci-ssl kmod-mt7921e kmod-mt7921u kmod-usb-net-asix-ax88179 kmod-usb-net-cdc-mbim kmod-usb-net-rtl8152 luci-proto-wireguard
I have port forwarded 51820 to the OPNSense server and have seen wg packets being received (with alternative configurations, not with the config details detailed below).
Also, I can't access luci and the DHCP server on lan/eth0 doesn't work but those are minor issues I can live with.
The intended use is to roam with the device and connect to public networks via Ethernet or WiFi as a last resort. I have a TP Link UE300 as my eth1 (i.e., someone else's router/gateway that I don't have access to). I have an OPNSense (I couldn't get OpenWRT working on x86) Wireguard instance running at home and all internet traffic should flow through there.
#/etc/config/network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fddb:c930:0025::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan_int'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option delegate '0'
	option defaultroute '0'

config interface 'wan_int'
	option proto 'dhcp'
	option device 'eth1'

config interface 'wg0_int'
	option proto 'wireguard'
	option private_key 'whatever was generated by the luci'
	list addresses '10.80.90.2/32'

config wireguard_wg0_int
	option public_key 'wg instance public key on OPNSense'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host 'notmyrealdomain.duckdns.org'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	option description 'home-pt-opnsense'
	option route_allowed_ips '1'

#/etc/config/firewall
config defaults
	option input 'DROP'
	option output 'DROP'
	option forward 'DROP'
	option synflood_protect '1'
	option drop_invalid '1'

config zone
	option name 'lan_zone'
	option output 'DROP'
	option forward 'DROP'
	option input 'DROP'
	list network 'lan_int'

config zone
	option name 'wan_zone'
	option input 'DROP'
	option output 'DROP'
	option forward 'DROP'
	option masq '1'
	option mtu_fix '1'
	list network 'wan_int'

config forwarding
	option src 'lan_zone'
	option dest 'wg0_zone'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan_zone'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan_zone'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan_zone'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option name 'wg0_zone'
	option input 'DROP'
	option output 'DROP'
	option forward 'DROP'
	list network 'wg0_int'
	option masq '1'

config rule
	option name 'Allow_DNS_IN'
	option family 'ipv4'
	option src 'lan_zone'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Allow_SSH_OUT'
	option family 'ipv4'
	option src 'lan_zone'
	list proto 'tcp'
	option dest_port '22'
	option target 'ACCEPT'

config forwarding
	option src 'lan_zone'
	option dest 'wg0_zone'

config rule
	option name 'Allow_Wireguard_OUT'
	option family 'ipv4'
	list proto 'udp'
	option dest 'wan_zone'
	option dest_port '51820'
	option target 'ACCEPT'

config rule
	option name 'Allow_DHCP_IN'
	option family 'ipv4'
	list proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'
	option src 'lan_zone'

config rule
	option name 'Allow_DHCP_OUT'
	option family 'ipv4'
	list proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option dest 'lan_zone'

config rule
	option family 'ipv4'
	option dest 'wg0_zone'
	option target 'ACCEPT'
	option name 'Allow_DNS_OUT'
	list proto 'tcp'
	list proto 'udp'
	option dest_port '53'

config rule
	option name 'Allow_HTTP(S)_OUT'
	option family 'ipv4'
	list proto 'tcp'
	option dest 'wg0_zone'
	option dest_port '80 443'
	option target 'ACCEPT'

config rule
	option name 'Allow_NTP_OUT'
	option family 'ipv4'
	list proto 'udp'
	option dest 'wg0_zone'
	option dest_port '123'
	option target 'ACCEPT'
In the guide from the given link, the firewall blocks everything and only some specific services for specific interfaces are allowed. You are not supposed to connect to the wg server by domain name but by ip address.
The wan port is not allowed to send DNS queries, so notmyrealdomain.duckdns.org cannot be resolved to an ip address and wireguard cannot initiate a connection. To get the DNS service working, you first need a successful wireguard connection. It's a catch-22 situation.
Try to connect to the server by ip address.
If the server public ip changes frequently and/or you prefer to connect via a domain name, you will need to create an allow rule for the wan interface and add an additional server option in /etc/config/dhcp.
# /etc/config/firewall
config rule
	option name 'Allow_DNS_WAN_OUT'
	option family 'ipv4'
	option dest 'wan_zone'
	list dest_ip '8.8.8.8'
	list proto 'tcp'
	list proto 'udp'
	option dest_port '53'
	option target 'ACCEPT'

# /etc/config/dhcp
config dnsmasq
	...
	list server '/notmyrealdomain.duckdns.org/8.8.8.8'
	list server '10.80.90.1'

# /etc/config/firewall
config rule
	option name 'Allow_LuCI'
	option family 'ipv4'
	option src 'lan_zone'
	list proto 'tcp'
	option dest_port '80 443'
	option target 'ACCEPT'
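The catch-22 above (endpoint given as a hostname while the router itself may not send DNS to the WAN zone) and the follow-up question of which upstream resolvers end up outside the tunnel can both be checked mechanically from the UCI files. The script below is an added example, not part of this thread and not OpenWrt's own tooling: it parses condensed, constructed copies of the network, firewall and dhcp fragments posted above, treats a firewall rule with no `src` as an output rule (traffic the router originates, which is how fw3/fw4 interpret it), and reports whether the WireGuard endpoint can be resolved before the tunnel exists and whether any default dnsmasq upstream is permitted out via the WAN zone. It looks at firewall policy only and ignores routing, and it assumes the uplink interface is called `wan_int` as in the poster's config.

```python
"""Policy-level check for the WireGuard DNS catch-22 discussed in the thread,
plus which dnsmasq upstreams the firewall would let out through the WAN zone.
Added example: reads firewall policy only, ignores routing."""
import ipaddress
import shlex

# Constructed, condensed versions of the thread's configs, not the full files.
NETWORK = """config interface 'wan_int'
    option proto 'dhcp'
config interface 'wg0_int'
    list addresses '10.80.90.2/32'
config wireguard_wg0_int
    option endpoint_host 'notmyrealdomain.duckdns.org'
    list allowed_ips '0.0.0.0/0'
"""
FIREWALL_BEFORE = """config zone
    option name 'wan_zone'
    list network 'wan_int'
config zone
    option name 'wg0_zone'
    list network 'wg0_int'
config rule
    option name 'Allow_Wireguard_OUT'
    list proto 'udp'
    option dest 'wan_zone'
    option dest_port '51820'
    option target 'ACCEPT'
config rule
    option name 'Allow_DNS_OUT'
    option dest 'wg0_zone'
    option dest_port '53'
    option target 'ACCEPT'
"""
# The reply's fix: DNS to one pinned resolver on the WAN, and dnsmasq sending
# only the endpoint's name there while everything else goes into the tunnel.
FIREWALL_AFTER = FIREWALL_BEFORE + """config rule
    option name 'Allow_DNS_WAN_OUT'
    option dest 'wan_zone'
    list dest_ip '8.8.8.8'
    option dest_port '53'
    option target 'ACCEPT'
"""
DHCP_AFTER = """config dnsmasq
    list server '/notmyrealdomain.duckdns.org/8.8.8.8'
    list server '10.80.90.1'
"""

def parse_uci(text):
    """UCI text -> [{'type', 'name', 'opts'}]; `list` keys become Python lists."""
    sections = []
    for raw in text.splitlines():
        t = shlex.split(raw, comments=True)
        if len(t) < 2:                      # blank lines, comments, the '...' filler
            continue
        val = t[2] if len(t) > 2 else None
        if t[0] == 'config':
            sections.append({'type': t[1], 'name': val, 'opts': {}})
        elif t[0] == 'option':
            sections[-1]['opts'][t[1]] = val or ''
        elif t[0] == 'list':
            sections[-1]['opts'].setdefault(t[1], []).append(val)
    return sections

def as_list(v):
    return v if isinstance(v, list) else [v]

def zone_of(firewall, ifname):
    """Name of the zone whose `network` covers interface `ifname` (None if none)."""
    for z in firewall:
        if z['type'] == 'zone' and ifname in as_list(z['opts'].get('network', [])):
            return z['opts'].get('name')

def port_in(spec, port):
    """Does a dest_port spec such as '80 443' or '1024-65535' include `port`?"""
    for part in spec.split():
        lo, _, hi = part.partition('-')
        if lo.isdigit() and (hi or lo).isdigit() and int(lo) <= port <= int(hi or lo):
            return True
    return False

def router_may_send(firewall, zone, port, dst=None):
    """True if an ACCEPT rule without `src` (an output rule: traffic the router
    itself originates) lets `port` into `zone`.  dst=None asks for a rule with
    no dest_ip restriction at all; otherwise dst must be covered by the rule."""
    for r in firewall:
        o = r['opts']
        if r['type'] != 'rule' or o.get('target') != 'ACCEPT' or 'src' in o:
            continue
        if o.get('dest') != zone or ('dest_port' in o and not port_in(o['dest_port'], port)):
            continue
        if 'dest_ip' not in o or (dst is not None and dst in as_list(o['dest_ip'])):
            return True
    return False

def diagnose(network, firewall, dhcp, wan_if='wan_int'):
    """Return findings as strings; an empty list means the policy is consistent."""
    wan_zone, findings, scoped, unscoped = zone_of(firewall, wan_if), [], {}, []
    for s in (s for s in dhcp if s['type'] == 'dnsmasq'):
        for entry in as_list(s['opts'].get('server', [])):
            if entry.startswith('/'):           # '/domain/resolver' form
                _, domain, resolver = entry.split('/', 2)
                scoped[domain] = resolver
            else:
                unscoped.append(entry)
    for peer in (s for s in network if s['type'].startswith('wireguard_')):
        host = peer['opts'].get('endpoint_host', '')
        try:
            ipaddress.ip_address(host)          # literal IP: nothing to resolve
            continue
        except ValueError:
            pass
        # Resolver dnsmasq would use for this name: the pinned one, else the
        # default upstreams, else (None) whatever the uplink's DHCP handed out.
        candidates = [scoped[host]] if host in scoped else (unscoped or [None])
        if not any(router_may_send(firewall, wan_zone, 53, c) for c in candidates):
            findings.append(f"catch-22: endpoint {host!r} must be resolved via zone "
                            f"{wan_zone!r} before the tunnel exists, but no output rule allows DNS there")
    for srv in unscoped:                        # default upstreams for all clients
        if router_may_send(firewall, wan_zone, 53, srv):
            findings.append(f"DNS leak: default upstream {srv} is allowed out via {wan_zone!r}, "
                            f"so firewall policy alone would not keep client queries in the tunnel")
    return findings

if __name__ == '__main__':
    net = parse_uci(NETWORK)
    for label, fw, dh in (('before', FIREWALL_BEFORE, ''), ('after', FIREWALL_AFTER, DHCP_AFTER)):
        print(label, diagnose(net, parse_uci(fw), parse_uci(dh)) or ['no findings'])
```

Run as-is it reports the catch-22 for the original config and nothing for the reply's version, because the only WAN-side DNS rule is pinned to 8.8.8.8 and the unscoped upstream 10.80.90.1 is not covered by it. Dropping `list dest_ip '8.8.8.8'` from `Allow_DNS_WAN_OUT` makes the script flag 10.80.90.1 as reachable outside the tunnel, which is the policy-level version of the DNS-leak question asked later in the thread.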
Ok that makes sense and I'll try that as soon as I get back. The linked guide specifically states "<Peer_IP_or_FQDN>" so I assumed DDNS needs were taken into account.
Just to confirm, will this config result in a DNS leak for any clients that will be connected to the OpenWRT travel router? Once the Wireguard tunnel is up, I don't want 8.8.8.8 to be used anymore.
Ok luci now works. No traffic goes through the tunnel though but I can confirm that there is a handshake on both ends. I've poked around in OPNSense and can't see any firewall blocks in the live logs.
I noticed something odd in the Firewall rules. wg0_zone appears twice and I'm not sure if that means anything.
Ok I'll try that tonight. I was only following the guide. Let me know if there is a travel router guide that actually works and I'll give it a go. I need to route all traffic through my home network when I'm out and about.
I think this guide is a little over my head. It talks a lot about IPv6 but my ISP at home doesn't provide an IPv6 address.
I'm not sure how to set it up so it is all IPv4 only and I'm worried that I might end up leaking my location if I connect to an IPv6 network and all traffic just goes out through there rather than the tunnel.
Some bits that I'm not sure about, for example, are:
Do I need kmod-ipt-nat6 for IPv4-only?
Do I need to run enable-ula.sh for an IPv4 setup?
How do I do an IPv4 setup?
Do I (or why would I) need IPv6?
Thanks for confirming I don't need IPv6, but I can't tell from the guide what I need to do (or not do, as the case may be) in order to set up an IPv4-only tunnel. In other words, there is no "if you want IPv4, then set variable x to y" instruction.