I have lost access to the router. Again

In this thread, I already complained about this problem

And today it happened again.

In this thread, I tried to set up WireGuard with a whitelist on YouTube

I didn't succeed. And I tried to find out what was the reason by the method of elimination. To understand if WireGuard works at all, I went into the interface settings and cleared Allowed IP addresses.

After restarting the router, the Internet disappeared and I can no longer access the router page.

What happened? Is OpenWRT so easy to break? What have I done wrong? Let's say I messed up with the interface settings; shouldn't Internet access just disappear after this? Why did the router stop responding? I did not change the configs through the console nor through the file manager; I did it through the graphical interface. And this somehow broke the firmware?

I have backups, but such parsley will continue to happen, then I will generally be afraid to change at least something in the settings without the most precise instructions. Which are not on the Internet!

It sounds like you forward traffic thru Wireguard, then removed the Internet (i.e. all IPs or 0.0.0.0/0) from the allowed IPs setting of your Wireguard interface. Not sure why you blame OpenWrt when you clearly removed a needed setting. This would happen on any device.

Seems you figured out it worked, but became upset after you discovered it did?

???

If you're connecting thru Wireguard and remove allowed IPs you effectively blocked the SRC client from reaching the router's web GUI. You're describing the issue you created; but seem confused why your router stopped working?

Perhaps I'm misunderstanding why you removed a [necessary] Wireguard config; but then called the OpenWrt "easily broken".

You may want to learn basic networking, then.

:spiral_notepad: BTW, if you disable Wireguard, remove/revert the: firewall, related IP Routes and Rules as well. :wink:

:warning: I don't advise making WG config changes via the tunnel itself.

2 Likes
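The reply above turns on what AllowedIPs actually does. The following is an added example, not code from the thread or from OpenWrt/WireGuard: a small Python model of WireGuard's cryptokey routing, the per-peer step that AllowedIPs controls. The peer tables (full tunnel, a one-prefix whitelist, and an emptied list) and the destination addresses are constructed; the documentation prefix 198.51.100.0/24 merely stands in for "the addresses of the service to be tunnelled".

```python
import ipaddress

# Added example (not from the thread): a model of WireGuard's cryptokey
# routing. For each peer, AllowedIPs is the set of prefixes the local host
# will send to that peer (and accept from it). A packet handed to the
# interface goes to the peer holding the longest matching prefix; if no
# peer matches, it is dropped at the interface and never enters the tunnel.

# Constructed peer tables; "warp" stands in for the thread's single peer.
FULL_TUNNEL = {"warp": ["0.0.0.0/0", "::/0"]}   # the stock warp.conf
WHITELIST = {"warp": ["198.51.100.0/24"]}       # one prefix standing in for a whitelisted service
EMPTIED = {"warp": []}                           # AllowedIPs cleared in LuCI


def select_peer(peers, dst):
    """Return (peer_name, matched_prefix) for destination dst, or None when
    no peer's AllowedIPs cover it (the packet is not tunnelled)."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for name, prefixes in peers.items():
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix, strict=False)
            if net.version != dst_ip.version or dst_ip not in net:
                continue
            # longest-prefix match decides between overlapping peers
            if best is None or net.prefixlen > best[1].prefixlen:
                best = (name, net)
    return None if best is None else (best[0], str(best[1]))


def route_plan(peers, destinations):
    """Map each destination to the peer it would be sent to, or to
    'not tunnelled' when no AllowedIPs prefix covers it."""
    plan = {}
    for dst in destinations:
        hit = select_peer(peers, dst)
        plan[dst] = hit[0] if hit else "not tunnelled"
    return plan


if __name__ == "__main__":
    targets = ["198.51.100.7", "203.0.113.10", "2001:db8::1"]
    for label, table in (("full tunnel", FULL_TUNNEL),
                         ("whitelist", WHITELIST),
                         ("emptied", EMPTIED)):
        print(f"{label:12s} {route_plan(table, targets)}")
```

With the stock 0.0.0.0/0 and ::/0 every destination maps to the peer; with the whitelist only 198.51.100.7 does; with the list emptied nothing does, which is the "tunnel carries nothing" state the reply describes. The model covers only the interface's own cryptokey step: on a real router the kernel routing table decides first whether a packet reaches the WireGuard interface at all (a directly connected 192.168.1.0/24 always beats 0.0.0.0/0), so this table alone does not explain lost LAN access to 192.168.1.1, which the thread leaves unresolved.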

Wireguard is what? Is it a proxy? Or VPN? Does it affect the internet? Or Lan? I could not get access to the router through the LAN, not through the Internet!

The default config is

AllowedIPs = 0.0.0.0/0
AllowedIPs = ::/0

And here's what it looks like on the router page.

Now tell me, how is this different from what I did?

WHERE IS THE DIFFERENCE?

In the settings it says

Allowed IP addresses
+
Not necessary. The IP addresses and prefixes that this node is allowed to use inside the tunnel. Typically, these are the tunnel IP addresses of this host and the network that it routes through the tunnel.

It turns out that the settings are lying? If it is NOT necessary. So why did I lose access to the router by deleting this OPTIONAL setting?

Let's see your config files in text form... then indicate the specific thing that was removed from the configuration as it pertains to the actual text files.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
1 Like

You love to complicate things. I didn't use the command line. And I have already told and even SHOWED what I did. Are you sure you know enough about this subject to help me?

login as: root
root@192.168.1.1's password:


BusyBox v1.35.0 (2022-10-14 22:44:41 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 22.03.2, r19803-9a599fee93
 -----------------------------------------------------
root@K14M:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd7a:812e:8c92::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'eth0.2'
        option macaddr 'c0:25:e9:d3:49:b1'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'
        option peerdns '0'
        list dns '1.1.1.1'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'
        list dns '1.1.1.1'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0 6t'

config interface 'WARP'
        option proto 'wireguard'
        option private_key 'QEY1OzmLWa93D2R5rgg97OExU2Va/3p7tUHMJRh3G3I='
        option peerdns '0'
        list dns '1.1.1.1'
        list addresses '172.16.0.2/32'
        list addresses 'fd01:5ca1:ab1e:86df:b40f:273d:2974:7bb/128'

config wireguard_WARP
        option description 'warp.conf'
        option public_key 'bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo='
        option endpoint_host 'engage.cloudflareclient.com'
        option endpoint_port '2408'
        option disabled '1'

config wireguard_WARP
        option description 'warp_old.conf'
        option public_key 'bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo='
        option endpoint_host 'engage.cloudflareclient.com'
        option endpoint_port '2408'

root@K14M:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/10300000.wmac'
        option band '2g'
        option htmode 'HT20'
        option channel 'auto'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid '████████'
        option encryption 'psk2'
        option key '████████'

root@K14M:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option name 'K14M-PC'
        option dns '1'
        option mac 'B4:2E:99:97:0C:23'
        option ip '192.168.1.10'
        option leasetime 'infinite'

config host
        option name 'K14M-Android'
        option dns '1'
        option mac 'E0:1F:88:C5:AB:F6'
        option ip '192.168.1.11'
        option leasetime 'infinite'

config host
        option name 'Chromecast'
        option dns '1'
        option mac 'A4:77:33:86:AE:70'
        option ip '192.168.1.20'
        option leasetime 'infinite'

config host
        option name 'Chaika-TV'
        option dns '1'
        option mac '00:51:ED:BA:E2:52'
        option ip '192.168.1.30'
        option leasetime 'infinite'

root@K14M:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'WG0'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'WARP'

config forwarding
        option src 'lan'
        option dest 'WG0'

root@K14M:~#

???

If you don't know what it is, why did you install and configure it?

From what I could decipher, you're trying to setup CloudFlare WARP?

Umm, I can't read Cyrillic. Provide configs as @psherman noted.

???

What language did you even post?

That was rude. Don't ask/respond if you don't want assistance.

Yep, that was your issue.

  • What was the SRC IP?
  • Was Wireguard enabled accidentally on the device?

So I don't see any specific issues here. I do hope that you made some changes to the keys to make what you posted invalid, otherwise you have just shared sensitive data that should have been redacted (and if that is the case, destroy the keys and start over).

What did you change that then caused the problem?

1 Like
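The reply above reads the posted UCI files by hand and flags the unredacted keys. As an added example (not code from the thread or from OpenWrt), here is a small parser for OpenWrt's UCI text format plus a check of the WireGuard interface and peer sections for the two points this thread turns on: whether a peer has any allowed_ips at all, and whether a private key is sitting in a dump that is about to be pasted publicly. The sample inputs are constructed in the shape of the posted /etc/config/network; the key values, endpoint host and the '[REDACTED]' convention are placeholders, not values from the thread. The option names allowed_ips, route_allowed_ips, endpoint_host, endpoint_port, public_key, private_key, description and disabled are OpenWrt's own.

```python
import re

# Constructed sample modelled on the posted /etc/config/network; keys and
# endpoint are placeholders. Neither peer carries an allowed_ips list,
# which is what the thread's dump also shows.
POSTED_STYLE = """
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'

config interface 'WARP'
        option proto 'wireguard'
        option private_key 'PLACEHOLDER_PRIVATE_KEY='
        list addresses '172.16.0.2/32'

config wireguard_WARP
        option description 'warp.conf'
        option public_key 'PLACEHOLDER_PEER_KEY='
        option endpoint_host 'wg.example.invalid'
        option endpoint_port '2408'
        option disabled '1'

config wireguard_WARP
        option description 'warp_old.conf'
        option public_key 'PLACEHOLDER_PEER_KEY='
        option endpoint_host 'wg.example.invalid'
        option endpoint_port '2408'
"""

# The same peer with a catch-all allowed_ips restored, routes requested,
# and the private key redacted before sharing.
CORRECTED = """
config interface 'WARP'
        option proto 'wireguard'
        option private_key '[REDACTED]'
        list addresses '172.16.0.2/32'

config wireguard_WARP
        option description 'warp_old.conf'
        option public_key 'PLACEHOLDER_PEER_KEY='
        option endpoint_host 'wg.example.invalid'
        option endpoint_port '2408'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option route_allowed_ips '1'
"""

# config <type> ['name'] / option <key> <value> / list <key> <value>;
# values may be single-quoted, double-quoted or bare.
UCI_LINE = re.compile(
    r"^(config|option|list)\s+(\S+)(?:\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+)))?$"
)


def parse_uci(text):
    """Parse UCI text into a list of sections of the form
    {'type': ..., 'name': str|None, 'options': {k: v}, 'lists': {k: [v]}}."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = UCI_LINE.match(line)
        if not m:
            raise ValueError(f"unparsable UCI line: {raw!r}")
        kind, key = m.group(1), m.group(2)
        value = next((g for g in m.groups()[2:] if g is not None), None)
        if kind == "config":
            current = {"type": key, "name": value, "options": {}, "lists": {}}
            sections.append(current)
        elif current is None:
            raise ValueError(f"{kind} before any config section: {raw!r}")
        elif kind == "option":
            current["options"][key] = value
        else:
            current["lists"].setdefault(key, []).append(value)
    return sections


def audit_wireguard(sections):
    """Return (subject, finding) pairs for each WireGuard interface and peer."""
    findings = []
    for iface in sections:
        if iface["type"] != "interface" or iface["options"].get("proto") != "wireguard":
            continue
        name = iface["name"]
        key = iface["options"].get("private_key", "")
        if key and key != "[REDACTED]":
            findings.append((name, "private_key is present in this dump: redact before sharing, rotate if already shared"))
        peers = [s for s in sections if s["type"] == f"wireguard_{name}"]
        if not peers:
            findings.append((name, "no peer sections"))
        for peer in peers:
            label = peer["options"].get("description") or peer["options"].get("public_key", "?")
            if peer["options"].get("disabled") == "1":
                findings.append((label, "peer is disabled and carries no traffic"))
                continue
            allowed = peer["lists"].get("allowed_ips", [])
            if not allowed:
                findings.append((label, "allowed_ips is empty: no destination can be sent to this peer"))
            elif peer["options"].get("route_allowed_ips") != "1":
                findings.append((label, "allowed_ips set but route_allowed_ips is not: no routes into the tunnel are created from it"))
    return findings


if __name__ == "__main__":
    for label, text in (("posted", POSTED_STYLE), ("corrected", CORRECTED)):
        print(label, audit_wireguard(parse_uci(text)) or "no findings")
```

Run against the posted-style sample it reports the private key, the disabled warp.conf peer and the empty allowed_ips on warp_old.conf; the corrected sample produces no findings. The parser is deliberately strict (an unknown line shape raises rather than being skipped), so a pasted dump that has been mangled by a forum editor fails loudly instead of auditing clean.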

Yea....it's interesting.

The configuration file is the primary reference for how things are actually configured. Luci is a layer of abstraction that might be incorrect. Also should you post screenshots of Luci please set the language to English first.

Saving and restoring a configuration is done file by file. If there are settings in a file like /etc/config/network (where Wireguard is set up), the entire file will be saved and restored. Any changes anywhere in the file that you did before the restore will be removed. The save/restore does not merge configurations block by block or line by line.

3 Likes

What did I change? I unplugged the router's power cable and plugged it back in. There is no on/off button on the router. What else have I changed? Added the warp_old.conf file to the interface tunnel. Didn't change anything else.

I wrote at the very beginning. In the "WARP" interface, the tunnels tab had a lot of AllowedIPs. I removed them all. I thought that when AllowedIPs are registered, then WireGuard will only work for these IPs. And if the IP is not specified, it will work for all connections. I deleted them, applied the settings and the router went into reboot. After the reboot, I waited about 10 minutes but could not connect to the router. Then I created this thread.

And only then I just manually restarted the router and was able to connect to it.

Are you accessing the router via openwrt.lan or its IP?

Why. Can you explain?

(You need to answer all questions community members are asking in order to assist.)

If you're doing things to break your config, I'd suggest simply stopping - unless there's some reason.

Through its IP.

What for? You wrote that I did everything wrong and broke the router myself. Therefore, I took a known-good config in which AllowedIPs was not registered, loaded it into the router and compared how it differs from mine.

In the browser interface, the AllowedIPs fields are empty. In the config file it says

AllowedIPs = 0.0.0.0/0
AllowedIPs = ::/0

To be sure of that, I uploaded the second file. What if in the second file the AllowedIPs fields were not empty, but contained the value "0.0.0.0/0"? I had to check...

  • What IP? (The router has at least 4)

???

  • Are you just testing?
  • Are you asking a question?

This is why the Internet broke. I do not know about the access to the web GUI without more information.

In what sense? The one by default. 192.168.1.1

I tested and asked a question.

One more time from the beginning. I downloaded the warp.conf configuration file that I use on PC and smartphone. And I wanted to set it up on the router. I have a Chromecast device on one TV and a smart TV in the kitchen. I would like to watch YouTube on both. But after recent events, it has been blocked for me for an unknown reason. On chromecast and on smart TV, neither VPN nor proxy can be installed. I did not find a working option. That's why I decided to put WireGuard on the router. But with one difference, I wanted WireGuard to work only for blocked resources.

Therefore, I opened the configuration file warp.conf, and replaced the lines in it

AllowedIPs = 0.0.0.0/0
AllowedIPs = ::/0

with the IP addresses of YouTube that I found on the network. I set up WireGuard on the router according to the instructions on the network. But YouTube still wouldn't open. All other sites worked, YouTube did not. Then I decided to check if WireGuard works at all, or did I configure it incorrectly? To do this, I needed to remove the white list from its settings, so that it would work for all addresses and not just for those that I specified. To do this, I opened the router settings in the browser, the WireGuard interface, the (peers) tab, the warp.conf file and deleted all the fields with IP addresses that were there. The AllowedIPs field has become empty. I applied the settings and the router itself went into a reboot after which it never came out.

Then I manually restarted it and after that it turned on, I did not notice any changes in the WireGuard interface, because I only changed it before restarting.

Further, they wrote here that I did something wrong on that router and turned it off. What did I do? Removed IP addresses from the AllowedIPs list. If the router turned off, did I delete them incorrectly?

To check "it's right" I loaded the original warp.conf file, before that renaming it to warp_old.conf so that there would be no conflict. I downloaded it, opened the tab (peers), found a new file, and looked at how the fields with AllowedIPs were registered in it. They registered in the same way, just an empty field without any values. The result is exactly the same as mine. So what did I do wrong?

Now, if it were not necessary to delete all fields, but instead it was necessary to leave one field with a value of 0.0.0.0/0, then yes. Then I removed AllowedIPs incorrectly. But I did everything right.

And I don't know what that means. I have all my settings here.

Well, what is the address?


???

Perhaps someone else should explain.

:+1:

I assume that your picture was in Russian. It is difficult to understand whether you are asking or explaining why you broke your router.

This makes me think that you do not understand the basics of networking, because you keep asking why.

I assume your picture was in Russian. It is difficult to understand if you are inquiring or explaining why you broke your router.

It makes me think you don't understand basic networking, because you then continue to ask why.

I suggest using a default OpenWrt, and do not attempt to setup Wireguard.

And what does it mean?

Here's what the default whitelist settings looked like in the file.

And here's how I set it up.

I don't see the difference.

In the configuration file, the absence of a white list looks like this

AllowedIPs = 0.0.0.0/0
AllowedIPs = ::/0

But after loading into the browser, it, the white list, is displayed as I showed. Just an empty field. An empty field with no values.

default doesn't work either. And WireGuard doesn't like torrents and other similar programs.

Why are you calling that a white list?

What instructions have you been referencing?

Can you clearly explain the reason you setup Wireguard?