Migrate from OpenVPN client to Wireguard client

Hi all,

I'm running OpenWRT (23.04.2) on a Proxmox (8.1.4) container and have successfully configured an OpenVPN client connection to PIA. I have a number of other Proxmox containers that connect to the internet via the OpenVPN connection.

I'm currently trying to migrate from OpenVPN to Wireguard. I have installed luci-proto-wireguard and have configured a Wireguard interface.

tun0 is the OpenVPN connection and wg0 is the Wireguard connection.

I can ping servers on the internet from OpenWRT on both tun0 and wg0.

I have also tested the Wireguard interface using nslookup and traceroute by adding the following route:

# ip route add 8.8.8.8/32 via 10.8.218.218

Then running:

# nslookup bbc.com 8.8.8.8
# traceroute 8.8.8.8

At this stage, I'm fairly certain the Wireguard connection is working.

root@openwrt:/# cat /etc/config/network

# /etc/config/network as posted in the original question. Key material is
# redacted: 'XXXXXX' / 'YYYYYY' stand in for the real private/public keys.
config interface 'loopback'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option device 'lo'

# Physical uplink (eth0), IPv4 and IPv6.
config interface 'wan'
        option proto 'dhcp'
        option device 'eth0'

config interface 'wan6'
        option proto 'dhcpv6'
        option device 'eth0'

# LAN side (eth1) that the other containers sit on.
config interface 'lan'
        option proto 'static'
        option device 'eth1'
        option ipaddr '10.50.50.1'
        option netmask '255.255.255.0'

# WireGuard client interface; the two 'dns' entries are the resolvers used
# while wg0 is up.
config interface 'wg0'
        option proto 'wireguard'
        option private_key 'XXXXXX'
        list addresses '10.8.218.218'
        list dns '10.0.0.243'
        list dns '10.0.0.242'

# Peer definition for wg0. allowed_ips is 0.0.0.0/0, but route_allowed_ips is
# not set here, so (as far as the later replies indicate) no route via wg0 is
# installed for that prefix; the poster later adds "option route_allowed_ips '1'".
config wireguard_wg0
        option description 'Imported peer configuration'
        option public_key 'YYYYYY'
        list allowed_ips '0.0.0.0/0'
        option persistent_keepalive '25'
        option endpoint_host '154.16.81.227'
        option endpoint_port '1337'

# The OpenVPN tun0 interface is still defined alongside wg0 at this point.
config interface 'tun0'
        option proto 'dhcp'
        option device 'tun0'

The issue is that when I convert my existing working firewall rules over to Wireguard, the client containers lose internet access.

Here's my existing working firewall config (sorry, can only post one image)

# Original (OpenVPN-era) firewall config, as posted. Two points worth noting,
# both raised in the replies further down the thread:
#  - tun0 is listed in BOTH the 'wan' zone and the 'vpn' zone, and wg0 is
#    listed only in 'wan'; the replies say a VPN device should be in the
#    'vpn' zone only if a kill switch is intended.
#  - the 'vpn' zone has no masq / mtu_fix, unlike the 'wan' zone.
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

# 'wan' zone: masquerading and MSS clamping enabled; it covers the physical
# uplinks AND both VPN devices (tun0, wg0).
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'tun0'
        list network 'wan'
        list network 'wan6'
        list network 'wg0'

# 'vpn' zone: tun0 only (wg0 is not here yet); no masq / mtu_fix.
config zone
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'tun0'

# The only forwarding rule in this listing is lan -> vpn; there is no
# lan -> wan forwarding.
config forwarding
        option src 'lan'
        option dest 'vpn'

However, when I change the covered networks setting in the vpn zone to wg0, internet connectivity ceases and ping reports "Destination Port Unreachable". Note that this only starts happening if I restart the ping command after making the zone change; if I leave ping running it continues to work. Only new connections fail.

config zone
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'wg0'

Can anyone offer any insights into what I'm doing wrong?

Thanks :slight_smile:

See how you go. If it doesn't work someone will chime in soon. :slight_smile:

tun0 is in both the WAN zone and the VPN zone; that is not correct.

If you want a kill switch, i.e. no traffic unless the VPN is up, then put the tun0 device in the VPN zone only. (You might run into trouble if you are using a domain name as the endpoint.)

Both WG and OpenVPN need masquerading on the vpn zone, as the server side does not know your subnet; MSS clamping is also advisable. So, as @spindocter already said, enable masquerading and MSS clamping on the VPN zone:

     option masq '1'
     option mtu_fix '1'

If you do not want a kill switch, just add the tun0 and wg0 interfaces to the WAN zone.

Thanks everyone :slight_smile:

I removed both tun0 and wg0 from the wan zone and added the masq (Masquerading) and mtu_fix (MSS clamping) settings, but I still cannot access the internet from an OpenWRT client over Wireguard. OpenVPN still works.

My working OpenVPN firewall config now looks like this:

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        option mtu_fix '1'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config zone
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'tun0'

config forwarding
        option src 'lan'
        option dest 'vpn'

My non-working Wireguard firewall config looks like this:

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        option mtu_fix '1'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config zone
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wg0'

config forwarding
        option src 'lan'
        option dest 'vpn'

I did notice something but am unsure if it's an issue. On the status page the Wireguard VPN is listed but does not have a gateway set:

Screenshot 2024-02-09 at 8.41.34 am

Should it have one?

Well lets see the network config:
cat /etc/config/network

Did you enable Route Allowed IPs ?

Sorry, I did include the contents of my /etc/config/network in my original post. It, however, didn't have 'Route Allowed IPs' ticked. I enabled that option but am still unable to access the internet via wg0.

Here's my updated /etc/config/network:

config interface 'loopback'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option device 'lo'

config interface 'wan'
        option proto 'dhcp'
        option device 'eth0'

config interface 'wan6'
        option proto 'dhcpv6'
        option device 'eth0'

config interface 'lan'
        option proto 'static'
        option device 'eth1'
        option ipaddr '10.50.50.1'
        option netmask '255.255.255.0'

config interface 'tun0'
        option proto 'dhcp'
        option device 'tun0'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'XXXXX'
        list addresses '10.18.144.26'
        list dns '10.0.0.243'
        list dns '10.0.0.242'

config wireguard_wg0
        option description 'Imported peer configuration'
        option public_key 'YYYYY'
        list allowed_ips '0.0.0.0/0'
        option persistent_keepalive '25'
        option endpoint_host '202.125.43.19'
        option endpoint_port '1337'
        option route_allowed_ips '1'

Also, in case it's useful, here's the output of both the 'route' and 'ip route' commands:

root@openwrt:/# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.13.110.1     128.0.0.0       UG    0      0        0 tun0
default         192.168.86.1    0.0.0.0         UG    0      0        0 eth0
10.13.110.0     *               255.255.255.0   U     0      0        0 tun0
10.50.50.0      *               255.255.255.0   U     0      0        0 eth1
128.0.0.0       10.13.110.1     128.0.0.0       UG    0      0        0 tun0
154.16.81.142   192.168.86.1    255.255.255.255 UGH   0      0        0 eth0
192.168.86.0    *               255.255.255.0   U     0      0        0 eth0
202.125.43.19   192.168.86.1    255.255.255.255 UGH   0      0        0 eth0
root@openwrt:/# ip route
0.0.0.0/1 via 10.13.110.1 dev tun0 
default via 192.168.86.1 dev eth0  src 192.168.86.200 
10.13.110.0/24 dev tun0 scope link  src 10.13.110.3 
10.50.50.0/24 dev eth1 scope link  src 10.50.50.1 
128.0.0.0/1 via 10.13.110.1 dev tun0 
154.16.81.142 via 192.168.86.1 dev eth0 
192.168.86.0/24 dev eth0 scope link  src 192.168.86.200 
202.125.43.19 via 192.168.86.1 dev eth0

I do notice that the default route (from the route command) and the 0.0.0.0/1 route still point at the gateway for the tun0 interface, even though tun0 has been removed from the firewall settings:

ifconfig output:

root@openwrt:/# ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.13.110.3  P-t-P:10.13.110.3  Mask:255.255.255.0
          inet6 addr: fe80::48f1:a223:afb2:980a/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:5384698 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4008699 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:4103183721 (3.8 GiB)  TX bytes:332647398 (317.2 MiB)

root@openwrt:/# ifconfig wg0
wg0       Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.18.144.26  P-t-P:10.18.144.26  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:154 errors:0 dropped:7 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:22792 (22.2 KiB)

I'm not a networking expert, so am unsure if that's an issue?

[ deleted ]

Your OpenVPN is still running; you'd better disable it if you want to use WireGuard instead of OpenVPN.

After disabling OpenVPN, reboot and test again

Thanks everyone for the help.

In the end, I created a new Proxmox OpenWRT CT, set it up from scratch to use Wireguard, and it works :slight_smile:

Once the client CTs were migrated across, port forwards set up, etc., I was back in business.

I suspect there were some clashes between the OpenVPN and Wireguard configurations as was pointed out, and just disabling the OpenVPN interfaces/connection was not enough to get things working.

For those interested, here are my working network and firewall configurations, and the output of the 'route' command:

config interface 'loopback'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option device 'lo'

config interface 'wan'
        option proto 'dhcp'
        option device 'eth0'

config interface 'wan6'
        option proto 'dhcpv6'
        option device 'eth0'

config interface 'lan'
        option proto 'static'
        option device 'eth1'
        option ipaddr '10.50.40.1'
        option netmask '255.255.255.0'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'XXXXXX'
        list addresses 'Z.Z.Z.Z'
        list dns '10.0.0.243'
        list dns '10.0.0.242'

config wireguard_wg0
        option description 'Imported peer configuration'
        option public_key 'YYYYYY'
        list allowed_ips '0.0.0.0/0'
        option persistent_keepalive '25'
        option endpoint_host '202.125.43.8'
        option endpoint_port '1337'
        option route_allowed_ips '1'
# Final, working firewall config on the freshly built container, as posted.
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

# 'wan' zone: physical uplinks only; neither tun0 nor wg0 is listed here.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

# 'vpn' zone: wg0 only, with masquerading and MSS clamping enabled (the VPN
# server side does not know the LAN subnet, as the replies above explain).
config zone
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wg0'

# Only lan -> vpn is forwarded and there is no lan -> wan rule, so LAN clients
# have no path to the internet except through wg0 -- the kill-switch behaviour
# described earlier in the thread.
config forwarding
        option src 'lan'
        option dest 'vpn'
root@owrt:/# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         *               0.0.0.0         U     0      0        0 wg0
10.50.40.0      *               255.255.255.0   U     0      0        0 eth1
192.168.86.0    *               255.255.255.0   U     0      0        0 eth0
202.125.43.8    192.168.86.1    255.255.255.255 UGH   0      0        0 eth0
202.125.43.19   192.168.86.1    255.255.255.255 UGH   0      0        0 eth0