Need help for extensive network configuration

First and foremost, I am dumb and a noob, especially on networking things. This is my first networking diagram and I am not sure if I'm doing it correctly. Basically I have a TP-Link router with OpenWrt installed and use it to receive internet from a guest Wi-Fi and then provide a LAN connection for my devices. I would like to run WireGuard directly on the router; however, it only has 1.56MB of free space out of 55MB, which is not enough to install all the needed packages for WireGuard. Thus, I am setting up an OpenWrt VM on my Proxmox host to serve as the wg tunnel.

To make it more complex, I am running the wg connection through TCP port 443 using udp2raw (following this guide). This is because the guest Wi-Fi blocks all UDP ports and only allows TCP 80/443. The openwrt-udp2raw-wireguard chain looks almost the same as this, except for the udpspeeder; I didn't use udpspeeder.

After all the hurdles, I successfully set up the network connections, self-taught, up until this stage. Phew, not easy for a noob.

My goal: I would like to have only devices connected wirelessly on wlan0 to get tunneled through wireguard.

Things I have tried (and failed): I have tried this guide but ended up with my Proxmox host losing its connection, as well as the OpenWrt VM.

If your WG client routes all its traffic through the tunnel (e.g. has allowed IPs set to 0.0.0.0/0) then simply pointing your LAN clients to use your WG client as gateway might already work.

Here's my current configuration for the TP-Link:

/etc/config/network:

config interface 'loopback'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'
	option device 'lo'

config globals 'globals'
	option ula_prefix 'fdaa:07e2:6ba3::/48'

config interface 'lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option device 'br-lan'

config device 'lan_eth0_1_dev'
	option name 'eth0.1'
	option macaddr '68:ff:7b:a7:53:ee'

config interface 'wan'
	option proto 'dhcp'
	option device 'br-wan'

config device 'wan_eth0_2_dev'
	option name 'eth0.2'
	option macaddr '68:ff:7b:a7:53:ef'

config interface 'wan6'
	option proto 'dhcpv6'
	option device 'br-wan6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'

config interface 'wwan'
	option proto 'dhcp'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config device
	option name 'br-wan'
	option type 'bridge'
	list ports 'eth0.2'

config device
	option name 'br-wan6'
	option type 'bridge'
	list ports 'eth0.2'

config interface 'trm_wwan'
	option proto 'dhcp'
	option metric '100'

config interface 'trm_wwan6'
	option device '@trm_wwan'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'

/etc/config/wireless:

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'platform/10300000.wmac'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option key '#####'
	option ssid 'Personal Hotspot'
	option encryption 'psk-mixed'
	option network 'lan'
	option ifname 'wlan0'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '56'
	option hwmode '11a'
	option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
	option htmode 'VHT80'
	option disabled '0'
	option cell_density '0'

config wifi-iface 'wifinet1'
	option device 'radio1'
	option mode 'sta'
	option network 'wwan'
	option ssid 'WiFi@Guest'
	option encryption 'none'

/etc/config/firewall:

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option name 'trm_wwan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'trm_wwan'
	list network 'trm_wwan6'

config forwarding
	option src 'lan'
	option dest 'trm_wwan'

routing table:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.122.16.1     0.0.0.0         UG    0      0        0 phy1-sta0
10.122.16.0     0.0.0.0         255.255.240.0   U     0      0        0 phy1-sta0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan

Here's my current configuration for the OpenWrt VM:

/etc/config/network:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdf1:2873:6a7d::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.190'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.1.184'

config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'

config interface 'wan6'
	option proto 'dhcp'
	option device 'eth1'

config interface 'wg0'
	option proto 'wireguard'
	option private_key '<PRIVKEY>'
	list addresses '10.75.7.5/24'
	list dns '9.9.9.9'
	list dns '149.112.112.112'
	option mtu '1342'
	option fwmark '0xca6c'

config wireguard_wg0
	option description 'Imported peer configuration'
	option public_key '<PUBKEY>'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'
	option endpoint_host '127.0.0.1'
	option endpoint_port '50001'
	option route_allowed_ips '1'

config route
	option interface 'wan6'
	option target '100.100.100.10/20'
	option gateway '192.168.1.1'
	option source '10.75.7.5'
	option disabled '1'

/etc/config/firewall:

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include 'udp2raw'
	option type 'script'
	option path '/var/etc/udp2raw.include'

config zone
	option name 'wg'
	option input 'REJECT'
	option forward 'REJECT'
	list network 'wg0'
	option masq '1'
	option output 'ACCEPT'

config rule
	option name 'Allow_DNS_IN'
	option family 'ipv4'
	option src 'lan'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Allow_SSH_OUT'
	option family 'ipv4'
	list proto 'tcp'
	option dest 'lan'
	option dest_port '22'
	option target 'ACCEPT'

config rule
	option name 'Allow_Wireguard_OUT'
	option family 'ipv4'
	list proto 'udp'
	option dest 'wan'
	list dest_ip '127.0.0.1'
	option dest_port '50001'
	option target 'ACCEPT'

config rule
	option name 'Allow_DHCP_IN'
	option family 'ipv4'
	list proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'
	option src 'lan'

config rule
	option name 'Allow_DHCP_OUT'
	option family 'ipv4'
	list proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'wg'

config forwarding
	option src 'wg'
	option dest 'lan'

routing table:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 wg0
10.75.7.0       0.0.0.0         255.255.255.0   U     0      0        0 wg0
100.100.100.10  192.168.1.1     255.255.255.255 UGH   0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
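
As an added example (not code from the thread), here is a small Python parser for the UCI stanzas posted above; fed the VM's zone and forwarding sections, it reports that the lan zone has a forwarding entry only into wg (masqueraded) and none into wan, so with forward defaulting to REJECT the VM will not pass LAN traffic out its plain uplink if wg0 is down. Section and option names are those of the posted config; the sample keeps only the options the check needs.

```python
# Parse OpenWrt UCI firewall stanzas and report zone forwarding. Added example, not from the thread.
import re
# Constructed input: zone and forwarding stanzas from the VM's /etc/config/firewall above, trimmed.
VM_FIREWALL = """\
config zone 'lan'
    option name 'lan'
    option forward 'ACCEPT'
config zone 'wan'
    option name 'wan'
    option forward 'REJECT'
    option masq '1'
config zone
    option name 'wg'
    option input 'REJECT'
    option forward 'REJECT'
    list network 'wg0'
    option masq '1'
config forwarding
    option src 'lan'
    option dest 'wg'
config forwarding
    option src 'wg'
    option dest 'lan'
"""

def parse_uci(text):
    # Tokens are bare words or single-quoted strings (which may contain spaces).
    sections = []
    for line in text.splitlines():
        tok = [t.strip("'") for t in re.findall(r"'[^']*'|\S+", line)]
        if tok and tok[0] == "config":
            sections.append((tok[1], {}))        # section name (if any) is not needed here
        elif tok and tok[0] == "option":
            sections[-1][1][tok[1]] = tok[2]
        elif tok and tok[0] == "list":
            sections[-1][1].setdefault(tok[1], []).append(tok[2])
    return sections

def forward_map(sections):
    """Source zone -> set of destination zones that have an explicit forwarding stanza."""
    fwd = {}
    for kind, opts in sections:
        if kind == "forwarding":
            fwd.setdefault(opts["src"], set()).add(opts["dest"])
    return fwd

def zones(sections):
    """Zone name -> its options, keyed by the 'name' option so anonymous sections work too."""
    return {o["name"]: o for k, o in sections if k == "zone"}
```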

Sorry, I am a noob. Do you have a link to any guide that shows it step by step?

It is a simple test.

If you have a WireGuard client running in your network, e.g. on a bridged AP, NAS or VM, then you can simply point the gateway of your LAN clients, e.g. your Windows PC, to the IP address of the WG client.

If this works, you know that the WG client is properly set up to handle traffic.

2 Likes

I have tried to point the gateway to my wg client IP on my Android phone but I got no internet connection. I also need to put in the DNS. Which IP should I use for DNS?

Whatever you want, e.g. use 9.9.9.9.
But if it does not work, your VM on which your WG client runs is not properly set up to route or allow traffic.

1 Like

Already followed this official guide to route all traffic through WireGuard but it still fails.

You can test if this works from inside your VM.

But your VM must also be set up to allow traffic from outside and route that traffic.

Cannot help you with that.

1 Like

I will try

1 Like

After looking at all the network config of the VM, there is no problem with the firewall blocking traffic whatsoever. Just a problem with routing on the OpenWrt VM. I still can't figure it out. When I point my Android phone to use 192.168.1.132 as gateway, the traffic didn't go through the WireGuard tunnel, based on tcpdump -i eth1.

Let me clear things up:

On the OpenWrt VM, I am running the wg connection through a udp2raw tunnel on port 443 (following this guide). The wg tunnel inside the udp2raw tunnel looks like this: udp2raw-point-to-point.svg

The WireGuard config & udp2raw command line on the OpenWrt VM look like this:

# /etc/wireguard/wg0.conf

# local settings for openwrt VM
[Interface]
PrivateKey = <PRIVKEY>
Address = 10.75.7.5

# send wg through udp2raw
MTU = 1342
PreUp = udp2raw -c -l 127.0.0.1:50001 -r 100.100.100.10:443 -k "shared secret" -a >/var/log/udp2raw.log 2>&1 &
PostDown = killall udp2raw || true

# remote settings for VPS server
[Peer]
PublicKey = <PUBKEY>
Endpoint = 127.0.0.1:50001
AllowedIPs = 0.0.0.0/0

I have set a traffic rule on the TP-Link router to allow traffic from the Android phone 192.168.1.243 to the OpenWrt VM 192.168.1.132. Then I tried routing the same as in this guide. My Android phone got 192.168.1.132 as gateway but fails to get an internet connection.

This is my interface & routing config; is it correct?



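The routing tables pasted above decide where a packet leaves each box. This added Python example (not from the post) does a longest-prefix lookup over both tables as posted: on the VM a public address exits via wg0 while the udp2raw endpoint 100.100.100.10 takes the host route via eth1 (so the tunnel carrier is not routed into itself), and on the TP-Link every non-LAN destination exits phy1-sta0, the open guest Wi-Fi, which is why only clients whose gateway is the VM are tunnelled.

```python
# Longest-prefix route lookup over `route -n` style tables. Added example, not from the thread.
import ipaddress

# Constructed input: the two routing tables as posted above (VM first, then the TP-Link).
VM_ROUTES = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 wg0
10.75.7.0       0.0.0.0         255.255.255.0   U     0      0        0 wg0
100.100.100.10  192.168.1.1     255.255.255.255 UGH   0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
"""
ROUTER_ROUTES = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.122.16.1     0.0.0.0         UG    0      0        0 phy1-sta0
10.122.16.0     0.0.0.0         255.255.240.0   U     0      0        0 phy1-sta0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan
"""

def parse_routes(text):
    """Return [(network, gateway, iface, metric)] from `route -n` output, header skipped."""
    routes = []
    for line in text.splitlines()[1:]:
        dst, gw, mask, _flags, metric, _ref, _use, iface = line.split()
        routes.append((ipaddress.ip_network(f"{dst}/{mask}"), gw, iface, int(metric)))
    return routes

def lookup(routes, dst):
    """(iface, gateway) of the most specific route: longest prefix wins, then lowest
    metric, then table order (first listed wins, as between the two 192.168.1.0/24
    entries on the VM)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for route in routes:
        net, _gw, _iface, metric = route
        if addr in net and (best is None or (net.prefixlen, -metric) > (best[0].prefixlen, -best[3])):
            best = route
    return None if best is None else (best[2], best[1])

def egress_summary(routes, dsts):
    """Map each destination to its egress interface, e.g. to see which addresses leave via wg0."""
    return {d: (lookup(routes, d) or (None, None))[0] for d in dsts}
```
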
You can ignore the TP-Link; its firewall and routing are irrelevant as all your devices are in the LAN zone.

Are you certain the WireGuard tunnel is working at all?
If you install a wg client on the phone, can it connect? That's where I would start.
Then confirm connectivity from within the OpenWrt VM, and only then start working on the routing within your LAN.

1 Like

Wow, thanks. It works. I just needed to use the same wg config for both OpenWrt & Android, and now my Android is connected to wg, but the connection is slow. However, is it possible to get an internet connection on Android tunnelled through wg without having to turn on the wg client app?