Need some assistance setting up wireguard site to site VPN static routes

oliera · February 8, 2023, 4:57am

Hello everyone,

I have a strange set up between my friend's and mine networks. I used to use opnSense on both sides and had wireguard VPN working for a couple of years. I've decided to replace my opnSense box with Raspberry Pi4 and I can't get the wireguard VPN to work. Well, I got to work partially: I can actually see that the wireguard esteblishes the connection and I can actually ping the remote router from OpenWRT by selecting the wireguard interface "ping -I WG1 192.168.1.1", but not traffic is flowing between the networks otherwise. What should I add into static routes?

Here's my network diagram:

What am I missing?

oliera · February 8, 2023, 4:58am

(I couldn't include this in the OP as I'm new to the forum)

I tried to set up this route, but obviously it isn't working

oliera · February 8, 2023, 5:11am

psherman · February 8, 2023, 5:14am

Your route is wrong... it should be 192.168.1.0/24 (when you use 192.168.1.1/24, you specify a host, when you use 0/24 it specifies the network).

oliera · February 8, 2023, 6:10am

That's fair, I changed the route, but unfortunately that didn't help. Still can't ping 192.168.1.1 or any host in 192.168.1.0/24 from 10.10.0.0/24 network

psherman · February 8, 2023, 6:10am

let's see the config files.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

oliera · February 8, 2023, 6:35am

I appreciate you trying to help!

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxx:xxxx:3598::/48' < sanatized
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '10.10.0.1'

config interface 'WAN'
        option proto 'dhcp'
        option device 'eth1'

config device
        option name 'eth1'
        option macaddr 'xx:xx:xx:xx:xx:xx'

config interface 'WG1'
        option proto 'wireguard'
        option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=' < sanatized
        option listen_port '51820'
        list addresses '10.0.15.1'
        option delegate '0'

config wireguard_WG1
        option description 'Copperfield'
        option public_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=' < sanatized
        list allowed_ips '192.168.1.0/24'
        list allowed_ips '10.0.15.2/24'
        list allowed_ips '10.0.9.0/24'
        option route_allowed_ips '1'
        option endpoint_host 'fqdn.location2'  < sanatized
        option endpoint_port '51820'
        option persistent_keepalive '25'

config route
        option interface 'lan'
        option gateway '10.0.15.1'
        option target '192.168.1.0/24'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'WG1'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'WAN'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
        option enabled '0'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Wireguard'
        option src 'wan'
        option src_dport '51820'
        option dest_ip '10.10.0.1'
        option dest_port '51820'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Reverse Proxy'
        option src 'wan'
        option src_dport '443'
        option dest_ip '10.10.0.6'
        option dest_port '4443'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'HTTP'
        option src 'wan'
        option src_dport '80'
        option dest_ip '10.10.0.6'
        option dest_port '8080'

psherman · February 8, 2023, 6:47am

Remvoe these...

Remove the delegate option from below:

oliera:

config interface 'WG1'
        option proto 'wireguard'
        option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=' < sanatized
        option listen_port '51820'
        list addresses '10.0.15.1'
        option delegate '0'

Given that you have 192.168.1.0/24 in the allowed IPs for WG as well as the route allowed IPs enabled, I think you can delete this route.

This should be a standard traffic rule, not a redirect.... delete this and make it a 'rule' instead.

oliera:

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Wireguard'
        option src 'wan'
        option src_dport '51820'
        option dest_ip '10.10.0.1'
        option dest_port '51820'

Reboot and try again...
let's also see the output of

wg show

oliera · February 8, 2023, 7:10am

That did it! Thank you very much.

So it is actually much simpler that I thought. It is not necessary to define any static routes and I copied allowed_ips in wireguard configuration from what I had set up in opnSense previously, I guess those aren't necessary either.

I'm unsure about the delegate option, what does that do?

As a side note I'm very surprised at the performance of wireguard on Rpi4. I'm basically maxing out remote upload rate (150Mbit/s) at 30% load.

psherman · February 8, 2023, 7:18am

I’m honestly not sure what the delegate option does and I can find the documentation at the moment. But I have seen many cases where that needs to be removed (in fact, I have never seen a case where it was necessary to be there).

Wireguard’s allowed ips field really is quite useful and easy. If you have the route allowed ips option enabled, additional routes are rarely needed. It’s really pretty cool.

And yes, wg is quite efficient. If you did the same test with OpenVPN, you’d likely peg your processor well before hitting your full internet speed.

system · February 18, 2023, 7:18am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.