Netbird and Wireguard issues in a relatively simple scenario

Hello,

I am experimenting with OpenWRT running on a small PC with two 2.5GbE ports. For now, I am still using my ISP provided device, which is a combined cable modem, router, gateway and wireless AP. I am hoping to put that device in bridge mode and replace the router+gateway functionality with this PC (with my own DNS server and other things). I also have a separate wireless AP already installed and configured to replace the AP in the ISP provided device.

So for now it was really important to be able to set up everything and make sure things work properly before doing the last step of putting the ISP device in bridge mode and connecting the cable modem to the WAN port. After all, I have a spouse and 2 late teens that would really dislike losing internet access while I work out the kinks.

The last part that doesn't work as well as I'd like is remote access to my home network. Before starting to work on this device, I had been using either Tailscale or Wireguard to access my home network from outside (from my laptop or from a HTPC at another location). So I'm now trying to configure these services on this PC (and I've also tried out Netbird and I like it). I am hoping to set up all three (Wireguard, Netbird and Tailscale) for redundancy and because I don't want to be held hostage by a company.

  • Tailscale already works flawlessly, but I worry they will eventually move essential functions to paid tiers.
  • I am less worried about this with Netbird, but I am having some trouble configuring it to work as well as Tailscale.
  • And for Wireguard I would have complete control since there are no company-provided services at all, but I'm having even more problems.

My setup is not very complicated.

  • My home network is 10.0.0.x
  • The router is sitting at 10.0.0.23 for now (the ISP-provided device is at 10.0.0.1, but I will set the router to that address when I set the ISP device to bridge mode)
  • OpenWRT is running in a VM in proxmox, and the proxmox server is at 10.0.0.21
  • An LXC container in proxmox is running docker at 10.0.0.22, with a few containers including the DNS server and a few other things
  • In all three cases (WG, Netbird and Tailscale), the setup is similar: a peer is running on the router box which shares the subnet 10.0.0.0/24.
  • In the WG case the router listens for connections on port 51820 (which for now is forwarded from the ISP-provided router, but I already have the rule to allow that port on the WAN interface).

I'd like some help in getting at least Netbird, and if possible even Wireguard, working as well as Tailscale on this box. In both these cases, client connections work and I can access the home subnet, but there are different problems.

Let's start with Netbird. There is just one thing that doesn't work in this case.

  • When a client is connected to Netbird (the router is set up as a "routing peer" sharing the 10.0.0.0/24 subnet, in Netbird parlance), I can ping and connect to other machines in 10.0.0.x like my NAS and even proxmox, either by address or by name (using my DNS at 10.0.0.22)
  • But I cannot ping or ssh into OpenWRT itself at 10.0.0.23 (neither by address nor by name). Even pinging the equivalent Netbird address for the routing peer gets no response.
  • But of course I can communicate with this machine, since it's the one routing the 10.0.0.0/25 subnet to me through Netbird.
  • So I think maybe it's some firewall rule blocking connections through Netbird to the router machine itself, but I cannot figure out what.

With Wireguard it's even more weird.

  • When a client is connected to the Wireguard network, I can ping addresses in the 10.0.0.0/24 subnet. I have also set up the Wireguard configs to use 10.0.0.22 as DNS, and if I do nslookup name I get the correct 10.0.0.x address.
  • But if I try to ping name, or ssh root@name I get "Ping request could not find name" or name resolution errors (no matter which machine name I try).
  • This is on a Windows client. I have tried to troubleshoot, flushing the DNS cache or arp lookup tables on the client, nothing seems to help.
  • I'm thinking this may be a Wireguard problem more than an OpenWRT problem, but maybe my config below will clue you in on something.

Sorry for the amount of text but I wanted to make sure I described the problems well enough.

root@OpenWrt:~# ubus call system board
{
        "kernel": "6.6.104",
        "hostname": "OpenWrt",
        "system": "QEMU Virtual CPU version 2.5+",
        "model": "QEMU Standard PC (Q35 + ICH9, 2009)",
        "board_name": "qemu-standard-pc-q35-ich9-2009",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.3",
                "revision": "r28872-daca7c049b",
                "target": "x86/64",
                "description": "OpenWrt 24.10.3 r28872-daca7c049b",
                "builddate": "1758316778"
        }
}

Notes about /etc/config/network:

  • The device sections for eth0/eth1 with option mac are there because, since I'm passing through my eth0 from proxmox but using a bridge device for eth1, they were being swapped (eth1 was detected first by OpenWRT so it was being named eth0 and vice versa), and I prefer having my WAN on eth0 and LAN on eth1. I based my solution on this page.
  • The gateway on br-lan is temporary, it's my ISP's router, eventually this device will be the gateway for my home network.
  • The settings in the config device sections 'wt0' and 'wg0' were me experimenting to try and fix the issues I was seeing. I can very well remove them and go back to the defaults.

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd56:f301:74ad::/48'
        option packet_steering '1'

config device 'eth0'
        option name 'eth0'
        option mac '84:47:09:46:ed:08'

config device 'eth1'
        option name 'eth1'
        option mac 'bc:24:11:18:bc:63'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        option promisc '1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '10.0.0.23'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '10.0.0.22'
        list dns_search 'home'
        option gateway '10.0.0.1'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0'
        option proto 'dhcpv6'

config interface 'tailscale'
        option proto 'none'
        option device 'tailscale0'

config interface 'wg0'
        option proto 'wireguard'
        option private_key '<redacted>'
        option listen_port '51820'
        list addresses '10.8.0.1/32'

config wireguard_wg0
        option public_key '<redacted>'
        option persistent_keepalive '25'
        list allowed_ips '10.8.0.2/32'
        list allowed_ips '10.0.0.0/8'
        option description 'excalibur'

config wireguard_wg0
        option public_key '<redacted>'
        option persistent_keepalive '25'
        list allowed_ips '10.8.0.3/32'
        list allowed_ips '10.0.0.0/8'
        option description 'whitestar'

config wireguard_wg0
        option public_key '<redacted>'
        option persistent_keepalive '25'
        list allowed_ips '10.8.0.4/32'
        list allowed_ips '10.0.0.0/8'
        option description 'defiant'

config wireguard_wg0
        option public_key '<redacted>'
        option persistent_keepalive '25'
        option description 'pixel9a-js'
        option private_key '<redacted>'
        list allowed_ips '10.8.0.5/32'
        list allowed_ips '10.0.0.0/8'

config interface 'netbird'
        option proto 'none'
        option device 'wt0'

config device
        option name 'wt0'
        option acceptlocal '0'
        option sendredirects '1'
        option multicast '1'
        option promisc '1'

config device
        option name 'wg0'
        option sendredirects '1'
        option multicast '1'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option log '1'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-Ping'
        option src 'lan'
        option proto 'icmp'
        option family 'ipv4'
        option target 'ACCEPT'
        option log 'Log ping on LAN '
        list icmp_type 'echo-request'

config rule
        option name 'Allow-Ping'
        option src 'netbird'
        option proto 'icmp'
        option family 'ipv4'
        option target 'ACCEPT'
        option log 'Log ping on netbird '
        list icmp_type 'echo-request'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'tailscale'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option mtu_fix '1'
        list network 'tailscale'

config forwarding
        option src 'lan'
        option dest 'tailscale'

config zone
        option name 'wg'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        option network 'wg0'

config forwarding
        option src 'lan'
        option dest 'wg'

config rule
        option src '*'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '51820'
        option name 'Allow-Wireguard-Inbound'

config zone
        option name 'netbird'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'netbird'
        option log '1'

config forwarding
        option src 'netbird'
        option dest 'lan'

config forwarding
        option src 'tailscale'
        option dest 'lan'

config forwarding
        option src 'wg'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'netbird'

root@OpenWrt:~# wg show
interface: wg0
  public key: <redacted>
  private key: (hidden)
  listening port: 51820

peer: <redacted>
  allowed ips: 10.8.0.2/32
  persistent keepalive: every 25 seconds

peer: <redacted>
  allowed ips: 10.8.0.3/32
  persistent keepalive: every 25 seconds

peer: <redacted>
  allowed ips: 10.8.0.4/32, 10.0.0.0/24
  persistent keepalive: every 25 seconds

peer: <redacted>
  allowed ips: 10.8.0.5/32, 10.0.0.0/8
  persistent keepalive: every 25 seconds

interface: wt0
  public key: <redacted>
  private key: (hidden)
  listening port: 41683
  fwmark: 0x1bd00

peer: <redacted>
  endpoint: 184.75.129.160:51820
  allowed ips: 100.75.83.2/32
  latest handshake: 18 seconds ago
  transfer: 305.59 KiB received, 286.13 KiB sent
  persistent keepalive: every 25 seconds

peer: <redacted>
  endpoint: 127.0.0.1:2
  allowed ips: 100.75.74.200/32
  latest handshake: 43 seconds ago
  transfer: 549.13 KiB received, 1.10 MiB sent
  persistent keepalive: every 25 seconds

peer: <redacted>
  endpoint: 10.0.0.145:58104
  allowed ips: 100.75.101.63/32
  latest handshake: 1 minute, 18 seconds ago
  transfer: 87.49 KiB received, 148.55 KiB sent
  persistent keepalive: every 25 seconds

peer: <redacted>
  endpoint: 127.0.0.1:8
  allowed ips: 100.75.64.60/32
  latest handshake: 1 minute, 49 seconds ago
  transfer: 4.82 MiB received, 22.43 MiB sent
  persistent keepalive: every 25 seconds

root@OpenWrt:~# netbird status -dA
Peers detail:
 excalibur-64-60.netbird.cloud:
  NetBird IP: 100.75.64.60
  Public key: <redacted>
  Status: Connected
  -- detail --
  Connection type: Relayed
  ICE candidate (Local/Remote): -/-
  ICE candidate endpoints (Local/Remote): -/-
  Relay server address: rels://streamline-ca-central-1b.relay.netbird.io:443
  Last connection update: 31 minutes, 25 seconds ago
  Last WireGuard handshake: 7 seconds ago
  Transfer status (received/sent) 4.9 MiB/22.5 MiB
  Quantum resistance: false
  Networks: -
  Latency: 0s

 whitestar.netbird.cloud:
  NetBird IP: 100.75.74.200
  Public key: <redacted>
  Status: Connected
  -- detail --
  Connection type: Relayed
  ICE candidate (Local/Remote): -/-
  ICE candidate endpoints (Local/Remote): -/-
  Relay server address: rels://streamline-ca-central-1a.relay.netbird.io:443
  Last connection update: 4 hours, 27 minutes ago
  Last WireGuard handshake: 1 minute, 2 seconds ago
  Transfer status (received/sent) 549.5 KiB/1.1 MiB
  Quantum resistance: false
  Networks: -
  Latency: 0s

 defiant.netbird.cloud:
  NetBird IP: 100.75.83.2
  Public key: <redacted>
  Status: Connected
  -- detail --
  Connection type: P2P
  ICE candidate (Local/Remote): host/srflx
  ICE candidate endpoints (Local/Remote): 0.0.0.0:41683/198.51.100.0:51820
  Relay server address: rels://streamline-ca-central-1a.relay.netbird.io:443
  Last connection update: 4 hours, 27 minutes ago
  Last WireGuard handshake: 36 seconds ago
  Transfer status (received/sent) 305.6 KiB/286.1 KiB
  Quantum resistance: false
  Networks: -
  Latency: 35.522517ms

 tegu.netbird.cloud:
  NetBird IP: 100.75.101.63
  Public key: <redacted>
  Status: Connected
  -- detail --
  Connection type: P2P
  ICE candidate (Local/Remote): host/host
  ICE candidate endpoints (Local/Remote): 0.0.0.0:41683/10.0.0.145:58104
  Relay server address: rels://streamline-ca-central-1a.relay.netbird.io:443
  Last connection update: 2 hours, 50 minutes ago
  Last WireGuard handshake: 1 minute, 37 seconds ago
  Transfer status (received/sent) 87.5 KiB/148.6 KiB
  Quantum resistance: false
  Networks: -
  Latency: 11.451581ms

Events:
  [INFO] SYSTEM (f679c75f-27ae-42d5-abc7-352c84e5d89e)
    Message: Network map updated
    Time: 4 hours, 27 minutes ago
  [INFO] SYSTEM (58f1436e-321b-4a7c-96a3-bbd4c33af4b3)
    Message: Network map updated
    Time: 4 hours, 5 minutes ago
  [INFO] SYSTEM (90a73c37-9286-4230-9f9a-5f70912816a9)
    Message: Network map updated
    Time: 4 hours, 5 minutes ago
  [INFO] SYSTEM (62335676-d90d-4a69-97a2-e6267bc3e687)
    Message: Network map updated
    Time: 4 hours, 4 minutes ago
  [INFO] SYSTEM (c742dffe-825a-4afd-8865-c94b70182a37)
    Message: Network map updated
    Time: 4 hours, 4 minutes ago
OS: linux/amd64
Daemon version: 0.50.2
CLI version: 0.50.2
Management: Connected to https://api.netbird.io:443
Signal: Connected to https://signal.netbird.io:443
Relays:
  [stun:stun.netbird.io:443] is Available
  [stun:stun.netbird.io:5555] is Available
  [turns:turn.netbird.io:443?transport=tcp] is Available
  [rels://streamline-ca-central-1a.relay.netbird.io:443] is Available
Nameservers:
  [10.0.0.22:53] for [.] is Available
FQDN: openwrt.netbird.cloud
NetBird IP: 100.75.111.145/16
Interface type: Kernel
Quantum resistance: false
Lazy connection: false
Networks: 10.0.0.0/24
Forwarding rules: 0
Peers count: 4/4 Connected

root@OpenWrt:~# ifstatus wan | grep address
<no output>

(for now, I have nothing plugged into the WAN port)

Thanks in advance, let me know if any more information is needed.

This is a problem:

It's found in all of your peers and it overlaps your lan and also covers your entire WG network, messing up the WG local routing.

I don't know what addresses your net bird and tailscale networks are using, but if they're in the 10.0.0.0/8 subnet, those will break, too.

Usually, for an inbound WG interface, it is typically a /24 (for ease of use):

And the peers should have just a /32 for the allowed IPs (and no other allowed IPs that would conflict). The only reason for additional allowed IPs in the peer configs is if there is a route to a remote network (useful for a site-to-site), but this doesn't usually apply for the road-warrior type config that you appear to be aiming for.

And typically you need to add the route_allowed_ips option unless you are defining your routes manually.

Hello psherman, thanks for the help!

About the 10.0.0.0/8, my rationale in adding that was because I wanted the clients to be able to access 10.0.0.x (the LAN) as well as 10.8.0.x (the wg network, to connect between peers). But that was probably a misunderstanding on my part.

About this:

I am using the Netbird and Tailscale cloud management interfaces, the addresses given to peers for those are in the 100.x.x.x range.

I've made the edits you mentioned (changed the WG interface to 10.8.0.0/24, removed the 10.0.0.0/8 in all peers, and added route_allowed_ips to all peers). The WG part of /etc/config/network is now this:

config interface 'wg0'
        option proto 'wireguard'
        option private_key '<redacted>'
        option listen_port '51820'
        list addresses '10.8.0.0/24'

config wireguard_wg0
        option public_key '<redacted>'
        option persistent_keepalive '25'
        list allowed_ips '10.8.0.2/32'
        option description 'excalibur'
        option route_allowed_ips '1'

config wireguard_wg0
        option public_key '<redacted>'
        option persistent_keepalive '25'
        list allowed_ips '10.8.0.3/32'
        option description 'whitestar'
        option route_allowed_ips '1'

config wireguard_wg0
        option public_key '<redacted>'
        option persistent_keepalive '25'
        list allowed_ips '10.8.0.4/32'
        option description 'defiant'
        option route_allowed_ips '1'

config wireguard_wg0
        option public_key '<redacted>'
        option persistent_keepalive '25'
        option description 'pixel9a-js'
        option private_key '<redacted>'
        list allowed_ips '10.8.0.5/32'
        option route_allowed_ips '1'

And I rebooted OpenWRT.

But the problems (both through netbird and through wireguard) remain the same.

  • Any idea why, when connected to netbird, I cannot ping or ssh to the OpenWRT IP itself?
  • For wireguard, the client configs look like this (this one corresponds to excalibur above):
[Interface]
PrivateKey = <redacted>
Address = 10.8.0.2/32
DNS = 10.0.0.22

[Peer]
PublicKey = <OpenWRT wg public key>
AllowedIPs = 10.0.0.0/24
Endpoint = my.domain.name:51820
PersistentKeepalive = 25

does that seem right to you?

In case it might give more info:

root@OpenWrt:~# ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 xdpgeneric/id:1 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host proto kernel_lo
       valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br-lan state UP group default qlen 1000
    link/ether bc:24:11:18:bc:63 brd ff:ff:ff:ff:ff:ff
3: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether 84:47:09:46:ed:08 brd ff:ff:ff:ff:ff:ff
5: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.8.0.0/24 brd 10.8.0.255 scope global wg0
       valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether bc:24:11:18:bc:63 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.23/24 brd 10.0.0.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fd56:f301:74ad::1/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::be24:11ff:fe18:bc63/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
7: tailscale0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1280 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none
    inet 100.118.220.103/32 scope global tailscale0
       valid_lft forever preferred_lft forever
    inet6 fd7a:115c:a1e0::6536:dc67/128 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::ea7:c590:9669:4405/64 scope link stable-privacy proto kernel_ll
       valid_lft forever preferred_lft forever
8: wt0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1280 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 100.75.111.145/16 brd 100.75.255.255 scope global wt0
       valid_lft forever preferred_lft forever

root@OpenWrt:~# ip route
default via 10.0.0.1 dev br-lan proto static 
10.0.0.0/24 dev br-lan proto kernel scope link src 10.0.0.23
10.8.0.0/24 dev wg0 proto kernel scope link src 10.8.0.0
10.8.0.2 dev wg0 proto static scope link
10.8.0.3 dev wg0 proto static scope link
10.8.0.4 dev wg0 proto static scope link
10.8.0.5 dev wg0 proto static scope link
100.75.0.0/16 dev wt0 proto kernel scope link src 100.75.111.145

Thanks again.

The address here is invalid. It should be 10.8.0.1/24

It doesn't work that way; wireguard is a routed protocol (you must use different, non-overlapping subnets and instruct the firewall what to do).


I might be mistaken but it appears your router is in the same subnet as the ISP router.

If you want to test to replace your isp router then use the wan and set the router on its own subnet.

It looks like you are now using the router as a bridge/AP and then you have to set it up accordingly.

P.S. I also like Netbird better than e.g. tailscale, but using your own wg server is superior imho as you do not have to rely on a third party.

Ooh, that's interesting. I was wondering how I could test the WAN side without putting the ISP router in bridge mode and then potentially having to deal with breakage for other people in my house. I'll do that. Thanks!

I've done this, and now from a client connected through wireguard, I can ping the router but no other 10.0.0.x addresses. I don't even get a response from pinging 10.8.0.1 which is the router's wireguard address. The wireguard client has AllowedIPs = 10.0.0.0/24 in the [Peer] section, but do I need something similar on the router side so it shares the subnet?

First, see the comment of @slh: you cannot have overlapping subnets.
Second, a client usually has 0.0.0.0/0 as allowed IPs, meaning all traffic is routed via wireguard; maybe you do not want that, then as a minimum use the WG subnet, e.g. 10.8.0.0/24, and the lan subnet of the router (which cannot overlap) if you want to reach clients on the lan.

Edit: consider redoing your setup with the use of the wan and on a different subnet than your ISP router (and different from the WG subnet).

That is correct, I do not want to route all traffic through wireguard. I only want to reach inside my home LAN.

Where would I specify the WG subnet and LAN subnet of the router then? (which settings I mean) Do I add elements to the list addresses part of the config interface wg0 section of /etc/config/network?

Yes I am doing this, I will put the router's LAN interface at 10.0.1.1 and connect the other internal network (10.0.0.x) on the WAN port for my ISP router to assign it an IP. Thanks, hopefully that will be better.

That should be set on the client as Allowed IPs.

Allowed IPs are not only allowing traffic but there is also a corresponding route made through the tunnel.
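As an added illustration of what the replies above say about allowed IPs (one owner per prefix, longest-prefix match, and a matching route), here is a small Python model of WireGuard's cryptokey routing table run over this thread's own peer list; it is not code from anyone in this thread or from the WireGuard project. The peer names and addresses are the ones in the configs posted above; the class and function names are my own.

```python
from __future__ import annotations

import ipaddress
from typing import Optional

# Peer list as posted in the thread's /etc/config/network (keys redacted there).
THREAD_PEERS = [
    ("excalibur", "10.8.0.2"),
    ("whitestar", "10.8.0.3"),
    ("defiant", "10.8.0.4"),
    ("pixel9a-js", "10.8.0.5"),
]


class CryptokeyRoutingTable:
    """Minimal model (not WireGuard's code) of one interface's allowed-IPs table.

    Two rules drive the problems discussed in the thread:
      * a prefix belongs to exactly one peer; assigning it to a second peer
        moves it there (compare the `wg show` output above, where 10.0.0.0/8
        survives only on the last peer although all four configured it);
      * a packet is matched by longest prefix, outbound to pick the peer and
        inbound to check that the sender may use that source address.
        No match means the packet is dropped, not sent in the clear.
    """

    def __init__(self) -> None:
        self.table: dict[ipaddress.IPv4Network, str] = {}

    def add_allowed_ip(self, peer: str, prefix: str) -> Optional[str]:
        """Assign prefix to peer; return the peer it was taken from, if any."""
        net = ipaddress.ip_network(prefix, strict=False)
        previous = self.table.get(net)
        self.table[net] = peer
        return previous if previous not in (None, peer) else None

    def select_peer(self, address: str) -> Optional[str]:
        """Longest-prefix match: which peer owns this address, or None."""
        ip = ipaddress.ip_address(address)
        best: Optional[tuple[ipaddress.IPv4Network, str]] = None
        for net, peer in self.table.items():
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, peer)
        return best[1] if best else None

    def accepts_inbound(self, peer: str, source: str) -> bool:
        """Inbound packets from `peer` are kept only if `source` maps to it."""
        return self.select_peer(source) == peer

    def shadowing(self, local_subnet: str) -> list[tuple[str, str]]:
        """Allowed IPs that reach past a subnet the router owns (the LAN or the
        WG subnet itself).  With route_allowed_ips these become routes that pull
        local traffic into the tunnel; a peer's own /32 inside the WG subnet is
        fine and is not reported."""
        local = ipaddress.ip_network(local_subnet, strict=False)
        return sorted(
            (str(net), peer)
            for net, peer in self.table.items()
            if net.overlaps(local) and not net.subnet_of(local)
        )


def build_server_table(extra_prefix: Optional[str]) -> tuple[CryptokeyRoutingTable, list]:
    """Router side.  extra_prefix='10.0.0.0/8' reproduces the original config;
    None is the corrected one (each peer keeps only its /32)."""
    table = CryptokeyRoutingTable()
    moves = []
    for name, host in THREAD_PEERS:
        table.add_allowed_ip(name, host + "/32")
        if extra_prefix:
            taken_from = table.add_allowed_ip(name, extra_prefix)
            if taken_from:
                moves.append((taken_from, name))
    return table, moves


def client_selects_tunnel(allowed_ips: list[str], destination: str) -> bool:
    """Road-warrior client with one peer (the router): does `destination`
    enter the tunnel at all?  The client's AllowedIPs, not anything on the
    router, decides this, as the reply above says."""
    table = CryptokeyRoutingTable()
    for prefix in allowed_ips:
        table.add_allowed_ip("openwrt", prefix)
    return table.select_peer(destination) == "openwrt"


if __name__ == "__main__":
    broken, moves = build_server_table("10.0.0.0/8")
    print("prefix moved between peers:", moves)
    print("LAN host 10.0.0.22 maps to peer:", broken.select_peer("10.0.0.22"))
    print("shadowing LAN:", broken.shadowing("10.0.0.0/24"))
    fixed, _ = build_server_table(None)
    print("after fix, shadowing LAN:", fixed.shadowing("10.0.0.0/24"))
    print("client reaches 10.8.0.1 with 10.0.0.0/24 only:",
          client_selects_tunnel(["10.0.0.0/24"], "10.8.0.1"))
```

The inbound check is the security-relevant half: with 10.0.0.0/8 on a peer, that peer may send packets with any 10.x.x.x source address and the router will accept them as coming from the tunnel, which the per-peer /32 configuration prevents.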

Nothing is needed on the router side, just on the client side? OK

I made the change, the router is now connected to the home subnet 10.0.0.0/24 through the WAN port and got an IP from the ISP router. The LAN side is 10.0.1.1. As far as I can see, the ip config and routes seem good, but the client is failing to connect through Wireguard (I forwarded port 51820 to the router's WAN IP from my ISP router). It looks like it connects but I never get a handshake.

(edit: also, the OpenWRT router on 10.0.1.1 doesn't seem to be able to hand out 10.0.1.x addresses through DHCP, but I can troubleshoot that later)

Here is the updated info:

root@OpenWrt:~# ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 xdpgeneric/id:2 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host proto kernel_lo
       valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br-lan state UP group default qlen 1000
    link/ether bc:24:11:18:bc:63 brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 84:47:09:46:ed:08 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.114/24 brd 10.0.0.255 scope global eth0
       valid_lft forever preferred_lft forever
5: tailscale0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1280 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none
    inet 100.118.220.103/32 scope global tailscale0
       valid_lft forever preferred_lft forever
    inet6 fd7a:115c:a1e0::6536:dc67/128 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::77cb:2a24:a186:cdac/64 scope link stable-privacy proto kernel_ll
       valid_lft forever preferred_lft forever
6: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.8.0.1/24 brd 10.8.0.255 scope global wg0
       valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether bc:24:11:18:bc:63 brd ff:ff:ff:ff:ff:ff
    inet 10.0.1.1/24 brd 10.0.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fd56:f301:74ad::1/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::be24:11ff:fe18:bc63/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
9: wt0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1280 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 100.75.111.145/16 brd 100.75.255.255 scope global wt0
       valid_lft forever preferred_lft forever

root@OpenWrt:~# ip route
default via 10.0.0.1 dev eth0 proto static src 10.0.0.114 
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.114
10.0.1.0/24 dev br-lan proto kernel scope link src 10.0.1.1
10.8.0.0/24 dev wg0 proto kernel scope link src 10.8.0.1
10.8.0.2 dev wg0 proto static scope link
10.8.0.3 dev wg0 proto static scope link
10.8.0.4 dev wg0 proto static scope link
10.8.0.5 dev wg0 proto static scope link
100.75.0.0/16 dev wt0 proto kernel scope link src 100.75.111.145

(I might disable tailscale once WG and/or netbird work well, because it messes with the router's /etc/resolv.conf ... )

Enable only one VPN at a time as they are likely to conflict with each other.

Realize that tailscale and netbird use Wireguard as their encryption and transport. They are high level ways to automate and centrally control Wireguard linkups. Also they have a big advantage that each node is (at least initially) making outgoing connections to the central service, so it is not necessary to open or forward ports for it to work.


I am doing this on the client side of course, but on the router, is there no way to keep multiple VPNs enabled at once? I would like to have some redundancy, and if I'm remote and for some reason Wireguard stops working, I would have no way to connect to the router to troubleshoot. If I lose access to the router's internal interface I also obviously have no way to go enable another VPN.

If possible, on the router, I would like to keep Wireguard and Netbird enabled. If there's a way to make that work.

Edit: I forgot to mention, with the changes suggested above applied and Tailscale disabled, WG seems to be working well. I am typing this from my laptop connected to my office network, and I can access addresses on the router's subnet 10.0.1.x as well as the router itself at 10.0.1.1 . This is great! Thanks a lot everyone for the help so far.

I have a wireguard server enabled and netbird.

But you cannot use an exit node, as then default routing is via the netbird interface (well, you can if you use pbr with the right priority).

You can view the netbird table with:
ip route show table netbird
This is only available if you created routing rules.
I have just started exploring netbird so there is still a lot to learn, but see:

I am not using the exit node functionality. So I should be fine with both of those enabled?

And yes, both seem to be working 100% now -- I think I'll default to WG but it's nice to know I have the option. And I'll disable tailscale permanently now that the other two work.
