No internet with WireGuard interface

Hello! I have an issue with WireGuard setup on OpenWRT router.
I can `ping -I wg0 google.com` from the router over SSH, but clients have no access to the internet.

I've read/watched a few guides, and all of them set up the firewall the same way as printed below, but it does not work for me.

Setup:
OpenWrt router (AX3600) connected to a coax router with internet access.
The OpenWrt router is configured as the DMZ host of the coax router.

Ping from client:

PING 8.8.8.8 (8.8.8.8): 56 data bytes
92 bytes from openwrt (192.168.1.1): Destination Port Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 e318   0 0000  3f  01 c6ce 192.168.1.10  8.8.8.8

Request timeout for icmp_seq 0
92 bytes from openwrt (192.168.1.1): Destination Port Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 15d7   0 0000  3f  01 9410 192.168.1.10  8.8.8.8

Request timeout for icmp_seq 1
92 bytes from openwrt (192.168.1.1): Destination Port Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 614e   0 0000  3f  01 4899 192.168.1.10  8.8.8.8

Request timeout for icmp_seq 2
92 bytes from openwrt (192.168.1.1): Destination Port Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 4987   0 0000  3f  01 6060 192.168.1.10  8.8.8.8

Request timeout for icmp_seq 3
92 bytes from openwrt (192.168.1.1): Destination Port Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 f97c   0 0000  3f  01 b06a 192.168.1.10  8.8.8.8

^C
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 0 packets received, 100.0% packet loss
cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdcf:fbc0:248f::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	option mtu '1500'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ip6assign '60'
	list ipaddr '192.168.1.1/24'
	# NOTE(review): an upstream gateway set on the LAN interface; the replies
	# below identify removing this line as what restored client connectivity.
	option gateway '192.168.0.1'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'

config device
	option name 'wan'
	option ipv6 '1'

# WireGuard client interface; key material is redacted in this post.
config interface 'wg0'
	option proto 'wireguard'
	option private_key 'XXXXX'
	list addresses '10.8.0.3/32'
	option mtu '1200'
	list dns '10.8.0.1'

# Peer with allowed_ips 0.0.0.0/0 and route_allowed_ips set: the replies below
# explain this installs routes that take precedence over the wan default route.
config wireguard_wg0
	option description 'DO'
	option public_key 'XXXXX'
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'
	option endpoint_host 'XXXXX'
	option endpoint_port '51820'
	option persistent_keepalive '0'
cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	# presumably left over from an OpenVPN setup ('tun+' matches any tun device);
	# confirm it is still wanted in the wan zone
	list device 'tun+'
	list network 'wan'
	option masq '1'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# NOTE(review): this DNAT forwards the entire UDP 1024-65535 range from the wan
# zone to 192.168.1.16. With this router in the upstream router's DMZ (see the
# setup above), that whole range is likely reachable from the Internet; narrow
# it to the ports the device actually needs.
config redirect
	option target 'DNAT'
	option name 'switch'
	option dest_ip '192.168.1.16'
	option src 'wan'
	option dest 'lan'
	list proto 'udp'
	option src_dport '1024-65535'
	option dest_port '1024-65535'

# wg0 zone: input REJECT keeps router services closed toward the tunnel peer;
# masq source-NATs traffic leaving via wg0 to the tunnel address.
config zone
	option name 'vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	list network 'wg0'
	option masq '1'

# Only lan -> vpn is allowed here; there is no lan -> wan forwarding, which the
# replies below give as one reason the lan had no internet without the tunnel.
config forwarding
	option src 'lan'
	option dest 'vpn'

Thank you in advance!

remove the gateway below (the `option gateway` line on the lan interface):

Reboot and try again... if it doesn't work, let's see the output of:

wg show

Hello, @psherman ! Sorry for a delay. I've removed gateway and it works! Thank you!

But I have no clue why it works, since this gateway is the address of my coax router from the ISP, which provides internet to my OpenWrt router.

Can you explain please?

My next step will be creating a bash script to enable/disable the VPN from my phone/laptop, so is it possible to keep this gateway somehow to minimise the config changes made by this script?

When OpenWRT is operating as a router, the LAN interface does not need to have a gateway defined; the LAN interface is the gateway. Any upstream gateway would be defined on the WAN interface, or assigned by DHCP from the upstream device (in this case, your "coax router").

Hello! Thank you for explanations.
But I don't understand then why I have no internet access without the VPN now. I've tried to reconfigure my wan interface as you described:

static:

# static upstream: the gateway belongs here on the wan interface, not on lan
# (see the reply above)
config interface 'wan'
	option device 'wan'
	option proto 'static'
	option ipaddr '192.168.0.10'
	option netmask '255.255.255.0'
	option gateway '192.168.0.1'

dhcp:

# dhcp upstream: the gateway is learned from the coax router, nothing to set here
config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

but I have no internet access if I forward traffic from lan to wan instead of vpn:

# firewall permission only; traffic still needs a route via wan (see the
# routing-vs-firewall explanation below)
config forwarding
	option src 'lan'
	option dest 'wan'

P.S. It was working while I had the gateway defined on the lan interface.

Yes, I can see the confusion. Let's approach it this way:

  • If the gateway is specified, the router will try to use that specific gateway for the network, regardless of whether it is available and/or allowed.
  • If the gateway is omitted, the router will use its default route (or, if static routes and/or policy-based routing are in use, it will use those as necessary).

In the case of a single internet connection, the default route is the router's wan/upstream gateway. All of the traffic from the lan and the router itself will egress via the default route. However, when you establish a VPN connection (depending on the details of the configuration), it may create a new default route for the traffic from the lan, wherein all traffic from the lan will now flow through the tunnel.

FWIW, the router itself will still use the default route via the wan specifically for maintaining the VPN tunnel, but all other traffic can flow through the tunnel.

There are two reasons you wouldn't get internet access when you had the gateway set explicitly on the lan:

  1. the routing table no longer included the upstream gateway as it was replaced by the WG tunnel
  2. you didn't allow lan > wan forwarding in your firewall.

There is often confusion about routing as a function of the firewall... a silly analogy here is this:

  • the firewall defines what is allowed/disallowed. Let's use the example of "right turn on red" (simplifying to assume it is generally allowed in a region) -- if there is a sign disallowing it, you cannot turn right. However, in the case where there is no sign, obviously you are free to turn right on red when safe to do so.
  • the routing table defines what can happen in terms of logical traffic flow. If a route exists, and the firewall allows traffic to use that route, the route will be utilized. The route may exist, but the firewall may forbid traffic flow, so in that case, it would obviously not be used. But, there is also a situation where the firewall allows the traffic but the route doesn't exist... so maybe you come to an intersection where a right turn is impossible because there is no road to the right or it is a one way road.

When the VPN is up and running, the default route via the wan has been removed from the routing table. This is the last situation I talked about above where the right turn on red would be allowed, but you cannot actually make the turn because the physical conditions do not allow for it.


Wow, thank you for such a detailed explanation :slight_smile:
So, based on it, here is my firewall config:

# ...
# lan -> wan for the normal path and lan -> vpn for the tunnel path; which one
# is actually taken is decided by the routing table, not by these rules
config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'vpn'

and vpn start/stop scripts:

# start vpn
ifup wg0

# stop vpn
ifdown wg0
# NOTE(review): hard-codes the upstream gateway to re-add the default route.
# The replies below recommend a metric on the wan interface, or making the
# change through UCI, instead of manual route edits.
ip route add default via 192.168.0.1

For some reason, when I `ifdown wg0`, it removes the default route from the table instead of the VPN route. I can just `ifdown wan && ifup wan`, but that does not feel right to me and takes more time to re-establish the connection.

Please let me know if I can do this in a more optimal way :slight_smile:

Don't start and stop interfaces manually. Make all network adjustments through the UCI system so that the right hand will keep track of what the left hand is doing.

stop wireguard:

# disable the wg0 interface in the staged UCI config (set to 0 to start it again)
uci set network.wg0.disabled=1
# write the staged change to /etc/config/network; it persists across reboots
uci commit network
# restart networking; the author notes a plain commit alone did not tear down the tunnel
service network restart

start wireguard is the same except set disabled to 0.
It seems that a simple `uci commit` does not actually kill WireGuard; it is necessary to restart networking entirely.
Note that these commands write to the config file, so the change will persist through a reboot.

The solution to this is to simply put a metric on the wan interface. It will prevent the route from being removed (it will simply have lower priority).


When UCI configures WireGuard with route_allowed_ips and an allowed_ips of 0.0.0.0/0, it will install a "split route" to 0.0.0.0/1 and 128.0.0.0/1 via the tunnel. It also installs a "hole punch" /32 so that encrypted packets reach the peer via the real Internet interface and gateway. This is the same thing that OpenVPN does. The original default route remains in place, but it is never actually taken: since the two split routes are more specific, they have priority.

To tear this down manually you would need to remove the two split routes, then the original default will again be active.

thank you for your help guys :slight_smile:
