Hey guys,
I set up OpenWrt 22.03.5 with WireGuard and followed all the suggestions, but even though the WireGuard connection is active, no traffic is going through it. I am ready to pull my 2 hairs out. Here is the output of ip route show:
default via 192.168.29.1 dev eth1 proto static src 192.168.29.104
10.14.0.0/16 dev wg0 proto kernel scope link src 10.14.0.2
10.71.75.0/24 dev br-lan proto kernel scope link src 10.71.75.1
192.168.29.0/24 dev eth1 proto kernel scope link src 192.168.29.104
root@SurfSharkWRT:/etc/config#
and my network file:
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config interface 'WAN'
	option proto 'dhcp'
	option device 'eth1'
	option peerdns '0'
	list dns '162.154.159.92'
	list dns '1.1.1.1'
	list dns '149.154.159.92'
	list dns '8.8.8.8'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'XXX'
	list addresses '10.14.0.2/16'
	list dns '162.252.172.57'
	list dns '149.154.159.92'
A little more information: originally I thought it was a routing issue (I want all traffic to go through the VPN), but every time I attempt to make wg0 the default route, I lose internet.
Thanks in advance for your help with this matter.
lists any source-ip that the built-in "firewall" in wireguard will not drop after decrypt.
This one:
makes the wireguard userspace utilities automatically create a route, in this case a "default" route, in your main route table, so that if your box tries to forward traffic to any of the IPs listed as allowed, that traffic will end up being sent into the tunnel.
I don't see such a route having been added to your route table? So something must be wrong there.
You can test manually adding that route with:
root@OpenWrt:~# route add default dev wg0
And see if you can then ping something on the other side?
If that doesn't work, make sure you can at least ping the wg interface on the other side of the tunnel. Your tunnel interface has IP:
So the other end is probably 10.14.0.1, see if you can ping that.
Perhaps you can show some more configs, please connect to your OpenWRT device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
ip route show
wg show
Thank you guys for all the help. I reinstalled with a new image, I added the default route to this and it seems to work. Here are the logs you'd asked for.
{
	"kernel": "5.15.167",
	"hostname": "SurfSharkWRT",
	"system": "ARMv8 Processor rev 3",
	"model": "Raspberry Pi 4 Model B Rev 1.4",
	"board_name": "raspberrypi,4-model-b",
	"rootfs_type": "ext4",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.5",
		"revision": "r24106-10cc5fcd00",
		"target": "bcm27xx/bcm2711",
		"description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
	}
}
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdd4:f5e6:ae1a::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '10.71.75.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option force_link '1'

config interface 'wan'
	option proto 'dhcp'
	option device 'eth1'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '162.252.172.57'
	list dns '8.8.8.8'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'xxx'
	list addresses '10.14.0.2/16'
	list dns '162.252.172.57'
	list dns '149.154.159.92'

config wireguard_wg0
	option description 'us-sjc.conf'
	option public_key 'xxxx'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host '93.152.205.229'
	option endpoint_port '51820'
	option route_allowed_ips '1'
Here is the firewall:
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wg0'
	option masq '1'

config forwarding
	option src 'lan'
	option dest 'vpn'
# ip route show
default dev wg0 scope link
default via 192.168.29.1 dev eth1 proto static src 192.168.29.104
10.14.0.0/16 dev wg0 proto kernel scope link src 10.14.0.2
10.71.75.0/24 dev br-lan proto kernel scope link src 10.71.75.1
93.152.205.229 via 192.168.29.1 dev eth1 proto static
192.168.29.0/24 dev eth1 proto kernel scope link src 192.168.29.104
WG SHOW
root@SurfSharkWRT:~# wg show
interface: wg0
  public key: xx
  private key: (hidden)
  listening port: 38615

peer: xx
  endpoint: 93.152.205.229:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 1 minute, 12 seconds ago
  transfer: 179.49 MiB received, 144.43 MiB sent
root@SurfSharkWRT:~#
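As an added check (not from the thread or from OpenWrt), the script below parses an `ip route show` dump like the one posted above and verifies the two routes a "route everything through WireGuard" setup relies on: the default route on wg0 that route_allowed_ips creates from allowed_ips 0.0.0.0/0, and the host route to the peer endpoint via the WAN gateway that keeps the encrypted handshake packets out of the tunnel. The interface name wg0 and the endpoint IP are taken from the posted config; the route table is a constructed copy of the working one.

```shell
#!/bin/sh
# Added example, not from the thread: check an `ip route show` dump for the
# two routes a "route everything through WireGuard" setup needs. With
# allowed_ips 0.0.0.0/0 and route_allowed_ips '1', netifd should add
# (a) a default route on wg0 and (b) a host route to the peer endpoint via
# the WAN gateway, so the encrypted UDP packets are not sent into the tunnel.

# Constructed sample, copied from the working table posted in the thread.
ROUTES='default dev wg0 scope link
default via 192.168.29.1 dev eth1 proto static src 192.168.29.104
10.14.0.0/16 dev wg0 proto kernel scope link src 10.14.0.2
10.71.75.0/24 dev br-lan proto kernel scope link src 10.71.75.1
93.152.205.229 via 192.168.29.1 dev eth1 proto static
192.168.29.0/24 dev eth1 proto kernel scope link src 192.168.29.104'

# route_dev <routes> <prefix>: prints the "dev" of every route for <prefix>
# (a /32 host route is printed by ip without the /32 suffix).
route_dev() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 == p { for (i = 2; i < NF; i++) if ($i == "dev") print $(i + 1) }'
}

# check_wg_routes <routes> <wg-ifname> <endpoint-ip>
# Returns 0 only when both routes are present; says what is missing otherwise.
check_wg_routes() {
    routes=$1; wgif=$2; ep=$3; rc=0
    if ! route_dev "$routes" default | grep -qx "$wgif"; then
        echo "missing: default route on $wgif (route_allowed_ips / allowed_ips 0.0.0.0/0 not applied?)"
        rc=1
    fi
    # the endpoint route must exist and must NOT point at the tunnel itself
    epdev=$(route_dev "$routes" "$ep")
    if [ -z "$epdev" ] || [ "$epdev" = "$wgif" ]; then
        echo "missing: host route to endpoint $ep via WAN (handshake would loop into $wgif)"
        rc=1
    fi
    return $rc
}

check_wg_routes "$ROUTES" wg0 93.152.205.229 && echo "routes look right"
```

Run it against `ip route show` output from the router (`check_wg_routes "$(ip route show)" wg0 <endpoint>`) after a STOP/START of the interface to confirm netifd added both routes.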
LUCI -> Network -> Routing, BUT I would recommend against it when using the wg tunnel as your default route.
Better in that case to use the built-in route creator because it also adds an exception for reaching the VPN server via WAN.
What happens if you (1) remove the manually added route and then (2) in LUCI -> Network -> Interfaces hit STOP on the wireguard interface, wait a bit, and hit START again?
Does that make the auto-magic default route through wg0 appear correctly?
You have a critical misconfiguration in your wan interface: set input to REJECT below:
Same for your VPN zone:
Input = ACCEPT is very dangerous as it allows access to the router itself, so people on the internet could attempt to gain administrative access by brute forcing your password.
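The script below is an added example (not from the thread or from OpenWrt) that audits a /etc/config/firewall for the problem described in this reply: upstream zones with input set to ACCEPT. It assumes that a zone with masq '1' faces an untrusted network (the wan zone and the provider side of wg0 in the posted config) and prints a copy with input flipped to REJECT for those zones only; the lan zone is left alone. The config excerpt is constructed from the zones posted above.

```shell
#!/bin/sh
# Added example, not from the thread: audit an OpenWrt /etc/config/firewall for
# upstream zones that ACCEPT input to the router itself, and print a hardened
# copy. Assumption: a zone with masq '1' faces an untrusted network (wan, or the
# provider side of wg0), so its input policy should be REJECT as the reply says.

# Constructed excerpt matching the lan/wan/vpn zones posted in the thread.
FW="config zone
    option name 'lan'
    option input 'ACCEPT'

config zone
    option name 'wan'
    list network 'wan'
    option input 'ACCEPT'
    option masq '1'

config zone
    option name 'vpn'
    option input 'ACCEPT'
    list network 'wg0'
    option masq '1'"

# count_exposed <config>: number of masquerading zones whose input is ACCEPT.
# (A dot in the patterns stands for the quote character, which cannot appear
# inside the single-quoted awk program.)
count_exposed() {
    printf '%s\n' "$1" | awk '
        function flush() { if (masq && accept) c++; masq = 0; accept = 0 }
        /^config /                            { flush() }
        /^[[:space:]]*option masq .1./        { masq = 1 }
        /^[[:space:]]*option input .ACCEPT./  { accept = 1 }
        END { flush(); print c + 0 }'
}

# harden_zones <config>: same config with input flipped to REJECT in those
# zones only; lan keeps ACCEPT so LuCI and ssh from the LAN still work.
harden_zones() {
    printf '%s\n' "$1" | awk '
        function flush(   i) {
            for (i = 1; i <= n; i++) {
                if (masq && buf[i] ~ /option input .ACCEPT./) sub(/ACCEPT/, "REJECT", buf[i])
                print buf[i]
            }
            n = 0; masq = 0
        }
        /^config /                      { flush() }
        { buf[++n] = $0 }
        /^[[:space:]]*option masq .1./  { masq = 1 }
        END { flush() }'
}
echo "exposed upstream zones: $(count_exposed "$FW") before, $(count_exposed "$(harden_zones "$FW")") after hardening"
```

On the router itself the equivalent fix is `uci set firewall.<zone section>.input='REJECT'` followed by `uci commit firewall` and `/etc/init.d/firewall restart`; run the audit on `cat /etc/config/firewall` first to see which zones it would touch.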