On my Fritzbox 7362 with OpenWrt 23.05 I did the following:
Internet via a DHCP client from a WLAN (my neighbour's; he knows...).
Distribute the internet over LAN and WLAN (192.168.171.x), master/static address.
That's OK so far. I don't know how to configure the DHCP...
The installed WireGuard works.
My first router (Fritzbox native firmware) shows a working connection to the second router (OpenWrt).
I would like to have a LAN/WLAN network on the OpenWrt router with the same network address as on my first router (192.168.1.1) and DHCP activated, so I can reach all my devices at home (first router) and on the way (second router) in the same network over VPN/WireGuard.
This can't work directly, since WireGuard is a layer 3 VPN and you are asking for a layer 2 bridge. Typically the network would be set up with different IP subnets at each location and layer 3 routing between them. For example, your PC has an IP of 192.168.5.100 but it can reach a PC at 192.168.1.120 in the other house.
If you really need layer 2 you could run a layer 2 tunnel such as gretap inside the WireGuard tunnel. This does have potential issues with MTU and, as with all layer 2 VPNs, the tunnel bandwidth being overloaded with broadcast packets.
Can you draw a topology diagram for your network that shows the devices in play (brand+model, firmware, and IP addresses) and also shows from where you will be connecting?
This is what's known as a road-warrior configuration, and should be achievable as long as your fritzbox at home has a public IPv4 address.
First thing to do is to check that the Fritz is working with a true public address. Please look at the Fritzbox's status page to find the upstream/WAN IP address and post only the first two octets (in bold: aaa.bbb.cc.ddd) here.
Then, let's see your travel router's configuration:
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, private/pre-shared keys, MAC addresses and any public IP addresses you may have:
Here are the requested configs:
(the WLAN based on the lan network is disabled, because I didn't manage to get it working)
The public IP of my home Fritzbox is "5.10.xx.xx" — a fixed IP.
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdb4:f38d:6781::/48'
config atm-bridge 'atm'
option vpi '1'
option vci '32'
option encaps 'llc'
option payload 'bridged'
option nameprefix 'dsl'
config dsl 'dsl'
option annex 'b'
option tone 'av'
option ds_snr_offset '0'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config device
option name 'lan1'
option macaddr 'xx xx xx'
config device
option name 'lan2'
option macaddr 'xx xx xx'
config device
option name 'lan3'
option macaddr 'xx xx xx'
config device
option name 'lan4'
option macaddr 'xx xx xx'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.3.1'
option netmask '255.255.255.0'
option ip6assign '60'
config device
option name 'dsl0'
option macaddr 'xx xx xx'
config interface 'wan'
option device 'dsl0'
option proto 'pppoe'
option username 'username'
option password 'password'
option ipv6 '1'
option peerdns '0'
list dns '192.168.1.1'
config interface 'wan6'
option device '@wan'
option proto 'dhcpv6'
config interface 'wwan'
option proto 'dhcp'
config interface 'WireGuard_VPN'
option proto 'wireguard'
option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxx'
list addresses '192.168.3.1/24'
list dns '192.168.1.1'
option mtu '1412'
config wireguard_WireGuard_VPN
option description 'Imported peer configuration'
option public_key 'xxxxxxxxxxxxxxxxxxxxxxxx'
option preshared_key xxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
option persistent_keepalive '25'
option endpoint_host 'xxxxxx.myfritz.net' <<<< = 5.10.xx.xx
option endpoint_port '56363'
list allowed_ips '192.168.1.0/24'
list allowed_ips '0.0.0.0/24'
option route_allowed_ips '1'
root@OpenWrt:~# cat /etc/config/wireless
config wifi-device 'radio0'
option type 'mac80211'
option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
option channel 'auto'
option band '2g'
option htmode 'HT20'
option cell_density '0'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'OpenWrt'
option encryption 'none'
option disabled '1'
config wifi-iface 'wifinet1'
option device 'radio0'
option mode 'sta'
option network 'wwan'
option ssid 'P20pro Thomas'
option encryption 'psk2'
option key '020f83d5c6c4'
root@OpenWrt:~# cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
option filter_aaaa '0'
option filter_a '0'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
option masq '1'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
list network 'wwan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'WgardFW'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option mtu_fix '1'
option masq '1'
list network 'WireGuard_VPN'
config forwarding
option src 'lan'
option dest 'WgardFW'
config forwarding
option src 'WgardFW'
option dest 'lan'
This absolutely will not work. But there are other inconsistencies, too.
So let's start at the home router. I understand that it is not running OpenWrt, but please answer the following:
What is the home router's address and subnet mask (or simply the subnet for its lan).
What is the address of the home router's Wireguard interface
What is the address of the peer that will be the OpenWrt device? This is a peer configuration you will find on your home router; every peer must have a unique address.
You could consider showing screen grabs, or if there is a text config that you can pull, feel free to post that here (sanitizing as necessary).
The WireGuard connection to 192.168.2.1 (another Fritz!Box) works.
The WireGuard connection to 192.168.3.1 gets a handshake, but doesn't reach the internet nor the clients in 192.168.1.x (e.g. x=200).
If 192.168.1.1 is your router's lan address, this also won't work because WireGuard must be on a non-overlapping subnet. This is one of the reasons I was asking the questions -- I don't understand how your setup is working at all given that there are things that are clearly not right.
Typically, the address of the WG interface will be a unique subnet relative to the lan and then the peers will have addresses within that subnet, but typically /32.
But those are peers on smartphones and a laptop — not another router.
There must be a difference, I think. At least because the Fritzbox offers a choice between these two ways of building a WireGuard connection.
I wish to have a LAN-to-LAN WireGuard connection, and I need the WLAN part, too (to get the internet from a public WLAN, and the option of my own WLAN out of the router).
At Christmas I will try again. When it works with two Fritzboxes, it should be possible with a Fritzbox and an OpenWrt router....
There is no reason the router can't be on the same subnet... it's just another peer.
I don't know how the Fritzbox vendor firmware expects this to be done, but with OpenWrt the remote router would be 'just another peer' on the same subnet.
We can get to all of that. But I would suggest that you get a general connection working first. I recommend restructuring your FB such that all the peers are on the same subnet as the main WG interface. Then, the remote router will have its WG address set accordingly. What you'll have is 3 different subnets: FB lan, WG tunnel, remote router lan. (You can have more subnets, too, of course, but these are the minimum, and all subnets must be non-overlapping.)
I wonder if it is the site-to-site part of this configuration that is tripping you up?
This is expected with Windows. The host-level Windows Firewall prohibits connections from other subnets unless you make adjustments to its configuration.
This is probably a firewall configuration and/or routing issue (on the routers). Simple to fix, usually.
Let's see the latest configs for both routers (the below applies to the OpenWrt device; for the FB, please indicate the latest WG addresses and related configurations):
This is expected with Windows. The host-level Windows Firewall prohibits connections from other subnets unless you make adjustments to its configuration.
Where can I make these adjustments?
Here are the configs:
First, my home router (Fritzbox):
public key xxxxxxxxxxxxxxxxx
internet address xxxxxxxxx.myfritz.net:56363 <--- 5.10.xx.xx
[Interface]
PrivateKey = YKjFaSCWbdpLwBDTE9Y8g0LlBHQHqi7QkE97Yy1hYHM=
ListenPort = 56363
Address = 192.168.1.1/24
DNS = 192.168.1.1,192.168.2.1,192.168.3.1
DNS = fritz.box
[Peer]
.
[Peer]
PublicKey = xxxxxxxxxxxxxxx
PresharedKey = xxxxxxxxxxxxxxx
AllowedIPs = 192.168.3.0/24
PersistentKeepalive = 25
Second, the OpenWrt:
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdb4:f38d:6781::/48'
config atm-bridge 'atm'
option vpi '1'
option vci '32'
option encaps 'llc'
option payload 'bridged'
option nameprefix 'dsl'
config dsl 'dsl'
option annex 'b'
option tone 'av'
option ds_snr_offset '0'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config device
option name 'lan1'
option macaddr '08:96:D7:B5:67:7D'
config device
option name 'lan2'
option macaddr '08:96:D7:B5:67:7D'
config device
option name 'lan3'
option macaddr '08:96:D7:B5:67:7D'
config device
option name 'lan4'
option macaddr '08:96:D7:B5:67:7D'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.3.1'
option netmask '255.255.255.0'
option ip6assign '60'
config device
option name 'dsl0'
option macaddr '08:96:D7:B5:67:80'
config interface 'wan'
option device 'dsl0'
option proto 'pppoe'
option username 'username'
option password 'password'
option ipv6 '1'
option peerdns '0'
list dns '192.168.1.1'
config interface 'wan6'
option device '@wan'
option proto 'dhcpv6'
config interface 'wwan'
option proto 'dhcp'
config interface 'WireGuard_VPN'
option proto 'wireguard'
option private_key 'xxxxxxxxxxxxxxxxxxxx'
option mtu '1412'
list addresses '192.168.3.1/32'
list dns '192.168.1.1'
list dns '8.8.8.8'
list dns '192.168.3.1'
config wireguard_WireGuard_VPN
option description 'Imported peer configuration'
option public_key 'xxxxxxxxxxxxxxxxx'
option preshared_key 'xxxxxxxxxxxxxxxxxxxxxxx'
option persistent_keepalive '25'
option endpoint_host 'xxxxxx.myfritz.net' <---- my static ip 5.10.xx.xx. at 192.168.1.1
option endpoint_port '56363'
option route_allowed_ips '1'
list allowed_ips '0.0.0.0/0'
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
list network 'wwan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'WgardFW'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option mtu_fix '1'
option masq '1'
list network 'WireGuard_VPN'
config forwarding
option src 'lan'
option dest 'WgardFW'
In the Windows firewall settings. Where exactly? I have no idea, I don't use Windows.
The address here conflicts with your lan address/subnet. It must be something different. You can use something like 192.168.1.2/24 since your other peer is 192.168.1.1 — but you might change both of these to a less common subnet so you don’t encounter issues if you are at a location that uses this subnet.
Do you want to be able to connect from the Fritz side to the OpenWrt device? If so, set input to ACCEPT. What about devices behind the OpenWrt router? If yes, disable masquerading and allow WgardFW → lan forwarding.