OpenWrt wireguard server with Debian roadwarrior [Solved]

krazeh · August 18, 2020, 9:27am

And the public key for each peer is different? Taken from the setup on the client device?

ffries · August 18, 2020, 9:29am

The public key was generated by Android application with QR-code. Let me regenerate by hand, give some minutes. This could be it.

The Android app does not use nice fonts and I cannot distinguish L from l from I.

ffries · August 18, 2020, 9:36am

I regenerated client keys (private, public and PSK).

Now it returns:
wg show

interface: wg0
  public key: ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
  private key: (hidden)
  listening port: 51820

peer: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  preshared key: (hidden)
  allowed ips: 10.0.10.2/32, 10.0.10.3/32
  persistent keepalive: every 25 seconds

So it is not complaining for public key any longer!
Still I cannot connect with Debian client.

krazeh · August 18, 2020, 9:42am

That would appear to indicate that the same public key is being used for both peers, unless you've changed one of the peer configs to put both 10.0.10.2/32 and 10.0.10.3/32 in the AllowedIPs?

ffries · August 18, 2020, 9:43am

All public and private keys are different, I just double-checked.

krazeh · August 18, 2020, 9:44am

Have you restarted the WG interface?

ffries · August 18, 2020, 9:45am

I juste restarted and wg show is still similar. To make it simple and avoid reading the whole thread, my config is as follows:

config interface 'wg0'
        option proto 'wireguard'
        list addresses '10.0.10.1/24'
        option private_key ''
        option listen_port '51820'

config wireguard_wg0
        option public_key ''
        option preshared_key ''
        option description 'x230'
        option persistent_keepalive '25'
        list allowed_ips '10.0.10.2'

#config wireguard_wg0
        option public_key ''
        option preshared_key ''
        option description 'samsunggalaxy'
        option persistent_keepalive '25'
        list allowed_ips '10.0.10.3'

krazeh · August 18, 2020, 9:49am

Get rid of the # and then restart everything again.

ffries · August 18, 2020, 9:51am

Good catch, thanks. Works.

wg show

interface: wg0
  public key: AAAAAAAAAAAAAAAAAAAAAAAAAA
  private key: (hidden)
  listening port: 51820

peer: BBBBBBBBBBBBBBBBBBBBBBBBBB
  preshared key: (hidden)
  allowed ips: 10.0.10.2/32
  persistent keepalive: every 25 seconds

peer: CCCCCCCCCCCCCCCCCCCCCCCCC
 preshared key: (hidden)
  allowed ips: 10.0.10.3/32

Many thanks.

vgaetera · August 18, 2020, 10:42am

In fact, you can set up WG server and generate client profiles with a single script.
All that remains is to transfer and import client profiles.
It helps to avoid a lot of mistakes like those.

ffries · August 18, 2020, 5:00pm

Thanks. One last question.

My LAN and WLAN are on the same bridge, so they are on the same subnet.

When connection to a WLAN or a LAN host, no encryption is being used as shown in the routing table on client side:
sudo route -n

Table de routage IP du noyau
Destination     Passerelle      Genmask         Indic Metric Ref    Use Iface
0.0.0.0         192.168.9.1     0.0.0.0         UG    100    0        0 enp0s25
0.0.0.0         192.168.9.1     0.0.0.0         UG    600    0        0 wlp3s0
10.0.10.0       0.0.0.0         255.255.255.0   U     0      0        0 wg0
192.168.9.0     0.0.0.0         255.255.255.0   U     100    0        0 enp0s25
192.168.9.0     0.0.0.0         255.255.255.0   U     600    0        0 wlp3s0
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0

It's only when connecting to an address other than 192.168.9.x that VPN is being used.

Now that my wireless clients are using wg VPN, I would like to access the LAN using wireguard and not only wireless. This means that I would like to have different subnets, one for wireless and one for WIFI.

I am not sure how to achieve it. Does it mean I shall create a separate VLAN for my LAN? Is there a quick way to seperate WLAN and LAN in LuCi and have seperate DHCP for hosts?

It could be tricky as I also have a mesh running. So I would like to keep WLAN+mesh on the one hand and LAN on the other hand.

vgaetera · August 19, 2020, 5:11am

Personally, I use different domain suffixes to resolve LAN and VPN host names separately:

VPN suffix is configured to expand short names automatically.
LAN suffix relies on mDNS, so it works even when VPN is not available.

ffries · August 19, 2020, 7:05am

Thanks, I would be glad if you could share your configuration.

My point is that when a host (typically a small server) is connected to the OpenWRT router switch with ethernet, it does not need a point-to-point VPN as the router can take care of VPN. In a small family, I trust my ethernet wires. I only want to protect wireless WIFI or 4G roaming

So a typical roadwarrior traceroute would be:
wireless client => VPN wireless client => >VPN OpenWRT router => mini server via ethernet

So all I need to do is create a seperate subnet on both ethernet ports on my GliNet B1300 router seperate from br-lan bridge. How to achieve that? Is your sufix solution even simplier?

vgaetera · August 19, 2020, 8:00am

It should be similar to guest WLAN, except for the wireless configuration step:

Just disable bridging for LAN and assign your WLAN to the network created on the first step.

ffries · August 19, 2020, 8:09am

Thanks. This is a very interesting approach.

I am planning to offer two ESSID on wireless WIFI: essid-secure and essid-unsecure.

On essid-secure I will allow only wireguard port and kick off all other traffic. On essid-unsecure, I can connect my television and other unsecure devices and kick them away from the main network.

system · August 29, 2020, 8:09am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.