OpenWrt - wireguard server

Dear all,

I am seeking your help after several hours of trying to get my WireGuard server working. I followed several guides and dug into other posts, but nothing helped me.

Please see here my configuration:

WireGuard section of /etc/config/network on 'server':

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'YMW*********kW8='
	option listen_port '51820'
	list addresses '10.200.200.1/24'
	option force_link '1'

config wireguard_wg0
	option description 'iphone14'
	option public_key 'F0n9QW*********WBy+Dgo='
	option private_key '8M2YBn*********ROHw9Vc='
	option route_allowed_ips '1'
	option endpoint_host 'server.ddns.net'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	list allowed_ips '10.200.200.2/32'

WireGuard section of /etc/config/firewall

config rule
	option src '*'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '51820'
	option name 'Allow-Wireguard-Inbound'

And my iPhone wireguard client is:

Some troubleshooting:

wg show:

interface: wg0
  public key: y0X****N/4RQ=
  private key: (hidden)
  listening port: 51820

peer: F0n9QW**y+Dgo=
  endpoint: 37.185.249.61:47396
  allowed ips: 10.200.200.2/32
  latest handshake: 2 minutes, 55 seconds ago
  transfer: 39.53 KiB received, 6.16 KiB sent
  persistent keepalive: every 25 seconds

Tcpdump:

root@OpenWrt:~# tcpdump -i any -vvn udp port 51820
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
15:00:59.188677 IP (tos 0x0, ttl 51, id 13693, offset 0, flags [none], proto UDP (17), length 176)
    37.185.249.61.47396 > 192.168.7.1.51820: [udp sum ok] UDP, length 148
15:00:59.188677 IP (tos 0x0, ttl 51, id 13693, offset 0, flags [none], proto UDP (17), length 176)
    37.185.249.61.47396 > 192.168.7.1.51820: [udp sum ok] UDP, length 148
15:00:59.199831 IP (tos 0x88, ttl 64, id 51483, offset 0, flags [none], proto UDP (17), length 120)
    192.168.7.48.51820 > 37.185.249.61.47396: [udp sum ok] UDP, length 92

Thanks in advance, looking forward to hearing from you.

T

The phone config looks good, though you should leave listen_port unset on the phone; it should not hurt anything.

On the server, to redirect Internet use from the phone into your server's Internet connection, the wg0 interface needs to be in a firewall zone, and that zone needs to allow forwarding to wan.

Thanks for your answer. I removed the port within my client's settings as suggested and changed this:

config wireguard_wg0
	option description 'iphone14'
	option public_key 'F0n9QW******WBy+Dgo='
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	list allowed_ips '10.200.200.2/32'

My wg0 is configured to be part of the LAN firewall zone and LAN -> WAN is accept. I believe this is correct, but maybe I am wrong.

I attach some screenshots in case I am missing something here.

At this stage I don't have internet access nor access to private IPs from my phone when connecting to the VPN. Any ideas?

Is the wireguard server running on the main router in the home?

Can you ping the phone 10.200.200.2 from the server?

The main router at my home network is 192.168.7.100 and this openwrt router is configured as bridge with ip 192.168.7.1.

From where do you want me to ping?

Thanks in advance

This is a special situation which requires some extra steps.

Realize that the wan network in 192.168.7.1 isn't in use, so forwarding to wan is moot. The Internet requests from the phone will be forwarded to lan, and then on to the main router. The main router does not know of the 10.200.200.0 network, so it is unable to return the Internet page that the phone requested.

There are two ways to solve this; choose one:

  1. In the main router 192.168.7.100, install a static route of 10.200.200.0/24 via 192.168.7.1. Then when the main router receives an Internet request from the phone 10.200.200.2, it will return the response to the OpenWrt router, which will then forward it back into the VPN tunnel.
  2. In the VPN server, NAT requests from the phone into the LAN. This is done by making a separate firewall zone for the vpn, which forwards to lan, and turning on masquerade (NAT) on the lan zone. Now requests from the phone are translated to appear to come from 192.168.7.1, and the main router and LAN will handle them properly without needing a route configured.
    2a. Since the lan remains unaware of the 10.200.200.0 network, a LAN machine will not be able to initiate a connection to the phone. This is probably not an issue here since it is rare to need to initiate a connection to an iPhone.

Thanks for your help. I confirm that option 1 works fine and I am able to connect to my WG server with internet and access to my local IPs.

However, I would like to understand option 2 as I would like to have a clean configuration just touching the VPN router.

I created the zone wg forwarded to LAN, and changed the firewall zone of wg0 to this new zone (wg). I also activated masquerading for LAN -> WAN and WG -> LAN. Unfortunately, this time after activating the VPN I could not reach the Internet nor local IPs. Any ideas? I copy my new firewall conf next:


root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wwan'
	option masq '1'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option src '*'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '51820'
	option name 'Allow-Wireguard-Inbound'

config zone
	option name 'wg'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option masq '1'
	option forward 'ACCEPT'
	list network 'wg0'

config forwarding
	option src 'wg'
	option dest 'lan'

Thanks in advance,
T

Don't set masq in zone wg. Set it only in lan.

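An added check, not from this thread or the OpenWrt project, that reads a UCI firewall file and verifies the option-2 layout described earlier and the final correction above: zone wg forwarding to lan, masquerade on lan only and none on wg. The function names and the constructed sample config (which mirrors the poster's zones, trimmed) are mine; it needs only busybox sh and awk, so it can run on the router itself.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenWrt project: validate an OpenWrt
# /etc/config/firewall against the option-2 layout (zone 'wg' forwarding to 'lan',
# masquerade on 'lan' only, none on 'wg'). Busybox sh/awk only, so it runs on the router.

# Print one line per zone: "<name> masq=<0|1> nets=<comma-separated networks>".
uci_zones() {
    awk -v q="'" '
        function flush() { if (name != "") printf "%s masq=%s nets=%s\n", name, masq, nets }
        /^config /     { flush(); inzone = 0; name = ""; masq = 0; nets = "" }
        /^config zone/ { inzone = 1 }
        inzone && $1 == "option" && $2 == "name"    { gsub(q, "", $3); name = $3 }
        inzone && $1 == "option" && $2 == "masq"    { gsub(q, "", $3); masq = $3 }
        inzone && $1 == "list"   && $2 == "network" { gsub(q, "", $3); nets = nets (nets == "" ? "" : ",") $3 }
        END { flush() }' "$1"
}

# Print one line per forwarding section: "<src>-><dest>".
uci_forwardings() {
    awk -v q="'" '
        function flush() { if (src != "" && dst != "") print src "->" dst }
        /^config /           { flush(); infwd = 0; src = ""; dst = "" }
        /^config forwarding/ { infwd = 1 }
        infwd && $1 == "option" && $2 == "src"  { gsub(q, "", $3); src = $3 }
        infwd && $1 == "option" && $2 == "dest" { gsub(q, "", $3); dst = $3 }
        END { flush() }' "$1"
}

# Return 0 if the file matches the option-2 layout, else 1 with the first problem on stderr.
check_option2() {
    zones=$(uci_zones "$1"); fwds=$(uci_forwardings "$1")
    echo "$zones" | grep -q '^wg .*nets=.*wg0' || { echo "wg0 is not in zone wg" >&2; return 1; }
    echo "$fwds"  | grep -qx 'wg->lan'         || { echo "no wg->lan forwarding" >&2; return 1; }
    echo "$zones" | grep -q '^lan masq=1'      || { echo "masq not enabled on lan" >&2; return 1; }
    echo "$zones" | grep -q '^wg masq=1'       && { echo "masq must not be set on zone wg" >&2; return 1; }
    return 0
}

# Constructed sample mirroring the poster's layout (trimmed); $1 is the masq value for zone wg.
sample_cfg() {
    printf "config zone\n\toption name 'lan'\n\toption masq '1'\n\tlist network 'lan'\n\n"
    printf "config zone\n\toption name 'wan'\n\toption masq '1'\n\tlist network 'wan'\n\n"
    printf "config forwarding\n\toption src 'lan'\n\toption dest 'wan'\n\n"
    printf "config zone\n\toption name 'wg'\n\toption masq '%s'\n\tlist network 'wg0'\n\n" "$1"
    printf "config forwarding\n\toption src 'wg'\n\toption dest 'lan'\n"
}
```

On the router, `check_option2 /etc/config/firewall` reports the first deviation, such as masq set on zone wg, which is the mistake the poster hit.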

It works. I really appreciate your help.

Cheers
T
