Pangolin with WireGuard Client (OpenWRT)

Hello,

I'm facing a strange issue: OpenWRT is able to establish a connection with Pangolin (Gerbil), but no traffic is passing through.

Specifically, when I try to ping the Gerbil service, all packets are dropped. Likewise, when Gerbil tries to ping the WireGuard interface, those packets are also dropped. This occurs even with no firewall zone assigned to the WireGuard interface, so there should be nothing blocking the traffic.

I performed a packet capture and can see traffic coming from Pangolin, but there is no response—only timeouts.

I've tried assigning firewall zones, inspecting routes and rules, and everything appears to be configured correctly. I even tested with a fresh OpenWRT VM, but the result was the same.

At this point, I'm unsure where the problem might lie.

default via 192.168.20.1 dev eth0 
REDACTED via 192.168.20.1 dev eth0 (PANGOLIN IP)
100.89.128.12/30 dev wg0 scope link  src 100.89.128.12 
192.69.0.0/24 dev eth1 scope link  src 192.69.0.1 
192.168.20.0/24 dev eth0 scope link  src 192.168.20.253 
interface: wg0
  public key: REDACTED
  private key: (hidden)
  listening port: 51820

peer: REDACTED
  endpoint: REDACTED:51820
  allowed ips: 100.89.128.1/32
  latest handshake: 6 seconds ago
  transfer: 3.73 KiB received, 2.70 KiB sent
  persistent keepalive: every 5 seconds

OpenWrt -> Gerbil

root@OpenWrt-vc:/# ping -I wg0 100.89.128.1
PING 100.89.128.1 (100.89.128.1): 56 data bytes
^C
--- 100.89.128.1 ping statistics ---
20 packets transmitted, 0 packets received, 100% packet loss

Gerbil -> OpenWRT

root@20a6bc290716:/# ping 100.89.128.12
PING 100.89.128.12 (100.89.128.12) 56(84) bytes of data.
^C
--- 100.89.128.12 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3063ms

Tcpdump: (trying to access the OpenWrt UI by pointing a subdomain at the uhttpd)

The routing table doesn't look right.

Due to the configuration of your WireGuard interface, 100.89.128.1 is not accessible via wg0, so the default gateway will be used instead. Also note that with this prefix length, 100.89.128.12 is a network, not a host address.

Change the WireGuard interface address to 100.89.128.12/24 and try again.

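The diagnosis above can be checked mechanically. The script below is an added example, not code from the thread or from Pangolin/OpenWrt: given the interface address from `ip route` and the peers' allowed IPs from `wg show`, it reports whether the assigned address is a usable host address and which peers fall outside the on-link prefix (and would therefore be sent to the default gateway instead of wg0).

```python
"""Sanity-check a WireGuard interface address against its peers' AllowedIPs.

Added example for this thread: it reproduces the misconfiguration diagnosed
above (100.89.128.12/30 with a peer at 100.89.128.1/32) and shows that the
suggested /24 fixes both problems. Standard library only.
"""
import ipaddress


def check_wg_address(interface_cidr, peer_allowed_ips):
    """Return a report on whether the interface address can reach its peers.

    interface_cidr   -- address assigned to wg0, e.g. "100.89.128.12/30"
    peer_allowed_ips -- AllowedIPs prefixes from `wg show`, e.g. ["100.89.128.1/32"]
    """
    iface = ipaddress.ip_interface(interface_cidr)
    net = iface.network
    # For prefixes shorter than /31, the first address of the block is the
    # network address and the last is broadcast; neither is a usable host.
    usable_host = net.prefixlen >= 31 or (
        iface.ip != net.network_address and iface.ip != net.broadcast_address
    )
    # Without an explicit route for each AllowedIPs prefix (OpenWrt only adds
    # one when the peer's route_allowed_ips option is set), a peer is reached
    # through wg0 only if its prefix lies inside the interface's on-link network.
    unreachable = []
    for prefix in peer_allowed_ips:
        peer_net = ipaddress.ip_network(prefix, strict=False)
        if peer_net.version != net.version or not peer_net.subnet_of(net):
            unreachable.append(prefix)
    return {
        "network": str(net),
        "usable_host": usable_host,
        "unreachable_peers": unreachable,
    }


if __name__ == "__main__":
    # Constructed sample values taken from the thread's output above.
    for cidr in ("100.89.128.12/30", "100.89.128.12/24"):
        report = check_wg_address(cidr, ["100.89.128.1/32"])
        print(cidr, "->", report)
```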

THANK YOU!!! I was debugging this for 3 days and I overlooked the subnet so many damn times! Huge thank you!

As a side note, Pangolin provided the wrong subnet for the client (OpenWrt); I assumed it was correct given the fact it worked on my PC and phone.


Just as a side note - that IP seems to be in CGNAT space...

$ ipcalc 100.64.0.0/10
Address:   100.64.0.0           01100100.01 000000.00000000.00000000
Netmask:   255.192.0.0 = 10     11111111.11 000000.00000000.00000000
Wildcard:  0.63.255.255         00000000.00 111111.11111111.11111111
=>
Network:   100.64.0.0/10        01100100.01 000000.00000000.00000000
HostMin:   100.64.0.1           01100100.01 000000.00000000.00000001
HostMax:   100.127.255.254      01100100.01 111111.11111111.11111110
Broadcast: 100.127.255.255      01100100.01 111111.11111111.11111111
Hosts/Net: 4194302               Class A

Anyways - interesting concept - esp now that we have the Great American Firewall slowly starting to happen...

Yes, it is in CGNAT space; that's the default Pangolin configuration, but in my case it doesn't cause problems.
