Port forwarding not working?

Hi @psherman, I don't know why, but this is not working as I want: I cannot have access from A to B or from B to A... I just have access to the peer I added previously (192.168.9.2) with local addresses from A to B, but from B I cannot access A. I want to have access to the router of B, and some computers I have there. Is this possible without adding every computer as a peer?

What I'm trying to do is connect to 192.168.1.1 (B Router) from 192.168.2.0 (A Network).

The map is: I live in another city and I want to have entire access to my town net (both mine).

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd75:07f1:eeb7::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '8.8.8.8'
        list dns '8.8.4.4'

config interface 'wan'
        option device 'eth1.20'
        option proto 'pppoe'
        option username 'xxxxxxxxx@digi'
        option password 'xxxxxxxxx'
        option ipv6 'auto'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

config 192.168.1.2 'addr'

config device
        option type '8021q'
        option ifname 'eth1'
        option vid '20'
        option name 'eth1.20'
        option mtu '1500'

config interface 'wg_vpn'
        option proto 'wireguard'
        option private_key 'xxxxxxxxxxxxxxxx='
        option listen_port '51820'
        option mtu '1280'
        list addresses '192.168.9.1/24'

config wireguard_wg_vpn
        option description 'Servidor'
        option public_key 'xxxxxxxxxxxxxxxxxxx='
        option route_allowed_ips '1'
        list allowed_ips '192.168.9.2/32'
        list allowed_ips '192.168.1.0/24'

config wireguard_wg_vpn
        option public_key 'xxxxxxxxxxxxxxxxxx='
        option private_key 'xxxxxxxxxxxxxxxxx='
        option description 'Iphone'
        option route_allowed_ips '1'

root@OpenWrt:~#

I don't know if I'm explaining the problem correctly.

What's the config on the other end (at B)?

It appears that you've provided the config for the "A" side of the network. And it seems that this is the 'server' side (i.e. B initiates the connection to A).

  • Does A 192.168.2.0/24 ever need to be able to initiate connections to B 192.168.1.0/24?

If the answer to the above question is "no", then remove the list line of the below section:

Also, your iPhone peer is missing an allowed_ips -- it should likely be 192.168.9.3/32:

We also need to see the firewall and the remote side configuration (network and firewall files).

Yes, A and B will initiate connections with each other: if I'm in A and I have to access some file in B I need access, and vice versa.

config wireguard_wg_vpn
        option public_key 'xxxxxxxxxxxxxxxxxxxxxx='
        option private_key 'xxxxxxxxxxxxxxxxxxxxx='
        option description 'Iphone'
        option route_allowed_ips '1'
        list allowed_ips '192.168.9.2/32'

What is the device on the B side? Is it a router? A computer?

The allowed IPs for your phone are the same as the ones you're using for B. They must be unique.

It is a Proxmox server.

config wireguard_wg_vpn
        option public_key 'xxxxxxxxxxxxxxxxxxxx='
        option private_key 'xxxxxxxxxxxxxxxxxxxxxx='
        option description 'Iphone'
        option route_allowed_ips '1'
        list allowed_ips '192.168.9.3/32'

root@OpenWrt:~#

So the problem at this point lies with the proxmox server configuration. This is out of scope for these forums, but fundamentally it needs to handle the routing between the WG interface and the local network (likely in conjunction with your main router at that site in the form of static routes added to the routing table).

On the phone side of things, I wouldn't expect it to be able to reach anything on the 192.168.1.0/24 network while it is connected to the WG interface. It's only going to be able to connect to 192.168.2.0/24 and the internet. (although we'd have to also see the phone's configuration, and we'd have to check the handshake status).

The allowed IPs for your phone (on the phone's config itself) are wrong... what is your goal for the phone's connectivity?

Just internet; both 192.168.1.0 and 192.168.2.0 are not reached.

The goal is access to both networks from "everywhere".

Set your phone's allowed IPs to 0.0.0.0/0

I'm still pretty sure it won't be able to reach the 192.168.1.0/24 network, but it should be able to reach 192.168.2.0/24.

:confused:

From your router at site A:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
wg show
root@OpenWrt:~# ubus call system board
{
        "kernel": "5.15.137",
        "hostname": "OpenWrt",
        "system": "Intel(R) N95",
        "model": "Default string Default string",
        "board_name": "default-string-default-string",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.2",
                "revision": "r23630-842932a63d",
                "target": "x86/64",
                "description": "OpenWrt 23.05.2 r23630-842932a63d"
        }
}
root@OpenWrt:~#

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd75:07f1:eeb7::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '8.8.8.8'
        list dns '8.8.4.4'

config interface 'wan'
        option device 'eth1.20'
        option proto 'pppoe'
        option username 'xxxxxxxxx@digi'
        option password 'xxxxxxxxx'
        option ipv6 'auto'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

config 192.168.1.2 'addr'

config device
        option type '8021q'
        option ifname 'eth1'
        option vid '20'
        option name 'eth1.20'
        option mtu '1500'

config interface 'wg_vpn'
        option proto 'wireguard'
        option private_key 'xxxxxxxxxxxxxxxxx='
        option listen_port '51820'
        option mtu '1280'
        list addresses '192.168.9.1/24'

config wireguard_wg_vpn
        option description 'Servidor'
        option public_key 'xxxxxxxxxxxxxxxxxx='
        option route_allowed_ips '1'
        list allowed_ips '192.168.9.2/32'
        list allowed_ips '192.168.1.0/24'

config wireguard_wg_vpn
        option public_key 'xxxxxxxxxxxxxxxx='
        option private_key 'xxxxxxxxxxxxxxxx='
        option description 'Iphone'
        option route_allowed_ips '1'
        list allowed_ips '192.168.9.3/32'

root@OpenWrt:~#

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        list network 'wg_vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule 'wg_rule_vpn'
        option name 'Allow-WireGuard-vpn-wan'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

root@OpenWrt:~#

root@OpenWrt:~# wg show
interface: wg_vpn
  public key: xxxxxxxxxxxxxxxxxxxxxx=
  private key: (hidden)
  listening port: 51820

peer: xxxxxxxxxxxxxxxxxxxxxx=
  endpoint: xxx.xxx.xxx.xxx:34336
  allowed ips: 192.168.1.0/24
  latest handshake: 1 minute, 45 seconds ago
  transfer: 55.90 MiB received, 47.57 MiB sent

peer: xxxxxxxxxxxxxxxxxxxxxx=
  endpoint: 192.168.2.144:51820
  allowed ips: 192.168.9.2/32
  latest handshake: 14 minutes, 11 seconds ago
  transfer: 3.34 KiB received, 5.30 KiB sent
root@OpenWrt:~#

This doesn't belong in your network file:

It looks like your phone's config is missing or incorrect. Restart your router to force it to reload.

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

config 192.168.1.2 'addr'

config device
        option type '8021q'
        option ifname 'eth1'
        option vid '20'
        option name 'eth1.20'
        option mtu '1500'
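An added Python check (not from this thread or from OpenWrt) for the three config defects raised above: a peer with no allowed_ips, one allowed IP claimed by more than one peer (the phone and the Servidor peer both on 192.168.9.2/32), and a section type that does not belong in the network file (the 'config 192.168.1.2' stanza). The sample config is constructed from the thread's redacted file, and the allow-list of expected section types is an assumption:

```python
from collections import defaultdict
# Constructed sample shaped like the thread's network file: stray '192.168.1.2' section, 192.168.9.2/32 claimed twice.
SAMPLE = """\
config interface 'wg_vpn'
        option proto 'wireguard'
config 192.168.1.2 'addr'
config wireguard_wg_vpn
        option description 'Servidor'
        option public_key 'xxxxxxxxxxxxxxxxxxx='
        list allowed_ips '192.168.9.2/32'
        list allowed_ips '192.168.1.0/24'
config wireguard_wg_vpn
        option description 'Iphone'
        option public_key 'xxxxxxxxxxxxxxxxxx='
        list allowed_ips '192.168.9.2/32'
"""

# Section types a network file normally contains (assumption: partial allow-list).
NETWORK_TYPES = {"interface", "globals", "device", "switch", "switch_vlan",
                 "switch_port", "route", "route6", "rule", "rule6", "bridge-vlan"}

def parse_uci(text):
    # Parse UCI text into a list of {'type', 'name', 'opts'} sections.
    sections, cur = [], None
    for raw in text.splitlines():
        parts = raw.strip().split(None, 2)
        if parts and parts[0] == "config":
            name = parts[2].strip("'\"") if len(parts) > 2 else None
            cur = {"type": parts[1], "name": name, "opts": defaultdict(list)}
            sections.append(cur)
        elif parts and parts[0] in ("option", "list") and cur and len(parts) == 3:
            cur["opts"][parts[1]].append(parts[2].strip("'\""))
    return sections

def lint_wireguard(text):
    # Return (code, detail) findings for the WireGuard peers of a network file.
    findings, claims = [], defaultdict(list)   # claims: allowed IP -> peers using it
    for s in parse_uci(text):
        if s["type"].startswith("wireguard_"):
            who = s["opts"].get("description", [s["name"] or "<unnamed peer>"])[0]
            if not s["opts"].get("allowed_ips"):
                findings.append(("no_allowed_ips", f"{who}: nothing can be routed to this peer"))
            for ip in s["opts"].get("allowed_ips", []):
                claims[ip].append(who)
        elif s["type"] not in NETWORK_TYPES:
            findings.append(("stray_section", f"unexpected 'config {s['type']}' section"))
    # Cryptokey routing binds each allowed IP to one peer: a later peer claiming it takes the route.
    for ip, peers in claims.items():
        if len(peers) > 1:
            findings.append(("duplicate_allowed_ip", f"{ip} claimed by {', '.join(peers)}"))
    return findings
```

Run it on a copy of the router's file with `lint_wireguard(open("/etc/config/network").read())`; an empty list means none of the three defects is present.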

After reboot, it is still appearing. Should I delete it manually?

On the phone... should i set the PublicKey of the section Peer or should i set it in Interface?

I think it will be a silly thing; this makes no sense.

Yes, that was what I meant.

There are 4 keys involved in a WG tunnel:

  • 'Server'

    • Private Key -- this will be in the interface stanza of the configuration
    • Public Key -- this will be shared with the 'client' device and will be entered into the peer config section of the config (on the 'client' device itself)
  • 'Client'

    • Private Key -- this will be in the interface section of the configuration
    • Public Key -- this will be shared with the 'server' device and will be entered into the peer config section of the config (on the 'server' device itself)

Seems like that made me lose access from A to B. Does it make sense?

I understood it well then, the configuration on the phone is ok.

You could put it back... but I'm not sure why it is there.

I did and it didn't solve it. I don't know either; I had that IP before I configured WG.

Unreachable :confused:

Here's another approach. On your remote PC, install the sshuttle package and from that machine create a VPN connection to your OpenWrt router with the following command:

sshuttle -r [user@ipaddress(edge-device):port] [192.168.1.0/24 (internal server's subnet)] --dns

So if you are logging in from the internet you need to put your public IP address; you also need to have port 22 open, and your OpenWrt device needs to be in a DMZ zone if it's connected to your main router, or configure a port forward so it can be reached from the internet. Additionally you need to know the internal network's IP in CIDR format.
Example:

sshuttle -r root@public_ip:22 192.168.1.0/24 --dns

After that, in your remote PC's terminal it should say connected. Leave that tab open, open a new one and send your file using scp or rsync. Remember you are going to be connected directly to your internal network, so send your file to the recipient's local IP address.

scp /path/to/local/file.txt username@remote_host(local_ip):/path/to/destination/directory/

If you like this approach you might forget about setting up WireGuard.
