Portforward WAN -> OpenWrt -> S2S Fritzbox

dancekid · April 22, 2023, 10:27pm

worked another day on phone repair. no success with openwrt and fiber. changed phone back to DSL only. tried to simplify my installation:

need to config WG client <-> server within the next week. no remote access at the moment to mom´s router.

dancekid · April 26, 2023, 7:32am

Good Morning Trendy,

i drawed another option. you think its possible to route ?

OpenWRT is just a Client at this usecase.

trendy · April 26, 2023, 9:26am

Yes, but you may want to keep only one s2s tunnel to avoid routing loops.

dancekid · April 26, 2023, 12:01pm

incoming:
192.168.178.1 portforward to 192.168.178.2
192.168.178.2 portforward to 192.168.192.2

outgoing:
192.168.179.2 pbr to 192.168.178.2
192.168.178.2 pbr to 192.168.178.1

trendy · April 26, 2023, 1:11pm

You are back here.
You should keep the tunnel between Debian and OpenWrt.

dancekid · April 28, 2023, 10:37am

Hello Trendy,

Wireguard connection is created. openwrt shows connection.
ping to www.google.de shows now result with wg0 powered up

trendy · April 28, 2023, 10:55am

To recap
Fritz4040 forwards 25002 to 192.168.178.2
OpenWrt 4040 forwards 25002 to 192.168.179.2. The WG tunnel is set up properly and OpenWrt4040 can reach Debian.
Debian has rule to forward source port 25002 to custom routing table, for example 100. Routing table 100 is using default gateway .178.2
Finally OpenWrt4040 is masquerading traffic from the WG tunnel before sending upstream to FB4040.
Is everything in place?

dancekid · May 3, 2023, 11:14am

Hello Trendy,
i am building a test environment at the moment. played with mit intel nuc to get wireguard to work and suddenly my homeautomation stopped working and my girlfried missed hot water in the morning
Now i have to build a test PC first .... then continue playing with routing..
new PC is up and running. installing wireguard,storj and stuff atm. will try to config your hints and be back in some days.

dancekid · May 5, 2023, 3:59pm

Hello Trendy,

mini-pc is up and running, created Test-IPs.
ping docker network 192.168.156.x to 192.168.157.1 works
resolv.conf shows my wg-server ip

Policy based Routing in /etc/network/interfaces:

post-up ip rule add from 192.168.156.102 lookup wg-papa
post-up ip route add default via 192.168.157.1 dev wg-papa table wg-papa

Problem:
Openwrt does not know storj 192.168.156.102
Already enabled:
Portforward 192.168.158.1 > 192.168.158.201

Any way to tell openwrt a route to 192.168.156.x

trendy · May 6, 2023, 6:23pm

Add 192.168.156.0/24 in the allowed_ips of the wg peer and make sure that route_allowed_ips is enabled.

dancekid · May 7, 2023, 9:16pm

Good Evening Trendy,
i played with Wireshark this weekend.

placed a physical node at my dad´s flat. its visible in wireshark (fritzbox-capture) at given port 25000.

placed another physical node at my flat and did point in config to dyn.dad.de.
IP resolution works. storj shows my dad´s external internet ip and tried to ping port 25010

now i started wireshark capture file at his fritzbox. all traffic generated by his physical node is shown.
not a single entry of 25010...

portforward enabled fritzbox -> openwrt... atleast in fritzbox capture i should see both ports ?

trendy · May 8, 2023, 6:34am

Do you see any traces of 25010 anywhere on the network?

dancekid · May 8, 2023, 9:12pm

Hello Trendy,
lets check OpenWRT Settings.

cable situation:
Cable Modem > WAN Fritzbox LAN > WAN OpenWRT with no LAN connections.
Wireguard add to zone LAN or WAN or create new "Wireguard" Zone ?

I need just portforward or additional traffic rule ?

trendy · May 8, 2023, 10:07pm

It depends if the cable modem and the Fritzbox have routes to the WG or not.
But do you see and packets from 25010 anywhere? Even on the Debian?

dancekid · May 12, 2023, 4:07pm

Hello Trendy,
i tried another the old way and a new way.

New way: link storj node to wg-client. connection is established and ping from wg-client or storj-node works but i cannot see storj-gui at port 14002 using dads webbrowser.
error in browser: connection refused...

I cannot access wireguard client via 192.168.158.51:14002 ?
i think additional routing is missing ?

trendy · May 12, 2023, 8:04pm

I don't know, as you don't answer what I ask and you just try your own stuff.
Good luck!

dancekid · May 12, 2023, 8:49pm

Hello Trendy,
my last post was meant as an answer to your question.
Portforward is not working. I dont see 25010.
For testing i switched to a new way to 14002 storj gui port.
Testing with webbrowser is possible that way.

Tested old way and new way. Both ways seems to miss routing from server side to client side.

dancekid · May 12, 2023, 8:51pm

Quote:
It depends if the cable modem and the Fritzbox have routes to the WG or not.

I think this routing is still missing.

trendy · May 13, 2023, 8:05am

If you don't see packets from 25010 then there is something wrong with the storj not sending proper packets.

dancekid · May 16, 2023, 8:32pm

Hello Trendy,
i made a factory reset and created a new testsetup using my fiber and dsl connection.
both networks use a fritzbox as mainrouter, dsl side got an additional openwrt router.

i see traffic from outside to openwrt now, can ping from dsl network to wg-client adress (with static route in fritzbox).
ping wg-client to www.google.de works now, too.
on dsl-side using ms edge i should be able to access storj-gui on 14002 but get: connection refused.
its the same message i get from storj node in docker.
storj node tries connecting to 25010. viewable in wireshark on openwrt. -> connection refused.
wg-tunnel on openwrt: data transmitted 112,69 mb, datareceived 5.02 mb.

i think its down to docker problem right now.
docker setup: wireguard client container + storj container.