Hi Everyone
It this about this tutorial
I'm following this tutorial stated before and I'm getting this error, look
Could someone guide me to fix this?
Thanks
The only apparent error is related to creating a firewall rule that allows incoming connections to the wireguard service from the wan zone. Create the rule manually, editing the destination port if necessary.
uci add firewall rule
uci set firewall.@rule[-1].name='Allow-WireGuard'
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].dest_port='51820' # The correct wg listening port here
uci set firewall.@rule[-1].proto='udp'
uci set firewall.@rule[-1].target='ACCEPT'
uci commit firewall
/etc/init.d/firewall restart
I could fix it creating these zone configurations in both routers in the site to site enviroment
I can reach to other site and viceversa
Does it make sense?
Someone must fix the script ASAP
I ran the script with the default values and worked fine for me.
Which values did you change?
I changed these
WG_SITE_A_HOSTNAME="mysiteA.net"
WG_SITE_B_HOSTNAME="mysiteB.net"
WG_SITE_A_LAN_RANGE="192.168.1.0/24"
WG_SITE_B_LAN_RANGE="192.168.3.0/24"
Do I need to change something else?
No, it is not needed. Maybe some other typographic error broke some uci command.
I'm using the lastest version of open wrt for the archer c7 v5
About this variable WG_TRIAL="" Should I leave it empty? Right?
You can fill in something there and it will only produce the scripts. Try that and paste here the output of the files to have a look.
With this variable empty WG_TRIAL="" the main script created these scripts attached below
Main Script
#!/bin/sh
#
# s2s_combined.sh: create configuration scripts that set up a
# site-to-site VPN between two OpenWrt hosts using wireguard.
# The site configurations are symmetric, each is a server with the
# other as a peer.
#
# This script generates two script files, one for each site. The
# generated files contain matched pre-shared keys and private/public key
# values for the two sites.
#
# Run this script on one of the routers (site A for example), then
# copy the generated script for the other site to the other router.
# Run the appropriate script on each router: '/tmp/site-<hostname>.sh'
#
# After running the generated scripts, DELETE the scripts, so that
# nobody copies them and steals the keys. The keys are stored in the
# network configuration files, which you are already protecting since
# they have other confidential information such as wifi passwords, TLS
# server keys, etc.
#
# The generated scripts configure a wireguard tunnel that carries IPv4
# and IPv6 through the tunnel. It routes the other site's IPv6 ULA
# range through the tunnel, plus one IPv4 range. You can add more
# routed networks later through LuCI or uci.
#
clear
echo "======================================"
echo "| Automated WireGuard Script |"
echo "| Site-to-Site VPN |"
echo "| Script generator |"
echo "======================================"
echo -n "Defining variables... "
# Set the following values as needed to configure the generated scripts:
#
# Make this non-empty if you want to create scripts that only show
# the configuration and don't actually set it.
WG_TRIAL=""
# The hostnames of the two OpenWrt routers. Use a dynamic DNS service
# if needed so that your routers can find each other.
WG_SITE_A_HOSTNAME="xxxxxxxx.no-ip.org"
WG_SITE_B_HOSTNAME="xxxxxxxxx.ddns.net"
# The description
WG_SITE_A_DESCRIPTION="Site A, ${WG_SITE_A_HOSTNAME}"
WG_SITE_B_DESCRIPTION="Site B, ${WG_SITE_B_HOSTNAME}"
# The interface names at each site
WG_SITE_A_IF="wg_s2s_a"
WG_SITE_B_IF="wg_s2s_b"
WG_PORT="51820"
# The IPv4 range at each site.
# Site A will route traffic to WG_SITE_B_LAN_RANGE through the tunnel
# and vice-versa for site B
WG_SITE_A_LAN_RANGE="192.168.1.0/24"
WG_SITE_B_LAN_RANGE="192.168.3.0/24"
# The IPv6 ULA prefixes for each host. The tunnel will be configured
# to route to the peer's ULA addresses. Get this with
# "uci get network.globals.ula_prefix |sed -e 's,::/.*,,'"
WG_SITE_A_ULA_PREFIX="fdff:ffff:ffff"
WG_SITE_B_ULA_PREFIX="fdee:eeee:eeee"
# Route the IPv6 ULA prefix for the remote site through the tunnel
WG_SITE_A_LAN_RANGE6="${WG_SITE_A_ULA_PREFIX}::/48"
WG_SITE_B_LAN_RANGE6="${WG_SITE_B_ULA_PREFIX}::/48"
# The firewall zone names at each site (the VPN tunnel endpoints are placed
# in these zones)
WG_SITE_A_VPN_ZONE=vpn
WG_SITE_B_VPN_ZONE=vpn
# The firewall WAN zone names at each site, used to configure WAN
# firewall ingress rules to accept wireguard traffic on the chosen port
WG_SITE_A_WAN_ZONE=wan
WG_SITE_B_WAN_ZONE=wan
# You probably don't need to change these unless you don't like these
# internal names
WG_SITE_A_CONFIG_NAME=s2s_vpn_site_a
WG_SITE_B_CONFIG_NAME=s2s_vpn_site_b
WG_FW_RULE_ID="wg_s2s_${WG_PORT}"
echo "Done"
if [ ! -z "${WG_TRIAL}" ]; then
ECHO="echo echo"
else
ECHO="echo"
fi
cleanup() {
echo -n "Removing temporary key files... "
rm -f /tmp/wg_site_a.key /tmp/wg_site_a.pub
rm -f /tmp/wg_site_b.key /tmp/wg_site_b.pub
rm -f /tmp/wg_site_a_and_b.psk
echo "Done"
}
trap cleanup EXIT
cd /tmp
# Generate keys
umask go=
echo -n "Generating WireGuard keys for sites A and B... "
wg genkey | tee wg_site_a.key | wg pubkey > wg_site_a.pub
wg genkey | tee wg_site_b.key | wg pubkey > wg_site_b.pub
wg genpsk > wg_site_a_and_b.psk
# Site_A keys
WG_SITE_A_KEY="$(cat wg_site_a.key)"
WG_SITE_A_PUB="$(cat wg_site_a.pub)"
# Site_B keys
WG_SITE_B_KEY="$(cat wg_site_b.key)"
WG_SITE_B_PUB="$(cat wg_site_b.pub)"
# Pre-shared key known by both
WG_PSK="$(cat wg_site_a_and_b.psk)"
echo "Done"
create_site_config()
{
LOCAL_DESCRIPTION="${1}"
LOCAL_VPN_ZONE="${2}"
LOCAL_IF="${3}"
LOCAL_WAN_ZONE="${4}"
LOCAL_KEY="${5}"
LOCAL_HOSTNAME="${6}"
REMOTE_CONF="${7}"
REMOTE_PUB="${8}"
REMOTE_PSK="${9}"
REMOTE_LAN_RANGE="${10}"
REMOTE_LAN_RANGE6="${11}"
REMOTE_HOSTNAME="${12}"
REMOTE_DESCRIPTION="${13}"
if [ -z "$REMOTE_DESCRIPTION" ]; then
echo not enough args to subroutine 1>&2
exit 1
fi
echo "#!/bin/sh"
echo "clear"
echo "echo ======================================"
echo "echo \"| Automated WireGuard Script |\""
echo "echo \"| Site-to-Site VPN |\""
echo "echo \"| Configuration |\""
echo "echo ======================================"
echo "echo Generated to configure \"${LOCAL_HOSTNAME}\" to tunnel with \"${REMOTE_HOSTNAME}\""
echo "echo -n Creating firewall rule for WAN ingress..."
${ECHO} uci del_list firewall.${LOCAL_VPN_ZONE}.network=\"${LOCAL_IF}\"
${ECHO} uci add_list firewall.${LOCAL_VPN_ZONE}.network=\"${LOCAL_IF}\"
${ECHO} uci -q delete firewall.${WG_FW_RULE_ID}
${ECHO} uci set firewall.${WG_FW_RULE_ID}=\"rule\"
${ECHO} uci set firewall.${WG_FW_RULE_ID}.name=\"Allow-WireGuard-${WG_PORT}\"
${ECHO} uci set firewall.${WG_FW_RULE_ID}.src=\"${LOCAL_WAN_ZONE}\"
${ECHO} uci set firewall.${WG_FW_RULE_ID}.dest_port=\"${WG_PORT}\"
${ECHO} uci set firewall.${WG_FW_RULE_ID}.proto=\"udp\"
${ECHO} uci set firewall.${WG_FW_RULE_ID}.target=\"ACCEPT\"
${ECHO} uci commit firewall
${ECHO} /etc/init.d/firewall restart
echo "echo Done"
# Configure network, $LOCAL_DESCRIPTION tunnel endpoint
echo "echo -n Configure wireguard interface \"${LOCAL_IF}\"..."
${ECHO} uci -q delete network.${LOCAL_IF}
${ECHO} uci set network.${LOCAL_IF}=\"interface\"
${ECHO} uci set network.${LOCAL_IF}.proto=\"wireguard\"
${ECHO} uci set network.${LOCAL_IF}.private_key=\"${LOCAL_KEY}\"
${ECHO} uci set network.${LOCAL_IF}.listen_port=\"${WG_PORT}\"
echo "echo Done"
# Add local site's ideas about remote site
echo "echo -n Configure peer \"${REMOTE_DESCRIPTION}\"..."
${ECHO} uci -q delete network.${REMOTE_CONF}
${ECHO} uci set network.${REMOTE_CONF}=\"wireguard_${LOCAL_IF}\"
${ECHO} uci set network.${REMOTE_CONF}.public_key=\"${REMOTE_PUB}\"
${ECHO} uci set network.${REMOTE_CONF}.preshared_key=\"${REMOTE_PSK}\"
${ECHO} uci set network.${REMOTE_CONF}.description=\""${REMOTE_DESCRIPTION}"\"
${ECHO} uci add_list network.${REMOTE_CONF}.allowed_ips=\"${REMOTE_LAN_RANGE}\"
${ECHO} uci add_list network.${REMOTE_CONF}.allowed_ips=\"${REMOTE_LAN_RANGE6}\"
${ECHO} uci set network.${REMOTE_CONF}.route_allowed_ips=\'1\'
${ECHO} uci set network.${REMOTE_CONF}.persistent_keepalive=\'25\'
${ECHO} uci set network.${REMOTE_CONF}.endpoint_host=\"${REMOTE_HOSTNAME}\"
${ECHO} uci set network.${REMOTE_CONF}.endpoint_port=\"${WG_PORT}\"
${ECHO} uci commit network
${ECHO} /etc/init.d/network restart
echo "echo Done"
echo "echo ======================================"
echo "echo \"| Next steps |\""
echo "echo ======================================"
echo "echo Remove this script: \"\$0\""
echo "echo It contains copies of your secret keys that"
echo "echo you do not need anymore, because they are now in the network"
echo "echo configuration files. Delete the script to avoid key theft."
}
echo -n "Creating configuration script for \"${WG_SITE_A_DESCRIPTION}\" ... "
create_site_config \
"${WG_SITE_A_DESCRIPTION}" \
"${WG_SITE_A_VPN_ZONE}" \
"${WG_SITE_A_IF}" \
"${WG_SITE_A_WAN_ZONE}" \
"${WG_SITE_A_KEY}"\
"${WG_SITE_A_HOSTNAME}"\
"${WG_SITE_B_CONFIG_NAME}" \
"${WG_SITE_B_PUB}" \
"${WG_PSK}" \
"${WG_SITE_B_LAN_RANGE}" \
"${WG_SITE_B_LAN_RANGE6}" \
"${WG_SITE_B_HOSTNAME}" \
"${WG_SITE_B_DESCRIPTION}" >site-${WG_SITE_A_HOSTNAME}.sh
chmod u+x site-${WG_SITE_A_HOSTNAME}.sh
echo "Done"
echo -n "Creating configuration script for \"${WG_SITE_B_DESCRIPTION}\" ... "
create_site_config \
"${WG_SITE_B_DESCRIPTION}" \
"${WG_SITE_B_VPN_ZONE}" \
"${WG_SITE_B_IF}" \
"${WG_SITE_B_WAN_ZONE}" \
"${WG_SITE_B_KEY}"\
"${WG_SITE_B_HOSTNAME}"\
"${WG_SITE_A_CONFIG_NAME}" \
"${WG_SITE_A_PUB}" \
"${WG_PSK}" \
"${WG_SITE_A_LAN_RANGE}" \
"${WG_SITE_A_LAN_RANGE6}" \
"${WG_SITE_A_HOSTNAME}" \
"${WG_SITE_A_DESCRIPTION}" >site-${WG_SITE_B_HOSTNAME}.sh
chmod u+x site-${WG_SITE_B_HOSTNAME}.sh
echo "Done"
echo "======================================"
echo "| Next steps |"
echo "======================================"
echo "1. Copy /tmp/site-${WG_SITE_A_HOSTNAME}.sh to ${WG_SITE_A_HOSTNAME} and run it there,"
echo " then delete all copies of it to protect your keys."
echo "2. Copy /tmp/site-${WG_SITE_B_HOSTNAME}.sh to ${WG_SITE_B_HOSTNAME} and run it there,"
echo " then delete all copies of it to protect your keys."
echo "======================================"
if [ ! -z "${WG_TRIAL}" ]; then
echo "========================================="
echo "| Trial mode, scripts are nonfunctional |"
echo "========================================="
fi
exit 0
Router A
#!/bin/sh
clear
echo ======================================
echo "| Automated WireGuard Script |"
echo "| Site-to-Site VPN |"
echo "| Configuration |"
echo ======================================
echo Generated to configure "xxxxxxxxxx.no-ip.org" to tunnel with "xxxxxxxxxxxx.ddns.net"
echo -n Creating firewall rule for WAN ingress...
uci del_list firewall.vpn.network="wg_s2s_a"
uci add_list firewall.vpn.network="wg_s2s_a"
uci -q delete firewall.wg_s2s_51820
uci set firewall.wg_s2s_51820="rule"
uci set firewall.wg_s2s_51820.name="Allow-WireGuard-51820"
uci set firewall.wg_s2s_51820.src="wan"
uci set firewall.wg_s2s_51820.dest_port="51820"
uci set firewall.wg_s2s_51820.proto="udp"
uci set firewall.wg_s2s_51820.target="ACCEPT"
uci commit firewall
/etc/init.d/firewall restart
echo Done
echo -n Configure wireguard interface "wg_s2s_a"...
uci -q delete network.wg_s2s_a
uci set network.wg_s2s_a="interface"
uci set network.wg_s2s_a.proto="wireguard"
uci set network.wg_s2s_a.private_key="xxxxxxxxxxxxxxxxxxxxxxxxxx"
uci set network.wg_s2s_a.listen_port="51820"
echo Done
echo -n Configure peer "Site B, xxxxxxxxxxxxxxx.ddns.net"...
uci -q delete network.s2s_vpn_site_b
uci set network.s2s_vpn_site_b="wireguard_wg_s2s_a"
uci set network.s2s_vpn_site_b.public_key="xxxxxxxxxxxxxxxxxxxxxxxxxxxx"
uci set network.s2s_vpn_site_b.preshared_key="xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
uci set network.s2s_vpn_site_b.description="Site B, xxxxxxxxxxxx.ddns.net"
uci add_list network.s2s_vpn_site_b.allowed_ips="192.168.3.0/24"
uci add_list network.s2s_vpn_site_b.allowed_ips="fdee:eeee:eeee::/48"
uci set network.s2s_vpn_site_b.route_allowed_ips='1'
uci set network.s2s_vpn_site_b.persistent_keepalive='25'
uci set network.s2s_vpn_site_b.endpoint_host="xxxxxxxxxxx.ddns.net"
uci set network.s2s_vpn_site_b.endpoint_port="51820"
uci commit network
/etc/init.d/network restart
echo Done
echo ======================================
echo "| Next steps |"
echo ======================================
echo Remove this script: "$0"
echo It contains copies of your secret keys that
echo you do not need anymore, because they are now in the network
echo configuration files. Delete the script to avoid key theft.
Router B
#!/bin/sh
clear
echo ======================================
echo "| Automated WireGuard Script |"
echo "| Site-to-Site VPN |"
echo "| Configuration |"
echo ======================================
echo Generated to configure "xxxxxxxx.ddns.net" to tunnel with "xxxxxxxxxxx.no-ip.org"
echo -n Creating firewall rule for WAN ingress...
uci del_list firewall.vpn.network="wg_s2s_b"
uci add_list firewall.vpn.network="wg_s2s_b"
uci -q delete firewall.wg_s2s_51820
uci set firewall.wg_s2s_51820="rule"
uci set firewall.wg_s2s_51820.name="Allow-WireGuard-51820"
uci set firewall.wg_s2s_51820.src="wan"
uci set firewall.wg_s2s_51820.dest_port="51820"
uci set firewall.wg_s2s_51820.proto="udp"
uci set firewall.wg_s2s_51820.target="ACCEPT"
uci commit firewall
/etc/init.d/firewall restart
echo Done
echo -n Configure wireguard interface "wg_s2s_b"...
uci -q delete network.wg_s2s_b
uci set network.wg_s2s_b="interface"
uci set network.wg_s2s_b.proto="wireguard"
uci set network.wg_s2s_b.private_key="xxxxxxxxxxxxx"
uci set network.wg_s2s_b.listen_port="51820"
echo Done
echo -n Configure peer "Site A, xxxxxxxxxxx.no-ip.org"...
uci -q delete network.s2s_vpn_site_a
uci set network.s2s_vpn_site_a="wireguard_wg_s2s_b"
uci set network.s2s_vpn_site_a.public_key="xxxxxxxxxxxxxxxxxxxx="
uci set network.s2s_vpn_site_a.preshared_key="xxxxxxxxx="
uci set network.s2s_vpn_site_a.description="Site A, xxxxxxxxx.no-ip.org"
uci add_list network.s2s_vpn_site_a.allowed_ips="192.168.1.0/24"
uci add_list network.s2s_vpn_site_a.allowed_ips="fdff:ffff:ffff::/48"
uci set network.s2s_vpn_site_a.route_allowed_ips='1'
uci set network.s2s_vpn_site_a.persistent_keepalive='25'
uci set network.s2s_vpn_site_a.endpoint_host="xxxxxxxxx.no-ip.org"
uci set network.s2s_vpn_site_a.endpoint_port="51820"
uci commit network
/etc/init.d/network restart
echo Done
echo ======================================
echo "| Next steps |"
echo ======================================
echo Remove this script: "$0"
echo It contains copies of your secret keys that
echo you do not need anymore, because they are now in the network
echo configuration files. Delete the script to avoid key theft.
root@RouterA:/tmp# sh site-xxxxxxxxxxx.no-ip.org.sh
======================================
| Automated WireGuard Script |
| Site-to-Site VPN |
| Configuration |
======================================
Generated to configure xxxxxxxxx.no-ip.org to tunnel with xxxxxxxxxx.ddns.net
Creating firewall rule for WAN ingress...uci del_list firewall.vpn.network=wg_s2s_a
uci add_list firewall.vpn.network=wg_s2s_a
uci -q delete firewall.wg_s2s_51820
uci set firewall.wg_s2s_51820=rule
uci set firewall.wg_s2s_51820.name=Allow-WireGuard-51820
uci set firewall.wg_s2s_51820.src=wan
uci set firewall.wg_s2s_51820.dest_port=51820
uci set firewall.wg_s2s_51820.proto=udp
uci set firewall.wg_s2s_51820.target=ACCEPT
uci commit firewall
/etc/init.d/firewall restart
Done
Configure wireguard interface wg_s2s_a...uci -q delete network.wg_s2s_a
uci set network.wg_s2s_a=interface
uci set network.wg_s2s_a.proto=wireguard
uci set network.wg_s2s_a.private_key=xxxxxxxxxxxxxxj3Q=
uci set network.wg_s2s_a.listen_port=51820
Done
Configure peer Site B, xxxxxxxxx.ddns.net...uci -q delete network.s2s_vpn_site_b
uci set network.s2s_vpn_site_b=wireguard_wg_s2s_a
uci set network.s2s_vpn_site_b.public_key=xxxxxxw0Lh3gK2sU3/WIAiE=
uci set network.s2s_vpn_site_b.preshared_key=+xxxxxxxx02BKEzc1gYFAFV4=
uci set network.s2s_vpn_site_b.description=Site B, xxxxxx.ddns.net
uci add_list network.s2s_vpn_site_b.allowed_ips=192.168.3.0/24
uci add_list network.s2s_vpn_site_b.allowed_ips=fdee:eeee:eeee::/48
uci set network.s2s_vpn_site_b.route_allowed_ips=1
uci set network.s2s_vpn_site_b.persistent_keepalive=25
uci set network.s2s_vpn_site_b.endpoint_host=xxxxxxxxx.ddns.net
uci set network.s2s_vpn_site_b.endpoint_port=51820
uci commit network
/etc/init.d/network restart
Done
======================================
| Next steps |
======================================
Remove this script: site-xxxxxxxxxxx.no-ip.org.sh
It contains copies of your secret keys that
you do not need anymore, because they are now in the network
configuration files. Delete the script to avoid key theft.
root@RouterB:/tmp/tmp# sh site-xxxxxxxxx.ddns.net.sh
======================================
| Automated WireGuard Script |
| Site-to-Site VPN |
| Configuration |
======================================
Generated to configure xxxxxxxx.ddns.net to tunnel with xxxxxxxxxx.no-ip.org
Creating firewall rule for WAN ingress...uci del_list firewall.vpn.network=wg_s2s_b
uci add_list firewall.vpn.network=wg_s2s_b
uci -q delete firewall.wg_s2s_51820
uci set firewall.wg_s2s_51820=rule
uci set firewall.wg_s2s_51820.name=Allow-WireGuard-51820
uci set firewall.wg_s2s_51820.src=wan
uci set firewall.wg_s2s_51820.dest_port=51820
uci set firewall.wg_s2s_51820.proto=udp
uci set firewall.wg_s2s_51820.target=ACCEPT
uci commit firewall
/etc/init.d/firewall restart
Done
Configure wireguard interface wg_s2s_b...uci -q delete network.wg_s2s_b
uci set network.wg_s2s_b=interface
uci set network.wg_s2s_b.proto=wireguard
uci set network.wg_s2s_b.private_key=qLm8xxxxxxVQk+pbcPoUutyF7YPXI=
uci set network.wg_s2s_b.listen_port=51820
Done
Configure peer Site A, xxxxxx.no-ip.org...uci -q delete network.s2s_vpn_site_a
uci set network.s2s_vpn_site_a=wireguard_wg_s2s_b
uci set network.s2s_vpn_site_a.public_key=W47W1xxxxxxxxx8J2ghSoYSVYTvZUbJ+9+2o=
uci set network.s2s_vpn_site_a.preshared_key=+HHAXwxxxxxxnN/SA02BKEzc1gYFAFV4=
uci set network.s2s_vpn_site_a.description=Site A, xxxxxxx.no-ip.org
uci add_list network.s2s_vpn_site_a.allowed_ips=192.168.1.0/24
uci add_list network.s2s_vpn_site_a.allowed_ips=fdff:ffff:ffff::/48
uci set network.s2s_vpn_site_a.route_allowed_ips=1
uci set network.s2s_vpn_site_a.persistent_keepalive=25
uci set network.s2s_vpn_site_a.endpoint_host=xxxxxxxxx.no-ip.org
uci set network.s2s_vpn_site_a.endpoint_port=51820
uci commit network
/etc/init.d/network restart
Done
======================================
| Next steps |
======================================
Remove this script: site-xxxxxxxxxxx.ddns.net.sh
It contains copies of your secret keys that
you do not need anymore, because they are now in the network
configuration files. Delete the script to avoid key theft.
Do you have any zone in firewall named vpn? If not, it will fail as above. You should either create such a zone or use lan as the zone, as usually you connect site to site 2 lan segments.
Thanks for your answer
About your comments, we can confirm the script is wrong, so someone should modify it and state that we must create a zone as you said.
Right?
The script is not wrong, I was wrong to mention that nothing else needs to be changed when you also needed to adjust the firewall zone.
Thanks for your answer
Well so if I should need this adjust, why the others users shouldn't do it? Why just me?
Just like the hostname or the IP address, it's a variable for the script. Keep it as it is or change it. The author of the script had in mind that the Wireguard interface should not belong to lan zone to allow isolation.
I could do a tutorial to share the experience in this topic
1 Like
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.