Problem with ssh to LAN client via remote wireguard client

thurcom · May 18, 2024, 8:46pm

I have a wireguard server setup on my home openwrt router that allows me to access my LAN remotely, and to route traffic through my home connection from possibly insecure (e.g. coffee shop) access points.

When I have a laptop (computer "A") at a remote location I can ssh into my router, and from there ssh into another computer (computer "B") on my LAN, but I cannot directly ssh into that computer (i.e. from "A" I can't "ssh user@B_IP"). It would be sufficient to do this hop ssh, but I also want to mount a drive from "A" onto "B" via smb, and control "A" remotely via screen share using vnc (both computers are macs), which I can't currently do.

I was able to both mount a drive from "B" onto "A" and use remote desktop when I was at home on the LAN, so I thought it would work via the wireguard connection, but apparently not. It seems like I'm close but have some configuration wrong.

I was hoping someone could take a look at my configuration and see if there is anything obviously wrong. Also, I'm still learning new things about openwrt, so feel free to correct anything I've got wrong or misunderstand.

Here is my basic network setup

network_diagram

I've included my network, firewall, and pbr config files below, with sensitive info redacted.

My basic setup is to use the openwrt policy based routing to direct traffic to the internet or via a wireguard connection to a vpn server (wg0 here) based on ip address. 192.168.0.x/24 goes via wg0, 192.168.1.x/24 goes via wan. I try to use static IPs for all devices, though I do have a dhcp server running on the router.

I have two wireguard server interfaces setup. wg1 works and is typically how I connect to the internet using "A". For instance, "A" connects to wg1 and has IP 192.168.0.32. From here I can ssh to router, and mount an smb drive connected to router. I cannot ssh to "B" or mount smb drives ets. When "A" is at home on the lan, this works.

wg2 I just set up as an additional test using suggestions I found in other threads, but nothing currently works.

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'XXXX:XXXX:XXXX::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ip6assign '60'
	option ipaddr '192.168.0.1'
	option netmask '255.255.0.0'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

config interface 'wg0'
	option proto 'wireguard'
	option listen_port '8003'
	option private_key 'XXXX'
	option addresses 'XXX.XXX.XXX.XXX'

config wireguard_wg0
	option endpoint_port '1337'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::0/0'
	option persistent_keepalive '25'
	option description 'XXXX'
	option public_key 'XXXX'
	option endpoint_host 'XXX.XXX.XXX.XXX'

config interface 'wg1'
	option proto 'wireguard'
	option private_key 'XXXX='
	option listen_port '8006'
	list addresses '192.168.0.3'

config wireguard_wg1
	option description 'Peer1'
	option endpoint_port '8006'
	option route_allowed_ips '1'
	option public_key 'XXXX='
	option private_key 'XXXX='
	option preshared_key 'XXXX='
	list allowed_ips '192.168.0.47/32'
	list allowed_ips '192.168.1.47/32'

config interface 'wg2'
	option proto 'wireguard'
	option private_key 'XXXX='
	option listen_port '8007'
	option mtu '1280'
	list addresses '10.10.10.1/24'

config wireguard_wg2
	option description 'Peer1'
	option public_key 'XXXX='
	option private_key 'XXXX='
	option preshared_key 'XXXX='
	list allowed_ips '10.10.10.47/32'
	option route_allowed_ips '1'
	option endpoint_host 'name.ddns.com'
	option persistent_keepalive '25'

/etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	list network 'wg1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'wg0'
	list network 'wg0'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wg0'

config forwarding
	option src 'wg0'
	option dest 'wan'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/pbr.firewall.include'

config rule
	option name 'Allow-wg1-Inbound'
	option family 'ipv4'
	list proto 'udp'
	option src '*'
	option dest_port '8006'
	option target 'ACCEPT'

config zone
	option name 'wg1fw'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'wg2'

config rule
	option name 'Allow-Wg2-WAN'
	list proto 'udp'
	option src 'wan'
	option dest_port '8007'
	option target 'ACCEPT'
	option family 'ipv4'

config forwarding
	option src 'lan'
	option dest 'wg1fw'

config forwarding
	option src 'wg1fw'
	option dest 'lan'

/etc/config/pbr

config pbr 'config'
	option enabled '1'
	option verbosity '2'
	option strict_enforcement '1'
	option resolver_set 'none'
	option ipv6_enabled '1'
	option boot_timeout '30'
	option rule_create_option 'add'
	option procd_reload_delay '1'
	option webui_show_ignore_target '1'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	list ignored_interface 'wg1'
	list ignored_interface 'wg2'

config policy
	option name 'Ignore LAN'
	option interface 'ignore'
	option dest_addr '192.168.0.0/16'

config policy
	option name 'wg0 Subnet'
	option src_addr '192.168.0.0/24'
	option interface 'wg0'

config policy
	option name 'wan Subnet'
	option src_addr '192.168.1.0/24'
	option interface 'wan'

Peer1 wireguard config


[Interface]
PrivateKey = XXXX=
ListenPort = 8006
Address = 192.168.0.47/32
DNS = 1.1.1.1, 8.8.8.8

[Peer]
PublicKey = XXXX=
PresharedKey = XXXX=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = name.ddns.com:8006

egc · May 19, 2024, 7:51am

Some thoughts about your setup

You have redacted the ip address of wg0, normally this is a private IP address so no need to redact , actually it makes things difficult to give proper support as this ip address should not overlap with other subnets
furthermore it should be list addresses and not option addresses see other examples

thurcom:

config interface 'wg1'
	option proto 'wireguard'
	option private_key 'XXXX='
	option listen_port '8006'
	list addresses '192.168.0.3'

config wireguard_wg1
	option description 'Peer1'
	option endpoint_port '8006'
	option route_allowed_ips '1'
	option public_key 'XXXX='
	option private_key 'XXXX='
	option preshared_key 'XXXX='
	list allowed_ips '192.168.0.47/32'
	list allowed_ips '192.168.1.47/32'

WireGuard is a routed solution so best practices is to make sure that all involved subnets (Computer A, Router and WG subnet are different).
The WG subnet is the same as the routers so I propose to change that e.g. in 172.18.0.0/24.
So as list address for wg1 you use 172.18.0.1/24
For the peers address you use 172.18.0.2/24 in the clients config but note for the list allowed IPs, you use list allowed_ips '172.18.0.2/32'

This should make it possible to ping/connect from router A to B assuming the firewall of computer B allows traffic from 172.18.0.0/24!
If you cannot tweak the firewall of computer B to allow this traffic then you have to MASQUERADE/SNAT 172.18.0.0/24 coming out of br-lan.

This assumes Computer A is a simple client which NAT's its traffic out of the WG interface so that all traffic from computer A is coming from its WG address e.g.: 172.18.0.2 and that the IP address of Computer A is not in 192.168.0.0/24 (the routers subnet) and not in 172.18.0.0/24 (the WG subnet)

Then there also seems to be a third wg interface wg2 not sure what that is doing?

I do not have more time to day to look at it but I am sure someone else will chime in and if not there is always a tomorrow

thurcom · May 19, 2024, 5:04pm

This worked! Thanks!

After reading through your description, I think I had two things wrong. First, I had my peer address in my client as /32 rather than /24 as you suggest. I also needed to turn masquerading on in my firewall config for the forwarding from wg2fw zone to lan. I made these changes and it worked.

I still need to do some more reading to better understand the nuts and bolts of what these various options are doing. But if I understand correctly, computer A is (I think) indeed a simple NAT that now uses 172.18.0.2 and therefore needs masqurading to be able to forward to the lan using the router IP that computer B allows (i.e. within 192.168.0.0/24).

Also, as I've fixed tons of problems by reading through other threads in the forum, I'll outline what I did for anyone else who comes across this.

First, wg2 is the new wireguard interface I'm trying to setup correctly, while I left wg1 in place temporarily to facilitate access to router in case I screwed something up. wg2 now has its own subnet that remote peers connect to (172.18.0.0/24), and its own firewall zone (wg2fw). This firewall zone is now forwarding to lan and uses masqurading so as to appear with the router ip so other lan computer's firewalls don't block it. (Please feel free to correct anything I've got wrong and I'll edit this.) The relevant updated sections of the various config files are now:

updates to /etc/config/network

config interface 'wg2'
	option proto 'wireguard'
	option private_key 'XXXX='
	option listen_port '8007'
	option mtu '1280'
	list addresses '172.18.0.1/24'

config wireguard_wg2
	option description 'Peer1'
	option public_key 'XXXX='
	option private_key 'XXXX='
	option preshared_key 'XXXX='
	list allowed_ips '172.18.0.2/32'
	option route_allowed_ips '1'
	option endpoint_host 'name.ddns.com'
	option persistent_keepalive '25'

updates to /etc/config/firewall


config zone
	option name 'wg2fw'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'wg2'
	option masq '1'

config rule
	option name 'Allow-Wg2-WAN'
	list proto 'udp'
	option src 'wan'
	option dest_port '8007'
	option target 'ACCEPT'
	option family 'ipv4'

config forwarding
	option src 'lan'
	option dest 'wg2fw'

config forwarding
	option src 'wg2fw'
	option dest 'lan'

updates to peer wireguard config

[Interface]
PrivateKey = XXXX=
Address = 172.18.0.2/24
DNS = 1.1.1.1, 8.8.8.8

[Peer]
PublicKey = XXXX=
PresharedKey = XXXX=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = name.ddns.com:8007

egc · May 19, 2024, 5:39pm

WireGuard setup looks good

As this is the server setup you do not need MASQUERADING, so you should be able to remove `option masq '1'``

The MASQUERADING for the WG interface should not be necessary as your client has route allowed IPs set to 0.0.0.0/0 meaning all traffic is allowed and should also be routed back by default.

If everything is working and you can connect from A to B you do not need the MASQUERADING on the LAN zone, that was the MASQUERADING I was talking about.
It should not be necessary as long as computer B accepts traffic from 172.18.0.2.
But computer B should/could have its own firewall which normally only allows traffic from its own subnet (192.168.0.0/24).
The best approach is to tweak the local firewall of computer B to allow traffic from the WG subnet (172.18.0.0/24) but if that is not feasible you MASQUERADE traffic from the LAN zone going to computer B by setting ``option masq '1' on the LAN firewall zone.
This will change the source address of all traffic going to computer B to the routers address (192.168.0.1) and computer B will allow this traffic by default.
Not my favourite solution as you loose logging and access control as all traffic has the source of the router.

For advanced users
Instead of MASQUERADING all traffic coming from the router to the LAN you can only MASQUERADE traffic from 172.18.0.0/24 with a Firewall NAT rule:

/etc/config/firewall:
config nat
	option name 'SNAT-WGserver'
	option src 'lan'
	option src_ip '172.18.0.0/24'
	option target 'MASQUERADE'
	list proto 'all'
	option enabled '1'

But as said the firewall of computer B might already allow traffic from other local/private subnets so you do not need to do anything extra

thurcom · May 19, 2024, 6:32pm

Interesting! And you're right, if I remove option masq '1' it still works fine as I am assuming my computer B firewall was already able to accept it. I think part of my problem may also have been that I'm trying to use pbr with this as well (to route lan traffic through the vpn or not based on which subnet I put each computer on... maybe not the most eloquent solution, but it did seem to work). When I add 'wg2' to the list of ignored interfaces in pbr things seem to work better as well.

I'm going to play around more with the firewall on computer B and trying to add your final advanced MASQUERADING option... but I'll probably wait until I get back home to try it in case I temporarily break something. Thanks again!

system · May 29, 2024, 6:33pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.