Good day. Please help me with configuring a WireGuard tunnel between OpenWrt (LAN 192.168.1.0/24, VPN 10.10.10.1) and Keenetic (LAN 192.168.2.0/24, VPN 10.10.10.2). OpenWrt is the server with a static public ("white") IP; the Keenetic is behind NAT, on a mobile connection.
From the Keenetic I can ping the OpenWrt router and all devices behind it. From OpenWrt, ping to the Keenetic fails.
Configs:
cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd10:15bc:f24f::/48'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option device 'wan'
option proto 'static'
option ipaddr 'WhiteIP'
option netmask '255.255.255.0'
option gateway 'Gateway'
list dns 'DNS'
list dns 'DNS2'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
config device
option name 'wan'
option macaddr 'MAC'
config device
option type 'bridge'
option name 'br-lan2'
list ports 'lan4'
option mtu '1500'
option macaddr 'MAC'
option txqueuelen '1000'
option mtu6 '1500'
config interface 'lan2'
option proto 'static'
option device 'br-lan2'
option ipaddr '192.168.100.1'
option netmask '255.255.255.0'
# WireGuard server interface: listens on UDP 51820 and owns 10.10.10.1/24.
# The key values below are placeholders as pasted; only the server's own
# private key belongs on this device.
config interface 'wg0'
option proto 'wireguard'
option private_key 'ServerPrivateKey'
option listen_port '51820'
list addresses '10.10.10.1/24'
# Peer 'SamsungS20' (phone, roaming behind NAT).
# NOTE(review): 'private_key' in a peer section is not a server-side setting as
# far as I know, and a peer's private key must exist only on that peer. Remove
# it here (and from the next peer); since the private keys were copied onto a
# second device, consider regenerating them. The server only needs public_key
# and preshared_key for a peer.
# NOTE(review): endpoint_host is this router's own WAN address (the 'wan'
# interface's ipaddr). A peer that roams behind NAT should have no endpoint
# configured here; the server learns the endpoint from the peer's handshake.
# NOTE(review): allowed_ips 10.14.0.10/32 lies outside the tunnel's
# 10.10.10.0/24 — presumably intentional; verify against the phone's address.
config wireguard_wg0
option description 'SamsungS20'
option public_key 'PhonePublicKey'
option private_key 'PhonePrivateKey'
option preshared_key 'PresharedKey'
list allowed_ips '10.14.0.10/32'
option route_allowed_ips '1'
option endpoint_host 'WhiteIP'
option endpoint_port '51820'
# Peer 'Suburban' (Keenetic, behind mobile NAT).
# NOTE(review): same private_key issue as the peer above. endpoint_port without
# an endpoint_host has nothing to point at; omit both for a peer behind NAT.
# NOTE(review): with route_allowed_ips '1' a route for 192.168.2.0/24 via wg0
# is expected; the traceroute posted later in the thread shows 192.168.2.1
# leaving via the ISP gateway instead, which suggests that route is missing
# (e.g. wg0 never came up). Check `wg show wg0` and `ip route` on the OpenWrt
# side before changing the firewall.
config wireguard_wg0
option description 'Suburban'
option public_key 'KeeneticPublicKey'
option private_key 'KeeneticPrivateKey'
option preshared_key 'PSKKey'
option endpoint_port '51820'
list allowed_ips '10.10.10.2/32'
list allowed_ips '192.168.2.0/24'
option route_allowed_ips '1'
cat /etc/config/firewall:
config defaults
option syn_flood '1'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
# Trusted zone: the wired LAN, the second LAN (lan2) and the WireGuard tunnel
# share one zone with input/forward ACCEPT. Any peer that can bring the tunnel
# up — the phone and, via allowed_ips, the whole Keenetic LAN 192.168.2.0/24 —
# therefore gets the same access as a wired LAN host, including the router's
# own services. NOTE(review): if that is more trust than intended, put wg0 in
# its own zone and add explicit 'config forwarding' entries between zones.
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'lan2'
list network 'wg0'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# WireGuard ingress: DNAT of wan:51820/udp to the router's own LAN address.
# NOTE(review): the conventional form is an input rule (a 'config rule' with
# src 'wan', proto 'udp', dest_port '51820', target 'ACCEPT'), which admits the
# packets to the listening socket directly. The thread says Keenetic→OpenWrt
# ping works, so handshakes evidently succeed with this redirect, but the plain
# input rule is the clearer and more commonly documented form.
config redirect
option dest 'lan'
option target 'DNAT'
option name 'WireGuard'
list proto 'udp'
option src 'wan'
option src_dport '51820'
option dest_ip '192.168.1.1'
option dest_port '51820'
Thanks for a help!
I have corrected everything you wrote — nothing changes...
For the Keenetic: I can export the "running-config" — it is here:
! $$$ Model: Keenetic Giga
! $$$ Version: 2.06.1
! $$$ Agent: http/rci
! $$$ Md5 checksum: 4aa6eda72671a53c1717bcfd2da84da9
! $$$ Last change: Sun, 10 Dec 2023 17:37:42 GMT
! $$$ Username: admin
system
set net.ipv4.ip_forward 1
set net.ipv4.tcp_fin_timeout 30
set net.ipv4.tcp_keepalive_time 120
set net.ipv4.neigh.default.gc_thresh1 256
set net.ipv4.neigh.default.gc_thresh2 1024
set net.ipv4.neigh.default.gc_thresh3 2048
set net.ipv6.neigh.default.gc_thresh1 256
set net.ipv6.neigh.default.gc_thresh2 1024
set net.ipv6.neigh.default.gc_thresh3 2048
set net.netfilter.nf_conntrack_tcp_timeout_established 1200
set net.netfilter.nf_conntrack_max 16384
set vm.swappiness 60
set vm.overcommit_memory 0
set vm.vfs_cache_pressure 1000
set dev.usb.force_usb2 1
set net.ipv6.conf.all.forwarding 1
no led FN_1 indicate
no led FN_2 indicate
no button WLAN on click
no button WLAN on double-click
no button WLAN on hold
no button FN1 on click
no button FN2 on click
clock timezone Europe/Moscow
domainname WORKGROUP
hostname SmartBox
caption description
description "SmartBox Giga"
ndss dump-report disable
!
ntp server 0.pool.ntp.org
ntp server 1.pool.ntp.org
ntp server 2.pool.ntp.org
ntp server 3.pool.ntp.org
known host OpenWrt b0:be:76:54:6b:e5
! Inbound filter applied to Wireguard0 ("ip access-group _WEBADMIN_Wireguard0 in"
! on that interface). It permits only TCP and UDP from any source to any
! destination; ICMP is not listed. NOTE(review): if this list ends in an
! implicit deny (as such lists usually do), echo-requests arriving through the
! tunnel from the OpenWrt side are dropped here even once routing is correct,
! while the Keenetic's own outbound pings still work because their replies are
! return traffic. Add a permit entry for ICMP (check the exact keyword for this
! firmware) before testing with ping from OpenWrt.
access-list _WEBADMIN_Wireguard0
permit tcp 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
permit description Home
permit udp 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
permit description Home1
auto-delete
!
isolate-private
user admin
password md5 password...
password nt password...
tag cli
tag http
tag ftp
tag opt
tag cifs
tag printers
tag sftp
tag torrent
tag vpn
tag ipsec-l2tp
tag ipsec-xauth
tag http-proxy
!
dyndns profile _WEBADMIN
!
interface GigabitEthernet0
up
!
interface GigabitEthernet0/0
rename 1
switchport mode access
switchport access vlan 1
up
!
interface GigabitEthernet0/1
rename 2
switchport mode access
switchport access vlan 1
up
!
interface GigabitEthernet0/2
rename 3
switchport mode access
switchport access vlan 1
up
!
interface GigabitEthernet0/3
rename 4
switchport mode access
switchport access vlan 1
up
!
interface GigabitEthernet0/Vlan1
description "Home VLAN"
security-level private
ip dhcp client dns-routes
ip name-servers
up
!
interface GigabitEthernet1
security-level public
down
!
interface GigabitEthernet1/0
rename 0
down
!
interface WifiMaster0
country-code US
compatibility GN
channel width 40-below
tx-burst
rekey-interval 86400
up
!
interface WifiMaster0/AccessPoint0
rename AccessPoint
description "Wi-Fi access point"
mac access-list type none
security-level private
authentication wpa-psk ns3 password...
encryption enable
encryption wpa2
ip dhcp client dns-routes
ip name-servers
ssid OWG
wmm
rrm
up
!
interface WifiMaster0/AccessPoint1
rename GuestWiFi
description "Guest access point"
mac access-list type none
security-level private
encryption disable
ip dhcp client dns-routes
ip name-servers
down
!
interface WifiMaster0/AccessPoint2
mac access-list type none
security-level private
ip dhcp client dns-routes
ip name-servers
down
!
interface WifiMaster0/AccessPoint3
mac access-list type none
security-level private
ip dhcp client dns-routes
ip name-servers
down
!
interface WifiMaster0/WifiStation0
security-level public
encryption disable
ip dhcp client dns-routes
ip name-servers
down
!
interface WifiMaster1
country-code US
compatibility N+AC
channel 52
channel width 40-above/80
tx-burst
rekey-interval 86400
band-steering
band-steering preference 5
beamforming explicit
atf disable
downlink-mumimo
up
!
interface WifiMaster1/AccessPoint0
rename AccessPoint_5G
description "5GHz Wi-Fi access point"
mac access-list type none
security-level private
authentication wpa-psk ns3 password...
encryption enable
encryption wpa2
ip dhcp client dns-routes
ip name-servers
ssid OWG_5G
wmm
rrm
up
!
interface WifiMaster1/AccessPoint1
rename GuestWiFi_5G
description "5GHz Guest access point"
mac access-list type none
security-level private
encryption disable
ip dhcp client dns-routes
ip name-servers
down
!
interface WifiMaster1/AccessPoint2
mac access-list type none
security-level private
ip dhcp client dns-routes
ip name-servers
down
!
interface WifiMaster1/AccessPoint3
mac access-list type none
security-level private
ip dhcp client dns-routes
ip name-servers
down
!
interface WifiMaster1/WifiStation0
security-level public
encryption disable
ip dhcp client dns-routes
ip name-servers
down
!
interface UsbLte0
description "Mobile Broadband"
usb device-id 8087 095a
security-level public
ip global 49150
ip adjust-ttl send 64
ip adjust-ttl recv 64
igmp upstream
ipv6 no name-servers
ping-check profile default
up
!
interface Bridge0
rename Home
description "Home network"
inherit GigabitEthernet0/Vlan1
include AccessPoint
include AccessPoint_5G
include GigabitEthernet1
mac access-list type none
security-level private
ip address 192.168.2.1 255.255.255.0
ip dhcp client dns-routes
ip name-servers
iapp key ns3 password...
up
!
! Tunnel to the OpenWrt server (10.10.10.1); this side is 10.10.10.2/32.
! NOTE(review): "security-level public" marks the tunnel as untrusted and
! "ip access-group ... in" filters everything entering it (that list permits
! tcp/udp only). Both are legitimate policy choices, but they are the first
! place to look when the OpenWrt side cannot reach 192.168.2.x.
! NOTE(review): "wireguard listen-port 51820" has no effect for a peer behind
! mobile NAT (nothing can reach that port from outside); the keepalive-interval
! of 25 s is presumably what keeps the NAT mapping open for return traffic
! from the server, so keep it.
interface Wireguard0
description WG-Home
security-level public
ip address 10.10.10.2 255.255.255.255
ip access-group _WEBADMIN_Wireguard0 in
ip tcp adjust-mss pmtu
wireguard listen-port 51820
wireguard peer Correct_Key !Home
endpoint WhiteIPofServer:51820
keepalive-interval 25
preshared-key Correct_PSK
allow-ips 10.10.10.0 255.255.255.0
allow-ips 192.168.1.0 255.255.255.0
!
up
!
ip route 192.168.10.0 255.255.255.0 192.168.2.86 auto reject
ip route 192.168.1.0 255.255.255.0 Wireguard0 auto reject
ip dhcp pool _WEBADMIN
range 192.168.2.33 192.168.2.152
lease 25200
bind Home
enable
!
ip dhcp pool _WEBADMIN_GUEST_AP
enable
!
ip dhcp host b0:be:76:54:6b:e5 192.168.2.86
ip name-server 8.8.8.8 "" on Wireguard0
ip http port 80
ip http security-level public
ip http lockout-policy 5 15 3
ip http ssl enable
ip http ssl redirect
ip http webdav
security-level public
!
ip nat Home
ip nat vpn
ip telnet
port 23
security-level public
lockout-policy 5 15 3
!
ip ssh
port 22
security-level public
lockout-policy 5 15 3
!
ip ftp
security-level private
lockout-policy 4 15 3
!
ip hotspot
policy Home permit
host b0:be:76:54:6b:e5 permit
host b0:be:76:54:6b:e5 priority 6
!
ipv6 subnet Default
bind Home
mode slaac
prefix length 64
number 0
!
ppe software
ppe hardware
upnp lan Home
ntce
qos category other priority 1
qos category calling priority 2
qos category gaming priority 3
qos category streaming priority 4
qos category work priority 5
qos category surfing priority 6
qos category filetransfering priority 7
!
torrent
rpc-port 8090
peer-port 51413
!
crypto engine hardware
sstp-server
interface Home
pool-range 172.16.3.33 200
lcp echo 30 3
!
vpn-server
interface Home
pool-range 172.16.1.33 200
multi-login
lcp echo 30 3
lockout-policy 3 30 5
!
service dhcp
service dns-proxy
service http
service telnet
service ssh
service ntp
service upnp
service no internet-checker
cifs
automount
permissive
!
dlna
interface Home
!
dns-proxy
rebind-protect auto
!
mdns
reflector disable
!
mws auto-ap-shutdown
mws backhaul shutdown
opkg disk storage:/
components
validity-period 604800
auto-update disable
auto-update channel stable
!
cloud control2 security-level private
!
Full disclosure: I don't really know what I'm looking at here -- not versed in the OS running on the Keenetic. So just a few guesses/thoughts.
Since this device isn't actually listening on the specified port (because it is behind NAT/CG-NAT and you can't control the port), this should be removed:
And if I'm reading this route correctly, it suggests that this traffic is being rejected? (maybe — I don't know how this is supposed to work on this OS).
You may also want to modify the above route to be 192.168.1.0/24 via 10.10.10.1 (I think the syntax for your device would look like `ip route 192.168.1.0 255.255.255.0 10.10.10.1 auto reject` — but I'm not sure what the reject means here).
Try looking at that stuff and see if you can fix that side.
If that doesn't work, I do have another idea that may or may not help.
After entering the command `ip route 192.168.1.0 255.255.255.0 10.10.10.1 auto reject`, ping from the Keenetic to 192.168.1.1 fails. After rebooting, ping is OK again.
root@OpenWrtTurboPlus:~# traceroute 192.168.2.1
traceroute to 192.168.2.1 (192.168.2.1), 30 hops max, 46 byte packets
1 ISPGateway (ISPGateway) 2.354 ms 0.746 ms 0.758 ms
2 10.74.1.111 (10.74.1.111) 1.665 ms 1.950 ms 1.629 ms
3 5.188.236.42 (5.188.236.42) 1.242 ms 1.254 ms 1.035 ms
4 83.171.94.89 (83.171.94.89) 1.673 ms 1.625 ms 1.601 ms
5 * * *