Hi all.
I initially tried to configure a commercial wireguard provider with luci but after getting stuck I set up a droplet to help troubleshoot.
When I stop and start the interface in LuCI, it creates a route for each peer endpoint via 10.0.0.1 (my router IP), which results in me being unable to ping the peer:
default via 82.**.**.1 dev eth0.2
10.0.0.0/24 dev br-lan proto kernel scope link src 10.0.0.1
82.**.**.0/22 dev eth0.2 proto kernel scope link src 82.**.**.102
142.93.147.106 via 10.0.0.1 dev br-lan proto static
After asking on IRC, I established that this is supposed to happen, but I need some clarification on how it works, because if I delete the route, my interface is able to make a handshake and pass traffic:
interface: wg0
public key: 55Z3kc49q/Whg7FSXMUku1/bMeRFhtuw71ho1UBzaSU=
private key: (hidden)
listening port: 51820
peer: TN6WsqbZIhyIs2oUSOwMyJSvGGARxsv7tJGHqP9Ugmk=
endpoint: 142.93.147.106:51820
allowed ips: 0.0.0.0/0
latest handshake: 11 seconds ago
transfer: 92 B received, 2.05 KiB sent
persistent keepalive: every 25 seconds
This is the server wg output:
interface: wg0
public key: TN6WsqbZIhyIs2oUSOwMyJSvGGARxsv7tJGHqP9Ugmk=
private key: (hidden)
listening port: 51820
peer: noOoV2rX8RBeNC+mYNSKx1IP59Vc2e9ZyjhDrDgUQlc= <- 2nd droplet to verify server works
endpoint: 207.154.242.196:51820
allowed ips: 10.10.0.3/32
latest handshake: 59 seconds ago
transfer: 4.78 MiB received, 6.78 MiB sent
peer: 55Z3kc49q/Whg7FSXMUku1/bMeRFhtuw71ho1UBzaSU= <- my router
endpoint: 82.**.**.102:51820
allowed ips: 10.10.0.2/32
latest handshake: 4 minutes, 41 seconds ago
transfer: 149.86 KiB received, 49.33 KiB sent
I suspect that route is meant to be how traffic leaves the wg0 interface, so if I tick 'Route allowed IPs' in LuCI, my system stops being able to access the internet as wg0 becomes the default route.
How can I configure my wg0 interface to work with the route created by default present?
Happy to provide any additional info.
I tried this both with and without the endpoint route created by luci-wireguard, and in both cases I was unable to access the WAN with the new routes present.
0.0.0.0/1 dev wg0 proto static scope link
default via 82.**.**.1 dev eth0.2
10.0.0.0/24 dev br-lan proto kernel scope link src 10.0.0.1
82.**.**.0/22 dev eth0.2 proto kernel scope link src 82.**.**.102
128.0.0.0/1 dev wg0 proto static scope link
142.93.147.106 via 10.0.0.1 dev br-lan proto static <- also tried without this
142.93.147.106 is the IP of the WireGuard endpoint host. When I stop and start the wg0 interface in LuCI, that route is created. I have been manually deleting it every time to allow the WireGuard interface to exchange traffic.
I have masquerade enabled. My firewall looks like this:
That's what I was missing! I see what that route is meant to do now: without it, there would be no route to the endpoint if the default route changes. With that in mind, I adjusted my routes to the following:
default dev wg0 scope link
10.0.0.0/24 dev br-lan proto kernel scope link src 10.0.0.1
82.**.**.0/22 dev eth0.2 proto kernel scope link src 82.**.**.102
142.93.147.106 via 82.30.88.1 dev eth0.2
And my traffic is going over the WireGuard interface. This is a big improvement.
So if I can configure it to create
142.93.147.106 via 82.**.**.1 dev eth0.2
instead of
142.93.147.106 via 10.0.0.1
It should work with "Route allowed IPs" enabled, which is what I want, so I guess I'm now looking for a way to do that.
I added those routes, but LuCI is still creating the incorrect route via 10.0.0.1:
0.0.0.0/1 dev wg0 proto static scope link
default dev wg0 proto static scope link
10.0.0.0/24 dev br-lan proto kernel scope link src 10.0.0.1
82.**.**.0/22 dev eth0.2 proto kernel scope link src 82.**.**.102
107.181.189.206 via 10.0.0.1 dev br-lan proto static
128.0.0.0/1 dev wg0 proto static scope link
If I manually correct the route to
107.181.189.206 via 82.**.**.1
then everything works with "Route allowed IPs" selected, but that's also the case without the 0.0.0.0/1 and 128.0.0.0/1 routes.
Thanks a lot for your help so far by the way, I have been struggling with this for a long time. Aside from the minor inconvenience of changing the routes, I am at least able to use the VPN.
I found the root cause of the issue. The route is created to the IP LuCI thinks is the default gateway. My LAN bridge had the gateway manually specified as 10.0.0.1. Removing this made LuCI use the WAN device's route, which resulted in the correct route being created and my issue being fully resolved.
Thanks for your help lleachii.
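The two failure modes discussed in this thread (an endpoint route pointing at the router's own LAN address, and, without any endpoint route, the endpoint falling under the 0.0.0.0/1 and 128.0.0.0/1 tunnel routes) can be checked mechanically from `ip route` output. The following is an added example, not code from the thread or from OpenWrt/LuCI: it does a longest-prefix lookup for the peer endpoint and reports whether the table would send handshake packets somewhere sensible. The route tables are constructed to mirror the ones above, with 203.0.113.0/24 standing in for the masked WAN prefix.

```python
import ipaddress

def parse_route(line):
    """Parse one 'ip route' line into net/via/dev/src; other keywords are ignored."""
    toks = line.split()
    dst = "0.0.0.0/0" if toks[0] == "default" else toks[0]
    fields = {"via": None, "dev": None, "src": None}
    for key in fields:
        if key in toks:
            fields[key] = toks[toks.index(key) + 1]
    return {"net": ipaddress.ip_network(dst, strict=False), **fields}

def parse_table(text):
    return [parse_route(l) for l in text.strip().splitlines() if l.strip()]

def lookup(routes, addr):
    """Longest-prefix match: the route the kernel would pick for a packet to addr."""
    addr = ipaddress.ip_address(addr)
    matches = [r for r in routes if addr in r["net"]]
    return max(matches, key=lambda r: r["net"].prefixlen, default=None)

def check_endpoint_route(table_text, endpoint, tunnel_dev="wg0"):
    """Classify how the tunnel's own endpoint would be reached with this table.
    Returns 'ok', 'no-route', 'via-tunnel', 'via-self' or 'gateway-off-link'."""
    routes = parse_table(table_text)
    local_addrs = {r["src"] for r in routes if r["src"]}  # this router's own addresses
    r = lookup(routes, endpoint)
    if r is None:
        return "no-route"
    if r["dev"] == tunnel_dev:
        return "via-tunnel"       # handshake packets would enter the tunnel they set up
    if r["via"] is None:
        return "ok"               # endpoint is directly on-link
    if r["via"] in local_addrs:
        return "via-self"         # e.g. 'via 10.0.0.1' when 10.0.0.1 is our LAN address
    gw = ipaddress.ip_address(r["via"])
    onlink = any(c["dev"] == r["dev"] and c["via"] is None and gw in c["net"] for c in routes)
    return "ok" if onlink else "gateway-off-link"

# Constructed tables modelled on the thread (203.0.113.0/24 replaces the masked WAN prefix).
BROKEN = """
0.0.0.0/1 dev wg0 proto static scope link
default via 203.0.113.1 dev eth0.2
10.0.0.0/24 dev br-lan proto kernel scope link src 10.0.0.1
203.0.113.0/24 dev eth0.2 proto kernel scope link src 203.0.113.102
128.0.0.0/1 dev wg0 proto static scope link
142.93.147.106 via 10.0.0.1 dev br-lan proto static
"""
NO_ENDPOINT_ROUTE = BROKEN.replace("142.93.147.106 via 10.0.0.1 dev br-lan proto static", "")
FIXED = BROKEN.replace("via 10.0.0.1 dev br-lan", "via 203.0.113.1 dev eth0.2")
```

Running `check_endpoint_route(BROKEN, "142.93.147.106")` reproduces the thread's bad state, while the table with the gateway moved to the WAN interface comes back clean.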