Problems configuring Wireguard with Luci

Hi all.
I initially tried to configure a commercial wireguard provider with luci but after getting stuck I set up a droplet to help troubleshoot.
When I stop and start the interface in LuCI, it creates a route for each peer endpoint via 10.0.0.1 (my router IP), which results in me being unable to ping the peer:

default via 82.**.**.1 dev eth0.2 
10.0.0.0/24 dev br-lan proto kernel scope link src 10.0.0.1 
82.**.**.0/22 dev eth0.2 proto kernel scope link src 82.**.**.102 
142.93.147.106 via 10.0.0.1 dev br-lan proto static

After asking on IRC, I established that this is supposed to happen, but I need some clarification on how it works, because if I delete the route, my interface is able to make a handshake and pass traffic:

interface: wg0
  public key: 55Z3kc49q/Whg7FSXMUku1/bMeRFhtuw71ho1UBzaSU=
  private key: (hidden)
  listening port: 51820

peer: TN6WsqbZIhyIs2oUSOwMyJSvGGARxsv7tJGHqP9Ugmk=
  endpoint: 142.93.147.106:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 11 seconds ago
  transfer: 92 B received, 2.05 KiB sent
  persistent keepalive: every 25 seconds

This is the server wg output:

interface: wg0
  public key: TN6WsqbZIhyIs2oUSOwMyJSvGGARxsv7tJGHqP9Ugmk=
  private key: (hidden)
  listening port: 51820

peer: noOoV2rX8RBeNC+mYNSKx1IP59Vc2e9ZyjhDrDgUQlc= <- 2nd droplet to verify server works
  endpoint: 207.154.242.196:51820
  allowed ips: 10.10.0.3/32
  latest handshake: 59 seconds ago
  transfer: 4.78 MiB received, 6.78 MiB sent

peer: 55Z3kc49q/Whg7FSXMUku1/bMeRFhtuw71ho1UBzaSU= <- my router
  endpoint: 82.**.**.102:51820
  allowed ips: 10.10.0.2/32
  latest handshake: 4 minutes, 41 seconds ago
  transfer: 149.86 KiB received, 49.33 KiB sent

I suspect that route is meant to be how traffic leaves the wg0 interface, so if I tick 'Route allowed IPs' in LuCI, my system stops being able to access the internet, as wg0 becomes the default route.
How can I configure my wg0 interface to work with the route that is created by default present?
Happy to provide any additional info.

To be clear:

Do you want wg0 to be for Internet, or just for 10.10.10.x/32?

Yes I want wg0 to be for Internet.

OK. I suggest that you:

  • NOT click "Route allowed IPs"
  • Make static routes for 0.0.0.0/1 and 128.0.0.0/1 to the WG interface for Internet.


I tried this both with and without the endpoint route created by luci-wireguard, and in both cases I was unable to access the WAN with the new routes present.

0.0.0.0/1 dev wg0 proto static scope link 
default via 82.**.**.1 dev eth0.2 
10.0.0.0/24 dev br-lan proto kernel scope link src 10.0.0.1 
82.**.**.0/22 dev eth0.2 proto kernel scope link src 82.**.**.102 
128.0.0.0/1 dev wg0 proto static scope link
142.93.147.106 via 10.0.0.1 dev br-lan proto static <- also tried without this

Did you enable masquerade?

What is this????

142.93.147.106 is the IP of the wireguard endpoint host. When I stop and start the wg0 interface in luci, that route is created. I have been manually deleting it every time to allow the wireguard interface to exchange traffic.

I have masquerade enabled. My firewall looks like this:

This route is wrong unless your Wireguard server is on LAN?

This route likely should be via WAN.


This route likely should be via WAN.

That's what I was missing! I see what that route is meant to do now: without it, there would be no route to the endpoint if the default route changes. With that in mind, I adjusted my routes to the following:

default dev wg0 scope link 
10.0.0.0/24 dev br-lan proto kernel scope link src 10.0.0.1 
82.**.**.0/22 dev eth0.2 proto kernel scope link src 82.**.**.102 
142.93.147.106 via 82.30.88.1 dev eth0.2

And my traffic is going over the wireguard interface. This is a big improvement.
So if I can configure it to create

142.93.147.106 via 82.**.**.1 dev eth0.2

instead of

142.93.147.106 via 10.0.0.1

It should work with "Route allowed IPs" enabled, which is what I want, so I guess I'm now looking for a way to do that.

OK. In order to use route allowed IPs:

Change this WG entry to the following two entries:

  • 0.0.0.0/1
  • 128.0.0.0/1

You should then be able to check "Route allowed IPs."
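The two pieces of advice in this thread (the 0.0.0.0/1 + 128.0.0.0/1 pair instead of a default route, and an endpoint host route that leaves via the WAN gateway rather than via the LAN address) both come down to longest-prefix matching. The following POSIX sh script is an added example, not code from this thread or from OpenWrt/LuCI: it resolves destinations against three constructed route tables modelled on the ones posted above and shows which device each table picks for an internet host and for the WireGuard endpoint. The WAN prefix 82.30.88.0/22 is an assumption standing in for the masked 82.**.**.0/22; the endpoint 142.93.147.106 is the one from the thread.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from OpenWrt/LuCI.
# Resolves destinations against constructed routing tables with longest-prefix
# match to show why 0.0.0.0/1 + 128.0.0.0/1 beat the WAN default route and why
# the WireGuard endpoint needs its own /32 route out of the WAN device.
# Assumption: 82.30.88.0/22 stands in for the masked 82.**.**.0/22 WAN prefix.

# Tables are "prefix device" lines. Gateways are left out because only the
# egress device matters for this check.
NO_HOST_ROUTE='0.0.0.0/1 wg0
128.0.0.0/1 wg0
0.0.0.0/0 eth0.2
10.0.0.0/24 br-lan
82.30.88.0/22 eth0.2'

# The table LuCI generated in the thread: endpoint reachable only via br-lan.
LUCI_TABLE="$NO_HOST_ROUTE
142.93.147.106/32 br-lan"

# The corrected table: endpoint host route out of the WAN device.
FIXED_TABLE="$NO_HOST_ROUTE
142.93.147.106/32 eth0.2"

# ip2int A.B.C.D -> the address as a 32-bit integer
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# mask LEN -> integer netmask for a prefix length of LEN bits (0..32)
mask() {
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
    fi
}

# route_for TABLE DEST -> the egress device chosen by longest-prefix match,
# or "none" if no route covers DEST
route_for() {
    dest=$(ip2int "$2")
    printf '%s\n' "$1" | {
        best_len=-1; best_dev=none
        while read -r prefix dev; do
            net=${prefix%/*}; len=${prefix#*/}
            m=$(mask "$len")
            if [ $(( dest & m )) -eq $(( $(ip2int "$net") & m )) ] \
               && [ "$len" -gt "$best_len" ]; then
                best_len=$len; best_dev=$dev
            fi
        done
        echo "$best_dev"
    }
}

# check_endpoint_route TABLE ENDPOINT WAN_DEV -> success only if the endpoint
# leaves through WAN_DEV. Via wg0 the tunnel packets would be routed back into
# the tunnel; via br-lan they are handed to the router's own LAN address and
# never reach the peer, which is the symptom described in the thread.
check_endpoint_route() {
    [ "$(route_for "$1" "$2")" = "$3" ]
}

# Stand-alone demo: which device each table picks for an internet host and
# for the WireGuard endpoint.
for name in NO_HOST_ROUTE LUCI_TABLE FIXED_TABLE; do
    eval "table=\$$name"
    printf '%-14s 8.8.8.8 -> %-6s  142.93.147.106 -> %s\n' "$name" \
        "$(route_for "$table" 8.8.8.8)" "$(route_for "$table" 142.93.147.106)"
done
```

Nothing here touches the live routing table, so it runs anywhere with a POSIX shell. On the router itself the equivalent live check is `ip route get 142.93.147.106`, which should name the WAN device and its gateway, not br-lan and not wg0. The fix the thread eventually arrived at was to stop giving the LAN interface a gateway of its own; assuming that interface is called lan in UCI, that is `uci -q delete network.lan.gateway && uci commit network` followed by a network restart, after which the generated endpoint route follows the WAN gateway instead of 10.0.0.1.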

I added those routes, but LuCI is still creating the incorrect route via 10.0.0.1:

0.0.0.0/1 dev wg0 proto static scope link 
default dev wg0 proto static scope link 
10.0.0.0/24 dev br-lan proto kernel scope link src 10.0.0.1 
82.**.**.0/22 dev eth0.2 proto kernel scope link src 82.**.**.102 
107.181.189.206 via 10.0.0.1 dev br-lan proto static 
128.0.0.0/1 dev wg0 proto static scope link

If I manually correct the route, to

107.181.189.206 via 82.**.**.1

Then everything works with "Route allowed IPs" selected, but that's also the case without the 0.0.0.0/1 and 128.0.0.0/1 routes.

Thanks a lot for your help so far by the way, I have been struggling with this for a long time. Aside from the minor inconvenience of changing the routes, I am at least able to use the VPN.

I found the root cause of the issue. The route is created to the IP LuCI thinks is the default gateway. My LAN bridge had the gateway manually specified as 10.0.0.1. Removing this made LuCI use the WAN device's route, which resulted in the correct route being created and my issue being fully resolved.
Thanks for your help lleachii.
