When I set 0.0.0.0/0 in the Peer config on the VPS side, it also sets the default gateway for tun0 and then I lose the connection to the VPS.
Option 1: Source NAT the public IPs on the VPS before you put them in the tunnel.
Option 2: Add table = off to the WireGuard config and then set the route on the NAS individually.
I think I don't understand option 1.
How can I set a route manually on OpenWrt and tell it that it depends on a specific network interface? I can add the table = off parameter, but I cannot add a route before enabling the tunnel.
Well, you can source NAT the public IP on the VPS to a private IP of the VPS LAN before you put it in the tunnel.
You would just set a route on the NAS to send all traffic to the VPS. But it would not be the best solution. I would suggest either Option 1 or the proxy solution that @mikma suggested.
The tunnel end is set on the router, not on the NAS, so I need some routing table on OpenWrt.
You can set it after the tunnel comes up via a script.
See https://openwrt.org/docs/guide-user/network/ip_rules for ideas
OK, one more question. Are you sure that the problem is related to the AllowedIPs = 192.168.1.0/24 config line on the VPS side? According to the documentation, "From the server's point of view, the AllowedIPs are IPs that a peer is allowed to use as source IP addresses." It seems to affect only the routing table, but the routing table specifies how to reach 192.168.1.0/24. Why does DNAT simply not work with that setup?
I might have written that misleadingly. But @mikma wrote it more clearly: it is the router config side that needs to change.
But as you figured out, you would need to avoid the automatic route creation on your router.
DNAT works as your destination IP is changed, but the tunnel just rejects your packet as it is not coming from an
OK, this really seems to work this way. I just cannot find how to set the PostUp and PreDown scripts in /etc/config/network ... The OpenWrt wiki does not describe WireGuard well, I think.
I browsed /lib/netifd/proto/wireguard.sh and it seems it does not support such scripts.
I think it can be solved without postup/predown scripts.
Is it possible to add a second IP address to the NAS? If you have a separate IP address that's only used with the WireGuard tunnel, it will be easy to write the ip rule that's required (use "from ").
I think the destination IP (NAS) is not a problem, but the source public IP addresses that are forwarded by the VPS to my LAN are. And since I have to specify 0.0.0.0/0 to make this work, I also have to disable automatic route creation. This means that I am missing the route.
Normally I could use PostUp and PreDown scripts to solve that, but they seem not to be supported by OpenWrt. So I am actually thinking about a netif script in /etc/hotplug.d that will add/remove the route for me.
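An added example of the hotplug approach mentioned above; it is not part of the thread and was not posted by any participant. netifd sources every file in /etc/hotplug.d/iface/ on interface events with ACTION (ifup or ifdown), INTERFACE (the logical name from /etc/config/network) and DEVICE (the kernel device, e.g. tun0) in the environment. The script assumes the WireGuard interface is called vpn, the NAS is 192.168.1.100, and routing table 2 and rule priority 30000 are unused; these names are assumptions, not taken from the thread. It installs a default route for the tunnel in table 2 and a rule that sends only the NAS's traffic to that table, and tears both down again on ifdown. It only makes sense with automatic route creation disabled on the peer (table = off, or route_allowed_ips off in UCI), otherwise the 0.0.0.0/0 route still lands in the main table and takes the whole LAN down the tunnel.

```shell
#!/bin/sh
# /etc/hotplug.d/iface/90-vpn-pbr  (added example, not from the thread)
#
# netifd sources this on every interface event and exports:
#   ACTION    ifup | ifdown
#   INTERFACE logical interface name from /etc/config/network
#   DEVICE    kernel device, e.g. tun0
# Assumed names, overridable from the environment:
VPN_IFACE="${VPN_IFACE:-vpn}"        # logical name of the WireGuard interface
NAS_IP="${NAS_IP:-192.168.1.100}"    # only this host is routed through the tunnel
PBR_TABLE="${PBR_TABLE:-2}"          # dedicated routing table for the tunnel
PBR_PRIO="${PBR_PRIO:-30000}"        # ip rule priority

# Print, one per line, the ip(8) commands for an action. Generation is kept
# separate from execution so the logic can be reviewed or tested without
# root or a live tunnel.
pbr_cmds() {
    action="$1"
    dev="$2"
    rule="from $NAS_IP/32 lookup $PBR_TABLE priority $PBR_PRIO"
    case "$action" in
        ifup)
            # delete first so a repeated ifup does not stack duplicate rules
            printf 'ip rule del %s\n' "$rule"
            printf 'ip route replace default dev %s table %s\n' "$dev" "$PBR_TABLE"
            printf 'ip rule add %s\n' "$rule"
            ;;
        ifdown)
            printf 'ip rule del %s\n' "$rule"
            printf 'ip route flush table %s\n' "$PBR_TABLE"
            ;;
        *)
            return 1
            ;;
    esac
}

# True only for the tunnel interface; ifup/ifdown of lan, wan etc. is ignored.
pbr_relevant() {
    [ "$1" = "$VPN_IFACE" ]
}

# Entry point when run by hotplug. Each generated command is logged and run
# (unquoted $cmd is intentional: the string is split into command and args).
# A failing 'ip rule del' on the very first ifup is expected and only logged.
if [ -n "$ACTION" ] && pbr_relevant "$INTERFACE"; then
    pbr_cmds "$ACTION" "$DEVICE" | while read -r cmd; do
        logger -t vpn-pbr "$ACTION $INTERFACE: $cmd"
        $cmd 2>/dev/null || logger -t vpn-pbr "exit $? from: $cmd"
    done
fi
```

With the peer's 0.0.0.0/0 AllowedIPs no longer installed in the main table, the other LAN clients keep their normal default route, while replies from the NAS to the public clients the VPS forwards are matched by the from 192.168.1.100/32 rule and leave through tun0, which is what the DNAT on the VPS needs. To inspect what the script would do without touching the kernel, source it in a shell and call pbr_cmds ifup tun0; the event handler at the bottom stays inactive because ACTION is unset.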
uci set network.lan.ip4table="1"
uci set network.tun0.ip4table="2"
uci set network.@wireguard_tun0[0].route_allowed_ips="1"
uci -q delete network.@wireguard_tun0[0].allowed_ips
uci add_list network.@wireguard_tun0[0].allowed_ips="0.0.0.0/0"
uci -q delete network.lan_vpn
uci set network.lan_vpn="rule"
uci set network.lan_vpn.in="lan"
uci set network.lan_vpn.src="192.168.1.100/32"
uci set network.lan_vpn.lookup="2"
uci set network.lan_vpn.priority="30000"
uci commit network
/etc/init.d/network restart
When I manually add a route by executing
ip r a 192.168.0.0/16 dev tun0
then the VPN works as expected, and when I try to connect via SSH to the public IP, I see packets on my router, but I don't see them on my NAS.
When I reconfigure the network as @vgaetera suggested, then I have no internet access from my NAS, and when I try to connect via SSH to the public IP, I successfully connect to the VPS. It's like the traffic goes from the VPS to my router and then goes back to the VPS somehow?
Collect the diagnostics from both the router and the VPS and post them to pastebin.com, redacting the private parts:
uci show network
uci show firewall
uci show dhcp
wg show
ip address show
ip route show table all
ip rule show
iptables-save -c
nft list ruleset
Do you have any ideas what is wrong?
Your VPS and router firewalls restrict traffic and port forwarding:
# VPS
iptables -A FORWARD -i tun0 -j ACCEPT

# OpenWrt
uci -q delete firewall.lan_vpn
uci set firewall.lan_vpn="forwarding"
uci set firewall.lan_vpn.src="lan"
uci set firewall.lan_vpn.dest="vpn"
uci -q delete firewall.vpn_lan
uci set firewall.vpn_lan="forwarding"
uci set firewall.vpn_lan.src="vpn"
uci set firewall.vpn_lan.dest="lan"
uci commit firewall
/etc/init.d/firewall restart
The config can be simplified if you assign both LAN and VPN networks to the LAN firewall zone.
After adding these on both the router and the VPS, I have Internet access on my NAS, and curl -s checkip.dyndns.org shows that my IP is the one assigned to the VPS, so this seems to work. But unfortunately I don't have Internet on any of the other devices connected to the router. I think that there is a problem with the routing tables:
config interface 'lan'
	option ip4table '1'

config interface 'vpn'
	option ip4table '2'

config rule 'lan_vpn'
	option in 'lan'
	option src '192.168.1.100'
	option lookup '2'
	option priority '30000'
When I set route_allowed_ips to 0, I again have Internet working, but the NAS is also inaccessible via the VPS's public IP address. Should I do anything else to make it work? The actual problem is that it wants to route either all traffic via the VPN or none.
I have one more question. After adding /32 netmask everything works correctly now, except 1 thing.
When I try to reach the NAS from the LAN (i.e. my computer) I get a connection timeout. Tcpdump shows traffic on the router, but not on the NAS. On the router it says that all packets are dropped by the interface. What else do I miss?
When I check my IP from the NAS, I get the IP of the VPS, and when I access the NAS via the VPS's IP from outside my network, everything works perfectly. Also, traffic from other devices is not routed via the VPN.
Access the NAS with its internal IP (192.168.1.100) not by the public IP you are forwarding from the VPS.