Router to Router WireGuard - Setting up routes?

I have successfully setup wireguard on two openwrt routers. Each shows a recent "Latest handshake".

The trouble I'm having is the ability to access resources from one network to the other.

Network A: 172.16.10.0/24 (Wireguard IP 10.1.1.1)
Network B: 192.168.1.0/24 (WireGuard IP 10.1.1.2)
Laptop: 172.16.10.100
Server: 192.168.1.100

From Laptop I can ping 10.1.1.1 successfully.
From Laptop I cannot ping 10.1.1.2 or 192.168.1.100.

Is there something additional (static routes?) that needs to be setup for Laptop to access anything on Network B?

Let me know if I left any helpful details out.

Network Diagram: https://i.postimg.cc/bv9JdQXw/2019-02-25-Open-WRT-Wireguard-Diagram.png

Yes, you need to define the allowed IPs for each peer and tick "route allowed IPs".
At home router you need to allow 10.1.1.2/32 and 192.168.1.0/24
At office router 10.1.1.1/32 and 172.16.10.0/24

I tried that with "route allowed IPs" - after running into issues I decided to use 0.0.0.0/0, ::/0 on both routers for troubleshooting but received the same results.

While I don't think I'm a complete noob at networking, it certainly isn't my strongest point. I'm at a loss as to why a fairly basic setup wouldn't allow communication via the WireGuard VPN.

Any other common gotchas with this sort of setup?

I have the firewall zone for the WG interfaces (on each router) using the "LAN" firewall zone.

One step at a time.
Apply the routes as I mentioned in my previous post, then issue the following commands on both routers and post the output here.

ip -4 addr
ip -4 ro
ip -4 ru
cat /etc/config/network
cat /etc/config/firewall

You should not use 0.0.0.0/0 for allowed IPs on a peer, unless that peer is your VPN gateway to the entire Internet.

You could, if you have only one peer, don't use "route allowed IPs", and configure the routes another way, statically or with a dynamic routing protocol.


Ok - that works for me, one step at a time =)

Regarding applying routes, you are only referring to the "route allowed IPs" checkbox, yes? This is the only type of route I have added thus far - i.e. no static routes have been manually added.

ip -4 addr:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
12: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 172.16.10.1/24 brd 172.16.10.255 scope global br-lan
       valid_lft forever preferred_lft forever
13: eth1.2@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet XX.XX.XX.XX/23 brd XX.XX.XX.255 scope global eth1.2
       valid_lft forever preferred_lft forever
14: WG: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.1.1.1/32 brd 255.255.255.255 scope global WG
       valid_lft forever preferred_lft forever

ip -4 ro:

default via XX.XX.XX.1 dev eth1.2 proto static src XX.XX.XX.XX 
XX.XX.XX.0/23 dev eth1.2 proto kernel scope link src XX.XX.XX.XX 
172.16.10.0/24 dev br-lan proto kernel scope link src 172.16.10.1 

ip -4 ru:

0:  from all lookup local 
32766:  from all lookup main 
32767:  from all lookup default

/etc/config/network

# /etc/config/network as posted for the home router (WAN details and keys
# redacted by the poster).
config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'XX:XX:XX::/48'

config interface 'wan'
    option proto 'dhcp'
    option delegate '0'
    # ISP-supplied resolvers are ignored (peerdns '0'); Quad9 is used instead.
    option peerdns '0'
    option dns '9.9.9.9 149.112.112.112'
    option hostname 'HomeRouter'
    option broadcast '1'
    option macaddr 'XX:XX:XX:XX:XX:XX'
    option ifname 'eth1.2'

config interface 'wan6'
    option ifname 'eth1.2'
    option proto 'dhcpv6'
    option auto '0'

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option vid '1'
    option ports '0 1 2 3 5t'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '4 6t'
    option vid '2'

config interface 'lan'
    option type 'bridge'
    option proto 'static'
    option ifname 'eth0.1'
    option ipaddr '172.16.10.1'
    option netmask '255.255.255.0'
    option macaddr 'XX:XX:XX:XX:XX:XX'
    option ip6assign '64'

# The WireGuard tunnel interface. The address carries no prefix length, which
# is why 'ip -4 addr' above shows it as 10.1.1.1/32; the reply below asks for
# a wider prefix.
config interface 'WG'
    option proto 'wireguard'
    # private key redacted by the poster
    option private_key 'XXX-HOME='
    option listen_port '51820'
    list addresses '10.1.1.1'

# Peer section for the office router.
# NOTE(review): 0.0.0.0/0 and ::/0 accept any source address arriving from
# this peer and, with 'route allowed IPs' on, would send the whole routing
# table through the tunnel; the thread recommends 10.1.1.2/32 plus
# 192.168.1.0/24 instead.
# NOTE(review): no 'option route_allowed_ips' appears here, and 'ip -4 ro'
# above shows no route via WG at all - consistent with the checkbox being off
# in this snapshot, which alone would explain why 10.1.1.2 and 192.168.1.0/24
# are unreachable from the laptop.
# NOTE(review): no endpoint_host is set, so this side presumably waits for the
# office router to initiate the handshake - TODO confirm.
config wireguard_WG
    option public_key 'XXX-OFFICE='
    list allowed_ips '0.0.0.0/0'
    list allowed_ips '::/0'
    option endpoint_port '51820'
    option persistent_keepalive '25'

/etc/config/firewall

# /etc/config/firewall as posted for the home router. The stock WAN input
# rules and IPv6 rules are left as-is; the zone definitions and the
# WireGuard-related entries at the end are what matter for the tunnel.
config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fc00::/6'
    option dest_ip 'fc00::/6'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

# Global defaults: forwarding between zones is REJECTed unless a zone's own
# 'forward' or a 'config forwarding' entry allows it.
config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option drop_invalid '1'
    option forward 'REJECT'

# WAN zone: inbound is REJECTed by default and outbound is NATed (masq).
# Inbound UDP/51820 for the tunnel therefore needs an explicit ACCEPT rule;
# the reply below adds one in place of the DNAT redirect further down.
config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option masq '1'
    option mtu_fix '1'
    option network 'wan wan6'
    option forward 'REJECT'

# Custom rules file, contents not shown in this thread; anything in it could
# also affect forwarding through the tunnel.
config include
    option path '/etc/firewall.user'

# UPnP firewall hooks are included (the miniupnpd service itself is not shown
# here); if it runs, LAN hosts can open inbound WAN ports on their own - not
# related to the tunnel, but part of this router's exposure.
config include 'miniupnpd'
    option type 'script'
    option path '/usr/share/miniupnpd/firewall.include'
    option family 'any'
    option reload '1'

# BCP38 ingress filtering; it acts on the WAN interface, so it should not
# touch traffic inside the tunnel - TODO confirm.
config include 'bcp38'
    option type 'script'
    option path '/usr/lib/bcp38/run.sh'
    option family 'IPv4'
    option reload '1'

# LAN zone, with the WG tunnel as a member: input and forward are ACCEPT, so
# every host reached through the tunnel (all of Network B) is trusted exactly
# like a local LAN host. Reasonable for a site-to-site link between two
# networks you control; a dedicated zone with explicit forwardings would let
# you restrict that later.
# NOTE(review): 'wg' matches no interface in /etc/config/network above (only
# 'WG' is defined) - presumably a leftover from an earlier attempt.
config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option network 'lan wg WG'

# NOTE(review): 10.1.1.1 is the router's own tunnel address (see 'ip -4 addr'
# above), so this DNATs inbound WAN traffic for UDP/51820 to the router
# itself. The reply below drops this redirect in favour of a plain ACCEPT
# 'config rule' for the same port.
config redirect
    option target 'DNAT'
    option src 'wan'
    option dest 'lan'
    option proto 'udp'
    option src_dport '51820'
    option dest_ip '10.1.1.1'
    option dest_port '51820'
    option name 'wg'

# The only inter-zone forwarding: lan (which includes WG) -> wan, so hosts
# arriving via the tunnel could also reach the Internet through this router's
# NAT if the other side routes that way.
config forwarding
    option dest 'wan'
    option src 'lan'

Correct

The WG address needs a bigger prefix, e.g. 10.1.1.1/24 (or at least /30).
So in /etc/config/network, under the WG interface, change `list addresses '10.1.1.1'`
into `list addresses '10.1.1.1/24'`.
Also, in the config wireguard_WG section, remove 0.0.0.0/0 and ::/0 from list allowed_ips and add 10.1.1.2/24 and 192.168.1.0/24. Also tick "route allowed IPs".

Finally, remove this whole redirect:

config redirect
    option target 'DNAT'
    option src 'wan'
    option dest 'lan'
    option proto 'udp'
    option src_dport '51820'
    option dest_ip '10.1.1.1'
    option dest_port '51820'
    option name 'wg'

You need a rule instead:

config rule
    option name 'wg'
    option src 'wan'
    option proto 'udp'
    option dest_port '51820'
    option target 'ACCEPT'
    option family 'ipv4'

Make the appropriate changes on both sides and try again.
If it doesn't work, post the same list of things again so we can see what may be wrong.
