Hi,
I have recently installed the wireguard client on my TP-Link TL-MR3420 v5, which already has OpenWRT. The wireguard link to my external server works great; even all clients that connect via wlan0 on openwrt also get connection via wireguard. What I want to achieve is a "private router": wherever I travel I can bring it with me and don't have to set up wireguard clients for each device.
I have three problems related to that:
Because of the routing table created by the wireguard module itself, the connection to my wireguard server (10.0.0.1) is passing through the regular WAN interface, while all other connections to any other IPs are actually going through the wireguard server. What kind of routing (or policy-based VPN routing) shall I apply to fix that?
Signal messenger doesn't work when connected via wlan0; it seems like the mix of double NATing and the fact that its protocol switches between random UDP ports kills it (ref. Signal official page).
DNS leaks: wlan0 clients obtain the DNS server address of my openwrt router. This is the least problematic case; I should find it digging in various DNS options on openwrt.
Destination Gateway Genmask Flags Metric Ref Use Iface
default * 0.0.0.0 U 0 0 0 wg0
10.0.0.0 * 255.255.255.0 U 0 0 0 wg0
X.X.X.X 192.168.0.1 255.255.255.255 UGH 0 0 0 br-wan
192.168.0.0 * 255.255.255.0 U 0 0 0 br-wan
192.168.1.0 * 255.255.255.0 U 0 0 0 wlan0
where
X.X.X.X - my remote wireguard server
10.0.0.0/24 - internal wireguard ip range
192.168.0.0/24 - ISP router ip range
192.168.1.0/24 - OpenWRT router ip range
Don't set as allowed IPs the whole internet (0.0.0.0/0). Set only the IPs you want to route via the wireguard tunnel.
That is too vague to provide any solution. Double NAT should not be a problem. There could be a problem if the port Signal is trying to use is already taken, but this could happen with single NAT too.
I have tried playing with allowed ips in wireguard but no luck. Instead of 0.0.0.0/0 I have set up 192.168.1.1/24, 10.0.0.0/24, but then there is no internet connection at all. What do you suggest setting it to?
My bad, I meant 192.168.1.0/24.
If I understand correctly, that means setting allowed ips to 10.0.0.0/24 and nothing more? My whole wg network is based on the IP range 10.0.0.0/24.
I tried setting allowed ips in wireguard only to 10.0.0.0/24, but that updated my routing table in such a way that now no traffic is going through wireguard; all goes through WAN. Shall I maybe combine it with forwarding rules or zones in openwrt?
My current routing table setup:
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.0.1 0.0.0.0 UG 0 0 0 br-wan
10.0.0.0 * 255.255.255.0 U 0 0 0 wg0
95.183.50.3 192.168.0.1 255.255.255.255 UGH 0 0 0 br-wan
192.168.0.0 * 255.255.255.0 U 0 0 0 br-wan
192.168.1.0 * 255.255.255.0 U 0 0 0 br-lan
Actually when I read my first post now it is confusing for me as well.
I meant that this line:
I suspect it is causing this: if I traceroute ANY ip address (except for my wg server ip address X.X.X.X) I get connection through wireguard, but when I want to use any service on my wg server X.X.X.X it gets connected via normal WAN (traceroute shows that it omits the internal 10.0.0.0/24 ip range and goes directly through WAN). The routing table line mentioned above is probably mandatory for wireguard to work, but is there any fix for that?
Edit. Additionally, on my wireguard server I see all connections to, for example, Apache HTTP as coming from the ISP IP address, not wireguard.
This line is mandatory, otherwise the tunnel cannot work. Everything goes via the wg tunnel, but to reach the public IP of the wg server you must use the regular wan interface, therefore this route is installed.
You can use the tunnel IP 10.0.0.1 if you want to access the server via the tunnel. In case it doesn't work, make sure you have the wg interface in lan firewall zone (or any other zone with proper forwardings).
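To see which destinations leave through the tunnel and which take the WAN route, here is an added example (not from this thread or from OpenWrt) that parses a `route -n` style table like the one posted above and applies longest-prefix matching the way the kernel does. The table is a constructed copy of the first post's routing table, with the documentation address 203.0.113.5 standing in for the poster's X.X.X.X endpoint.

```python
import ipaddress

# Constructed sample in `route -n` output format, mirroring the thread's first
# routing table. 203.0.113.5 is a placeholder for the poster's X.X.X.X endpoint.
ROUTE_TABLE = """\
Destination Gateway Genmask Flags Metric Ref Use Iface
default * 0.0.0.0 U 0 0 0 wg0
10.0.0.0 * 255.255.255.0 U 0 0 0 wg0
203.0.113.5 192.168.0.1 255.255.255.255 UGH 0 0 0 br-wan
192.168.0.0 * 255.255.255.0 U 0 0 0 br-wan
192.168.1.0 * 255.255.255.0 U 0 0 0 wlan0
"""


def parse_routes(text):
    """Return (network, gateway, iface) tuples from route -n / netstat -rn output."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[0] in ("Destination", "Kernel"):
            continue  # header or malformed line
        dest, gateway, genmask, iface = fields[0], fields[1], fields[2], fields[7]
        # route(8) prints 0.0.0.0 as "default" (destination) and "*" (gateway)
        if dest == "default":
            dest = "0.0.0.0"
        if gateway == "*":
            gateway = "0.0.0.0"
        network = ipaddress.ip_network(f"{dest}/{genmask}", strict=False)
        routes.append((network, gateway, iface))
    return routes


def egress(routes, destination):
    """Longest-prefix match: the interface the kernel would pick for `destination`."""
    addr = ipaddress.ip_address(destination)
    best = None
    for network, gateway, iface in routes:
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gateway, iface)
    return best[2] if best else None


def outside_tunnel(routes, destinations, tunnel_iface="wg0"):
    """Destinations whose traffic would bypass the tunnel interface."""
    return [d for d in destinations if egress(routes, d) != tunnel_iface]
```

Running `outside_tunnel` over the addresses your clients actually talk to (DNS resolvers included) shows exactly what is expected to leave via br-wan; with the table above, only the endpoint /32 and the ISP LAN do.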
Right I see, then I have to live with it and use 10.0.0.1 only.
Another thing I have observed that might be related to my 2nd point (signal messenger not working when I have double NAT plus wireguard): when I try to reach my openwrt via wireguard (the openwrt IP in the wireguard network is 10.0.0.10), sftp doesn't really work, and I get connected to the ssh terminal but with constant interruptions; it's not blocked, but connectivity is very limited. I'm also not able to reach the openwrt default site via wireguard at all.
What could be the cause?