Routing setup for WG-VPN setup

Hello Experts!

I would like to invite your opinions on a working WG-VPN setup.

I installed a wireguard vpn server on my LinkSys-EA8300 running OpenWrt 23.05.3. The vpn is working well. I didn't want to mix it with br-lan. So I created a separate network interface wglan. I included it in br-lan's firewall zone lanfwz.

I wanted wglan's and br-lan's clients to communicate with each other. When I began testing, I found that wglan's clients did not see each other. So I added a pbr rule wglan-2-wglan which preroutes the traffic destined to wglan to its intended destination. Now my wglan clients could see and communicate with each other.

The next logical step would be creating another rule for the traffic originating from br-lan and destined to wglan. I just did that, and br-lan's clients began communicating with wglan's clients.

The question is, is this a correct way to accomplish the goal? Is there any alternative method? Perhaps an elegant way to let br-lan and wglan see each other? The pbr rules look a bit messed up and somewhat cumbersome to maintain.

Thanks for reading.

-Gamma
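To make the question concrete, here is the path of one packet between two wglan peers as an added worked model (not part of Gamma's post and not OpenWrt code): it applies the kernel route lookup, then the fw4 zone forward decision, then WireGuard's cryptokey routing, i.e. the allowed_ips longest-prefix match that decides which peer a packet leaving wglan is encrypted to. The tables mirror the posted network and firewall config; the second wglan peer ("laptop", 192.168.11.4/32) is assumed for illustration, and pbr is deliberately left out because its policies are not posted.

```python
"""Trace a forwarded packet on the router: route lookup, fw4 zone forward
decision, then WireGuard cryptokey routing when the egress is a wg interface.
Added example, not from the thread; tables mirror the posted config, the
'laptop' peer is assumed, pbr is left out."""
import ipaddress

# Peers per WireGuard interface (constructed from the posted config; the
# 'laptop' peer and its /32 are assumed for illustration).
WG_PEERS = {
    "wglan": {"iPhone": ["192.168.11.3/32"], "laptop": ["192.168.11.4/32"]},
    "wgcloud": {"cloud": ["0.0.0.0/0", "::/0"]},
}
# Routes netifd installs from the posted addresses. wgcloud gets no default
# route because Route Allowed IPs is off on that client.
ROUTES = {"192.168.0.0/24": "br-lan", "192.168.11.0/24": "wglan"}
# fw4 zone membership and policies from the posted /etc/config/firewall.
ZONE_OF = {"br-lan": "lanfwz", "wglan": "lanfwz", "wan": "wanfwz", "wgcloud": "wanfwz"}
ZONE_FORWARD = {"lanfwz": "ACCEPT", "wanfwz": "REJECT"}
FORWARDINGS = {("lanfwz", "wanfwz")}          # the 'config forwarding' sections


def longest_match(dst, prefixes):
    """Longest-prefix match of dst against CIDR strings; None when nothing matches."""
    addr, best = ipaddress.ip_address(dst), None
    for p in prefixes:
        net = ipaddress.ip_network(p)
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return None if best is None else str(best)


def route_lookup(dst):
    """Egress device for dst from the kernel routing table, or None."""
    return ROUTES.get(longest_match(dst, ROUTES))


def forward_allowed(in_dev, out_dev):
    """fw4 forward decision: same zone -> that zone's forward policy;
    different zones -> only if a forwarding section exists."""
    s, d = ZONE_OF[in_dev], ZONE_OF[out_dev]
    return ZONE_FORWARD[s] == "ACCEPT" if s == d else (s, d) in FORWARDINGS


def cryptokey_peer(dev, dst):
    """WireGuard encrypts to the peer whose allowed_ips has the longest match
    for dst, and silently drops the packet when no peer claims the address."""
    best_len, best = -1, None
    for peer, allowed in WG_PEERS[dev].items():
        hit = longest_match(dst, allowed)
        if hit is not None and ipaddress.ip_network(hit).prefixlen > best_len:
            best_len, best = ipaddress.ip_network(hit).prefixlen, peer
    return best


def trace(in_dev, dst):
    """Return ('ok', out_dev, peer_or_None) or ('drop', reason)."""
    out_dev = route_lookup(dst)
    if out_dev is None:
        return ("drop", "no route")
    if not forward_allowed(in_dev, out_dev):
        return ("drop", f"fw4 forward {ZONE_OF[in_dev]} -> {ZONE_OF[out_dev]}")
    if out_dev in WG_PEERS:                       # hairpin back into the tunnel
        peer = cryptokey_peer(out_dev, dst)
        if peer is None:
            return ("drop", f"{out_dev}: no peer has {dst} in allowed_ips")
        return ("ok", out_dev, peer)
    return ("ok", out_dev, None)


if __name__ == "__main__":
    for case in [("wglan", "192.168.11.4"), ("br-lan", "192.168.11.3"),
                 ("wglan", "192.168.0.15"), ("wglan", "192.168.11.9"),
                 ("wgcloud", "192.168.0.15")]:
        print(*case, "->", trace(*case))
```

The fourth case is the classic hub-and-spoke failure: a destination that no peer lists in allowed_ips is dropped by WireGuard without any ICMP error, so from the client's side it looks identical to a firewall drop. The same check runs on ingress too: a packet arriving from a peer with a source address outside that peer's allowed_ips is discarded the same silent way.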

Please connect to your OpenWRT device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall

Hi @egc,

Sorry for the delay. My LinkSys just crashed before I could take a LuCI backup. Don't know why. I restored to a working profile and hence will have to manually create the wg-lan. Please bear with me.

Thank you!

-Gamma

Hello @egc,

Thank you for your patience. After struggling for a couple of days I am now able to achieve a semi-stable state which persists instead of crashing after a reboot.

Here are the details you requested :

  1. ubus call system board
root@iStation:~# ubus call system board
{
        "kernel": "5.15.150",
        "hostname": "iStation.lan",
        "system": "ARMv7 Processor rev 5 (v7l)",
        "model": "Linksys EA8300 (Dallas)",
        "board_name": "linksys,ea8300",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "ipq40xx/generic",
                "description": "OpenWrt 23.05.3 r23809-234f1a2efa"
        }
}
  2. cat /etc/config/network
root@iStation:~# cat /etc/config/network

config globals 'globals'
        option ula_prefix 'fdfa:ke00:this::/48'

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config device
        option name 'lan1'
        option macaddr 'fa:ke:fa:ke:00:01'

config device
        option name 'lan2'
        option macaddr 'fa:ke:fa:ke:00:02'

config device
        option name 'lan3'
        option macaddr 'fa:ke:fa:ke:00:03'

config device
        option name 'lan4'
        option macaddr 'fa:ke:fa:ke:00:04'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ip6assign '62'
        list ipaddr '192.168.0.1/24'
        list ip6class 'wan6'
        list ip6class 'local'
        list dns '10.0.0.1'
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        list dns '192.168.0.1'

config device
        option name 'wan'
        option macaddr 'fa:ke:fa:ke:00:05'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option norelease '1'
        option reqopts '43'
        option hostname '*'
        option delegate '0'
        option peerdns '0'
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        list dns '10.0.0.1'

config interface 'wan6'
        option proto 'dhcpv6'
        option reqprefix '60'
        option peerdns '0'
        option reqaddress 'try'
        option device '@wan'
        option sourcefilter '0'

config device 'guest_dev'
        option type 'bridge'
        option name 'br-guest'

config interface 'guestif'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.169.999.1'
        option netmask '255.255.255.0'
        option type 'bridge'
        option delegate '0'

config interface 'tun0if'
        option proto 'none'
        option device 'tun0'
        option delegate '1'

config interface 'wgcloud'
        option proto 'wireguard'
        option private_key 'thisJisLasfakeRkeydHoEhwoverwrittenbpMtPlEI='
        list addresses '10.56.0.29'
        list dns '172.27.27.21'

config wireguard_wgcloud
        option description 'Imported peer configuration'
        option public_key '4EZOaSthisKisuaGfakenkeynoverwrittenst2E6AM='
        option preshared_key 'qlzYfakekeyi+credactedRpqvrgdTn9zfdama6aIvA='
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option endpoint_host 'icloud.dynu.com'
        option endpoint_port '51820'

config interface 'wglan'
        option proto 'wireguard'
        option private_key 'EGhSLxthislis3aJfakeDkeyZnoDuse/BUO/gDZgi3U='
        option listen_port '51820'
        option mtu '400'
        list addresses '192.168.11.1/24'

config wireguard_wglan
        option description 'iPhone'
        option public_key 'fakekeyr4u+IPLfakekeyys2mebn08fakekeypssbEo='
        option private_key 'fakekeyoomTcKv7BTnFfakekeyZpI3JY7v6UCldyVFM='
        option preshared_key 'fakekeyJredactedJforYVCGsecurityUrKRYgCZlIg='
        option persistent_keepalive '25'
        list allowed_ips '192.168.11.3/32'

  3. cat /etc/config/firewall
     I have omitted the disabled fw rules.
root@iStation:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option flow_offloading '1'
        option flow_offloading_hw '1'
        option synflood_protect '1'

config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option name 'lanfwz'
        list network 'lan'
        list network 'VOIPIF'
        list network 'wglan'

config zone
        option output 'ACCEPT'
        option mtu_fix '1'
        option name 'wanfwz'
        option masq '1'
        option input 'REJECT'
        option forward 'REJECT'
        list network 'wan'
        list network 'wan6'
        list network 'wgcloud'

config forwarding
        option src 'lanfwz'
        option dest 'wanfwz'

config rule
        option name 'Allow-DHCP-Renew'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'
        option src 'wanfwz'

config rule
        option name 'Allow-Ping'
        option proto 'icmp'
        option family 'ipv4'
        option target 'ACCEPT'
        list icmp_type 'echo-request'
        option src 'wanfwz'

config rule
        option name 'Allow-IGMP'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'
        option src 'wanfwz'

config rule
        option name 'Allow-DHCPv6'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'
        option src 'wanfwz'

config rule
        option name 'Allow-MLD'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'
        option src 'wanfwz'

config rule
        option name 'Allow-ICMPv6-Input'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option src 'wanfwz'

config rule
        option name 'Allow-ICMPv6-Forward'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option src 'wanfwz'

config rule
        option name 'Allow-IPSec-ESP'
        option proto 'esp'
        option target 'ACCEPT'
        option dest 'lanfwz'
        option src 'wanfwz'

config rule
        option name 'Allow-ISAKMP'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
        option dest 'lanfwz'
        option src 'wanfwz'

config include
        option path '/etc/firewall.user'

config redirect
        option dest 'lanfwz'
        option target 'DNAT'
        option name 'temp-pc-access'
        option src 'wanfwz'
        option src_dport 'nmnm'
        option dest_ip '192.168.0.15'
        option dest_port 'nnnm'

config redirect
        option dest_port '22'
        option target 'DNAT'
        option dest_ip '192.168.0.1'
        option src_dport 'nnnn'
        option dest 'lanfwz'
        option src 'wanfwz'
        option name 'ssh-on-wan'

config zone
        option name 'tun0fwz'
        option mtu_fix '1'
        option input 'REJECT'
        option masq '1'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'tun0if'

config redirect
        option dest_port '22'
        option src 'tun0fwz'
        option name 'ssh on tun0'
        option src_dport 'nnnn'
        option target 'DNAT'
        option dest 'lanfwz'
        option dest_ip '192.168.0.1'

config zone 'guest'
        option name 'guestfwz'
        option output 'ACCEPT'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        list network 'guestif'

config rule 'guest_dns'
        option name 'Allow-DNS-Guest'
        option dest_port '53'
        option proto 'tcp udp'
        option target 'ACCEPT'
        option src 'guestfwz'

config rule 'guest_dhcp'
        option name 'Allow-DHCP-Guest'
        option dest_port '67'
        option proto 'udp'
        option family 'ipv4'
        option target 'ACCEPT'
        option src 'guestfwz'

config rule
        option src 'wanfwz'
        option target 'ACCEPT'
        option name 'SkyRouter1'
        option dest 'lanfwz'
        list dest_ip '::0001:0000:0000:0000:0001/::00ff:ffff:ffff:ffff:ffff'
        option family 'ipv6'
        list proto 'all'

config forwarding
        option dest 'wanfwz'
        option src 'guestfwz'

config forwarding
        option dest 'guestfwz'
        option src 'lanfwz'

config forwarding
        option dest 'tun0fwz'
        option src 'guestfwz'

config forwarding
        option src 'guestfwz'
        option dest 'lanfwz'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/firewall.include'

config redirect
        option dest 'lanfwz'
        option target 'DNAT'
        option name 'wglan-ingress'
        list proto 'udp'
        option src 'wanfwz'
        option src_dport '51820'
        option dest_ip '192.168.11.1'
        option dest_port '51820'

I think you might need to look at pbr rules. But I am not sure which ones. Please let me know if you need any other details.

Thank you once again. :slight_smile:

-Gamma

I was away yesterday so could not look at it earlier, but I think there are a few things which need attention:

Maybe it is a copy-paste error, but an IP address of '192.169.999.1' cannot be right; it has to be 192.168.X.X where X is 1-254.

A simple ACCEPT rule is enough to accept the WG server's port; a DNAT rule usually works, but not always.

so replace this

with

config rule 'wg'
	# src must name the zone as it exists on this router: the posted config
	# calls the WAN zone 'wanfwz', and fw4 skips a rule whose zone does not exist
	option name 'Allow-WireGuard'
	option src 'wanfwz'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

The MTU of the WG interface is way too low:

The usual MTU is 1420. It could be too high, which can result in slow or hanging connections, no streaming media and some sites not loading, but I have never seen it need to be lower than 1200.

About PBR: that is necessary as you are running a WG client (wgcloud) and a WG server (wglan).
You do not have Route Allowed IPs enabled on the WG client, so you will not have a default route, which is fine as that will allow you to reach your server on the WAN.
So you simply use PBR rules to shuttle the traffic you want via the WG client.
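To mechanise the checks in the reply above, here is an added Python linter (not egc's code and not OpenWrt's) run over a constructed excerpt of the posted config: it parses UCI text, flags a DNAT redirect whose dest_ip is one of the router's own addresses, flags a WireGuard listen_port that has no ACCEPT input rule, and emits the uci commands for the replacement rule using the zone name the posted config actually has ('wanfwz'). Two further checks are this example's own: the 1280-octet minimum link MTU that RFC 8200 requires for IPv6, and a peer section that keeps the peer's private key on the router. The finding codes are invented labels.

```python
"""Lint an OpenWrt UCI firewall/network dump for the points raised in this thread.
Added example, not egc's or OpenWrt's code; the config text below is a constructed
excerpt of Gamma's posted /etc/config/firewall and /etc/config/network."""
import shlex

FIREWALL = """
config zone
    option name 'wanfwz'
    option input 'REJECT'
    list network 'wan'
config redirect
    option name 'wglan-ingress'
    option target 'DNAT'
    option src 'wanfwz'
    list proto 'udp'
    option src_dport '51820'
    option dest_ip '192.168.11.1'
    option dest_port '51820'
"""
# The same excerpt with the redirect replaced by egc's ACCEPT rule.
FIREWALL_FIXED = FIREWALL.split("config redirect")[0] + """
config rule 'wg'
    option name 'Allow-WireGuard'
    option src 'wanfwz'
    option dest_port '51820'
    option proto 'udp'
    option target 'ACCEPT'
"""
NETWORK = """
config interface 'lan'
    option proto 'static'
    list ipaddr '192.168.0.1/24'
config interface 'wglan'
    option proto 'wireguard'
    option listen_port '51820'
    option mtu '400'
    list addresses '192.168.11.1/24'
config wireguard_wglan
    option description 'iPhone'
    option public_key 'REDACTED'
    option private_key 'REDACTED'
    list allowed_ips '192.168.11.3/32'
"""


def parse_uci(text):
    """Parse UCI text into sections: {type, name, options {k: v}, lists {k: [v, ...]}}."""
    sections, cur = [], None
    for line in text.splitlines():
        parts = shlex.split(line)                      # honours 'quoted values'
        if not parts:
            continue
        if parts[0] == "config":
            cur = {"type": parts[1], "name": parts[2] if len(parts) > 2 else None, "options": {}, "lists": {}}
            sections.append(cur)
        elif parts[0] == "option":
            cur["options"][parts[1]] = parts[2] if len(parts) > 2 else ""
        elif parts[0] == "list":
            cur["lists"].setdefault(parts[1], []).append(parts[2] if len(parts) > 2 else "")
    return sections


def values(sec, key):
    """Option value (if set) followed by the list entries for key."""
    return ([sec["options"][key]] if key in sec["options"] else []) + sec["lists"].get(key, [])


def lint(firewall_text, network_text):
    """Return (findings, fixes): (code, message) pairs and the uci commands that apply the fix."""
    fw, net = parse_uci(firewall_text), parse_uci(network_text)
    findings, fixes = [], []
    self_addrs = {v.split("/")[0] for s in net if s["type"] == "interface"
                  for v in values(s, "ipaddr") + values(s, "addresses")}
    upstream = next((s["options"]["name"] for s in fw if s["type"] == "zone"
                     and "wan" in s["lists"].get("network", [])), "wan")
    # 1. DNAT to an address of the router itself: that traffic is INPUT, not a forward,
    #    so an ACCEPT rule is the right tool and the redirect can be deleted.
    for idx, s in enumerate(x for x in fw if x["type"] == "redirect"):
        if s["options"].get("target") == "DNAT" and s["options"].get("dest_ip") in self_addrs:
            findings.append(("DNAT_TO_SELF", f"redirect '{s['options'].get('name', idx)}' DNATs to "
                             f"the router's own address {s['options']['dest_ip']}"))
            fixes.append(f"uci delete firewall.@redirect[{idx}]")
    for s in (x for x in net if x["options"].get("proto") == "wireguard"):
        # 2. The listen_port needs an ACCEPT input rule (a rule without 'dest') from the upstream zone.
        port = s["options"].get("listen_port")
        if port and not any(r["type"] == "rule" and r["options"].get("target") == "ACCEPT"
                            and "dest" not in r["options"] and port in values(r, "dest_port")
                            and "udp" in " ".join(values(r, "proto")) for r in fw):
            findings.append(("WG_PORT_NO_ACCEPT_RULE", f"{s['name']}: no ACCEPT input rule for udp/{port}"))
            fixes += ["uci add firewall rule", "uci set firewall.@rule[-1].name='Allow-WireGuard'",
                      f"uci set firewall.@rule[-1].src='{upstream}'", f"uci set firewall.@rule[-1].dest_port='{port}'",
                      "uci set firewall.@rule[-1].proto='udp'", "uci set firewall.@rule[-1].target='ACCEPT'"]
        # 3. RFC 8200 requires every link to carry 1280-octet packets; below that IPv6 cannot use the tunnel.
        if int(s["options"].get("mtu", 1420)) < 1280:
            findings.append(("MTU_BELOW_IPV6_MIN", f"{s['name']}: mtu {s['options']['mtu']} < 1280"))
    # 4. The handshake never uses a peer's private key; LuCI stores it to render the client config/QR
    #    code, so leaving it here means a router compromise also yields the client's identity.
    for s in (x for x in net if x["type"].startswith("wireguard_") and "private_key" in x["options"]):
        findings.append(("PEER_PRIVATE_KEY_ON_SERVER",
                         f"peer '{s['options'].get('description', '?')}' keeps its private key on the router"))
    if fixes:
        fixes.append("uci commit firewall && /etc/init.d/firewall restart")
    return findings, fixes


if __name__ == "__main__":
    print(*lint(FIREWALL, NETWORK), sep="\n")
```

Running it on the excerpt reports all four findings and prints the delete/add/commit sequence; running it on FIREWALL_FIXED leaves only the MTU and peer-key findings, which live in /etc/config/network and are not touched by the firewall change.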

Hi @egc,

  1. About the interface guestif : Sorry, it is out of 'production'. Should have omitted that.

  2. About replacing my redirect with your rule : Yes, your replacement worked perfectly. But I don't get the difference. I still need the pbr routings for br-lan and wglan to see each other. They look a bit cluttered. But no worries. They are working. I can live with them.

  3. About the mtu : Yes, it's quite low. Onemarcfifty recommends lowering mtu if there are connection issues from mobile, lte or 4g networks. He has to reduce it to 400. I found this info perfect, as my iPhone does not connect over 4g when mtu > 400. Ref ( 20 seconds ) : https://www.youtube.com/watch?v=Bo2AsW4BMOo&t=6m40s

I appreciate your guidance ! :slight_smile:

-Gamma


Sure you need pbr routings.

The redirect rule usually works but is overly complicated and sometimes causes problems, so why use it?

About the MTU: there is a first for everything, but I have never seen an MTU lower than 1000 be necessary.

P.S.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:

Hi @egc,

Simplification always makes sense! :slight_smile: Thank you for your inputs.

-Gamma

