Routing traffic Wifi -> Wireguard over LAN

Hi all,

I'm running a Wireguard router as server with OpenWrt and another Wireguard OpenWrt router as client. The client router is connected with a Fritzbox over LAN. The server is in another location. Handshake between the server and client is working.

When I'm connected with the client router over Wifi, I have the Fritzbox IP. So the traffic is not routed to the Wireguard router. Please find my Zone config below. I'm running out of ideas and your help is highly appreciated!

This doesn't look right. But it's hard to understand the details of what might be going on here since we need more details.

Can you show us a diagram of the 'client' side network topology, and please post the following configs:

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

Hi psherman, thanks very much for your reply. Please find the output below:

network:

config interface 'loopback'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'
	option device 'lo'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fd1a:9076:d51e::/48'

config interface 'lan'
	option device 'br-lan'
	option proto 'dhcp'

config interface 'wan'
	option proto 'dhcp'
	option peerdns '0'
	option device 'wan'

config interface 'wan6'
	option proto 'dhcpv6'
	option device 'wan'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'

config interface 'trm_wwan'
	option proto 'dhcp'
	option metric '100'
	option device 'wlan1'
	option peerdns '0'

config interface 'trm_wwan6'
	option device '@trm_wwan'
	option proto 'dhcpv6'

config interface 'WG'
	option proto 'wireguard'
	option private_key 'XXXXXXXX'
	list addresses '192.168.9.20/24'
	option peerdns '0'
	list dns '192.168.9.1'

config wireguard_WG
	option description 'RouterNL'
	option public_key 'XXXXXXX'
	option route_allowed_ips '1'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host 'XXXXX.ddnss.de'

config route
	option interface 'WG'
	option target '192.168.178.1'
	option netmask '255.255.255.0'
	option gateway '192.168.178.1'

config route
	option interface 'lan'
	option target '192.168.178.1'
	option netmask '255.255.255.0'
	option gateway '192.168.178.1'

config interface 'lan1'
	option proto 'dhcp'
	option device 'lan1'

firewall:

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option mtu_fix '1'
	option input 'ACCEPT'
	list network 'wan6'
	list network 'trm_wwan6'
	list network 'trm_wwan'
	option forward 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

config redirect
	option target 'DNAT'
	option name 'openvpn'
	list proto 'udp'
	option src 'wan'
	option src_dport '1194'
	option dest 'lan'
	option dest_ip '192.168.1.124'

config redirect
	option target 'DNAT'
	option name 'martini2'
	list proto 'udp'
	option src 'wan'
	option src_dport '1194'
	option dest 'lan'
	option dest_port '1194'
	option dest_ip '192.168.1.124'

config redirect
	option target 'DNAT'
	option name 'martini3'
	list proto 'udp'
	option src 'lan'
	option src_dport '1194'
	option dest 'wan'
	option dest_ip '192.168.1.124'

config zone
	option name 'WGFW'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'WG'

config forwarding
	option src 'lan'
	option dest 'WGFW'

config zone
	option name 'lan1'
	option output 'ACCEPT'
	option input 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option src 'WGFW'
	option dest 'lan'

config forwarding
	option src 'wan'
	option dest 'WGFW'

config forwarding
	option src 'wan'
	option dest 'lan'

config forwarding
	option src 'lan1'
	option dest 'WGFW'

config forwarding
	option src 'lan1'
	option dest 'lan'

I think there are a lot of entries wrong... hope it helps. Thanks again for helping me here!!

Yeah... looking at this, there are probably lots of things that should be changed.

Can you describe your goal with this device? Is it a road-warrior type configuration that will connect to an upstream network (such as at a hotel or cafe) and create a tunnel back to your home (or wherever the remote endpoint is located)?

I have 2 devices. 1 OpenWrt Wireguard endpoint at my home (Location 1) and it is connected to the Internet. And 1 OpenWrt Wireguard client which is behind a Fritzbox (connected with network / lan cable) in another place (Location 2) and also connected to the Internet. I would like to establish a Wireguard tunnel so that my IP in Location 2 is the home IP (Location 1). Wireguard handshake between the two devices is working already.

But when I connect with my phone or laptop via wifi to the OpenWrt client (Location 2), I get the IP of the Fritzbox (Location 2). So the traffic is not routed to Location 1.

Hope this makes it more clear. Thanks very much psherman for your support here.

Any ideas here?

But do you want the internal ip you get to be from location 1 or not?

Yes, exactly. I want the IP from Location 1, so that all devices which are connected to the router in Location 2 have the IP from Location 1.

If you want to create a layer 2 bridge between the physical ports+wifi and server over VPN then you can't use WireGuard or OpenVPN in tun mode directly. You either need to use

  • OpenVPN in tap mode, or
  • a layer 2 tunnel such as GRETAP or VXLAN inside WireGuard or OpenVPN in tun mode.

Then just bridge a VLAN on the switch and the wifi with the VPN tap interface; remember to leave one port so you are able to manage the OpenWrt router.


Sorry for the delay in my response. I had a day of travel followed by a day of all the catchup from travel.

Let's see the configs of both of these devices. Please make it clear which is from location 1 and location 2.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

I would not recommend using an L2 bridge. This is inefficient, and it is also unnecessary in the vast majority of cases. The OP's desired configuration suggests an L3 (routed) configuration should be sufficient.

But from what I see he needs an L2 bridge.

I’m interpreting this as the apparent wan IP. Maybe the op can clarify.


Could it be that the WG client is setup on a dumb AP?

Connected devices will then just bypass the WG client (unless they have their gateway set to the dumb AP or there are unbridged interfaces).

Hi all, thanks very much for your support. I appreciate it!

I try to make it easier. Wireguard does work between Location 2 -> Location 1. My problem is that when I connect with my phone or laptop to the router in Location 2 (which is already connected successfully via Wireguard to Location 1), my devices use the Internet connection (and therefore the IP) from Location 2. But I want all the traffic routed over Wireguard to Location 1.

In Location 2 I have a modem and an OpenWrt router with Wireguard (connected via LAN with the modem). My devices in Location 2 connect via wifi with my OpenWrt router.

Hope I can make it more clear. So from my point of view it is just a routing issue here, because I can see that Location 2 and Location 1 are connected via Wireguard.

Can you post your configurations? Without them, it is not possible to debug (aside from guessing).

Hi psherman, I posted the configurations of my Location 2 router above (post 3) and the router is connected successfully with Location 1 router. Wireguard is working.

The only help I need is how to tell the Location 2 router to route all the wifi traffic through Wireguard and not through the Location 2 Internet connection.

Ok... so I see a few things here:

This suggests that the WG router in location 2 is not the main router. Instead, it seems it is a host on an existing network. Can you confirm this?

Next, assuming that this isn't the main router, what is the upstream connection -- is it via the lan1 or lan2 ethernet ports, or wifi under the Travelmate wan?

You can remove the DNS related entries here. They don't do anything.

Delete these routes -- they are malformed and don't do anything, but they are also not necessary.

Delete this -- you already have br-lan defined with the lan1 port (and the lan network uses br-lan and DHCP client). You can't have the lan1 port assigned to multiple interfaces.

If the device in question here is not the main router, these would have no purpose whatsoever. You can delete them.

Delete this since it is dealing with lan1 which is not useful (and should be deleted per my above comments).

You probably don't want this here... delete this.

And finally, this is not likely necessary unless the other end of the WG tunnel needs to connect to the local lan. (it sounds like it is the other way around).

Fix these things and post your revised network and firewall files for review (please put them in your next post -- don't edit your previous post).

Then, answer the various questions I've asked and we'll figure out the rest (we're cleaning up at the moment, but it still isn't going to change the overall situation... that's coming soon)


My bad... I deleted too much and now I don't have access to my router anymore. Need to reset everything and build new. I'll come back here when it's finished, but no idea when I have the time to do so. Thanks again all for your help.

Hi guys, I did everything new. Here are my client configs. Handshake is working again but traffic still not routed through Wireguard.

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'WLAN0'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

and the network config:

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fd8a:5de2:5558::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'

config interface 'lan'
	option device 'br-lan'
	option proto 'dhcp'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'WLAN0'
	option proto 'dhcp'
	option device 'wlan0'
	option peerdns '0'
	list dns '172.16.9.1'

config interface 'WireGuard'
	option proto 'wireguard'
	option private_key 'XXXXXXXX'
	option listen_port '51820'
	list addresses '192.168.9.23/24'
	list dns '192.168.9.1'

config wireguard_WireGuard
	option description 'XYZ'
	option public_key 'XXXXX'
	list allowed_ips '0.0.0.0/24'
	option route_allowed_ips '1'
	option endpoint_host 'XXXXX.ddnss.de'
	option endpoint_port '51820'
	option persistent_keepalive '25'

There are a whole lot of issues here...

You seem to have the lan and WLAN0 networks as DHCP clients, so there is no practical way to connect or route properly.

  • Is this router at location 1 or location 2? [EDIT: I can assume this is location 2, based on the WG config; please correct me if I'm wrong]
  • How is this router connecting to the upstream network?
  • How are your clients going to connect to this device?

You may be best off making a backup (mainly for the sake of the WG config stanzas of the network file), and then resetting to defaults. But let's start with the answers to the questions I've just asked.

EDIT: Some more thoughts and explanation of the issues I'm seeing right now...

Starting with your wlan0 network...

The wlan devices should never be referenced in the network config file. You'll specify the network that a given SSID should use in the wireless config file.

If this network will be used on dual band (i.e. 2 radios, 2.4G and 5G) and/or will be used on ethernet, you'll need to create a bridge (outside the network interface stanza) to use here. If it's only being used on a single band and not being used on ethernet at all, you don't need a bridge.

DNS won't do anything here, so remove both the peer dns and dns entry you've put in (where did that come from, anyway?).

If this is a network that will be used for the clients to connect, it needs an address, and it also will need a DHCP server (in the vast majority of cases).

On the lan:

same deal here -- if clients should be able to connect to your lan (via wireless and/or wired), it needs an address and a DHCP server.

Is the uplink on the wan or the lan? If the lan, your firewall needs masquerading enabled on the lan zone. And for that to work, you'd also have to split out the wlan0 network into a different zone. If it's on the wan, this is fine.

If you intend to route all traffic through the tunnel, the correct allowed_ips is 0.0.0.0/0

Also, your wireguard network is not associated with a firewall zone. You need to have it in a zone and then allow forwarding from the zone where the 'clients' connect to the wireguard zone.

We also haven't seen your DHCP or wireless files.
My guess is that a reset to defaults will be the best approach here... but we need to understand the questions I asked above.

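As an added example (not code from the thread, from OpenWrt or from uci), a small POSIX shell lint that reads copies of /etc/config/network and /etc/config/firewall and reports the routing problems psherman describes for the Location 2 client: a peer allowed_ips that is not 0.0.0.0/0, a WireGuard interface that sits in no firewall zone, and a missing forwarding from the lan zone to that zone. The function names and the sample stanzas are constructed for the example; to check a real router, pass the paths of its two config files instead.

```shell
#!/bin/sh
# Added example, not from the thread; the config text below is constructed from the posted stanzas.
# Names of all interfaces with proto wireguard (surrounding quotes stripped).
wg_ifaces() {
    awk -v q="'" '/^config interface/ { gsub(q, "", $3); name = $3 }
        $2 == "proto" && $3 == (q "wireguard" q) { print name }' "$1"
}
# Name of the firewall zone whose network list contains IFACE (empty if none).
zone_of() { # firewall-file iface
    awk -v q="'" -v ifc="$2" '
        function flush() { if (inzone && hit) print zone; inzone = hit = 0 }
        /^config / { flush(); inzone = ($2 == "zone") }
        inzone && $2 == "name" { gsub(q, "", $3); zone = $3 }
        inzone && $1 == "list" && $2 == "network" { gsub(q, "", $3); if ($3 == ifc) hit = 1 }
        END { flush() }' "$1"
}
# Exit 0 if a 'config forwarding' stanza with src SRC and dest DST exists.
has_forwarding() { # firewall-file src dst
    awk -v q="'" -v s="$2" -v d="$3" '
        function flush() { if (infw && src == s && dst == d) found = 1; infw = 0; src = dst = "" }
        /^config / { flush(); infw = ($2 == "forwarding") }
        infw && $2 == "src"  { gsub(q, "", $3); src = $3 }
        infw && $2 == "dest" { gsub(q, "", $3); dst = $3 }
        END { flush(); exit !found }' "$1"
}
# Print one line per finding; return the number of findings (0 = looks routable).
check_wg_routing() { # network-file firewall-file
    n=0
    grep -q "allowed_ips '0.0.0.0/0'" "$1" ||
        { echo "no peer with allowed_ips 0.0.0.0/0 (a full tunnel needs it)"; n=$((n+1)); }
    for ifc in $(wg_ifaces "$1"); do
        zone=$(zone_of "$2" "$ifc")
        if [ -z "$zone" ]; then echo "$ifc is in no firewall zone"; n=$((n+1))
        elif ! has_forwarding "$2" lan "$zone"; then echo "no forwarding lan -> $zone"; n=$((n+1)); fi
    done
    return $n
}

NET=$(mktemp); FW=$(mktemp)
cat >"$NET" <<'EOF'
config interface 'lan'
    option proto 'dhcp'
config interface 'WireGuard'
    option proto 'wireguard'
config wireguard_WireGuard
    list allowed_ips '0.0.0.0/24'
EOF
cat >"$FW" <<'EOF'
config zone
    option name 'lan'
    list network 'lan'
EOF
check_wg_routing "$NET" "$FW" || echo "$? problem(s) found"
```

On the constructed input it reports two findings (the /24 allowed_ips and the zoneless WireGuard interface); adding a zone that lists WireGuard plus a lan-to-that-zone forwarding and correcting allowed_ips brings it to zero.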