Routing WireGuard peer traffic through another peer

I'm trying to use my home (Delta) Internet connection from a remote router (Alpha), but Delta's Internet provider is IPv6-only and in many cases not reachable from Alpha, so I thought adding another IPv4 OpenWrt instance in the middle would help.

I ran this script (https://openwrt.org/docs/guide-user/services/vpn/wireguard/automated#a_named_peers_with_ids) on another OpenWrt VM instance,
and have both of my ends connected to that router as peers Alpha and Delta. But so far I can only reach the peers on their 10.0.5.x interface, with no success in routing the Alpha traffic through Delta.

my-ddns.no-ip.com
root@OpenWrt:~# cat /etc/config/network 

# /etc/config/network on the middle router (prompt shows root@OpenWrt; later output in
# the thread calls it VM). Lines starting with '#' are review notes, not part of the paste.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'XXXXX::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        option bridge_empty '1'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.21.1'
        option netmask '255.255.255.0'
        option ip6assign '60'


# NOTE(review): the private_key below and the preshared_key of every peer were pasted
# verbatim into a public thread; treat them as compromised and regenerate them
# (wg genkey / wg genpsk) before reusing this configuration.
config interface 'wg_lan'
        option proto 'wireguard'
        option private_key 'QPF3GBCd5MOvl5Dhi4Px6Sae9g2hosOBrm/hSeNnLkM='
        option listen_port '51820'
        # hub address on the tunnel; each peer below is allowed only its own /32
        list addresses '10.0.5.1/24'
        option mtu '1420'

# Peer sections are anonymous, so their order fixes the uci indices (@wireguard_wg_lan[N]).
config wireguard_wg_lan
        option public_key 'GSLqPH66wpwIbHzqqIxPtEEpfopubH5LGpAwfd5yHQ4='
        option preshared_key '5Zhc9wFyQ03FpR6/5uQCtSVanNytq4d6DE53E3Wimj4='
        option description '1_lan_Alpha'
        list allowed_ips '10.0.5.2/32'
        # route_allowed_ips installs a kernel route for each allowed_ips entry
        option route_allowed_ips '1'
        # 25 s keepalive keeps NAT state alive for peers behind NAT
        option persistent_keepalive '25'

# Bravo and Charlie are not mentioned anywhere else in the thread — presumably unused.
config wireguard_wg_lan
        option public_key 'A+nUkjsS2zEutnCBFyQhZqZVuqJnS4+NE0U5+2NVv0A='
        option preshared_key 'xeF1VkFcBk3T/CJxCp5B/+Dxws0LRoS8ZAKr+Fqogz0='
        option description '2_lan_Bravo'
        list allowed_ips '10.0.5.3/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

config wireguard_wg_lan
        option public_key 'JLvnIeSu/wLigD68RwOP6G/dn7Sj+4e2HQ2xBvjrumc='
        option preshared_key '2NFsPwJztXIY4JeWoMbNxIbad3BiHl1fVlnooJZe8oQ='
        option description '3_lan_Charlie'
        list allowed_ips '10.0.5.4/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

# Delta: the thread's follow-up adds 192.168.1.0/24 (Delta's LAN) to this peer's
# allowed_ips so the hub gets a route to it.
config wireguard_wg_lan
        option public_key 'pip1S9W6waKHzkA/jDrUx7bcaJEDMqXVFK/qNdwZwWo='
        option preshared_key 'c1fhfkGWMwQPoOAGH4QzYIpAlgOv+GRr6v2QN/yrn+k='
        option description '4_lan_Delta'
        list allowed_ips '10.0.5.5/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

root@OpenWrt:~# head -n14 /etc/config/firewall 

# /etc/config/firewall on the middle router (first 14 lines only; the wan zone is not shown).
config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

# wg_lan shares the lan zone and forward is ACCEPT, so tunnel peers may forward to each
# other here; the reply in the thread also asks for masquerading to be off on this router.
config zone 'lan'
        option name 'lan'
        option network 'lan wg_lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

root@OpenWrt:~# tail -n8 /etc/config/firewall 

# Opens the WireGuard listen port (UDP 51820, matching listen_port in wg_lan) from the
# wan zone. UDP only is correct — WireGuard does not use TCP.
config rule 'wg'
        option name 'Allow-WireGuard-lan'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

root@OpenWrt:~# 
Delta
root@Delta:~# cat /etc/config/network 

# /etc/config/network on Delta (home router, intended exit node).
# Lines starting with '#' are review notes, not part of the paste.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'X:x:X:X::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'vm'
        option proto 'wireguard'
        # NOTE(review): private key pasted verbatim in a public thread — treat as
        # compromised and regenerate it before reuse.
        option private_key '0KJARXFuNkRKAsuMJPJ1B26mlhM29jZn/99fZFoivH4='
        list addresses '10.0.5.5/32'
        # DNS points at the hub's tunnel address; nothing in the paste shows a resolver
        # listening there — verify if name resolution over the tunnel is expected.
        list dns '10.0.5.1'

config wireguard_vm
        option description 'Imported peer configuration'
        # hub's public key (the same value appears in Alpha's peer entry)
        option public_key '5o2sR834UUZWPfuqRjSLo+Gi2FZ9jqoZ8NshgqmDcA8='
        # same PSK as the hub's 4_lan_Delta entry; it is exposed in this paste as well
        option preshared_key 'c1fhfkGWMwQPoOAGH4QzYIpAlgOv+GRr6v2QN/yrn+k='
        # /0 for both families: any source address received from the hub is accepted.
        # route_allowed_ips is not set (OpenWrt default: off), so no default route
        # through the tunnel is installed by these entries.
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option persistent_keepalive '25'
        option endpoint_host 'my-ddns.no-ip.com'
        option endpoint_port '51820'

root@Delta:~# head -n15 /etc/config/firewall 

# /etc/config/firewall on Delta (first 15 lines only). The wan zone is not shown, so
# whether tunnel-to-Internet traffic is masqueraded cannot be confirmed from this paste —
# relevant to the "no Internet access" symptom reported later in the thread.
config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

# lan and the tunnel (vm) share one zone with forward ACCEPT, so tunnel peers can reach
# Delta's LAN (and the LAN can reach the tunnel) without further rules.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'vm'

root@Delta:~# 
Alpha
root@Delta:~# cat /etc/config/network 

# /etc/config/network on Alpha (remote router). The prompt above reads root@Delta,
# presumably a copy-paste slip — the firewall paste that follows is from root@Alpha.
# Lines starting with '#' are review notes, not part of the paste.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'X:x:X:X::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.200.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'


config interface 'vm'
        option proto 'wireguard'
        # NOTE(review): private key pasted verbatim in a public thread — treat as
        # compromised and regenerate it before reuse.
        option private_key 'UKQ4bAEGzd1u+X8Now2jACBoSGy4xXw9aiGD9aUZ4nQ='
        list addresses '10.0.5.2/32'
        # DNS points at the hub's tunnel address; the paste does not show a resolver there
        list dns '10.0.5.1'

config wireguard_vm
        option description 'Imported peer configuration'
        # hub's public key (same value as in Delta's peer entry)
        option public_key '5o2sR834UUZWPfuqRjSLo+Gi2FZ9jqoZ8NshgqmDcA8='
        # same PSK as the hub's 1_lan_Alpha entry; it is exposed in this paste as well
        option preshared_key '5Zhc9wFyQ03FpR6/5uQCtSVanNytq4d6DE53E3Wimj4='
        # /0 for both families. route_allowed_ips is not set in this paste; the OP
        # states later in the thread that routing was enabled for 0.0.0.0/0 on Alpha.
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option persistent_keepalive '25'
        option endpoint_host 'my-ddns.no-ip.com'
        option endpoint_port '51820'

root@Alpha:~# head -n25 /etc/config/firewall 

# /etc/config/firewall on Alpha (first 25 lines only).
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        # flow offloading (software and hardware) is enabled; unrelated to the routing question
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

# The tunnel (vm) sits in the wan zone: LAN traffic leaving through vm is SNATed to the
# tunnel address (10.0.5.2/32, masq '1'), and unsolicited input/forward arriving from the
# tunnel is rejected like any other wan traffic.
config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'vm'

root@Alpha:~# 

For Alpha, add its router's LAN subnet (192.168.200.0/24) to allowed_ips; this will not only allow traffic from Alpha but also create a route to it.

For Delta, do the same: add 192.168.1.0/24 to allowed_ips.

Your firewall config is not complete, so there might be show-stoppers there: make sure `option forward` is set to ACCEPT in the WireGuard zone of the main router (that allows forwarding between peers), and masquerading should be disabled on your main router.
Also make sure both Delta and Alpha have opened their firewalls for WireGuard traffic.

At the middle router (maybe name it Zeta?) you need a separate, independent WireGuard tunnel to Delta. This is because its only peer (Delta) may be forwarding from anywhere on the Internet, so the allowed_ips from Delta to Zeta need to be 0.0.0.0/0, and allowed_ips ranges cannot overlap.
[Technically you could write a bunch of non-overlapping allowed_ips that eventually cover the whole public IPv4 Internet but exclude the RFC 1918 subnets that Alpha and WireGuard itself are using, but no one does that.]

Additional fixed or mobile sites like Alpha can be multiple peers of the same WireGuard interface at Zeta; however, if they have LANs behind them, those LANs need to be in allowed_ips and they cannot overlap.

At a peer like Alpha that is tunneling users to the Internet, allowed_ips needs to be 0.0.0.0/0, but at Delta allowed_ips should only be the IPs that are seen from the other end of the tunnel, i.e. Alpha and its LAN, and Zeta. Though on a point-to-point link (Delta <> Zeta) you could also set /0 on both ends and control routing separately (do not set route_allowed_ips).

- On VM (main router) I added 192.168.1.0/24 to the allowed_ips list of the Delta node (the IP owner) and turned off masquerading:

- On Delta (the intended exit node) [192.168.1.1, 10.0.5.5]:
route and allow the following IPs:

- On Alpha (remote router):

I want all my traffic to go through the WG tunnel, so I added 0.0.0.0/0 to the allowed_ips list and enabled routing for it.

I can now reach my clients on Delta's LAN but have no Internet access.

It helps if you show the actual configs of all three involved routers. Please show the output of:

cat /etc/config/network
cat /etc/config/firewall
ip route show
ip -6 route show
ip rule show
wg show

Thank you, I should’ve added:

This was the important part, and it turned out I could have overlapping allowed_ips — with no routing enabled for them, though.

The rest have their WG 10.0.5.X/32 allowed_ips with routing enabled on VM.

This helped me realize that a source-address PBR policy can do the job as well.

root@VM:~# uci show pbr.@policy[2]
pbr.cfg096ff5=policy
pbr.cfg096ff5.interface='wg_lan'
pbr.cfg096ff5.src_addr='10.0.5.5'
root@VM:~# 

Again, Thank you both.
