Setting up VPN Tunnel issues

Hi there,

I'm trying to set up an OpenWrt router to act as a 'VPN bridge' to the office network like this:

client <-wifi-> VPN bridge <-wifi-> residential AP <-> Office router <-----> office network

Where the VPN bridge will connect to my residential AP for internet access and provide a wireless network for clients to connect to. The VPN is realized using WireGuard.

Most of this setup is working but one problem remains: when the WireGuard connection is set up, a client connecting to the VPN bridge router is unable to use the VPN.

The reason why I want this setup is because I have a client running VMs in combination with Windows, which gives lots of trouble using WireGuard.

Here is what I do:

1. Configure the VPN bridge to connect to my residential AP and provide a wireless network:

/etc/config/wireless:
config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/10300000.wmac'
        option country 'NL'
        option legacy_rates '1'
        option hwmode '11g'
        option htmode 'HT20'
        option disabled '0'

config wifi-iface
        option network 'wwan'
        option device 'radio0'
        option mode 'sta'
        option ssid 'residential AP'
        option encryption 'psk2'
        option key 'Secret'
        option disabled '0'

config wifi-iface
        option device 'radio0'
        option mode 'ap'
        option encryption 'psk2'
        option network 'lan'
        option ssid 'Tunnel'
        option key 'Secret2'
        option disassoc_low_ack '0'
# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
    link/ether 0c:cf:89:69:d8:45 brd ff:ff:ff:ff:ff:ff
5: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 0c:cf:89:69:d8:44 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.155/24 brd 192.168.2.255 scope global wlan0
       valid_lft forever preferred_lft forever
6: wlan0-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 0e:cf:89:69:d8:44 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.254/24 brd 10.10.10.255 scope global wlan0-1
       valid_lft forever preferred_lft forever

At this point, any client can connect to the "Tunnel" wifi-network and access internet as well as my residential LAN.

2. Set up the WireGuard tunnel
Next, to set up the WireGuard client on the OpenWrt VPN Tunnel device, I run this script:

#!/bin/sh


export WG_IF="VPN"
export WG_SERV="**SERVER PUBLIC IP**"
export WG_PORT="500"
export WG_ADDR="192.168.2.30/24"

export WG_KEY="**MY PRIVATE KEY**"
export WG_PSK=""
export WG_CLT_PUB="**MY PUBLIC KEY**"
export WG_SRV_PUB="**SERVER PUBLIC KEY**"


uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wwan"
uci del_list firewall.wan.network="${WG_IF}"
uci add_list firewall.wan.network="${WG_IF}"
uci commit firewall
/etc/init.d/firewall restart


# Configure network
uci -q delete network.${WG_IF}
uci set network.${WG_IF}="interface"
uci set network.${WG_IF}.proto="wireguard"
uci set network.${WG_IF}.private_key="${WG_KEY}"
uci set network.${WG_IF}.public_key="${WG_CLT_PUB}"
uci add_list network.${WG_IF}.addresses="${WG_ADDR}"

# Add VPN peers
uci -q delete network.wgserver
uci set network.wgserver="wireguard_${WG_IF}"
uci set network.wgserver.public_key="${WG_SRV_PUB}"
#uci set network.wgserver.preshared_key="${WG_PSK}"
uci set network.wgserver.endpoint_host="${WG_SERV}"
uci set network.wgserver.endpoint_port="${WG_PORT}"
uci set network.wgserver.route_allowed_ips="1"
uci set network.wgserver.persistent_keepalive="25"
uci add_list network.wgserver.allowed_ips="0.0.0.0/0"
uci add_list network.wgserver.allowed_ips="::/0"
uci commit network
/etc/init.d/network restart
wifi

The output is:

# ./setup.sh
uci: Invalid argument
uci: Invalid argument
Warning: Unable to locate ipset utility, disabling ipset support
Warning: Section 'wwan' cannot resolve device of network 'wan6'
 * Flushing IPv4 filter table
 * Flushing IPv4 nat table
 * Flushing IPv4 mangle table
 * Flushing conntrack table ...
 * Populating IPv4 filter table
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Forward 'lan' -> 'wan'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 nat table
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/etc/firewall.user'

At this point, from the console / CLI of the OpenWrt VPN Tunnel, the WireGuard VPN is set up and I can access the office LAN:

# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
    link/ether 0c:cf:89:69:d8:45 brd ff:ff:ff:ff:ff:ff
10: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 0c:cf:89:69:d8:44 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.155/24 brd 192.168.2.255 scope global wlan0
       valid_lft forever preferred_lft forever
11: wlan0-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 0e:cf:89:69:d8:44 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.254/24 brd 10.10.10.255 scope global wlan0-1
       valid_lft forever preferred_lft forever
12: VPN: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 192.168.2.30/24 brd 192.168.2.255 scope global VPN
       valid_lft forever preferred_lft forever

ping google.com
PING google.com (142.250.179.174): 56 data bytes
64 bytes from 142.250.179.174: seq=0 ttl=118 time=9.673 ms
64 bytes from 142.250.179.174: seq=1 ttl=118 time=9.309 ms
64 bytes from 142.250.179.174: seq=2 ttl=118 time=9.362 ms
^C
--- google.com ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 9.309/9.448/9.673 ms
~# ping 192.168.188.1
PING 192.168.188.1 (192.168.188.1): 56 data bytes
64 bytes from 192.168.188.1: seq=0 ttl=64 time=7.519 ms
64 bytes from 192.168.188.1: seq=1 ttl=64 time=8.757 ms
64 bytes from 192.168.188.1: seq=2 ttl=64 time=9.962 ms
^C
--- 192.168.188.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 7.519/8.746/9.962 ms
# ping 192.168.188.226
PING 192.168.188.226 (192.168.188.226): 56 data bytes
64 bytes from 192.168.188.226: seq=0 ttl=63 time=125.081 ms
64 bytes from 192.168.188.226: seq=1 ttl=63 time=146.614 ms
^C
--- 192.168.188.226 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 125.081/135.847/146.614 ms

But clients connected to the Tunnel network can only access my local LAN and the internet via IP addresses (so DNS is obviously not working).

It seems like I am almost there; any idea what to do next or what I have done wrong?

Thanks!

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have.

ubus call system board; \
uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
root@Gateway:/# ubus call system board; \
> uci export network; uci export wireless; \
> uci export dhcp; uci export firewall; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
> ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
{
        "kernel": "4.14.221",
        "hostname": " Gateway",
        "system": "MediaTek MT7628AN ver:1 eco:2",
        "model": "MediaTek LinkIt Smart 7688",
        "board_name": "linkits7688",
        "release": {
                "distribution": "OpenWrt",
                "version": "19.07.7",
                "revision": "r11306-c4a6851c72",
                "target": "ramips/mt76x8",
                "description": "OpenWrt 19.07.7 r11306-c4a6851c72"
        }
}
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd57:067f:f358::/48'

config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '10.10.10.254'
        option ip4table '1'
        option ip6table '1'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '0'

config interface 'wan'
        option ifname 'eth0'
        option proto 'dhcp'
        option ip4table '2'

config interface 'wwan'
        option proto 'dhcp'

config interface 'VPN'
        option proto 'wireguard'
        option private_key '****'
        option public_key '****'
        list addresses '192.168.2.30/24'

config wireguard_VPN 'wgserver'
        option public_key '****'
        option endpoint_host '*****'
        option endpoint_port '500'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'

config route 'vpn_rt'
        option interface 'VPN'
        option target '0.0.0.0/0'

config route6 'vpn_rt6'
        option interface 'VPN'
        option target '::/0'

config rule 'lan_vpn'
        option in 'lan'
        option lookup '2'
        option priority '30000'

config rule6 'lan_vpn6'
        option in 'lan'
        option lookup '2'
        option priority '30000'

config rule 'lan_wan'
        option in 'lan'
        option lookup '2'
        option priority '40000'

config rule6 'lan_wan6'
        option in 'lan'
        option lookup '2'
        option priority '40000'

package wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/10300000.wmac'
        option country 'NL'
        option legacy_rates '1'
        option hwmode '11g'
        option htmode 'HT20'
        option disabled '0'

config wifi-iface
        option network 'wwan'
        option device 'radio0'
        option mode 'sta'
        option ssid 'my residential WiFi'
        option encryption 'psk2'
        option key '*****'
        option disabled '0'

config wifi-iface
        option device 'radio0'
        option mode 'ap'
        option encryption 'psk2'
        option network 'lan'
        option ssid 'Tunnel'
        option key '****'
        option disassoc_low_ack '0'
        option maxassoc '3'
        option disabled '0'

package dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option localservice '1'
        list address '/gateway./10.10.10.254'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config dhcp 'wwan'
        option interface 'wwan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'

package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone 'wwan'
        option name 'wan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6 lan wwan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
26: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.2.155/24 brd 192.168.2.255 scope global wlan0
       valid_lft forever preferred_lft forever
27: wlan0-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 10.10.10.254/24 brd 10.10.10.255 scope global wlan0-1
       valid_lft forever preferred_lft forever
28: VPN: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 192.168.2.30/24 brd 192.168.2.255 scope global VPN
       valid_lft forever preferred_lft forever
10.10.10.0/24 dev wlan0-1 table 1 proto static scope link
default dev VPN proto static scope link
**.**.***.*** via 192.168.2.254 dev wlan0 proto static
192.168.2.0/24 dev wlan0 proto kernel scope link src 192.168.2.155
192.168.2.0/24 dev VPN proto kernel scope link src 192.168.2.30
broadcast 10.10.10.0 dev wlan0-1 table local proto kernel scope link src 10.10.10.254
local 10.10.10.254 dev wlan0-1 table local proto kernel scope host src 10.10.10.254
broadcast 10.10.10.255 dev wlan0-1 table local proto kernel scope link src 10.10.10.254
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.2.0 dev wlan0 table local proto kernel scope link src 192.168.2.155
broadcast 192.168.2.0 dev VPN table local proto kernel scope link src 192.168.2.30
local 192.168.2.30 dev VPN table local proto kernel scope host src 192.168.2.30
local 192.168.2.155 dev wlan0 table local proto kernel scope host src 192.168.2.155
broadcast 192.168.2.255 dev wlan0 table local proto kernel scope link src 192.168.2.155
broadcast 192.168.2.255 dev VPN table local proto kernel scope link src 192.168.2.30
0:      from all lookup local
10000:  from 10.10.10.254 lookup 1
20000:  from all to 10.10.10.254/24 lookup 1
30000:  from all iif wlan0-1 lookup 2
32766:  from all lookup main
32767:  from all lookup default
40000:  from all iif wlan0-1 lookup 2
90027:  from all iif lo lookup 1
ls: /tmp/resolv.*/*: No such file or directory
lrwxrwxrwx    1 root     root            16 Feb 15  2021 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            32 Feb 21 15:36 /tmp/resolv.conf
-rw-r--r--    1 root     root            42 Feb 21 15:36 /tmp/resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
# Interface wwan
nameserver 192.168.2.254
head: /tmp/resolv.*/*: No such file or directory
root@ Gateway:/#

  • You're running an outdated version of OpenWrt.
  • The firewall attempts to place lan into two firewall zones. It should only be in the lan zone.
  • The WireGuard tunnel IP range overlaps and conflicts with the upstream (wwan) subnet range (they are both 192.168.2.0/24). Assuming that you can't easily change that on the work server, change your upstream home router to use a different subnet. All of the subnets in use at home must be different from those at work.
  • This configuration is overly complicated. There is no need for non-default routing tables here. Also there is no need to separately declare routes when route_allowed_ips is set.
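A check for the two configuration faults named in the reply above, as an added example that is not part of this thread or of OpenWrt: it parses pasted `ip -4 addr` and `uci export firewall` text (the samples below are constructed to mirror the output posted in the thread) and reports interfaces whose subnets overlap and networks that are attached to more than one firewall zone.

```python
import ipaddress
import re

# Constructed sample mirroring the `ip -4 addr` output pasted in the thread.
IP_ADDR = """\
26: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    inet 192.168.2.155/24 brd 192.168.2.255 scope global wlan0
27: wlan0-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    inet 10.10.10.254/24 brd 10.10.10.255 scope global wlan0-1
28: VPN: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN
    inet 192.168.2.30/24 brd 192.168.2.255 scope global VPN
"""

# Constructed sample mirroring the zones from `uci export firewall` in the thread.
FIREWALL = """\
config zone 'lan'
        option name 'lan'
        option network 'lan'

config zone 'wwan'
        option name 'wan'
        option network 'wan wan6 lan wwan'
"""

def parse_subnets(ip_addr_text):
    """Map interface name -> IPv4Network for every 'inet' line except loopback."""
    subnets = {}
    for m in re.finditer(r"^\s+inet (\S+) .*?(\S+)$", ip_addr_text, re.M):
        cidr, ifname = m.groups()
        if ifname != "lo":
            subnets[ifname] = ipaddress.ip_interface(cidr).network
    return subnets

def overlapping_subnets(subnets):
    """Interface pairs whose on-link subnets overlap (the fault flagged above)."""
    names = sorted(subnets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if subnets[a].overlaps(subnets[b])]

def parse_zone_networks(firewall_text):
    """Map firewall zone name -> list of networks, read from a uci export dump."""
    zones = []
    for raw in firewall_text.splitlines():
        line = raw.strip()
        if line.startswith("config zone"):
            zones.append({"name": None, "networks": []})
        elif zones and line.startswith("option name "):
            zones[-1]["name"] = line.split("'")[1]
        elif zones and line.startswith("option network "):
            zones[-1]["networks"] = line.split("'")[1].split()
    return {z["name"]: z["networks"] for z in zones}

def multi_zone_networks(zone_networks):
    """Networks attached to more than one zone; each should belong to exactly one."""
    seen = {}
    for zone, nets in zone_networks.items():
        for net in nets:
            seen.setdefault(net, []).append(zone)
    return {net: zs for net, zs in seen.items() if len(zs) > 1}
```

Run it on a workstation against the pasted text rather than on the router, which has no Python; on the thread's output it reports the VPN/wlan0 overlap and `lan` sitting in both the lan and wan zones.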