Simple steps to import wireguard config file

So you believe connection was established to the sever. But I can't route my traffic through it.
Last year I trying to setup openvpn on my device and share the connection as a new wireless network (see this topic).
Now I want to do the same thing using wireguard; setup a wireguard client on my router and share it separately from primary wan, as a new wireless connection.

here my current interface status:

and my current firewall conf:

also, according to this post (#6), I add this options into my /etc/config/network:

using this steps, everything was fine with openvpn. but it doesn't work for wireguard!

First of all refrain from posting the screenshots and better post the config files as psherman suggested.
Second the route that you have applied in wgvpn table for default is sending everything out of the wan interface and not the wireguard.

4 Likes

sure. sorry. here my /etc/config/network & firewall as @psherman says:


config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd55:9844:27f7::/48'

config atm-bridge 'atm'
        option encaps 'llc'
        option payload 'bridged'
        option nameprefix 'dsl'
        option vci '**'
        option vpi '*'

config dsl 'dsl'
        option annex 'a'
        option tone 'av'
        option ds_snr_offset '0'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ip6assign '60'
        option netmask '255.255.255.224'
        option ipaddr '192.168.220.1'
        list dns '9.9.9.9'
        list dns '8.8.8.8'

config interface 'wan'
        option ifname 'dsl0'
        option proto 'pppoe'
        option username '*'
        option password '*'
        option ipv6 '1'
        list dns '9.9.9.9'
        option peerdns '0'
        option pppd_options 'debug'

config device 'wan_dsl0_dev'
        option name 'dsl0'
        option macaddr '*'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 2 4 5 6t'

config interface 'CloudFlare'
        option proto 'wireguard'
        option private_key '*'
        list addresses '*'
        list addresses '*'
        option listen_port '5342'

config wireguard_CloudFlare
        option public_key '*'
        option persistent_keepalive '23'
        option endpoint_host '*.*.192.1'
        option endpoint_port '2408'
        list allowed_ips '0.0.0.0/1'
        list allowed_ips '128.0.0.0/1'

config interface 'wgNet'
        option proto 'static'
        option ipaddr '192.168.230.1'
        option netmask '255.255.255.0'

config route
        option interface 'wan'
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option table 'wgvpn'

config rule
        option in 'WGNET'
        option src '192.168.230.0/24'
        option lookup 'wgvpn'

And /etc/config/firewall:

config defaults
        option input 'DROP'
        option forward 'DROP'
        option output 'DROP'
        option syn_flood '1'
        option drop_invalid '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option input 'DROP'
        option forward 'DROP'
        option network 'wan'

config include
        option path '/etc/firewall.user'

config zone
        option name 'wgzone'
        option mtu_fix '1'
        option masq '1'
        option output 'ACCEPT'
        option input 'DROP'
        option forward 'DROP'
        option network 'CloudFlare'

config zone
        option name 'Lan2'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        option network 'Lan2 wgNet'

config forwarding
        option dest 'wgzone'
        option src 'Lan2'

config forwarding
        option dest 'wan'
        option src 'lan'

and here my /etc/iproute2/rt_tables:

#
# reserved values
#
128     prelocal
255     local
254     main
253     default
10      wgvpn
0       unspec
#
# local
#
#1      inr.ruhep

PS: I tried to connect using Winscp and copy the whole file, but it seems openwrt refusing the SCP connections!

Don't use public nameservers on the LAN interface. Use them in the WAN instead.

VPI/VCI in the ATM is not something secret that needs to be redacted.
The addresses of the interface Cloudflare are most likely private (192.168.X.Y, 10.X.Y.Z, 172.16-31.X.Y), so you can leave them. No need to assign a listen_port, unless you are sure that it can be reached. For example I don't see any firewall rule to allow udp/5342 on the wan.
On the Cloudflare peer config you are listing the allowed IPs in two /1 ranges, but you don't route them. If you don't want to route them you can use the 0.0.0.0/0, but my guess is that you want to route them.
The static route points everything coming from the WGNET interface to the WAN. This is not allowed according to the firewall forwardings that you have in place.

So first explain to us in simple words what flows do you want to allow, e.g lan->wan only, wgNet->Cloudflare only or lan->wan primary/ Cloudaflare some hosts.

2 Likes

+1 to everything @trendy said.

Another idea would be the following: remove all VPN configs, routes, and firewall rules and essentially start fresh. Get the router to connect to the WG based VPN and pass all traffic through the tunnel. Once that is done, you can setup more granular configurations to handle traffic steering/policies, etc. This way, you ensure there is a known working configuration as a starting point and you can be certain that your tunnel is properly established. With any policy based routing, additional granular firewall rules and routes, and so on, you could end up chasing your tail. If you have an extra router to play with (or setup a VM), you can get the general config up without disruption of your existing router. And you can take backups before and at any interesting points along the way to grab a snapshot of working sub-configuration details.

1 Like

Thanks for the tips. this is the whole story:
I have openwrt 19.07.1 installed on my device (TP-Link TD-W8970). I using my device as Modem/Router & AccessPoint. I connect to the Internet using DSL Line (PPPoE protocol) using this device. To bypass Net restrections and Net blocking, I had to use one of the VPN solutions on my PC/Laptop/Mobile phone and etc... this is why I want to use a VPN server. Last year I tried to setup openvpn directly on my openwrt, so when I connected to my Modem, I don't need enable VPN on my Phone or Laptop. you can see my last year topic here
I just wanna do the same thing as I done last year, this time using wireguard protocol: My 8970 connect to the WAN (Internet) Using DSL and I access to the internet by connecting to the 'wifi1'. now I want to setup a wireguard client on my 8970 and share tunneled connection as a new network/wifi named 'wifi2'. that's it.

Then change the exit interface in the static route you have to CloudFlare merge the allowed IPs to 0.0.0.0/0, and don't route them.

1 Like

I still doesn't neither Internet or tunneled VPN access on 'wifi2' network! here my current /etc/config/network related rules:

config interface 'CloudFlare'
	option proto 'wireguard'
	option private_key 'OFg1eVOaU7JjUTiIu5VzOEQCprdtM9ObLYgIh9MNqmA='

config wireguard_CloudFlare
	option public_key '*'
	option persistent_keepalive '23'
	option endpoint_host '*.*.192.1'
	option endpoint_port '2408'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'

config interface 'wgNet'
	option proto 'static'
	option ipaddr '192.168.230.1'
	option netmask '255.255.255.0'

config route
	option interface 'CLOUDFLARE'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option table 'wgvpn'

config rule
	option in 'WGNET'
	option src '192.168.230.0/24'
	option lookup 'wgvpn'

And, my firewall:

config zone
	option name 'wgzone'
	option output 'ACCEPT'
	option network 'CloudFlare'
	option input 'DROP'
	option forward 'DROP'
	option masq '1'
	option mtu_fix '1'

config zone
	option name 'Lan2'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option network 'Lan2 wgNet'

config forwarding
	option dest 'wgzone'
	option src 'Lan2'

config forwarding
	option dest 'wan'
	option src 'lan'

config forwarding
	option dest 'wan'
	option src 'wgzone'
  1. In linux names are case sensitive. wgNet is not the same as WGNET
  2. In Cloudflare interface there is no IP.
1 Like

ok. so this one is correct, I think:

config interface 'wgNet'
	option proto 'static'
	option ipaddr '192.168.230.1'
	option netmask '255.255.255.0'

config route
	option interface 'CLOUDFLARE'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option table 'wgvpn'

config rule
	option in 'wgNet'
	option src '192.168.230.0/24'
	option lookup 'wgvpn'

Which one? here?

config route
	option interface 'CLOUDFLARE'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option table 'wgvpn'

or here? because you told me to clear IP and Port from this one.

config interface 'CloudFlare'
	option proto 'wireguard'
	option private_key '*'

also here my entire wireguard config file [ * = redacted ]:

[Interface]
PrivateKey = *
DNS = 1.1.1.1
Address = 172.16.0.2/32
Address = fd01:5ca1:ab1e:8f32:d504:87c5:43d0:6002/128

[Peer]
PublicKey = *
AllowedIPs = 0.0.0.0/0
AllowedIPs = ::/0
Endpoint = *.*.192.1:2408

Yes it looks better.

Here, I told you to clear the port. For the addresses I said to leave them because they are private, meaning that they don't need to be redacted. Sorry if I wasn't clear. Use the Addresses from the config file. I don't like the masks /32 and /128. If it still doesn't work, consider changing them to match the mask of the server, for example /24 and /64.

1 Like

nope! it's still not working! I also changed /32 and /128 to /24 and /64.
/etc/config/network:

config interface 'CloudFlare'
	option proto 'wireguard'
	option private_key '*'
	list addresses '172.16.0.2/24'
	list addresses 'fd01:5ca1:ab1e:8f32:d504:87c5:43d0:6002/64'

config wireguard_CloudFlare
	option public_key '*'
	option persistent_keepalive '23'
	option endpoint_host '*.*.192.1'
	option endpoint_port '2408'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'

config interface 'wgNet'
	option proto 'static'
	option ipaddr '192.168.230.1'
	option netmask '255.255.255.0'

config route
	option interface 'CLOUDFLARE'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option table 'wgvpn'

config rule
	option in 'wgNet'
	option src '192.168.230.0/24'
	option lookup 'wgvpn'

Can you ping from the OpenWrt the Cloudflare? I believe the IP is 172.16.0.1
ping -c 4 172.16.0.1

1 Like

the 172.16.0.1 is a private address and I don't have any host in my private with this address. anyway this is the ping result from the ssh console:

root@OpenWrt:~# ping -c 4 172.16.0.1
PING 172.16.0.1 (172.16.0.1): 56 data bytes

--- 172.16.0.1 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
root@OpenWrt:~#

but here the ping result of 172.16.0.2:

root@OpenWrt:~# ping -c 4 172.16.0.2
PING 172.16.0.2 (172.16.0.2): 56 data bytes
64 bytes from 172.16.0.2: seq=0 ttl=64 time=0.665 ms
64 bytes from 172.16.0.2: seq=1 ttl=64 time=0.498 ms
64 bytes from 172.16.0.2: seq=2 ttl=64 time=0.494 ms
64 bytes from 172.16.0.2: seq=3 ttl=64 time=0.497 ms

--- 172.16.0.2 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.494/0.538/0.665 ms
root@OpenWrt:~#

also the ping result of the public endpoint is positive, and it's reachable:

root@OpenWrt:~# ping -c 4 *.*.192.1
PING *.*.192.1 (*.*.192.1): 56 data bytes
64 bytes from *.*.192.1: seq=0 ttl=55 time=93.733 ms
64 bytes from *.*.192.1: seq=1 ttl=55 time=89.787 ms
64 bytes from *.*.192.1: seq=2 ttl=55 time=89.752 ms
64 bytes from *.*.192.1: seq=3 ttl=55 time=88.724 ms

--- *.*.192.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 88.724/90.499/93.733 ms
root@OpenWrt:~#

Alright, then which is the IP of the Wireguard interface on Cloudflare?

1 Like

I guess 172.16.0.2, based on the configurations:

config interface 'CloudFlare'
	option proto 'wireguard'
	option private_key '*'
	list addresses '172.16.0.2/24'
	list addresses 'fd01:5ca1:ab1e:8f32:d504:87c5:43d0:6002/64'

No, .2 is the address that the Wireguard tunnel has on the OpenWrt side.
On the Cloudflare side you have a different one.
Do you have the Wireguard configuration of the Cloudflare server?

1 Like

you right. it's weird because when I successfully connect using this .conf on my windows, 172.16.0.1 still unreachable to me, even though my traffic pass through VPN and my Public IP changed.

Yes. also I posted it before too:

[Interface]
PrivateKey = *
DNS = 1.1.1.1
Address = 172.16.0.2/32
Address = fd01:5ca1:ab1e:8f32:d504:87c5:43d0:6002/128

[Peer]
PublicKey = *
AllowedIPs = 0.0.0.0/0
AllowedIPs = ::/0
Endpoint = *.*.192.1:2408

This is the configuration of the client, the one you are using in OpenWrt and Windows.
I am asking for the configuration that you have on the other side, the Cloudflare server.

1 Like

Ummm sorry. no, obviously. server isn't mine. it's warp cloudflare servers.