Yes, that's right.
Changed it accordingly, still no difference.
Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </>" button:
Remember to redact passwords, WireGuard private keys (`uci export network` prints them in clear), MAC addresses and any public IP addresses in the output before posting.
# System identity: kernel, board/model and the OpenWrt revision.
ubus call system board
# Network, DHCP and firewall UCI configuration. Private keys, MAC addresses
# and public IPs appear verbatim in this output; redact them before posting.
uci export network
uci export dhcp
uci export firewall
# Custom iptables rules that are re-applied on every firewall (re)start.
head -n -0 /etc/firewall.user
# IPv4 addresses, every routing table, and the policy-routing rules.
ip -4 addr
ip -4 ro li tab all
ip -4 ru
This is the client router (192.168.1.1):
root@OpenWrt:~# ubus call system board; \
> uci export network; uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
{
"kernel": "5.4.80",
"hostname": "OpenWrt",
"system": "Intel(R) Celeron(R) CPU 3965U @ 2.20GHz",
"model": "Default string Default string",
"board_name": "default-string-default-string",
"release": {
"distribution": "OpenWrt",
"version": "SNAPSHOT",
"revision": "r15081-9c2eceef90",
"target": "x86/64",
"description": "OpenWrt SNAPSHOT r15081-9c2eceef90"
}
}
package network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd3f:57d2:bab6::/48'
config interface 'lan'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
option ifname 'eth1 eth2 eth3 eth4 eth5'
config interface 'wan'
option ifname 'eth0'
option proto 'dhcp'
config interface 'wan6'
option proto 'dhcpv6'
option ifname 'eth0'
option reqaddress 'try'
option reqprefix 'auto'
config interface 'wg0'
option proto 'wireguard'
option private_key '*********'
option listen_port '51820'
list addresses '10.9.0.2/24'
config wireguard_wg0
option description 'WireGuard_wg0'
option public_key '*********'
option route_allowed_ips '1'
option endpoint_port '51820'
option endpoint_host '*****.duckdns.org'
option persistent_keepalive '25'
list allowed_ips '192.168.2.0/24'
list allowed_ips '10.9.0.1/32'
package dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
option ra_slaac '1'
list ra_flags 'managed-config'
list ra_flags 'other-config'
option ra_management '1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
package firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan wg0'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled 'false'
config include
option path '/etc/firewall.user'
config zone
option name 'vpn'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config rule
option name 'Allow-WireGuard'
option src 'wan'
option proto 'udp'
option dest_port '51820'
option target 'ACCEPT'
config forwarding
option src 'vpn'
option dest 'lan'
config forwarding
option src 'lan'
option dest 'vpn'
config forwarding
option src 'wan'
option dest 'lan'
config forwarding
option src 'lan'
option dest 'wan'
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
inet 192.168.0.170/24 brd 192.168.0.255 scope global eth0
valid_lft forever preferred_lft forever
9: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
valid_lft forever preferred_lft forever
10: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN qlen 1000
inet 10.9.0.2/24 brd 10.9.0.255 scope global wg0
valid_lft forever preferred_lft forever
default via 192.168.0.1 dev eth0 src 192.168.0.170
10.9.0.0/24 dev wg0 scope link src 10.9.0.2
10.9.0.1 dev wg0 scope link
192.168.0.0/24 dev eth0 scope link src 192.168.0.170
192.168.1.0/24 dev br-lan scope link src 192.168.1.1
192.168.2.0/24 dev wg0 scope link
****98.216 via 192.168.0.1 dev eth0
broadcast 10.9.0.0 dev wg0 table local scope link src 10.9.0.2
local 10.9.0.2 dev wg0 table local scope host src 10.9.0.2
broadcast 10.9.0.255 dev wg0 table local scope link src 10.9.0.2
broadcast 127.0.0.0 dev lo table local scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host src 127.0.0.1
local 127.0.0.1 dev lo table local scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link src 127.0.0.1
broadcast 192.168.0.0 dev eth0 table local scope link src 192.168.0.170
local 192.168.0.170 dev eth0 table local scope host src 192.168.0.170
broadcast 192.168.0.255 dev eth0 table local scope link src 192.168.0.170
broadcast 192.168.1.0 dev br-lan table local scope link src 192.168.1.1
local 192.168.1.1 dev br-lan table local scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local scope link src 192.168.1.1
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
root@OpenWrt:~#
This one is the server (192.168.2.1):
root@OpenWrt:~# ubus call system board; \
> uci export network; uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
{
"kernel": "5.4.80",
"hostname": "OpenWrt",
"system": "MediaTek MT7621 ver:1 eco:3",
"model": "Linksys EA7500 v2",
"board_name": "linksys,ea7500-v2",
"release": {
"distribution": "OpenWrt",
"version": "SNAPSHOT",
"revision": "r15129-d346beb08c",
"target": "ramips/mt7621",
"description": "OpenWrt SNAPSHOT r15129-d346beb08c"
}
}
package network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option packet_steering '1'
option ula_prefix 'fd69:814f:cc52::/48'
config interface 'lan'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.2.1'
option ifname 'eth0 lan1 lan2 lan3 lan4'
config device 'lan_lan1_dev'
option name 'lan1'
option macaddr '58:ef:68:*:*:*'
config device 'lan_lan2_dev'
option name 'lan2'
option macaddr '58:ef:68:*:*:*'
config device 'lan_lan3_dev'
option name 'lan3'
option macaddr '58:ef:68:*:*:*'
config device 'lan_lan4_dev'
option name 'lan4'
option macaddr '58:ef:68:*:*:*'
config interface 'wan'
option ifname 'wan'
option proto 'dhcp'
config device 'wan_wan_dev'
option name 'wan'
option macaddr '58:ef:68:*:*:*'
config interface 'wan6'
option ifname 'wan'
option proto 'dhcpv6'
config interface 'wg0'
option proto 'wireguard'
option private_key '*********'
option listen_port '51820'
list addresses '10.9.0.1/24'
config wireguard_wg0
option description 'WireGuard_wg0'
option public_key '**********'
option route_allowed_ips '1'
option endpoint_port '51820'
option endpoint_host '*****.duckdns.org'
list allowed_ips '10.9.0.2/32'
list allowed_ips '192.168.1.0/24'
option persistent_keepalive '25'
package dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
option ra_slaac '1'
list ra_flags 'managed-config'
list ra_flags 'other-config'
option ra_management '1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
package firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
option network 'lan wg0'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled 'false'
config include
option path '/etc/firewall.user'
config zone
option name 'vpn'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
config forwarding
option src 'lan'
option dest 'vpn'
config forwarding
option src 'vpn'
option dest 'lan'
config redirect
option target 'DNAT'
option name 'wireguard'
option src 'wan'
option src_dport '51820'
option dest 'lan'
option dest_port '51820'
config forwarding
option src 'wan'
option dest 'lan'
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
3: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet *.*.98.216/18 brd *.*.127.255 scope global wan
valid_lft forever preferred_lft forever
11: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 192.168.2.1/24 brd 192.168.2.255 scope global br-lan
valid_lft forever preferred_lft forever
18: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN qlen 1000
inet 10.9.0.1/24 brd 10.9.0.255 scope global wg0
valid_lft forever preferred_lft forever
default via *.*.64.1 dev wan src *.*.98.216
10.9.0.0/24 dev wg0 scope link src 10.9.0.1
10.9.0.2 dev wg0 scope link
192.168.1.0/24 dev wg0 scope link
192.168.2.0/24 dev br-lan scope link src 192.168.2.1
*.*.6.121 via *.*.64.1 dev wan
*.*.64.0/18 dev wan scope link src *.*.98.216
broadcast 10.9.0.0 dev wg0 table local scope link src 10.9.0.1
local 10.9.0.1 dev wg0 table local scope host src 10.9.0.1
broadcast 10.9.0.255 dev wg0 table local scope link src 10.9.0.1
broadcast 127.0.0.0 dev lo table local scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host src 127.0.0.1
local 127.0.0.1 dev lo table local scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link src 127.0.0.1
broadcast 192.168.2.0 dev br-lan table local scope link src 192.168.2.1
local 192.168.2.1 dev br-lan table local scope host src 192.168.2.1
broadcast 192.168.2.255 dev br-lan table local scope link src 192.168.2.1
broadcast *.*.64.0 dev wan table local scope link src *.*.98.216
local *.*.98.216 dev wan table local scope host src *.*.98.216
broadcast *.*.127.255 dev wan table local scope link src *.*.98.216
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
root@OpenWrt:~#
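# Client: drop the fixed listen port so this side is purely the initiator.
# It sits behind another router's NAT, so nothing could reach a fixed port on
# it anyway; WireGuard then picks a random source port for the handshake.
uci -q delete network.wg0.listen_port
# Only re-apply the configuration if the commit succeeded, and use `reload`
# instead of `restart`: restart tears every interface down (including the
# uplink carrying this SSH session), reload only re-applies interfaces whose
# config changed.
uci commit network && /etc/init.d/network reload
# Server: drop the static endpoint for the peer. The server learns the
# client's current address:port from the client's first handshake and keeps
# following it afterwards, which is what a client on a dynamic IP needs.
uci -q delete network.@wireguard_wg0[0].endpoint_port
uci -q delete network.@wireguard_wg0[0].endpoint_host
uci commit network && /etc/init.d/network reload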
Decrease the MTU on the VPN interface if the issue persists.
Disable masquerading in the VPN and LAN zones: masquerading on a zone that contains wg0 rewrites the source of every packet entering the tunnel to the router's own tunnel address, which hides the very LAN hosts the other side is supposed to reach.
Two further things in the posted configs are worth fixing regardless of the tunnel problem. Both routers carry a `config forwarding` with `src 'wan'` and `dest 'lan'`; it overrides the wan zone's `forward 'REJECT'` and lets any host on the WAN side that can route to the LAN subnet reach it (and, since wg0 is in the lan zone, the tunnel) — on the server the WAN side is the public internet, so remove it. The `vpn` zone on both routers has no `option network`, so its forwardings match nothing; wg0 is effectively in the lan zone.
No luck. When I make these changes, the network goes down.
You'll need to initiate traffic from the client first: once the server has no endpoint for the peer, it only learns where the client is from the client's first handshake.
When I remove the endpoint host & port on the server, the network goes down and I can't ping from the client or the server, so I reverted and added the endpoint host & port back. What works strangely is that when I add 0.0.0.0/0 to the server's peer, the server acts like a client and data passes through the tunnel (client to server). However, the client cannot achieve the same when the roles are reversed. This is not what I want to achieve.
Just a note that the client router's WAN port is connected to another router's LAN port for internet access (the client sits behind a second NAT at 192.168.0.1). I am not sure whether this may cause issues.
You must also remove the listen_port from the client.
That is expected. The server should only have the peer's tunnel IP and the subnet behind the peer in its allowed IPs; putting 0.0.0.0/0 on the server's peer makes the server route everything into the tunnel, i.e. behave as a client.
No, it doesn't.
In addition to fixes posted above, apply the following workarounds:
- Dynamic connection on the client with allowed IPs 0.0.0.0/0 — for a client on a dynamic IP whose endpoint host is a DDNS name.
- Race conditions on the client with allowed IPs 0.0.0.0/0 — random generator on both client and server.
Then restart both server and client.
Are these four things needed on both server & client?
I've added them on both server & client. The only difference is that the network no longer goes down, but I still can't ping, and the handshake state on the client looks as follows (`0 B received`: nothing ever comes back from the server):
interface: wg0
public key:
private key: (hidden)
listening port: 54653
peer:
endpoint: XXX.XXX.107.38:51820
allowed ips: 192.168.2.0/24, 10.9.0.1/32
transfer: 0 B received, 30.21 KiB sent
persistent keepalive: every 25 seconds
Check on both server and client:
# Package lists live in RAM on OpenWrt, so refresh them before installing.
opkg update
opkg install tcpdump
# Print a timestamp, then capture WireGuard traffic on every interface:
# -n skips name resolution, -e shows link-layer addresses, -v adds IP
# header detail (TTL, packet length) so NAT hops can be told apart.
date
tcpdump -evni any udp port 51820
Server:
root@OpenWrt:~# date; tcpdump -evni any udp port 51820
Thu Dec 10 13:14:22 UTC 2020
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
13:14:23.967348 In xx:xx:xx:05:98:e4 ethertype IPv4 (0x0800), length 192: (tos 0x88, ttl 62, id 27789, offset 0, flags [none], proto UDP (17), length 176)
xxx.xxx.6.121.53991 > xxx.xxx.107.38.51820: UDP, length 148
13:14:29.343083 In xx:xx:xx:05:98:e4 ethertype IPv4 (0x0800), length 192: (tos 0x88, ttl 62, id 27988, offset 0, flags [none], proto UDP (17), length 176)
xxx.xxx.6.121.53991 > xxx.xxx.107.38.51820: UDP, length 148
13:14:34.719173 In xx:xx:xx:05:98:e4 ethertype IPv4 (0x0800), length 192: (tos 0x88, ttl 62, id 29304, offset 0, flags [none], proto UDP (17), length 176)
xxx.xxx.6.121.53991 > xxx.xxx.107.38.51820: UDP, length 148
^C
3 packets captured
9 packets received by filter
0 packets dropped by kernel
root@OpenWrt:~#
Client
root@OpenWrt:~# date; tcpdump -evni any udp port 51820
Thu Dec 10 13:13:21 UTC 2020
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
13:13:26.114327 Out xx:xx:xx:f0:03:ca ethertype IPv4 (0x0800), length 192: (tos 0x88, ttl 64, id 20984, offset 0, flags [none], proto UDP (17), length 176)
192.168.0.170.53991 > xxx.xxx.107.38.51820: UDP, length 148
13:13:31.234333 Out xx:xx:xx:f0:03:ca ethertype IPv4 (0x0800), length 192: (tos 0x88, ttl 64, id 21488, offset 0, flags [none], proto UDP (17), length 176)
192.168.0.170.53991 > xxx.xxx.107.38.51820: UDP, length 148
13:13:36.610332 Out xx:xx:xx:f0:03:ca ethertype IPv4 (0x0800), length 192: (tos 0x88, ttl 64, id 21931, offset 0, flags [none], proto UDP (17), length 176)
192.168.0.170.53991 > xxx.xxx.107.38.51820: UDP, length 148
^C
3 packets captured
3 packets received by filter
0 packets dropped by kernel
root@OpenWrt:~#
It seems there is no answer from the server: its capture shows the client's packets arriving on the WAN (three "In" UDP datagrams of 148 bytes — the size of a WireGuard handshake initiation) and nothing going back out. Two checks before the next round: confirm that the peer `public_key` configured on each side really is the other side's current key (`wg show wg0 public-key` on each router; a mismatched key is dropped silently and looks exactly like this), and make sure the server accepts UDP/51820 on its own input path — a `config rule` with `src 'wan'`, `proto 'udp'`, `dest_port '51820'`, `target 'ACCEPT'` as on the client — rather than the `config redirect` to `dest 'lan'`, since WireGuard terminates on the router itself. Can you post the output of the commands from that post once again?
Client (note the extra `192.168.0.144/24` address on wg0 below: it duplicates the WAN subnet and installs a `192.168.0.0/24 dev wg0` route that wins over eth0's metric-100 route, so traffic for hosts on the upstream LAN is pushed into the tunnel, where WireGuard drops it because 192.168.0.0/24 is not in the peer's allowed IPs — that address should be removed):
BusyBox v1.31.1 () built-in shell (ash)
_______ ________ __
| |.-----.-----.-----.| | | |.----.| |_
| - || _ | -__| || | | || _|| _|
|_______|| __|_____|__|__||________||__| |____|
|__| W I R E L E S S F R E E D O M
-----------------------------------------------------
OpenWrt SNAPSHOT, r15081-9c2eceef90
-----------------------------------------------------
root@OpenWrt:~# ubus call system board; \
> uci export network; uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
{
"kernel": "5.4.80",
"hostname": "OpenWrt",
"system": "Intel(R) Celeron(R) CPU 3965U @ 2.20GHz",
"model": "Default string Default string",
"board_name": "default-string-default-string",
"release": {
"distribution": "OpenWrt",
"version": "SNAPSHOT",
"revision": "r15081-9c2eceef90",
"target": "x86/64",
"description": "OpenWrt SNAPSHOT r15081-9c2eceef90"
}
}
package network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd3f:57d2:bab6::/48'
config interface 'lan'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
option ifname 'eth1 eth2 eth3 eth4 eth5'
config interface 'wan'
option ifname 'eth0'
option proto 'dhcp'
option metric '100'
config interface 'wan6'
option proto 'dhcpv6'
option ifname 'eth0'
option reqaddress 'try'
option reqprefix 'auto'
option metric '100'
config interface 'wg0'
option proto 'wireguard'
option private_key '<redacted>'
option mtu '1280'
list addresses '10.9.0.2/24'
list addresses '192.168.0.144/24'
config wireguard_wg0
option description 'WireGuard_wg0'
option public_key '<redacted>'
option route_allowed_ips '1'
option persistent_keepalive '25'
option endpoint_host '******.duckdns.org'
option endpoint_port '51820'
list allowed_ips '192.168.2.0/24'
list allowed_ips '10.9.0.1/32'
package dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
option ra_slaac '1'
list ra_flags 'managed-config'
list ra_flags 'other-config'
option ra_management '1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
package firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan wg0'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option mtu_fix '1'
option network 'wan wan6'
option masq '1'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled 'false'
config include
option path '/etc/firewall.user'
config zone
option name 'vpn'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config rule
option name 'Allow-WireGuard'
option src 'wan'
option proto 'udp'
option dest_port '51820'
option target 'ACCEPT'
config forwarding
option src 'vpn'
option dest 'lan'
config forwarding
option src 'lan'
option dest 'vpn'
config forwarding
option src 'wan'
option dest 'lan'
config forwarding
option src 'lan'
option dest 'wan'
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
inet 192.168.0.170/24 brd 192.168.0.255 scope global eth0
valid_lft forever preferred_lft forever
9: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
valid_lft forever preferred_lft forever
10: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1280 qdisc noqueue state UNKNOWN qlen 1000
inet 10.9.0.2/24 brd 10.9.0.255 scope global wg0
valid_lft forever preferred_lft forever
inet 192.168.0.144/24 brd 192.168.0.255 scope global wg0
valid_lft forever preferred_lft forever
default via 192.168.0.1 dev eth0 src 192.168.0.170 metric 100
10.9.0.0/24 dev wg0 scope link src 10.9.0.2
10.9.0.1 dev wg0 scope link
192.168.0.0/24 dev wg0 scope link src 192.168.0.144
192.168.0.0/24 dev eth0 scope link metric 100
192.168.1.0/24 dev br-lan scope link src 192.168.1.1
192.168.2.0/24 dev wg0 scope link
xxx.xxx.107.38 via 192.168.0.1 dev eth0 metric 100
broadcast 10.9.0.0 dev wg0 table local scope link src 10.9.0.2
local 10.9.0.2 dev wg0 table local scope host src 10.9.0.2
broadcast 10.9.0.255 dev wg0 table local scope link src 10.9.0.2
broadcast 127.0.0.0 dev lo table local scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host src 127.0.0.1
local 127.0.0.1 dev lo table local scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link src 127.0.0.1
broadcast 192.168.0.0 dev eth0 table local scope link src 192.168.0.170
broadcast 192.168.0.0 dev wg0 table local scope link src 192.168.0.144
local 192.168.0.144 dev wg0 table local scope host src 192.168.0.144
local 192.168.0.170 dev eth0 table local scope host src 192.168.0.170
broadcast 192.168.0.255 dev eth0 table local scope link src 192.168.0.170
broadcast 192.168.0.255 dev wg0 table local scope link src 192.168.0.144
broadcast 192.168.1.0 dev br-lan table local scope link src 192.168.1.1
local 192.168.1.1 dev br-lan table local scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local scope link src 192.168.1.1
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
root@OpenWrt:~#
Server:
BusyBox v1.31.1 () built-in shell (ash)
_______ ________ __
| |.-----.-----.-----.| | | |.----.| |_
| - || _ | -__| || | | || _|| _|
|_______|| __|_____|__|__||________||__| |____|
|__| W I R E L E S S F R E E D O M
-----------------------------------------------------
OpenWrt SNAPSHOT, r15129-d346beb08c
-----------------------------------------------------
root@OpenWrt:~# ubus call system board; \
> uci export network; uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
{
"kernel": "5.4.80",
"hostname": "OpenWrt",
"system": "MediaTek MT7621 ver:1 eco:3",
"model": "Linksys EA7500 v2",
"board_name": "linksys,ea7500-v2",
"release": {
"distribution": "OpenWrt",
"version": "SNAPSHOT",
"revision": "r15129-d346beb08c",
"target": "ramips/mt7621",
"description": "OpenWrt SNAPSHOT r15129-d346beb08c"
}
}
package network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option packet_steering '1'
option ula_prefix 'fd69:814f:cc52::/48'
config interface 'lan'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.2.1'
option ifname 'eth0 lan1 lan2 lan3 lan4'
config device 'lan_lan1_dev'
option name 'lan1'
option macaddr 'xx:xx:xx:26:62:66'
config device 'lan_lan2_dev'
option name 'lan2'
option macaddr 'xx:xx:xx:26:62:66'
config device 'lan_lan3_dev'
option name 'lan3'
option macaddr 'xx:xx:xx:26:62:66'
config device 'lan_lan4_dev'
option name 'lan4'
option macaddr 'xx:xx:xx:26:62:66'
config interface 'wan'
option ifname 'wan'
option proto 'dhcp'
option metric '100'
config device 'wan_wan_dev'
option name 'wan'
option macaddr 'xx:xx:xx:26:62:66'
config interface 'wan6'
option ifname 'wan'
option proto 'dhcpv6'
option metric '100'
config interface 'wg0'
option proto 'wireguard'
option private_key '<redacted>'
option listen_port '51820'
list addresses '10.9.0.1/24'
option mtu '1280'
config wireguard_wg0
option description 'WireGuard_wg0'
option public_key '<redacted>'
option route_allowed_ips '1'
option persistent_keepalive '25'
list allowed_ips '10.9.0.2/32'
list allowed_ips '192.168.1.0/24'
package dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
option ra_slaac '1'
list ra_flags 'managed-config'
list ra_flags 'other-config'
option ra_management '1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
package firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan wg0'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option mtu_fix '1'
option network 'wan wan6'
option masq '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled 'false'
config include
option path '/etc/firewall.user'
config zone
option name 'vpn'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config forwarding
option src 'lan'
option dest 'vpn'
config forwarding
option src 'vpn'
option dest 'lan'
config redirect
option target 'DNAT'
option name 'wireguard'
option src 'wan'
option src_dport '51820'
option dest 'lan'
option dest_port '51820'
config forwarding
option src 'wan'
option dest 'lan'
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
3: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet xxx.xxx.82.24/18 brd xxx.xxx.127.255 scope global wan
valid_lft forever preferred_lft forever
11: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 192.168.2.1/24 brd 192.168.2.255 scope global br-lan
valid_lft forever preferred_lft forever
12: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1280 qdisc noqueue state UNKNOWN qlen 1000
inet 10.9.0.1/24 brd 10.9.0.255 scope global wg0
valid_lft forever preferred_lft forever
default via xxx.xxx.64.1 dev wan src xxx.xxx.82.24 metric 100
10.9.0.0/24 dev wg0 scope link src 10.9.0.1
10.9.0.2 dev wg0 scope link
192.168.1.0/24 dev wg0 scope link
192.168.2.0/24 dev br-lan scope link src 192.168.2.1
xxx.xxx.64.0/18 dev wan scope link metric 100
broadcast 10.9.0.0 dev wg0 table local scope link src 10.9.0.1
local 10.9.0.1 dev wg0 table local scope host src 10.9.0.1
broadcast 10.9.0.255 dev wg0 table local scope link src 10.9.0.1
broadcast 127.0.0.0 dev lo table local scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host src 127.0.0.1
local 127.0.0.1 dev lo table local scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link src 127.0.0.1
broadcast 192.168.2.0 dev br-lan table local scope link src 192.168.2.1
local 192.168.2.1 dev br-lan table local scope host src 192.168.2.1
broadcast 192.168.2.255 dev br-lan table local scope link src 192.168.2.1
broadcast xxx.xxx.64.0 dev wan table local scope link src xxx.xxx.82.24
local xxx.xxx.82.24 dev wan table local scope host src xxx.xxx.82.24
broadcast xxx.xxx.127.255 dev wan table local scope link src xxx.xxx.82.24
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
root@OpenWrt:~#
This doesn't look right:
Why is eth0 in the lan bridge?
Why doesn't the peer IP on the client match the WAN IP on the server?
Can you please help blank out my public IP? I missed that, lol. Thanks
Update: It's been done. Thanks