Site-to-site WireGuard on OpenWrt

Server:

BusyBox v1.31.1 () built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt SNAPSHOT, r15129-d346beb08c
 -----------------------------------------------------
root@OpenWrt:~# ubus call system board; \
> uci export network; uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
{
	"kernel": "5.4.80",
	"hostname": "OpenWrt",
	"system": "MediaTek MT7621 ver:1 eco:3",
	"model": "Linksys EA7500 v2",
	"board_name": "linksys,ea7500-v2",
	"release": {
		"distribution": "OpenWrt",
		"version": "SNAPSHOT",
		"revision": "r15129-d346beb08c",
		"target": "ramips/mt7621",
		"description": "OpenWrt SNAPSHOT r15129-d346beb08c"
	}
}
package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fd69:814f:cc52::/48'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.2.1'
	option ifname 'eth0 lan1 lan2 lan3 lan4'

config device 'lan_lan1_dev'
	option name 'lan1'
	option macaddr 'xx:xx:xx:26:62:66'

config device 'lan_lan2_dev'
	option name 'lan2'
	option macaddr 'xx:xx:xx:26:62:66'

config device 'lan_lan3_dev'
	option name 'lan3'
	option macaddr 'xx:xx:xx:26:62:66'

config device 'lan_lan4_dev'
	option name 'lan4'
	option macaddr 'xx:xx:xx:26:62:66'

config interface 'wan'
	option ifname 'wan'
	option proto 'dhcp'
	option metric '100'

config device 'wan_wan_dev'
	option name 'wan'
	option macaddr 'xx:xx:xx:26:62:66'

config interface 'wan6'
	option ifname 'wan'
	option proto 'dhcpv6'
	option metric '100'

config interface 'wg0'
	option proto 'wireguard'
	option private_key '<redacted>'
	option listen_port '51820'
	list addresses '10.9.0.1/24'
	option mtu '1280'

config wireguard_wg0
	option description 'WireGuard_wg0'
	option public_key '<redacted>'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	list allowed_ips '10.9.0.2/32'
	list allowed_ips '192.168.1.0/24'

package dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ra_management '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan wg0'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	option network 'wan wan6'
	option masq '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'vpn'

config forwarding
	option src 'vpn'
	option dest 'lan'

config redirect
	option target 'DNAT'
	option name 'wireguard'
	option src 'wan'
	option src_dport '51820'
	option dest 'lan'
	option dest_port '51820'

config forwarding
	option src 'wan'
	option dest 'lan'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet xxx.xxx.82.24/18 brd xxx.xxx.127.255 scope global wan
       valid_lft forever preferred_lft forever
11: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.2.1/24 brd 192.168.2.255 scope global br-lan
       valid_lft forever preferred_lft forever
12: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1280 qdisc noqueue state UNKNOWN qlen 1000
    inet 10.9.0.1/24 brd 10.9.0.255 scope global wg0
       valid_lft forever preferred_lft forever
default via xxx.xxx.64.1 dev wan  src xxx.xxx.82.24  metric 100 
10.9.0.0/24 dev wg0 scope link  src 10.9.0.1 
10.9.0.2 dev wg0 scope link 
192.168.1.0/24 dev wg0 scope link 
192.168.2.0/24 dev br-lan scope link  src 192.168.2.1 
xxx.xxx.64.0/18 dev wan scope link  metric 100 
broadcast 10.9.0.0 dev wg0 table local scope link  src 10.9.0.1 
local 10.9.0.1 dev wg0 table local scope host  src 10.9.0.1 
broadcast 10.9.0.255 dev wg0 table local scope link  src 10.9.0.1 
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1 
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1 
broadcast 192.168.2.0 dev br-lan table local scope link  src 192.168.2.1 
local 192.168.2.1 dev br-lan table local scope host  src 192.168.2.1 
broadcast 192.168.2.255 dev br-lan table local scope link  src 192.168.2.1 
broadcast xxx.xxx.64.0 dev wan table local scope link  src xxx.xxx.82.24 
local xxx.xxx.82.24 dev wan table local scope host  src xxx.xxx.82.24 
broadcast xxx.xxx.127.255 dev wan table local scope link  src xxx.xxx.82.24 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 
root@OpenWrt:~# 


This doesn't look right:

Why is eth0 in the lan bridge?

Why doesn't the peer IP on the client match the WAN IP on the server?

@vgaetera

Can you please help blank out my public IP? I missed that, lol. Thanks

Update: It's been done. Thanks

Why is eth0 in the lan bridge?

This has been done. eth0 has been removed from the lan bridge.

Why doesn't the peer IP on the client match the WAN IP on the server?

Not sure why, but it matches now.


Client

interface: wg0
public key:
private key: (hidden)
listening port: 43246

peer:
endpoint: xxx.xxx.8.48:51820
allowed ips: 192.168.2.0/24, 10.9.0.1/32
transfer: 0 B received, 1.73 KiB sent
persistent keepalive: every 25 seconds

Server

interface: wg0
public key:
private key: (hidden)
listening port: 51820

peer:
allowed ips: 10.9.0.2/32, 192.168.1.0/24
persistent keepalive: every 25 seconds


It looks like the client is trying to connect to the server, but the server doesn't see the packets.
Did anything ever work? You mentioned in the first post:

Were you able to ping 10.9.0.X at any point?
Because if it never worked, I'd suspect also the keys.


There was a successful handshake in the OP.
It looks like some of the modifications resulted in a negative effect.
We can try to revert them for the time being to isolate the issue.

I suggest commenting out the sysntpd workaround and the mtu option on both client and server.
And restart the devices to apply changes.

But keep the wireguard_watchdog script to update IPs for peers that use DDNS.

It still doesn't work, but it does when I add 0.0.0.0/0 to the server's peer and add the other router's DDNS endpoint host and endpoint port. It still behaves the same as last time: the server becomes the client and data passes through the WireGuard interface. However, on the client router no data is going through for connected devices. This is the only way it works, which is not what I expected.

But I am able to ping the other router and the allowed IPs on both routers.

Client

root@OpenWrt:~# ping 192.168.2.1
PING 192.168.2.1 (192.168.2.1): 56 data bytes
64 bytes from 192.168.2.1: seq=0 ttl=64 time=5.000 ms
64 bytes from 192.168.2.1: seq=1 ttl=64 time=5.726 ms
64 bytes from 192.168.2.1: seq=2 ttl=64 time=5.846 ms
64 bytes from 192.168.2.1: seq=3 ttl=64 time=5.868 ms
64 bytes from 192.168.2.1: seq=4 ttl=64 time=5.609 ms
^C
--- 192.168.2.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 5.000/5.609/5.868 ms

root@OpenWrt:~# ping 192.168.2.152
PING 192.168.2.152 (192.168.2.152): 56 data bytes
64 bytes from 192.168.2.152: seq=0 ttl=63 time=944.357 ms
64 bytes from 192.168.2.152: seq=1 ttl=63 time=10.658 ms
64 bytes from 192.168.2.152: seq=2 ttl=63 time=837.502 ms
64 bytes from 192.168.2.152: seq=3 ttl=63 time=8.976 ms
^C
--- 192.168.2.152 ping statistics ---
37 packets transmitted, 35 packets received, 5% packet loss
round-trip min/avg/max = 8.884/240.686/944.357 ms

root@OpenWrt:~# ping 10.9.0.1
PING 10.9.0.1 (10.9.0.1): 56 data bytes
64 bytes from 10.9.0.1: seq=0 ttl=64 time=6.015 ms
64 bytes from 10.9.0.1: seq=1 ttl=64 time=6.244 ms
64 bytes from 10.9.0.1: seq=2 ttl=64 time=5.907 ms
64 bytes from 10.9.0.1: seq=3 ttl=64 time=5.925 ms
64 bytes from 10.9.0.1: seq=4 ttl=64 time=5.680 ms
64 bytes from 10.9.0.1: seq=5 ttl=64 time=6.000 ms
^C
--- 10.9.0.1 ping statistics ---
6 packets transmitted, 6 packets received, 0% packet loss
round-trip min/avg/max = 5.680/5.961/6.244 ms

root@OpenWrt:~# wg
interface: wg0
  public key: <new client public key>
  private key: (hidden)
  listening port: 51820

peer: <new server public key>
  endpoint: xxx.xxx.101.90:51820
  allowed ips: 192.168.2.0/24, 10.9.0.1/32
  latest handshake: 1 minute, 44 seconds ago
  transfer: 257.15 MiB received, 264.27 MiB sent
  persistent keepalive: every 25 seconds
root@OpenWrt:~# 


Server

root@OpenWrt:~# ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: seq=0 ttl=64 time=6.112 ms
64 bytes from 192.168.1.1: seq=1 ttl=64 time=5.535 ms
64 bytes from 192.168.1.1: seq=2 ttl=64 time=6.276 ms
^C
--- 192.168.1.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 5.535/5.974/6.276 ms

root@OpenWrt:~# ping 192.168.1.211
PING 192.168.1.211 (192.168.1.211): 56 data bytes
64 bytes from 192.168.1.211: seq=0 ttl=63 time=87.072 ms
64 bytes from 192.168.1.211: seq=1 ttl=63 time=97.303 ms
64 bytes from 192.168.1.211: seq=2 ttl=63 time=14.101 ms
^C
--- 192.168.1.211 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 14.101/66.158/97.303 ms

root@OpenWrt:~# ping 10.9.0.2
PING 10.9.0.2 (10.9.0.2): 56 data bytes
64 bytes from 10.9.0.2: seq=0 ttl=64 time=5.865 ms
64 bytes from 10.9.0.2: seq=1 ttl=64 time=5.909 ms
64 bytes from 10.9.0.2: seq=2 ttl=64 time=5.791 ms
64 bytes from 10.9.0.2: seq=3 ttl=64 time=5.648 ms
^C
--- 10.9.0.2 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 5.648/5.803/5.909 ms

root@OpenWrt:~# wg
interface: wg0
  public key: <new server public key>
  private key: (hidden)
  listening port: 51820

peer: <new client public key>
  endpoint: xxx.xxx.6.121:51820
  allowed ips: 10.9.0.2/32, 192.168.1.0/24, 0.0.0.0/0
  latest handshake: 1 minute, 57 seconds ago
  transfer: 264.64 MiB received, 260.23 MiB sent
  persistent keepalive: every 25 seconds

The WG client doesn't appear to have any public IP.
Have you configured port forwarding on the upstream router?

Doesn't it pass ICMP pings?

Verify that the destination host firewalls allow incoming traffic from outside the local subnet.

The 0.0.0.0/0 is definitely not needed on the server and certainly diverts all traffic to the client, which you don't want.
I have the feeling that traffic on the server is not routed properly back to the client for some reason, because we were able to see the incoming packets, but nothing going back.
It doesn't really matter which router will be server and which one client, they are all called peers in wireguard.
What I would try is to make the current server a client and vice versa. If this doesn't work, start from scratch following the guides in the wiki and don't use the:

uci add_list network.wgserver.allowed_ips="0.0.0.0/0"
uci add_list network.wgserver.allowed_ips="::/0"

on the client.




I will reset everything and start over again. I will try to set up two routers on the same network first. If that works, I will proceed to set it up on separate networks.

I hope this is okay. Please help to check.

Server

config interface 'wg0'
	option proto 'wireguard'
	option listen_port '51820'
	list addresses '10.9.0.1/24'
	option private_key '*****cUw='
	option mtu '1400'

config wireguard_wg0
	option description 'WireGuard_wg0'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	option public_key '****cY0A='
	list allowed_ips '10.9.0.2/32'
	list allowed_ips '192.168.1.0/24'

root@OpenWrt:~# wg
interface: wg0
  public key: ****UIg4=
  private key: (hidden)
  listening port: 51820

peer: ****cY0A=
  endpoint: xxx.xxx.6.121:34271
  allowed ips: 10.9.0.2/32, 192.168.1.0/24
  latest handshake: 1 minute, 56 seconds ago
  transfer: 55.05 MiB received, 1.65 GiB sent
  persistent keepalive: every 25 seconds


root@OpenWrt:~# ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: seq=0 ttl=64 time=1.571 ms
64 bytes from 192.168.1.1: seq=1 ttl=64 time=0.848 ms
64 bytes from 192.168.1.1: seq=2 ttl=64 time=0.972 ms
64 bytes from 192.168.1.1: seq=3 ttl=64 time=0.966 ms
^C
--- 192.168.1.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.848/1.089/1.571 ms


root@OpenWrt:~# ping 10.9.0.2
PING 10.9.0.2 (10.9.0.2): 56 data bytes
64 bytes from 10.9.0.2: seq=0 ttl=64 time=1.167 ms
64 bytes from 10.9.0.2: seq=1 ttl=64 time=0.835 ms
64 bytes from 10.9.0.2: seq=2 ttl=64 time=1.142 ms
64 bytes from 10.9.0.2: seq=3 ttl=64 time=0.984 ms
^C
--- 10.9.0.2 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.835/1.032/1.167 ms

Client

config interface 'wg0'
	option proto 'wireguard'
	option private_key '****1EX8='
	list addresses '10.9.0.2/24'
	option mtu '1420'

config wireguard_wg0
	option description 'WireGuard_wg0'
	option public_key '*****UIg4='
	option route_allowed_ips '1'
	option endpoint_port '51820'
	option endpoint_host '******.duckdns.org'
	option persistent_keepalive '25'
	list allowed_ips '0.0.0.0/0'
	
interface: wg0
  public key: *****cY0A=
  private key: (hidden)
  listening port: 34271

peer: *****UIg4=
  endpoint: xxx.xxx.4.182:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 1 second ago
  transfer: 1.65 GiB received, 58.37 MiB sent
  persistent keepalive: every 25 seconds
  
root@OpenWrt:~# ping 192.168.2.1
PING 192.168.2.1 (192.168.2.1): 56 data bytes
64 bytes from 192.168.2.1: seq=0 ttl=64 time=0.949 ms
64 bytes from 192.168.2.1: seq=1 ttl=64 time=0.968 ms
64 bytes from 192.168.2.1: seq=2 ttl=64 time=0.940 ms
64 bytes from 192.168.2.1: seq=3 ttl=64 time=0.979 ms
^C
--- 192.168.2.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.940/0.959/0.979 ms

root@OpenWrt:~# ping 10.9.0.1
PING 10.9.0.1 (10.9.0.1): 56 data bytes
64 bytes from 10.9.0.1: seq=0 ttl=64 time=1.099 ms
64 bytes from 10.9.0.1: seq=1 ttl=64 time=0.925 ms
64 bytes from 10.9.0.1: seq=2 ttl=64 time=1.030 ms
64 bytes from 10.9.0.1: seq=3 ttl=64 time=0.922 ms
^C
--- 10.9.0.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.922/0.994/1.099 ms


root@OpenWrt:~# traceroute openwrt.org
traceroute to openwrt.org (139.59.209.225), 30 hops max, 46 byte packets
 1  10.9.0.1 (10.9.0.1)  0.669 ms  0.804 ms  0.747 ms
 2  xxx.xxx.240.1 (xxx.xxx.240.1)  3.330 ms  3.790 ms  3.559 ms
 3  xxx.xxx.44.153 (xxx.xxx.44.153)  4.768 ms  xxx.xx.44.157 (xxx.xx.44.157)  3.668 ms  3.343 ms
 4  xxx.xx.44.177 (xxx.xx.44.177)  3.530 ms  xxx.xx.44.173 (xxx.xx.44.173)  3.040 ms  183.90.44.177 (xxx.xx.44.177)  3.822 ms
 5  xxx.xxx.7.73 (xxx.xxx.7.73)  4.280 ms  xxx.xxx.7.77 (xxx.xxx.7.77)  4.250 ms  xxx.xxx.7.73 (xxx.xxx.7.73)  4.044 ms
 6  xxx.xxx.3.37 (xxx.xxx.3.37)  3.590 ms  xxx.xxx.3.75 (xxx.xxx.3.75)  3.663 ms  4.022 ms
 7  xxxx.net (xxx.xx.106.0)  3.580 ms  4.195 ms  3.902 ms
 8  *  *  *
 9  *  *  *
10  if-ae-2-2.tcore2.wyn-marseille.as6453.net (80.231.217.2)  170.653 ms  168.115 ms  170.452 ms
11  if-ae-7-2.tcore2.fnm-frankfurt.as6453.net (80.231.200.78)  157.130 ms  155.813 ms  155.986 ms
12  if-ae-12-80.tcore1.fnm-frankfurt.as6453.net (195.219.156.135)  161.653 ms  *  if-ae-4-2.tcore1.fr0-frankfurt.as6453.net (195.219.87.18)  153.702 ms
13  wiki-01.infra.openwrt.org (139.59.209.225)  168.242 ms  if-ae-9-2.tcore2.fr0-frankfurt.as6453.net (5.23.30.17)  152.874 ms  153.458 ms

First, it is wrong to use different MTUs. Start without the mtu option on both server and client and add it only if problems appear.
Other than that, the server is fine.
The client is now routing all traffic through the server. Replace allowed_ips '0.0.0.0/0' with

list allowed_ips '10.9.0.1/32'
list allowed_ips '192.168.2.0/24'

When I do this

list allowed_ips '10.9.0.1/32'
list allowed_ips '192.168.2.0/24'

on the client router, no data is seen on the interface.

Server

interface: wg0
  public key: ****UIg4=
  private key: (hidden)
  listening port: 51820

peer: ****cY0A=
  endpoint: xxx.xxx.6.121:51798
  allowed ips: 10.9.0.2/32, 192.168.1.0/24
  latest handshake: 1 minute, 46 seconds ago
  transfer: 255.46 KiB received, 387.00 KiB sent
  persistent keepalive: every 25 seconds
  
root@OpenWrt:~# ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: seq=0 ttl=64 time=6.852 ms
64 bytes from 192.168.1.1: seq=1 ttl=64 time=6.035 ms
64 bytes from 192.168.1.1: seq=2 ttl=64 time=6.429 ms
^C
--- 192.168.1.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 6.035/6.438/6.852 ms
root@OpenWrt:~# ping 10.9.0.2
PING 10.9.0.2 (10.9.0.2): 56 data bytes
64 bytes from 10.9.0.2: seq=0 ttl=64 time=6.829 ms
64 bytes from 10.9.0.2: seq=1 ttl=64 time=6.220 ms
64 bytes from 10.9.0.2: seq=2 ttl=64 time=6.327 ms
^C
--- 10.9.0.2 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 6.220/6.458/6.829 ms

Client

interface: wg0
  public key: ****cY0A=
  private key: (hidden)
  listening port: 51798

peer: ****UIg4=
  endpoint: xx.xx.115.209:51820
  allowed ips: 10.9.0.1/32, 192.168.2.0/24
  latest handshake: 13 seconds ago
  transfer: 206.75 KiB received, 60.16 KiB sent
  persistent keepalive: every 25 seconds

root@OpenWrt:~# ping 192.168.2.1
PING 192.168.2.1 (192.168.2.1): 56 data bytes
64 bytes from 192.168.2.1: seq=0 ttl=64 time=6.481 ms
64 bytes from 192.168.2.1: seq=1 ttl=64 time=6.091 ms
64 bytes from 192.168.2.1: seq=2 ttl=64 time=6.011 ms
^C
--- 192.168.2.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 6.011/6.194/6.481 ms
root@OpenWrt:~# ping 10.9.0.1
PING 10.9.0.1 (10.9.0.1): 56 data bytes
64 bytes from 10.9.0.1: seq=0 ttl=64 time=6.265 ms
64 bytes from 10.9.0.1: seq=1 ttl=64 time=5.932 ms
64 bytes from 10.9.0.1: seq=2 ttl=64 time=6.117 ms
^C
--- 10.9.0.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 5.932/6.104/6.265 ms

Firewall

config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option network 'tun0 ipsec0'

config forwarding
	option src 'lan'
	option dest 'vpn'

config forwarding
	option src 'vpn'
	option dest 'wan'

config forwarding
	option src 'vpn'
	option dest 'lan'

config rule
	option name 'Allow-WireGuard'
	option src 'wan'
	option proto 'udp'
	option dest_port '51820'
	option target 'ACCEPT'

config redirect
	option target 'DNAT'
	option name 'Wireguard'
	list proto 'udp'
	option src 'wan'
	option src_dport '51820'
	option dest_ip '192.168.1.1'
	option dest_port '51820'
	option dest 'lan'

This redirect is wrong; remove it.
Other than that, I don't see where the error is. Your pings are successful both ways.


There's no data seen on the interface, but I can ping both ways. I think the only way it works is to allow all traffic to pass through.

Check connectivity with a protocol other than ICMP.
Verify results with tcpdump running on the router.

This is quite technical and I am not sure how to do it. However, I just want to know whether there is any harm in allowing all traffic to pass through. I am asking because the wiki guide states the following for the client configuration.

uci add_list network.wgserver.allowed_ips="0.0.0.0/0"
uci add_list network.wgserver.allowed_ips="::/0"

This is to route all client traffic to the VPN by default.
You can disable gateway redirection if you don't need it.

A site-to-site connection is used to provide connectivity between the server and client LANs.
It does not actually require routing all client traffic through the VPN.
