[Solved] Accessing network behind router cascade

Hello,

I got into some problems setting up my network the way I want it to work.
The current setup is as following:

laptop + -------wireguard----- + isp router + ----------+ open WRT + ----- + my LAN+---...

I connect from my laptop via WireGuard to the ISP's router (Telekom Speedport with WireGuard configurable). The network between the OpenWrt router and the ISP's router is owned by my girlfriend. She works from home and I don't want to be responsible for her missing work, therefore I don't touch this network (also I can't really, because the Speedport cannot be configured to my needs). The OpenWrt router is the router into my personal LAN, which no one but me relies on.
To access my LAN from afar, I have set up a jump host in my girlfriend's network to connect to via WireGuard and ssh. There is no way to set up a route from the ISP's router to my LAN, or perhaps I haven't found out how. Therefore I cannot access my LAN directly from the WireGuard interface.

However, I want to have access to services like the NAS, Pi-hole etc. directly via WireGuard. Port forwarding on OpenWrt works in the case of Pi-hole but fails with the NAS. I also don't feel too comfortable with the port forwarding idea.

Do you have any ideas or solutions for how to solve my problem?

I tried other things like setting up a WireGuard server on the jump host, but I couldn't get it to work (the attempt was port forwarding the WireGuard port to the jump host). What also came to mind was a GRE tunnel, but I haven't found a way to reach my laptop's VPN address.

Any suggestions welcome :slight_smile: I just ran out of ideas and have been tinkering on this for some time now.

Why not set up WireGuard on your OpenWrt router, then port-forward from the ISP router to your OpenWrt device. This way, the WG tunnel terminates on OpenWrt and you can access either network without issue.

You should try Tailscale, which is built on top of Wireguard and can be installed on various devices including OpenWrt, Linux, Mac, Windows, iOS, Android, Docker. You can set it to advertise subnets on particular clients and not others. No port forwarding, no public internet presence, lots of options for ACLs. You can use public control servers or host your own control server using Headscale.

Edit: Or there are other similar options like zerotier, netmaker, and netbird. I believe all these have clients for OpenWrt. I have only personally used zerotier and tailscale.

Edit 2: Or nebula, made by slack but seems to be open source, but I have no experience with that either.

Edit 3: These sorts of protocols are generally called overlay networks or software defined networks. Most of the ones that I have mentioned have an external control server that makes life a lot easier. The control server is often provided by a third party, but the protocol is encrypted end to end to protect you to a large extent; however, you can self-host Tailscale's server using Headscale, and possibly similar with others like Netbird and Nebula. To self-host any solution might require you to use dyndns or rent your own cheap server with a fixed IP; for instance, see some discussion of this on the nebula GitHub page.

Zerotier uses its own protocol (afaik) while most others are based on Wireguard, which is in turn based on the noise protocol to some extent. Nebula says it is based on noise, so effectively it has similar roots to Wireguard and the others based on it, but I have no idea how similar it is.

I believe the Wireguard protocol has lower overhead than the zerotier protocol, so I believe in theory it can have higher throughput, though I am not sure how much difference it makes in practice.

I believe some lean away from OpenVPN purely because of the code/install size.

I am far from an expert on these matters and have only used two of these products, so please do your own research, or others may chime in and clarify or correct me.


Thank you for the replies. I will test and try some of it.
@psherman The setup with port forwarding didn't work. So I assumed that it was because the wireguard (wg) protocol detects that it is forwarded. Then my assumption was that it couldn't work. You gave me confidence to try again, I may have made a mistake the last time.

@rygle With the external control server I could bypass my problem with NAT. I will give it a shot after I have tried port forwarding.

No, it has no way to know this. In fact, my own WG VPN is running on a Pi4 (OpenWrt) that is sitting on my LAN and port forwarded from my main router.

Let's see the details of what you had configured on your OpenWrt router:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

```
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
```

Also show us the port forward as configured on the main router.

```
ubus call system board
{
        "kernel": "5.15.137",
        "hostname": "openwrtrouter",
        "system": "Qualcomm Atheros QCA9558 ver 1 rev 0",
        "model": "TP-Link TL-WR1043ND v2",
        "board_name": "tplink,tl-wr1043nd-v2",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.2",
                "revision": "r23630-842932a63d",
                "target": "ath79/generic",
                "description": "OpenWrt 23.05.2 r23630-842932a63d"
        }
}
```

```
cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd8a:18a9:6a9f::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '192.168.2.10'

config interface 'wan'
        option device 'eth0.2'
        option proto 'static'
        option ipaddr '192.168.1.2'
        option netmask '255.255.255.0'
        option gateway '192.168.1.1'
        list dns '192.168.2.10'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 6t'

config route
        option interface 'wan'
        option target '0.0.0.0/0'
        option gateway '192.168.1.1'

config interface 'wg1'
        option proto 'wireguard'
        option private_key '***********************'
        option listen_port '52279'
        list addresses '10.100.100.1/24'
        list addresses 'fd00:100::1/64'

config wireguard_wg1 'wgclient'
        option public_key '******************'
        option preshared_key '******************'
        list allowed_ips '10.100.100.2/32'
        list allowed_ips 'fd00:100::2/128'
```

```
cat /etc/config/firewall
config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone 'lan'
        option name 'lan'
        list network 'lan'
        list network 'wg1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone 'wan'
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config forwarding
        option src 'wan'
        option dest 'lan'

config rule
        option name 'Deny-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'DROP'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src_ip '192.168.1.0/24'
        option dest_ip '192.168.2.0/24'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'allow ssh wan'
        option src 'wan'
        list dest_ip '192.168.1.2'
        list src_ip '192.168.1.0/24'
        list src_ip '10.200.200.0/24'
        list proto 'tcp'
        option dest_port '22'
        option target 'ACCEPT'

config rule
        option name 'allow icmp pass'
        option src 'wan'
        list dest_ip '192.168.2.0/24'
        list src_ip '192.168.1.0/24'
        list proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'allow luci wan interface'
        option src 'wan'
        list dest_ip '192.168.1.2'
        list src_ip '10.200.200.0/24'
        list src_ip '192.168.1.0/24'
        list proto 'tcp'
        option dest_port '80'
        option target 'ACCEPT'

config rule
        option name 'allow ssh through'
        option src 'wan'
        list dest_ip '192.168.2.0/24'
        list src_ip '192.168.1.0/24'
        list proto 'tcp'
        list dest_port '22'
        option target 'ACCEPT'

config rule
        option name 'allow dns through'
        option src 'wan'
        list dest_ip '192.168.2.10'
        list src_ip '192.168.1.0/24'
        list proto 'udp'
        list proto 'tcp'
        list dest_port '53'
        option target 'ACCEPT'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '5001'
        option dest_ip '192.168.2.5'
        option dest_port '5001'
        option enabled '1'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '5022'
        option dest_ip '192.168.2.5'
        option dest_port '7807'
        option enabled '1'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '8080'
        option dest_ip '192.168.2.10'
        option dest_port '80'
        option enabled '1'

config rule 'wg'
        option name 'Allow-WireGuard'
        option src 'wan'
        option dest_port '52279'
        option proto 'udp'
        option target 'ACCEPT'
```

There are a lot of messy redirects and "features" like LuCI and ssh on the wan interface. I will clean up after I get it working :smiley:

On my ISP's router I forwarded port 52279. However, it seems that this isn't working. Nmap does not show this port as open on the ISP router's wan interface.
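Before cleaning up a firewall like the one above, it helps to have a list of exactly what the wan zone accepts or redirects. The script below is an added example written for this thread, not something posted in it or shipped with OpenWrt: a POSIX sh function that runs `awk` over a UCI `/etc/config/firewall` and prints every rule that accepts traffic from `wan` and every DNAT redirect out of it. It also applies the documented UCI semantics that a rule with `option src` but no `option dest` is an input rule (traffic to the router itself) rather than a forwarding rule, which is what makes rules like `allow ssh wan` and `allow luci wan interface` stand out. The sample config it runs on is a constructed, shortened file in the same format as the one posted above, with the same kind of placeholder addresses.

```shell
#!/bin/sh
# Added example, not from the thread: summarise what a UCI /etc/config/firewall
# accepts from, or redirects out of, the wan zone, so "features" such as ssh and
# LuCI on the wan side can be reviewed before the cleanup. POSIX sh + awk only.
# Per the OpenWrt firewall docs, a rule with 'option src' but no 'option dest'
# is an INPUT rule (traffic to the router itself), not a forwarding rule.

audit_wan_exposure() {   # usage: audit_wan_exposure [/etc/config/firewall]   (default: stdin)
    awk -v q="'" '
    function getval(   i, s) {          # join $3..$NF and strip the UCI quotes
        s = $3
        for (i = 4; i <= NF; i++) s = s " " $i
        gsub(q, "", s)
        return s
    }
    function orv(s) { return s == "" ? "-" : s }
    function emit() {                   # called at every section boundary
        if (type == "redirect" && target == "") target = "DNAT"   # UCI default
        if (type == "rule" && src == "wan" && target == "ACCEPT") {
            if (dest == "")
                printf "input   wan -> router proto=%s dport=%s dest_ip=%s (%s)\n",
                       orv(proto), orv(dport), orv(dip), name
            else
                printf "forward wan -> %s proto=%s dport=%s dest_ip=%s (%s)\n",
                       dest, orv(proto), orv(dport), orv(dip), name
        } else if (type == "redirect" && src == "wan" && target == "DNAT")
            printf "dnat    wan:%s -> %s:%s proto=%s\n",
                   orv(sdport), orv(dip), orv(dport), orv(proto)
        type = src = dest = target = proto = dport = sdport = dip = name = ""
    }
    $1 == "config" { emit(); type = $2; next }
    $1 == "option" || $1 == "list" {
        v = getval()
        if      ($2 == "name")      name   = v
        else if ($2 == "src")       src    = v
        else if ($2 == "dest")      dest   = v
        else if ($2 == "target")    target = v
        else if ($2 == "proto")     proto  = (proto  == "" ? v : proto  "," v)
        else if ($2 == "dest_port") dport  = (dport  == "" ? v : dport  "," v)
        else if ($2 == "dest_ip")   dip    = (dip    == "" ? v : dip    "," v)
        else if ($2 == "src_dport") sdport = v
    }
    END { emit() }
    ' "${1:--}"
}

# Constructed sample in the thread's format (shortened; placeholder values, not the real file)
SAMPLE_FW=$(cat <<'EOF'
config defaults
        option input 'REJECT'
        option forward 'ACCEPT'

config zone 'wan'
        option name 'wan'
        list network 'wan'
        option input 'REJECT'
        option masq '1'

config rule
        option name 'allow ssh wan'
        option src 'wan'
        list dest_ip '192.168.1.2'
        list src_ip '192.168.1.0/24'
        list proto 'tcp'
        option dest_port '22'
        option target 'ACCEPT'

config rule
        option name 'allow dns through'
        option src 'wan'
        list dest_ip '192.168.2.10'
        list src_ip '192.168.1.0/24'
        list proto 'udp'
        list proto 'tcp'
        list dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '5001'
        option dest_ip '192.168.2.5'
        option dest_port '5001'

config rule 'wg'
        option name 'Allow-WireGuard'
        option src 'wan'
        option dest_port '52279'
        option proto 'udp'
        option target 'ACCEPT'
EOF
)

printf '%s\n' "$SAMPLE_FW" | audit_wan_exposure
# On the router itself:  audit_wan_exposure /etc/config/firewall
```

Every line tagged `input` is a service on the router reachable from the wan side; the `allow ... through` rules with a `dest_ip` in the LAN but no `dest` zone land in that category too, which is worth knowing before deciding which of them to keep.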

remove this:

Add option route_allowed_ips '1' to the peer config:

You have a whole bunch of rules that simply won't work because of the fact that masquerading is enabled... but they shouldn't cause problems here.

Can you show us this (screenshot or text output from the main router)? Is anything else on this router using the same port?

It won't... WireGuard doesn't respond unless the cryptographic keys are all correct. So the port appears to be closed to any scanner.

Restart your router and try again. Report back.
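Because WireGuard never answers an unauthenticated packet, the nmap result above cannot tell whether the forward on the ISP router works; the reliable signal is whether a handshake completed. The helper below is an added example for this thread, not code from the thread or from the WireGuard project: it reads the output of `wg show wg1 latest-handshakes` (one `<peer public key>\t<unix time>` line per peer, `0` meaning no handshake ever) and classifies each peer against a clock value and a maximum age. The interface name `wg1` is taken from the config posted above; the peer keys and timestamps in the sample are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. WireGuard stays silent to any packet that
# is not authenticated with the right keys, so a port scan on the ISP router
# says nothing about whether the tunnel works. The reliable check is the
# handshake timestamp the kernel reports:
#     wg show wg1 latest-handshakes      ->  "<peer public key>\t<unix time>"
# where 0 means no handshake has ever completed. This function reads that
# output on stdin and classifies each peer against a clock value and a maximum
# age (default 180 s: an active peer re-handshakes at least every ~2 minutes,
# so an older timestamp on a peer that should be passing traffic means the
# tunnel is down; an idle peer without PersistentKeepalive also looks stale).
# Exit status 1 if any peer is stale or has never handshaked, 0 otherwise.

wg_stale_peers() {   # usage: wg show wg1 latest-handshakes | wg_stale_peers NOW [MAX_AGE]
    awk -v now="$1" -v max="${2:-180}" '
    BEGIN { bad = 0 }
    NF >= 2 {
        key = substr($1, 1, 8) "..."            # shorten the key for display only
        age = now - $2
        if ($2 == 0)        { printf "%s never handshaked\n", key; bad = 1 }
        else if (age > max) { printf "%s stale (last handshake %ds ago)\n", key, age; bad = 1 }
        else                  printf "%s ok (%ds ago)\n", key, age
    }
    END { exit bad }'
}

# Constructed sample: three placeholder peer keys (not real keys) with a fixed
# clock of 1700000100 so the output is reproducible.
SAMPLE_HS=$(printf '%s\t%s\n' \
    'peerA000000000000000000000000000000000000000=' 1700000000 \
    'peerB000000000000000000000000000000000000000=' 0 \
    'peerC000000000000000000000000000000000000000=' 1699999000)

if printf '%s\n' "$SAMPLE_HS" | wg_stale_peers 1700000100; then
    echo "all peers healthy"
else
    echo "at least one peer needs attention"
fi
# On the router: wg show wg1 latest-handshakes | wg_stale_peers "$(date +%s)"
```

Running this on the OpenWrt side while the laptop tries to connect separates the two failure cases the thread ran into: a peer that shows `never handshaked` while packets are arriving points at a key or preshared-key mismatch, whereas a peer that never moves away from `never handshaked` and no packet counters change in `wg show wg1 transfer` points at the forward on the upstream router.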

Oh my gosh...
I found out my mistake! Supposedly I used a faulty key configuration and assumed that it wouldn't work with port forwarding. My nmap 'test' made me believe that my theory was right.
The firewall rules stayed untouched so far, but now I am going to change that! Thank you very much for the recommendations and advice.

Just to make it all clear, this is the port forwarding I used:

If you have any more recommendations on firewall setup etc. let me know though I will dig through this in the coming days.

You can remove the TCP forwarding from the main router. WireGuard is UDP only.

I did and it still works. Again thank you very much!

You’re welcome!

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.