[Solved] How to allow all traffic to be forwarded through WireGuard?

Context

I have a working WireGuard client in my OpenWRT LXC container. I need to route all LAN traffic via it.

I tried to create a WireGuard zone and edit the forwarding options, but it doesn't work as it should. The firewall allows traffic only to the LAN network (10.20.20.0/24) and the internal VPN network (10.66.66.0/24), but not to the external network (it returns a "Destination Port Unreachable" error).

Ping results

root@test:~# ping -t 10 -c 10 10.20.20.1
PING 10.20.20.1 (10.20.20.1) 56(84) bytes of data.
64 bytes from 10.20.20.1: icmp_seq=1 ttl=64 time=0.108 ms
64 bytes from 10.20.20.1: icmp_seq=2 ttl=64 time=0.098 ms
64 bytes from 10.20.20.1: icmp_seq=3 ttl=64 time=0.099 ms
64 bytes from 10.20.20.1: icmp_seq=4 ttl=64 time=0.099 ms
64 bytes from 10.20.20.1: icmp_seq=5 ttl=64 time=0.086 ms
64 bytes from 10.20.20.1: icmp_seq=6 ttl=64 time=0.087 ms
64 bytes from 10.20.20.1: icmp_seq=7 ttl=64 time=0.095 ms
64 bytes from 10.20.20.1: icmp_seq=8 ttl=64 time=0.102 ms
64 bytes from 10.20.20.1: icmp_seq=9 ttl=64 time=0.105 ms
64 bytes from 10.20.20.1: icmp_seq=10 ttl=64 time=0.090 ms

--- 10.20.20.1 ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 9226ms
rtt min/avg/max/mdev = 0.086/0.096/0.108/0.007 ms
root@test:~# ping -t 10 -c 10 10.66.66.1
PING 10.66.66.1 (10.66.66.1) 56(84) bytes of data.
64 bytes from 10.66.66.1: icmp_seq=1 ttl=63 time=77.9 ms
64 bytes from 10.66.66.1: icmp_seq=2 ttl=63 time=78.5 ms
64 bytes from 10.66.66.1: icmp_seq=3 ttl=63 time=78.3 ms
64 bytes from 10.66.66.1: icmp_seq=4 ttl=63 time=77.4 ms
64 bytes from 10.66.66.1: icmp_seq=5 ttl=63 time=78.4 ms
64 bytes from 10.66.66.1: icmp_seq=6 ttl=63 time=76.8 ms
64 bytes from 10.66.66.1: icmp_seq=7 ttl=63 time=78.4 ms
64 bytes from 10.66.66.1: icmp_seq=8 ttl=63 time=78.5 ms
64 bytes from 10.66.66.1: icmp_seq=9 ttl=63 time=78.4 ms
64 bytes from 10.66.66.1: icmp_seq=10 ttl=63 time=78.3 ms

--- 10.66.66.1 ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 9014ms
rtt min/avg/max/mdev = 76.831/78.084/78.547/0.531 ms
root@test:~# ping -t 10 -c 10 64.226.122.113 # IP of the "openwrt.org" domain
PING 64.226.122.113 (64.226.122.113) 56(84) bytes of data.
From 10.20.20.1 icmp_seq=1 Destination Port Unreachable
From 10.20.20.1 icmp_seq=2 Destination Port Unreachable
From 10.20.20.1 icmp_seq=3 Destination Port Unreachable
From 10.20.20.1 icmp_seq=4 Destination Port Unreachable
From 10.20.20.1 icmp_seq=5 Destination Port Unreachable
From 10.20.20.1 icmp_seq=6 Destination Port Unreachable
From 10.20.20.1 icmp_seq=7 Destination Port Unreachable
From 10.20.20.1 icmp_seq=8 Destination Port Unreachable
From 10.20.20.1 icmp_seq=9 Destination Port Unreachable
From 10.20.20.1 icmp_seq=10 Destination Port Unreachable

--- 64.226.122.113 ping statistics ---
10 packets transmitted, 0 received, +10 errors, 100% packet loss, time 9256ms

Router configuration

root@tails:~# ubus call system board
{
        "kernel": "6.8.12-5-pve",
        "hostname": "tails.routers.xxx",
        "system": "AMD FX(tm)-6300 Six-Core Processor",
        "model": "ASUSTeK Computer INC. M5A78L-M LX3",
        "board_name": "asustek-computer-inc-m5a78l-m-lx3",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.5",
                "revision": "r24106-10cc5fcd00",
                "target": "x86/64",
                "description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
        }
}
root@tails:~# cat /etc/config/network

config interface 'loopback'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option device 'lo'

config interface 'wan'
        option proto 'dhcp'
        option device 'eth0'

config interface 'wan6'
        option proto 'dhcpv6'
        option device 'eth0'

config device 'lan_br'
        option type 'bridge'
        option name 'br-lan'
        list ports 'eth1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '10.20.20.1'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'xxx'
        option mtu '1300'
        list addresses '10.66.66.2/24'

config wireguard_wg0
        option description 'xxx'
        option public_key 'xxx'
        option preshared_key 'xxx'
        option endpoint_host 'xxx'
        option endpoint_port 'xxx'
        option persistent_keepalive '15'
        list allowed_ips '0.0.0.0/0'

root@tails:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Allow-OpenWRT-SSH'
        option src 'wan'
        option proto 'tcp'
        option family 'ipv4'
        option dest_port '22'
        option target 'ACCEPT'

config rule
        option name 'Allow-OpenWRT-HTTP'
        option src 'wan'
        option proto 'tcp'
        option family 'ipv4'
        option dest_port '80'
        option target 'ACCEPT'

config rule
        option name 'Allow-OpenWRT-HTTPS'
        option src 'wan'
        option proto 'tcp'
        option family 'ipv4'
        option dest_port '443'
        option target 'ACCEPT'

config zone
        option name 'wg0'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wg0'

config forwarding
        option src 'lan'
        option dest 'wg0'

Try this: Enable Route Allowed IPs

  • Make sure you use endpoint IP and not hostname (so you don't have chicken-or-the-egg DNS issue)
  • Add option route_allowed_ips '1'
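The fix above (route_allowed_ips '1') together with the masquerading wg0 zone and the lan to wg0 forwarding the OP already had are the pieces a full tunnel needs. As an added example that is not from the thread or from OpenWrt, this Python checker parses the two UCI files and reports which piece is missing; the sample configs are constructed (keys and endpoint omitted), and the parser covers only the config/option/list statements seen on this page.

```python
import ipaddress
import shlex

def parse_uci(text):
    """Parse UCI text into (type, name, {key: [values]}); anonymous sections get name None."""
    sections = []
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)
        if len(parts) >= 2 and parts[0] == "config":
            sections.append((parts[1], parts[2] if len(parts) > 2 else None, {}))
        elif len(parts) == 3 and parts[0] in ("option", "list") and sections:
            sections[-1][2].setdefault(parts[1], []).append(parts[2])
    return sections

def lint_full_tunnel(network_text, firewall_text, lan_zone="lan"):
    """Report what a route-everything WireGuard setup still lacks (route, masq, forwarding)."""
    findings, net, fw = [], parse_uci(network_text), parse_uci(firewall_text)
    for typ, name, opts in net:
        if typ != "interface" or opts.get("proto") != ["wireguard"]:
            continue
        peers = [o for t, _, o in net if t == "wireguard_" + name]
        if not any(ipaddress.ip_network(a, strict=False).prefixlen == 0
                   for p in peers for a in p.get("allowed_ips", [])):
            continue  # no peer claims 0.0.0.0/0 or ::/0, so this is not a full tunnel
        if opts.get("route_allowed_ips") != ["1"]:
            findings.append(f"{name}: allowed_ips covers 0.0.0.0/0 but route_allowed_ips is not '1'")
        zone = next((o for t, _, o in fw if t == "zone" and name in o.get("network", [])), {})
        zname = zone.get("name", ["<no zone>"])[0]
        if zone.get("masq") != ["1"]:
            findings.append(f"{name}: zone {zname} has no masq, LAN sources leave untranslated")
        if not any(t == "forwarding" and o.get("src") == [lan_zone] and o.get("dest") == [zname]
                   for t, _, o in fw):
            findings.append(f"{name}: no forwarding from zone {lan_zone} to zone {zname}")
    return findings

# Constructed sample mirroring the thread's config before the fix; route_allowed_ips is missing.
NETWORK = """config interface 'wg0'
option proto 'wireguard'
config wireguard_wg0
list allowed_ips '0.0.0.0/0'
"""
FIREWALL = """config zone
option name 'wg0'
option masq '1'
list network 'wg0'
config forwarding
option src 'lan'
option dest 'wg0'
"""
# The same network config with the option from the accepted answer added to the interface.
FIXED_NETWORK = NETWORK.replace("option proto 'wireguard'", "option proto 'wireguard'\noption route_allowed_ips '1'")
```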

Yes, I use the endpoint IP instead of its hostname.

My bad. I forgot to set it, and now it works.

root@test:~# ping -c 10 64.226.122.113
PING 64.226.122.113 (64.226.122.113) 56(84) bytes of data.
64 bytes from 64.226.122.113: icmp_seq=1 ttl=51 time=81.9 ms
64 bytes from 64.226.122.113: icmp_seq=2 ttl=51 time=82.5 ms
64 bytes from 64.226.122.113: icmp_seq=3 ttl=51 time=83.5 ms
64 bytes from 64.226.122.113: icmp_seq=4 ttl=51 time=82.5 ms
64 bytes from 64.226.122.113: icmp_seq=5 ttl=51 time=83.1 ms
64 bytes from 64.226.122.113: icmp_seq=6 ttl=51 time=82.5 ms
64 bytes from 64.226.122.113: icmp_seq=7 ttl=51 time=82.7 ms
64 bytes from 64.226.122.113: icmp_seq=8 ttl=51 time=82.2 ms
64 bytes from 64.226.122.113: icmp_seq=9 ttl=51 time=82.5 ms
64 bytes from 64.226.122.113: icmp_seq=10 ttl=51 time=82.2 ms

--- 64.226.122.113 ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 9014ms
rtt min/avg/max/mdev = 81.882/82.567/83.526/0.447 ms

Thanks for pointing out such a silly mistake guys.


You need a route specifically to allow the connection to the VPN endpoint:

config route
        option interface 'wan'
        option target '[ip of endpoint]/32'
        option gateway '[ip of wan gateway]'

I guess you must have already done it for it to work :grinning:

In my case, it won't work due to endpoint IP being localhost (connection to endpoint is proxied via Xray).

Yes. :slight_smile:

Glad to hear you solved it :slight_smile:

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:


OP asked about Wireguard

0.0.0.0/0 would be the entire Internet.

Layer 3 interfaces don't use this parameter.

But yes, a route network config could be made instead of checking a simple box (or changing a config to 1 on the command line).

