[SOLVED] Need help routing traffic

So I have proxmox set up with a few lxc's and an lxc dedicated to openwrt with nordvpn already set up with wireguard. The vpn seems to work because I can go to status/wireguard and it shows the connection with the ip address it's receiving. However, for the life of me I cannot figure out how to route specific lxc's through this vpn.

config interface 'wan6'
        option proto 'dhcpv6'
        option device 'eth0'

config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '10.1.7.150'
        option gateway '10.1.7.1'
        list dns '8.8.8.8'
        list dns '8.8.4.4'
        option device 'br-lan'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'wg'
        option proto 'wireguard'
        option private_key 'REDACTED='
        list addresses '10.5.0.2'
        option mtu '1420'

config wireguard_wg
        option description 'nordvpn-uk2036.conf'
        option public_key 'REDACTED='
        list allowed_ips '0.0.0.0/0'
        option endpoint_host 'uk2036.nordvpn.com'
        option endpoint_port '51820'





root@openwrt-lxc:/# cat /etc/config/network 

config interface 'loopback'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option device 'lo'

config interface 'wan'
        option proto 'dhcp'
        option device 'eth0'

config interface 'wan6'
        option proto 'dhcpv6'
        option device 'eth0'

config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '10.1.7.150'
        option gateway '10.1.7.1'
        list dns '8.8.8.8'
        list dns '8.8.4.4'
        option device 'br-lan'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'wg'
        option proto 'wireguard'
        option private_key 'REDACTED='
        list addresses '10.5.0.2'
        option mtu '1420'

config wireguard_wg
        option description 'nordvpn-uk2036.conf'
        option public_key 'REDACTED='
        list allowed_ips '0.0.0.0/0'
        option endpoint_host 'uk2036.nordvpn.com'
        option endpoint_port '51820'
config defaults
        option input 'DROP'
        option output 'DROP'
        option forward 'DROP'
        option synflood_protect '1'
        option drop_invalid '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'wg'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'wgfirewall'
        option input 'DROP'
        option output 'DROP'
        option forward 'DROP'
        list network 'wg'
        option masq '1'

config forwarding
        option src 'lan'
        option dest 'wgfirewall'

config rule
        option name 'Allow_DNS_OUT'
        option target 'ACCEPT'
        option dest 'wgfirewall'
        option dest_port '53'

config rule
        option name 'Allow_HTTP(S)_OUT'
        list proto 'tcp'
        option target 'ACCEPT'
        option dest 'wgfirewall'
        option dest_port '80-443'

config rule
        option name 'qbt'
        option dest 'wgfirewall'
        option dest_port '57399'
        option target 'ACCEPT'

Before looking at any of the details, I have (as an admin) taken the liberty to redact your WG keys. Live/real keys should never be posted publicly. Although I've reduced the exposure, you should consider the keys as compromised and create new keys for security reasons.

I'll take a quick look at your configs now.

Thank you very much and I'm sorry about that. I've been beating my head against the wall over this for the last few days.

So this is not the main router, correct? It looks like the main router is 10.1.7.1 and this device is 10.1.7.150.

While there are other issues to address in your config, they are all irrelevant unless you can steer the hosts on your network to use this device (10.1.7.150) as their gateway. This can be done in three ways:

  1. Adjust the DHCP server (presumably on the main router) to specify a gateway address of 10.1.7.150 (normally it would specify 10.1.7.1).
  2. Manually configure the hosts to use this device as the gateway. This usually means setting a static IP configuration (fully manual) on each individual host.
  3. Run this lxc VM as a router and put all hosts behind this device. This would potentially require some additional hardware, depending on the physical infrastructure/topology you've currently got.

I have the lxc's setup to use the gateway of 10.1.7.150

Is it only the other LXC containers that need to use the WG tunnel, or do you want other hosts (i.e. phones, computers, etc.) on your network to be using the tunnel?

Just a few other lxc's

You have both the wan and br-lan using eth0. If you're not using the wan interfaces, remove either the entire section or at least the device line:

add route allowed_ips '1' to the wg peer stanza:

Remove the wan network from the lan zone:

Remove the wg network from the wan zone.

Set the output rule to accept on the wgfirewall zone:

These are all unnecessary and can be deleted:

Then restart and test again.

I got everything taken care of, but on this part do you mean to just add that to the config wireguard_wg section?

I did the following for that one section. I restarted after applying all the changes, but my lxc is still receiving a public ip and not being routed through the vpn.

config wireguard_wg
        route allowed_ips '1'
        option description 'nordvpn-uk2036.conf'
        option public_key 'K53l2wOIHU3262sX5N/5kAvCvt4r55lNui30EbvaDlE='
        list allowed_ips '0.0.0.0/0'
        option endpoint_host 'uk2036.nordvpn.com'
        option endpoint_port '51820'

oh... I'm sorry... it should look like this:

config wireguard_wg
        option route_allowed_ips '1'
        option description 'nordvpn-uk2036.conf'
        option public_key 'K53l2wOIHU3262sX5N/5kAvCvt4r55lNui30EbvaDlE='
        list allowed_ips '0.0.0.0/0'
        option endpoint_host 'uk2036.nordvpn.com'
        option endpoint_port '51820'

Then restart and try again.

Still the same thing. I have the other lxc as the following
ip addr 10.1.7.100
gateway 10.1.7.150

I'm using curl icanhazip.com to check and it keeps showing my public ip instead of the vpn ip

from the router, what is the output of

wg show

And if you run a traceroute to a public site, what do you see -- does it go through the tunnel or straight out the regular public IP?

interface: wg
public key: =
private key: (hidden)
listening port: 42318

peer: =
endpoint: 109.70.144.26:51820
allowed ips: 0.0.0.0/0

root@qbittorrent:~# traceroute cnn.com
traceroute to cnn.com (151.101.3.5), 30 hops max, 60 byte packets
1 10.1.7.150 (10.1.7.150) 0.428 ms 0.343 ms 0.326 ms
2 www.routerlogin.com (10.1.7.1) 0.537 ms 0.494 ms 0.585 ms
3 209x183x160x160.static.newroadstelecom.net (209.183.160.160) 4.993 ms 4.970 ms 5.058 ms
4 * * *
5 209x183x160x110.static.newroadstelecom.net (209.183.160.110) 5.562 ms 5.542 ms 5.549 ms
6 216.198.176.233 (216.198.176.233) 32.750 ms 30.406 ms 30.373 ms
7 static73-216-198-168.dobsontechnologies.net (216.198.168.73) 13.145 ms 11.941 ms 12.035 ms
8 static26-216-198-168.dobsontechnologies.net (216.198.168.26) 14.865 ms 15.395 ms 15.365 ms
9 ca-3-1-c11.ter1.dfw2.us.zip.zayo.com (64.124.65.129) 15.440 ms 15.281 ms 15.396 ms

There is no handshake for WG (your `wg show` output has no `latest handshake:` line for the peer). This means your tunnel isn't actually working.

You may have an issue with the keys or something else... the best way to handle this is to look at the VPN provider's documentation and support articles. Also, since you need to create new keys, do that and make sure they're configured properly.

I thought I had a handshake because the ip 109.70.144.26 got resolved. Sorry, I know very little about networking

This is a public IP, so it should be resolvable... that's the endpoint to which you need to connect to establish the tunnel.

If there was a handshake, you would see something like this:

peer: REDACTED=
  preshared key: (hidden)
  endpoint: REDACTED
  allowed ips: 10.0.21.2/32
  latest handshake: 5 seconds ago
  transfer: 1.17 MiB received, 71.34 MiB sent
  persistent keepalive: every 25 seconds

ohhh ok. I guess I need to work on that first lol. Thank you so much. I'll let you know what I get worked out