[SOLVED] Raspberry Pi 3 B Running Wireguard Behind Main Router

Based on the recommendation from another topic, I am trying to get a WireGuard server running on an RP3B which is connected to my main router, an RP4. I have set up port forwarding on the main router to forward port 51820 to the static IP of the RP3B, which was assigned by the RP4 router.

I installed WireGuard on it and I am running into two problems. 1. When using my DDNS address in the peer configuration I get a message that says "Error bringing up tunnel: Unable to resolve DNS hostname: myddnshostname.org". However, if I just replace the hostname with my current public IP address then I am able to get a connection going. Problem 2 is that once I get a connection going (transfer rx 56.80 KiB, tx 285.83 KiB) I cannot connect to the internet. It will just hang.

This is my current configuration:

root@OpenWrt:~# ubus call system board
{
        "kernel": "5.15.150",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "Raspberry Pi 3 Model B Rev 1.2",
        "board_name": "raspberrypi,3-model-b",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "bcm27xx/bcm2710",
                "description": "OpenWrt 23.05.3 r23809-234f1a2efa"
        }
}

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix:XXXXXXXXXX:/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.86.3'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option dns '1.1.1.1'
        option gateway '192.168.86.1'

config interface 'Wireguard'
        option proto 'wireguard'
        option private_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        option listen_port '51820'
        list addresses '192.186.84.1/24'

config wireguard_Wireguard
        option description 'RP3BTRIAL'
        option public_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        option private_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        option preshared_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        list allowed_ips '192.168.84.2/32'
        option route_allowed_ips '1'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option ignore '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'


root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'Wiregaurd'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'Wireguard'

config forwarding
        option src 'lan'
        option dest 'Wiregaurd'

and this is my wireguard peer config:

[Interface]
PrivateKey = XXXXXXXXXXXXXXXXXXXX=
Address = 192.168.84.2/32
# ListenPort not defined
DNS = 1.1.1.1, 8.8.8.8

[Peer]
PublicKey = XXXXXXXXXXXXXXXXXX=
PresharedKey = XXXXXXXXXXXXXXXXXXXXXX=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = XXX.XXX.XXX.XXX:51820
# PersistentKeepAlive not defined

Does anyone know where I messed up or what would be going wrong?

My connections are like this: RP4 (main router) --> switch --> RP3B (WireGuard packages installed on it).

For your #1: The hostname thing might just be a lag between the DDNS update and the resolver. For example, using https://freedns.afraid.org/ can sometimes take 45 minutes. What if you try using dig:

% dig myddnshostname.org

Does it give a record showing your public IP?

For your #2: this looks like a DNS failure. Can you ping a numerical IP from the connected peer?

General observation:

This seems odd. Is your more powerful RPi4 "main router" CPU bound to other tasks?

Your `list addresses` entry is wrong: 186 != 168

You should also allow forwarding from Wiregaurd to lan (note the typo in 'Wiregaurd'):

config forwarding
        option src 'Wiregaurd'
        option dest 'lan'

This has now been corrected.

Corrected the typo. However, I thought I had already forwarded from WireGuard to lan. This is how my firewall looks:

After making those changes, I still get the same thing happening. I can see rx and tx once connected to the WireGuard, but get no internet on the peer device.

I am using the hostname for my main router. I assume that should be okay, right? The RP3B is just for a trial so I can deploy it at a remote location once I figure out how to do it correctly.

See the above response.

You should be using the record you setup with your DDNS provider which I think you're doing. The key is this needs to resolve to your public IP address. Did you try that dig command I suggested?

Changing the firewall to this allowed the connection to start working. However, the issue with the hostname is still occurring.

Where would I run that command?

Your RPi4 or 3B or any linux client. You can try it online: https://www.digwebinterface.com/

When I run it on the 3B I get this response: "-ash %: not found"

Is the way I have my setup and the firewall rules for the RP3B okay? I am not doing anything that would leave my network exposed to the internet, since the RP4 firewall is safe/trusted, right?

You must forward from LAN to WireGuard and the other way around:

config forwarding
        option src 'Wireguard'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'Wireguard'

If that does not solve it, let's see the latest configs.

This is how it looks currently; is this correct?

I don't understand that output. Try it from LuCI: Network > Diagnostics, then "Nslookup" in the upper right.

I seldom use the GUI, but it looks good. Normally you also have to forward to the wan to get internet, as internet is via the wan, but this looks like a dumb AP with only lan connected, so that should not be necessary.

Furthermore, you have to either set a static route on the main router to route the WG subnet via the dumb AP, OR — and that is what you have been doing (though it would not earn high marks in class) — enable masquerading on the lan interface, which you have, so that should be good.

Reboot the router and if it still does not work, let's see the configs. Please connect to your OpenWrt device using ssh, copy the output of the following commands and post it here using the "Preformatted text </>" button:

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall
ip route show
wg show

I would put my hostname in and then press Nslookup, right? I did that and the address it returned is not my public IP. However, when I look it up at dynu.com, my hostname is showing the correct public IP.

This is the response I get. I have no idea what it means :man_shrugging:

Thank you. Currently, with the firewall zones as listed, I can connect to the internet from the WG peer as long as I am using the numerical public IP address rather than my hostname. If I use my hostname in the peer config, then I still get the "Unable to resolve DNS hostname: myddnshostname.org" error and WG does not even start in my S24 Android app, i.e. the toggle does not even go to the on position.

Well for that you are in the capable hands of @darksky :slight_smile:

At least one problem solved

One other thing: I would set PersistentKeepAlive on the client to 25.

# PersistentKeepAlive not defined

Yes, it should resolve to the public IP. If it does not, something at your DDNS provider is not working properly. Try using https://freedns.afraid.org/, which is free and highly reliable.

Thank you for your help once again, EGC. But just to make sure: my current firewall on the RP3B is safe to leave like that, since the Pi4 firewall is taking care of everything, right?