[Solved] WireGuard Client is up but I can't ping

I have a WireGuard client setup in my Openwrt and it works:

# cat /etc/openwrt_release
DISTRIB_ID='OpenWrt'
DISTRIB_RELEASE='23.05.2'
DISTRIB_REVISION='r23630-842932a63d'
DISTRIB_TARGET='mvebu/cortexa9'
DISTRIB_ARCH='arm_cortex-a9_vfpv3-d16'
DISTRIB_DESCRIPTION='OpenWrt 23.05.2 r23630-842932a63d'
DISTRIB_TAINTS=''

Before applying any PBR rule I am getting this from a client:

curl ipinfo.io/ip
188.216.xx.xx%

and listening with tcpdump I am getting:

# tcpdump -i any src 192.168.1.111 and dst host ipinfo.io
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
11:21:58.181179 lan3  In  IP 192.168.1.111.35828 > 192.186.117.34.bc.googleusercontent.com.80: Flags [S], seq 2694821548, win 32120, options [mss 1460,sackOK,TS val 2508056377 ecr 0,nop,wscale 7], length 0
11:21:58.181179 br-lan In  IP 192.168.1.111.35828 > 192.186.117.34.bc.googleusercontent.com.80: Flags [S], seq 2694821548, win 32120, options [mss 1460,sackOK,TS val 2508056377 ecr 0,nop,wscale 7], length 0
11:21:58.195881 lan3  In  IP 192.168.1.111.35828 > 192.186.117.34.bc.googleusercontent.com.80: Flags [.], ack 1704521063, win 251, options [nop,nop,TS val 2508056392 ecr 363589084], length 0
11:21:58.195881 br-lan In  IP 192.168.1.111.35828 > 192.186.117.34.bc.googleusercontent.com.80: Flags [.], ack 1, win 251, options [nop,nop,TS val 2508056392 ecr 363589084], length 0
11:21:58.196019 lan3  In  IP 192.168.1.111.35828 > 192.186.117.34.bc.googleusercontent.com.80: Flags [P.], seq 0:74, ack 1, win 251, options [nop,nop,TS val 2508056392 ecr 363589084], length 74: HTTP: GET /ip HTTP/1.1
11:21:58.196019 br-lan In  IP 192.168.1.111.35828 > 192.186.117.34.bc.googleusercontent.com.80: Flags [P.], seq 0:74, ack 1, win 251, options [nop,nop,TS val 2508056392 ecr 363589084], length 74: HTTP: GET /ip HTTP/1.1
11:21:58.332581 lan3  In  IP 192.168.1.111.35828 > 192.186.117.34.bc.googleusercontent.com.80: Flags [.], ack 300, win 249, options [nop,nop,TS val 2508056528 ecr 363589221], length 0
11:21:58.332581 br-lan In  IP 192.168.1.111.35828 > 192.186.117.34.bc.googleusercontent.com.80: Flags [.], ack 300, win 249, options [nop,nop,TS val 2508056528 ecr 363589221], length 0
11:21:58.332911 lan3  In  IP 192.168.1.111.35828 > 192.186.117.34.bc.googleusercontent.com.80: Flags [F.], seq 74, ack 300, win 249, options [nop,nop,TS val 2508056529 ecr 363589221], length 0
11:21:58.332911 br-lan In  IP 192.168.1.111.35828 > 192.186.117.34.bc.googleusercontent.com.80: Flags [F.], seq 74, ack 300, win 249, options [nop,nop,TS val 2508056529 ecr 363589221], length 0
11:21:58.348123 lan3  In  IP 192.168.1.111.35828 > 192.186.117.34.bc.googleusercontent.com.80: Flags [.], ack 301, win 249, options [nop,nop,TS val 2508056544 ecr 363589237], length 0
11:21:58.348123 br-lan In  IP 192.168.1.111.35828 > 192.186.117.34.bc.googleusercontent.com.80: Flags [.], ack 301, win 249, options [nop,nop,TS val 2508056544 ecr 363589237], length 0

Now I want to use PBR to redirect some traffic through the WG interface, for instance:

config policy
       option name 'ipinfo.io'
       option dest_addr 'ipinfo.io'
       option interface 'WG0'
       option enabled '1'

After I applied this I am getting:

curl ipinfo.io/ip
curl: (7) Failed to connect to ipinfo.io port 80 after 2 ms: Couldn't connect to server
# tcpdump -i any src 192.168.1.111 and dst host ipinfo.io
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
11:22:57.632046 lan3  In  IP 192.168.1.111.49992 > 192.186.117.34.bc.googleusercontent.com.80: Flags [S], seq 2893199098, win 32120, options [mss 1460,sackOK,TS val 2508115827 ecr 0,nop,wscale 7], length 0
11:22:57.632046 br-lan In  IP 192.168.1.111.49992 > 192.186.117.34.bc.googleusercontent.com.80: Flags [S], seq 2893199098, win 32120, options [mss 1460,sackOK,TS val 2508115827 ecr 0,nop,wscale 7], length 0

To help you better, please connect to your OpenWRT device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
ip route show
ip route show table all
ip rule show
wg show

Could we please guide the (new) users properly and avoid useless abbreviation? ip route show and ip rule show....

Here you go:

#ubus call system board
{
        "kernel": "5.15.137",
        "hostname": "mglinksys01",
        "system": "ARMv7 Processor rev 1 (v7l)",
        "model": "Linksys WRT1900ACS",
        "board_name": "linksys,wrt1900acs",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.2",
                "revision": "r23630-842932a63d",
                "target": "mvebu/cortexa9",
                "description": "OpenWrt 23.05.2 r23630-842932a63d"
        }
}

#cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd7a:069a:a2c5::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'wan'
        option macaddr '62:11:11:11:11:ff'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'WG0'
        option proto 'wireguard'
        option private_key 'private'
        option defaultroute '0'
        list addresses '10.1.1.253/24'

config wireguard_WG0
        option description 'Imported peer configuration'
        option public_key 'public'
        option preshared_key 'preshared'
        option persistent_keepalive '25'
        option endpoint_host 'xx.x.xx.xx'
        option endpoint_port 'yyyyy'
        option route_allowed_ips '1'
        option private_key 'preshared'
        list allowed_ips '10.1.1.0/24'


#cat /etc/config/dhcp
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'mgnet.net'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config domain
        option name 'mgcl1n2'
        option ip '192.168.1.109'

config domain
        option name 'mgcl1n1'
        option ip '192.168.1.110'



#cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option family 'ipv4'
        option target 'ACCEPT'
        list icmp_type 'echo-request'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'WG0'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'WG0'
        option masq '1'
        option mtu_fix '1'
        option log '1'
        option log_limit '100/minute'

config forwarding
        option src 'lan'
        option dest 'WG0'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/pbr.firewall.include'

#ip ro
default via 192.168.0.1 dev wan proto static src 192.168.0.3 
10.1.1.0/24 dev WG0 proto static scope link 
xx.x.xx.xx via 192.168.0.1 dev wan proto static 
192.168.0.0/24 dev wan proto kernel scope link src 192.168.0.3 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1


#ip route show table all
default via 192.168.0.1 dev wan table pbr_wan 
192.168.1.0/24 dev br-lan table pbr_wan proto kernel scope link src 192.168.1.1 
default via 10.1.1.253 dev WG0 table pbr_WG0 
192.168.1.0/24 dev br-lan table pbr_WG0 proto kernel scope link src 192.168.1.1 
default via 192.168.0.1 dev wan proto static src 192.168.0.3 
10.1.1.0/24 dev WG0 proto static scope link 
xx.x.xx.xx via 192.168.0.1 dev wan proto static 
192.168.0.0/24 dev wan proto kernel scope link src 192.168.0.3 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 
local 10.1.1.253 dev WG0 table local proto kernel scope host src 10.1.1.253 
broadcast 10.1.1.255 dev WG0 table local proto kernel scope link src 10.1.1.253 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
local 192.168.0.3 dev wan table local proto kernel scope host src 192.168.0.3 
broadcast 192.168.0.255 dev wan table local proto kernel scope link src 192.168.0.3 
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1 
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1 
fd7a:69a:a2c5::/64 dev br-lan proto static metric 1024 pref medium
unreachable fd7a:69a:a2c5::/48 dev lo proto static metric 2147483647 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev wan proto kernel metric 256 pref medium
fe80::/64 dev phy1-ap0 proto kernel metric 256 pref medium
fe80::/64 dev phy0-ap0 proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
anycast fd7a:69a:a2c5:: dev br-lan table local proto kernel metric 0 pref medium
local fd7a:69a:a2c5::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev wan table local proto kernel metric 0 pref medium
anycast fe80:: dev phy1-ap0 table local proto kernel metric 0 pref medium
anycast fe80:: dev phy0-ap0 table local proto kernel metric 0 pref medium
local fe80::6038:e0ff:fe10:a6ff dev wan table local proto kernel metric 0 pref medium
local fe80::6238:e0ff:fe10:a6ff dev eth0 table local proto kernel metric 0 pref medium
local fe80::6238:e0ff:fe10:a6ff dev br-lan table local proto kernel metric 0 pref medium
local fe80::6238:e0ff:fe10:a700 dev phy1-ap0 table local proto kernel metric 0 pref medium
local fe80::6238:e0ff:fe10:a701 dev phy0-ap0 table local proto kernel metric 0 pref medium
multicast ff00::/8 dev eth0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev br-lan table local proto kernel metric 256 pref medium
multicast ff00::/8 dev wan table local proto kernel metric 256 pref medium
multicast ff00::/8 dev phy1-ap0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev phy0-ap0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev WG0 table local proto kernel metric 256 pref medium


#ip ru
0:      from all lookup local
30000:  from all fwmark 0x10000/0xff0000 lookup pbr_wan
30001:  from all fwmark 0x20000/0xff0000 lookup pbr_WG0
32766:  from all lookup main
32767:  from all lookup default

#wg show
interface: WG0
  public key: public
  private key: (hidden)
  listening port: zzzzz

peer: private
  preshared key: (hidden)
  endpoint: xx.x.xx.xx:yyyyy
  allowed ips: 10.1.1.0/24
  latest handshake: 1 minute, 16 seconds ago
  transfer: 892 B received, 2.86 KiB sent
  persistent keepalive: every 25 seconds
  

Try the following, change to:
list allowed_ips '0.0.0.0/0'
option route_allowed_ips '0'

Reboot afterwards or do:
service network restart; service firewall restart

Could you please explain to me why?

Does it work?

I assume you're using a commercial VPN service, and they have provided you a configuration to import. When you import your private key, install the key in the main interface wg0 section. The (server's) public key and the preshared key go in the wireguard_wg0 section. There is no private key in the peer section. Moving private keys around the Internet (or anywhere outside the peer where they will be used) is not a security best practice, but if this particular service requires it there isn't any choice.

Run wg show to see if the Wireguard connection has initiated. You should see "last handshake" as part of the output. That confirms that there is a link to the server and the keys are correct.

The server's private IP of the other end of the tunnel (which is likely 10.1.1.1 here) usually answers pings and that is a good way to test the tunnel.

To reach arbitrary sites on the Internet through a Wireguard tunnel, allowed_ips must include 0.0.0.0/0. Including 0.0.0.0 makes it unnecessary to list any other, more specific, allowed IPs.

When you control routing externally, e.g. with pbr, leave route_allowed_ips disabled.

https://docs.openwrt.melmac.net/pbr/ paragraph 10.1

As @mk24 already explained, if you have 0.0.0.0/0 in your allowed IPs and you add the allowed IPs as routes, then basically you are adding a default route, and that is not what you want in this case.

I will try later

I am not using a service provider and I need 10.1.1.0/24 traffic only through WG0. The rest I want to go to the internet. This is already happening, but I want some other traffic going through WG0.

Then set all needed subnets on allowed IPs and set the flag for route allowed IPs. No PBR needed in this case.

To do that you set 0.0.0.0/0 as allowed IPs.

For what source or destination you want to travel through the tunnel you use PBR.

If it is only the destination 10.1.1.0/24 you want through the tunnel, then you can use that and enable Route allowed IPs, but then only return traffic from that same subnet is allowed (that is why it is called Allowed IPs 🙂).

Packets returning from an arbitrary site on the Internet may have any IP, thus all IPs (0.0.0.0/0) need to be allowed in through the tunnel. The WireGuard allowed_ips mechanism is not stateful.
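To make the point of the last few replies concrete, here is a small Python model of WireGuard's cryptokey routing (the allowed_ips check). It is an added example, not code from the thread, from OpenWrt or from the pbr package. The peer table, the addresses and the function names are constructed for illustration, based on the config and tcpdump posted above: with allowed_ips limited to 10.1.1.0/24, a SYN that PBR steers into WG0 towards 192.186.117.34 has no peer to be encrypted for and is dropped before it ever leaves, which is why the capture shows the SYN on lan3/br-lan and nothing after it; with 0.0.0.0/0 the same flow works in both directions, but route_allowed_ips='1' would then also install a default route. The model goes slightly beyond the thread's single-peer setup by selecting among several peers with longest-prefix match, which is what WireGuard does.

```python
import ipaddress

# Constructed peer tables modelled on the thread: a single peer ("server") whose
# allowed_ips is either the narrow tunnel subnet from the posted config or the
# 0.0.0.0/0 that the replies recommend.
NARROW = {"server": ["10.1.1.0/24"]}
WIDE = {"server": ["0.0.0.0/0"]}


def _nets(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def outbound_peer(peers, dst):
    """Outbound cryptokey routing: WireGuard encrypts a packet for the peer whose
    allowed_ips contains the destination, longest prefix winning. No match means
    WireGuard drops the packet itself, even though a kernel route or a PBR rule
    already pointed it at the WG0 interface."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for name, cidrs in peers.items():
        for net in _nets(cidrs):
            if addr in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best


def inbound_accepted(peers, peer, src):
    """Inbound check: after decryption, a packet from `peer` is kept only if its
    source address lies in that peer's allowed_ips. There is no connection state,
    so a reply to a flow we started is still dropped if its source is not listed."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in _nets(peers[peer]))


def simulate_flow(peers, remote_dst):
    """Walk one TCP SYN that PBR has steered into WG0, and the SYN/ACK that would
    come back from remote_dst, through both checks."""
    peer = outbound_peer(peers, remote_dst)
    if peer is None:
        # This is the thread's symptom: SYN seen on br-lan, no SYN/ACK, curl error (7).
        return "dropped_outbound"
    if not inbound_accepted(peers, peer, remote_dst):
        return "dropped_inbound"
    return "ok"


def routes_from_allowed_ips(peers, route_allowed_ips):
    """What route_allowed_ips='1' would add to the main routing table: one route
    per allowed prefix. With 0.0.0.0/0 that is a default route pulling all traffic
    into the tunnel, which is why the flag should stay '0' when PBR picks the traffic."""
    if not route_allowed_ips:
        return []
    return sorted({str(net) for cidrs in peers.values() for net in _nets(cidrs)})


if __name__ == "__main__":
    # Constructed destination: the ipinfo.io address from the posted tcpdump.
    for label, peers in (("allowed_ips 10.1.1.0/24", NARROW),
                         ("allowed_ips 0.0.0.0/0", WIDE)):
        print(f"{label}: SYN to 192.186.117.34 via WG0 ->",
              simulate_flow(peers, "192.186.117.34"))
        print(f"{label}: routes added if route_allowed_ips=1 ->",
              routes_from_allowed_ips(peers, True))
```

Running it prints `dropped_outbound` for the narrow table and `ok` for the wide one, and shows that the wide table combined with route_allowed_ips=1 would install `0.0.0.0/0` as a route, i.e. the unwanted default route.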

I am going to try the new configuration in the next 15 minutes.
Just to clarify, this is the configuration I want to have.
For now I only have WG0 and I will have OpenVPN1 and OpenVPN2 in the future.

@_bernd I need ipinfo.io or similar traffic going through WG0

You can either set allowed IPs to 0.0.0.0/0 and use PBR to route the destinations you want via the WG tunnel, as indicated above, or set all destinations as allowed IPs and then enable route allowed IPs.

As you cannot set a URL in allowed IPs, and as the IP can change, I would go for the first option, as you need PBR anyway for the OpenVPN.

It works like a charm. Thanks @egc !

If you are satisfied and have a working solution for your use case please mark that solution as solved:

May I keep it open in case I have further questions regarding OpenVPN routing and issues or should I open a new topic?