Hi everyone!
In a previous topic I asked for help about a dumb AP setup.
To clarify, it is a different device, but I have a similar network config on this server.
I'm trying to set up OpenWrt as a WireGuard server behind OPNsense, but so far I have failed.
The topic will be pretty long, so I use the "Hide Details" function to clean up the topic. I hope it makes you comfortable.
Also the situation is complicated, as it involves both OPNsense and OpenWrt, so thank you!
(It's OK not to read this) Why do I choose to set up a server rather than just use the plugin in OPNsense?
The reason I don't set up WireGuard in OPNsense is the convenience of adding clients.
OPNsense doesn't generate a QR code after creating a peer, so it is quite inconvenient to transfer the config to peer devices. Therefore I considered setting up an individual WG server. I think OpenWrt is a great platform for the purpose.
(OpenWrt's LuCI not only supports a WireGuard UI like wg-easy but also system management. Otherwise maybe Alpine+docker+wg-easy if I want to keep the size small, or just use a distro like Debian or AlmaLinux, but both of them seem to go too far IMO.)
Here's the setup I want:
Network explanation:
- lan (192.168.1.X, .1.1 is the router): the most trusted network. I want this network to be the only one able to manage the OpenWrt box with LuCI or ssh, but nothing else.
- user (192.168.10.X, .10.1 is the router): this network gives specific users' devices network access, and it is able to access services inside my lan.
I don't use VLANs for some reason...
Before the current situation:
- Installed OpenWrt and followed the dumb AP wiki instructions, but without the wireless part. dhcp, firewall and dnsmasq are disabled.
- Set up a DDNS client, which seems successful. (I really spent a lot of time on it!)
- Configured my network.
/etc/config/network before setting up WireGuard:
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# eth0 -> trusted lan, eth1 -> user network (no VLANs, one bridge per port)
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config device
	option name 'br-user'
	option type 'bridge'
	list ports 'eth1'

# management interface; the only address this box holds, default gateway is OPNsense
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.10'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'
	list dns '192.168.1.1'

# proto 'none': the bridge is brought up but the box has no address on it
config interface 'user'
	option proto 'none'
	option device 'br-user'
Note that when I set user's proto to dhcp, it did get an IP address.
Also, neither of them got any RX; I hope this is informative for you.
- Set up the WireGuard server (I set it up just in LuCI)
/etc/config/network after setting up WireGuard, carrying on from the above:
# server side: listens on UDP 51820, so OPNsense has to pass that port to 192.168.1.10
config interface 'wg0_USER'
	option proto 'wireguard'
	option private_key 'SeVeRpRiVaTeKeYsEvErPrIvAtEkEySeVeRpRiVaTe='
	option listen_port '51820'
	list addresses '10.10.10.1/24'
	list dns '192.168.10.1'

# peer section; LuCI keeps the peer's private key here only to render the client config/QR code
config wireguard_wg0_USER
	option public_key 'PeErPuBlIcKeYpEeRpUbLiCkEyPeErPuBlIcKeYpEeR='
	option private_key 'PeErPrIvAtEkEyPeErPrIvAtEkEyPeErPrIvAtEkEyP='
	option description 'test_peer'
	option preshared_key 'PrEsHaReDkEyPrEsHaReDkEyPrEsHaReDkEyPrEsHaR='
	list allowed_ips '10.10.10.2/32'
Then I scanned the QR code, tried to connect, and it just doesn't work.
- Wrong rules/further configuration needed on OPNsense
- Wrong network config on OpenWrt
I'm sure one of those has trouble, or both of them.
I need help... and I need to take a break... Thank you.
Other maybe useful stuff:
ubus call system board
{
    "kernel": "5.15.137",
    "hostname": "OpenWRT",
    "system": "Intel(R) Core(TM) i5-8250U CPU @ 1.60GHz",
    "model": "Xen HVM domU",
    "board_name": "xen-hvm-domu",
    "rootfs_type": "ext4",
    "release": {
        "distribution": "OpenWrt",
        "version": "23.05.2",
        "revision": "r23630-842932a63d",
        "target": "x86/64",
        "description": "OpenWrt 23.05.2 r23630-842932a63d"
    }
}
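As an added example that is not part of the original post and not OpenWrt's or LuCI's own code: a POSIX shell script that reads the two WireGuard sections from the post, runs the checks a practitioner wants before blaming firewall rules (listen_port set, each peer allowed_ips inside the server's tunnel subnet, peer private key present), and renders the wg-quick client config a QR code would carry. The DDNS name vpn.example.net, the server public key argument and the extra AllowedIPs ranges are hypothetical; on the box the server public key comes from `wg show wg0_USER public-key`, and the config would be read from /etc/config/network instead of the embedded sample.

```shell
#!/bin/sh
# Added example, not from the original post nor from OpenWrt/LuCI.
# Reads the 'wireguard' interface and its peer section (constructed below from
# the post; keys are placeholders), checks them, and renders the wg-quick client
# config a QR code would carry. Hypothetical inputs: the DDNS name and the
# server public key (on the box: wg show wg0_USER public-key).

sample_config() {
cat <<'EOF'
config interface 'wg0_USER'
	option proto 'wireguard'
	option private_key 'SeVeRpRiVaTeKeYsEvErPrIvAtEkEySeVeRpRiVaTe='
	option listen_port '51820'
	list addresses '10.10.10.1/24'
	list dns '192.168.10.1'

config wireguard_wg0_USER
	option public_key 'PeErPuBlIcKeYpEeRpUbLiCkEyPeErPuBlIcKeYpEeR='
	option private_key 'PeErPrIvAtEkEyPeErPrIvAtEkEyPeErPrIvAtEkEyP='
	option description 'test_peer'
	option preshared_key 'PrEsHaReDkEyPrEsHaReDkEyPrEsHaReDkEyPrEsHaR='
	list allowed_ips '10.10.10.2/32'
EOF
}

# uci_opt HEADER KEY: print every option/list value of KEY in the section whose
# header line starts with HEADER; UCI text on stdin, single-word values only.
uci_opt() {
	awk -v sec="$1" -v key="$2" '
		/^config / { insec = (index($0, sec) == 1); next }
		insec && ($1 == "option" || $1 == "list") && $2 == key {
			v = $3; gsub(/'\''/, "", v); print v
		}'
}

# IPv4 helpers: dotted quad <-> integer, netmask, network of a CIDR, membership.
ip2int() {
	set -- $(printf '%s' "$1" | tr '.' ' ')
	echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int2ip() {
	echo "$(( $1 >> 24 & 255 )).$(( $1 >> 16 & 255 )).$(( $1 >> 8 & 255 )).$(( $1 & 255 ))"
}
netmask() { echo $(( (4294967295 << (32 - $1)) & 4294967295 )); }
subnet_of() {
	echo "$(int2ip $(( $(ip2int "${1%/*}") & $(netmask "${1#*/}") )))/${1#*/}"
}
in_subnet() {
	m=$(netmask "${2#*/}")
	[ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "${2%/*}") & m )) ]
}

# wg_get HEADER KEY: look a value up in the sample config.
wg_get() { sample_config | uci_opt "$1" "$2"; }

# check_wg: consistency checks on the server and peer sections; 0 when all pass.
check_wg() {
	rc=0
	port=$(wg_get "config interface 'wg0_USER'" listen_port)
	srv=$(wg_get "config interface 'wg0_USER'" addresses)
	if [ -n "$port" ]; then
		echo "ok: listen_port $port (OPNsense must pass UDP $port to this box)"
	else
		echo "FAIL: no listen_port set"; rc=1
	fi
	for cidr in $(wg_get "config wireguard_wg0_USER" allowed_ips); do
		if in_subnet "${cidr%/*}" "$srv"; then
			echo "ok: peer allowed_ips $cidr lies inside server address $srv"
		else
			echo "FAIL: peer allowed_ips $cidr is outside server address $srv"; rc=1
		fi
	done
	if [ -z "$(wg_get "config wireguard_wg0_USER" private_key)" ]; then
		echo "warn: no peer private key stored; LuCI cannot render a client config/QR"
	fi
	return $rc
}

# client_config DDNS_NAME SERVER_PUBKEY [EXTRA_ALLOWED]: wg-quick config for the
# peer. EXTRA_ALLOWED lists the LAN ranges the peer should reach via the tunnel.
client_config() {
	srv=$(wg_get "config interface 'wg0_USER'" addresses)
	cat <<EOF
[Interface]
PrivateKey = $(wg_get "config wireguard_wg0_USER" private_key)
Address = $(wg_get "config wireguard_wg0_USER" allowed_ips)
DNS = $(wg_get "config interface 'wg0_USER'" dns)

[Peer]
PublicKey = $2
PresharedKey = $(wg_get "config wireguard_wg0_USER" preshared_key)
Endpoint = $1:$(wg_get "config interface 'wg0_USER'" listen_port)
AllowedIPs = $(subnet_of "$srv")${3:+, $3}
PersistentKeepalive = 25
EOF
}

check_wg
# hypothetical DDNS name and server public key:
client_config vpn.example.net 'SeRvErPuBlIcKeYgOeShErE=' '192.168.10.0/24, 192.168.1.0/24'
```

The rendered AllowedIPs decides what the client sends into the tunnel: only the tunnel subnet by default, plus whatever ranges are passed as the third argument, so a peer that is meant to reach the user and lan networks needs them listed there as well as a route back from those networks to 10.10.10.0/24.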