[SOLVED] Wireguard - Firewall (Actually routing)

G'day OpenWRT forum people!

I have a wireguard peer setup and I can connect to it via the Android and Linux wireguard applications, and I currently use this peer as the exit for internet traffic.

I have currently deployed it on OpenWRT (18.06.1) and I can get a connection correctly with the current setup (I am able to ping from the VPN interface to a resolved host name, google.com, and I can see the RX/TX counters go up accordingly). The setup currently has 2 bridge interfaces, with one going directly out the WAN and the other going out the VPN.

What I do not seem to be able to do is route the LAN2 traffic connected to the router via the VPN interface.

Summary:

  • Remote Wireguard peer works for other clients (Android, Linux)
  • Internet bound traffic going directly out the WAN interface from LAN works fine.
  • Internet bound traffic going directly from the WG interface works fine (eg. ping -I wg google.com), and it has associated correctly with the remote wireguard peer.
  • Internet bound traffic from LAN2 to the WG interface does not work.

Diagram:

WLAN1 --- LAN  (br-lan) |       ->      |WAN --- ISP  
                        (OpenWRT-18.06.1)
WLAN2 --- LAN2 (br-lan2)|       ->      |WG --- Remote Wireguard Peer --- ISP

Firewall config

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option family 'ipv4'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config zone
	option output 'ACCEPT'
	option name 'wg'
	option masq '1'
	option mtu_fix '1'
	option input 'ACCEPT'
	option forward 'REJECT'
	option network 'wg'

config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	option name 'lan2'
	option forward 'ACCEPT'
	option family 'ipv4'
	option network 'lan2'

config forwarding
	option dest 'wan'
	option src 'lan'

config forwarding
	option dest 'wg'
	option src 'lan2'

Or in picture format: [screenshot of the LuCI firewall zone page, 2018-09-30, not reproduced]

I have seen a few topics on this in these forums, however none of the configuration they applied seemed to do the trick. Any help would be much appreciated.

What's your routing table?

The firewall merely dictates what traffic is permitted. It doesn't dictate where that traffic goes.


Also, what's your local WireGuard configuration?

Thanks a lot for the very quick response. WG config is as follows:

[Interface]
ListenPort = 51280
PrivateKey = <key>

[Peer]
PublicKey = <key>
AllowedIPs = 0.0.0.0/0
Endpoint = <ipv4>:<remote_port>
PersistentKeepalive = 25

As stated, I do seem to be able to utilise the interface directly. I did configure this via the LuCI interface rather than CLI.

As @iplaywithtoys noted, please show your routing table.

It seems you may still need to create a route rule and route policy for LAN2 to use Wireguard.

Also see:

Yes, my apologies, routing table is below. I had a look at that post, and I went through the process of creating another table.

route

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         <isp_dhcp_gw>   0.0.0.0         UG    0      0        0 eth1
10.88.88.0      *               255.255.255.0   U     0      0        0 br-lan
10.99.99.0      *               255.255.255.0   U     0      0        0 br-lan2
<isp_net>       *               255.255.255.0   U     0      0        0 eth1
<remote_wg_ip>  <isp_dhcp_gw>   255.255.255.255 UGH   0      0        0 eth1

ip route show

default via <isp_dhcp_gw> dev eth1 proto static src <isp_dhcp_ip> 
10.88.88.0/24 dev br-lan proto kernel scope link src 10.88.88.1 
10.99.99.0/24 dev br-lan2 proto kernel scope link src 10.99.99.1 
<isp_net>     dev eth1 proto kernel scope link src <isp_dhcp_ip>
<remote_wg_ip> via <isp_dhcp_gw> dev eth1 proto static 

I am assuming I am missing a route from lan2 to wg, I'll have a fiddle with that.

brctl show?

br-lan		7fff.5aef68b9719c	no		eth0.88
							wlan0
br-lan2		7fff.5aef68b9719c	no		eth0.99
							wlan1

LAN works fine, so I think it must be the routing component.

Ok, so it was the routing issue. Thanks everyone for your assistance.

I ended up fixing it with vpn-policy-routing and luci-app-vpn-policy-routing and as has been stated putting in a route for LAN2 subnet -> WG.

Used the following repo for the software listed https://stangri.github.io/openwrt-repo/.

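For reference, the "route for LAN2 subnet -> WG" the thread ends on, written out by hand as an added example. This is not the poster's configuration (vpn-policy-routing generates the equivalent rules for you); it uses the names and subnets shown above (interface wg, br-lan2 on 10.99.99.0/24, br-lan on 10.88.88.0/24), picks routing table 100 and the rule priorities arbitrarily, and assumes the wg interface is not already installing its AllowedIPs 0.0.0.0/0 into the main table (LuCI's "Route Allowed IPs" unchecked), which the ip route show output above is consistent with. The firewall side (lan2 -> wg forwarding, masq on the wg zone) is already present in the posted config, so only the routing needs adding.

```uci
# /etc/config/network  (added example, appended after the existing interface stanzas)

# Table 100 holds a single route: everything out via the WireGuard interface.
# No 'gateway' option is needed because wg is a point-to-point interface.
config route
	option interface 'wg'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option table '100'

# Evaluated first (lower priority number wins): traffic from LAN2 to the LAN
# subnet stays on the main table (254) so it is decided by the firewall locally
# rather than being routed out the tunnel and NATed to the remote peer.
# Assumed subnets taken from the thread; adjust to taste.
config rule
	option src '10.99.99.0/24'
	option dest '10.88.88.0/24'
	option lookup '254'
	option priority '900'

# Everything else sourced from the LAN2 subnet consults table 100 -> wg.
# Replies arriving on wg for 10.99.99.x are handled by the main table's
# connected route to br-lan2, so no rule is needed in the return direction.
config rule
	option src '10.99.99.0/24'
	option lookup '100'
	option priority '1000'
```

Apply with /etc/init.d/network reload, then check ip rule show (the two rules should appear at priorities 900 and 1000) and ip route show table 100 (a single default dev wg). From a client on LAN2, confirm the public exit address is the peer's, not the ISP's. One caveat worth knowing before relying on this for privacy: DNS queries that LAN2 clients send to the router's dnsmasq are re-sent by the router itself, from its own address, so they follow the main table out the WAN and not the tunnel. If that matters, give LAN2 clients a resolver reachable through the tunnel or configure dnsmasq to use one.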

You're welcome!
