[SOLVED] Wireguard not working

Hello,
I set up WireGuard on my OpenWrt and it worked for some days, but now it does not work anymore.
I rebooted my router and had no Internet access for an hour.

I set it up as described here:

I can still connect and it shows my WireGuard connection in LuCI's WireGuard app, but only a few bytes are transmitted.

I also cannot ping any IP in my local network when connected via WireGuard, as I could before.
I have already restarted the router and the WireGuard interface.

What could be the issue here?

Thanks.

Hello,
please post here the contents of

/etc/config/network
/etc/config/firewall

as well as the output of the commands

ip -4 addr
ip -4 ro
ip -4 ru
root@OpenWrt:~# cat /etc/config/network;cat /etc/config/firewall; ip -4 addr;ip -4 ro;ip -4 ru

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fda0:53cd:c74f::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option dns '9.9.9.9'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'static'
        option ipaddr '192.168.1.2'
        option netmask '255.255.255.0'
        option gateway '192.168.1.1'
        option broadcast '192.168.1.255'
        option dns '9.9.9.9'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'
        option auto '0'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 5t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0 5t'

config interface 'wg0'
        option proto 'wireguard'
        option listen_port '1234'
        list addresses '192.168.10.1/24'
        option route_allowed_ips '1'
        option private_key 'xxx='

config wireguard_wg0
        option public_key 'xxx='
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option persistent_keepalive '25'
        option description 'Android Handy'

config wireguard_wg0
        option public_key 'xxx='
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option description 'Arbeit'

config wireguard_wg0
        option public_key 'xxx='
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option description 'Laptop Linux'


config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '5001'
        option dest_ip '192.168.2.101'
        option dest_port '5001'
        option name 'DSM_218p'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '5022'
        option dest_ip '192.168.2.101'
        option dest_port '22'
        option name 'SSH_218p'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '5006'
        option dest_ip '192.168.2.101'
        option dest_port '5006'
        option name 'WebDAV_218p'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'udp'
        option src_dport '1195'
        option dest_ip '192.168.2.101'
        option dest_port '1194'
        option name 'OVPN_218p'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option dest_ip '192.168.2.101'
        option name 'Nextcloud_218p'
        option dest_port '8080'
        option src_dport '80'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '5003'
        option dest_port '5001'
        option name 'DockerDSM_218p'
        option dest_ip '192.168.2.109'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '443'
        option dest_port '443'
        option name 'HTTPS_218p'
        option dest_ip '192.168.2.101'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '5002'
        option dest_ip '192.168.2.102'
        option dest_port '5001'
        option name 'DSM_218p_VM'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '6001'
        option dest_ip '192.168.2.103'
        option dest_port '5001'
        option name 'DSM_213j'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '6022'
        option dest_ip '192.168.2.103'
        option dest_port '22'
        option name 'SSH_213j'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option dest_ip '192.168.2.1'
        option dest_port '22'
        option name 'SSH_OpenWRT'
        option src_dport '1122'

config redirect
        option target 'DNAT'
        option src 'wan'
        option proto 'udp'
        option src_dport '1234'
        option dest_ip '192.168.2.1'
        option dest_port '1234'
        option name 'WireGuard_OpenWRT'
        option dest 'lan'

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config rule
        option target 'ACCEPT'
        option src 'wan'
        option proto 'tcp'
        option dest_port '2200'
        option name 'ssh-test'

config rule
        option name 'Allow-OpenVPN-Inbound'
        option target 'ACCEPT'
        option src '*'
        option proto 'udp'
        option dest_port '1194'

config rule
        option name 'Allow-OpenVPN'
        option src 'wan'
        option dest_port '1194'
        option proto 'tcp udp'
        option target 'ACCEPT'

config rule
        option src '*'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '1234'
        option name 'Allow-Wireguard-Inbound'

config zone
        option name 'wg'
        option forward 'REJECT'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option network 'wg0'
        option input 'ACCEPT'

config route
        option interface 'wg0'
        option target '192.168.10.0'
        option netmask '255.255.255.0'

config forwarding
        option src 'wg'
        option dest 'wan'

config forwarding
        option src 'wg'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'wg'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
4: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.2.1/24 brd 192.168.2.255 scope global br-lan
       valid_lft forever preferred_lft forever
7: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1
    inet 192.168.10.1/24 brd 192.168.10.255 scope global wg0
       valid_lft forever preferred_lft forever
9: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.2/24 brd 192.168.1.255 scope global eth0.2
       valid_lft forever preferred_lft forever
default via 192.168.1.1 dev eth0.2 proto static
192.168.1.0/24 dev eth0.2 proto kernel scope link src 192.168.1.2
192.168.2.0/24 dev br-lan proto kernel scope link src 192.168.2.1
192.168.10.0/24 dev wg0 proto kernel scope link src 192.168.10.1
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
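
Added example, not part of the thread: a small Python model of WireGuard's cryptokey routing, run against the peer list in the config above. In WireGuard each allowed-IP prefix belongs to exactly one peer per interface; giving the same prefix to a later peer takes it away from the earlier one. Outbound, the destination address is looked up in that table to choose the peer; inbound, after decryption, the packet's inner source address is looked up and the packet is dropped unless it maps back to the peer it arrived from. The client tunnel addresses 192.168.10.2 to 192.168.10.4 are assumptions, since the thread does not show the client configs.

```python
"""Model of WireGuard's cryptokey routing (allowed IPs) table.

Rules, as implemented by the kernel module and wg(8):
  * One owner per prefix on an interface; a later peer configured with the
    same prefix takes it from the earlier one.
  * Outbound: destination address -> longest-prefix match -> encrypting peer.
  * Inbound: after decryption the inner SOURCE address is looked up; the
    packet is dropped unless the matched peer is the one it came from.
"""
import ipaddress
from typing import Dict, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def build_table(peers: Dict[str, List[str]]) -> Dict[Network, str]:
    """Build prefix -> peer, in configuration order (dict order is insertion order)."""
    table: Dict[Network, str] = {}
    for peer, prefixes in peers.items():
        for prefix in prefixes:
            # Re-assigning an existing prefix hands it to the later peer.
            table[ipaddress.ip_network(prefix, strict=False)] = peer
    return table


def lookup(table: Dict[Network, str], address: str) -> Optional[str]:
    """Longest-prefix match of an address against the table; None if no prefix covers it."""
    addr = ipaddress.ip_address(address)
    best: Optional[Network] = None
    for net in table:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best.prefixlen:
                best = net
    return table[best] if best is not None else None


def accept_inbound(table: Dict[Network, str], from_peer: str, inner_src: str) -> bool:
    """Decrypted packet from `from_peer` is delivered only if its source routes back to that peer."""
    return lookup(table, inner_src) == from_peer


# Peers exactly as listed in the /etc/config/network posted above.
POSTED = {
    "Android Handy": ["0.0.0.0/0", "::/0"],
    "Arbeit":        ["0.0.0.0/0", "::/0"],
    "Laptop Linux":  ["0.0.0.0/0", "::/0"],
}

# ASSUMED tunnel addresses for the three clients (not shown in the thread);
# the router side is 192.168.10.1/24.
ASSUMED_CLIENT_IPS = {
    "Android Handy": "192.168.10.2",
    "Arbeit":        "192.168.10.3",
    "Laptop Linux":  "192.168.10.4",
}

# The same peers with one /32 per client, the usual server-side setting.
PER_PEER = {peer: [ip + "/32"] for peer, ip in ASSUMED_CLIENT_IPS.items()}


def inbound_report(peers: Dict[str, List[str]]) -> Dict[str, bool]:
    """For each peer: would a decrypted packet from its assumed tunnel address be delivered?"""
    table = build_table(peers)
    return {peer: accept_inbound(table, peer, ASSUMED_CLIENT_IPS[peer]) for peer in peers}


if __name__ == "__main__":
    for name, peers in (("posted config", POSTED), ("one /32 per peer", PER_PEER)):
        table = build_table(peers)
        print(name)
        for net, peer in table.items():
            print(f"  {net} -> {peer}")
        print("  inbound accepted:", inbound_report(peers))
        print("  outbound 8.8.8.8 goes to:", lookup(table, "8.8.8.8"))
```

With the posted config the whole table collapses to two entries, both owned by the last peer, so only that peer's decrypted packets pass the source check; the others are decrypted and then silently dropped, which is consistent with a capture on wg0 showing nothing while the handshake on the WAN side succeeds. With one /32 per peer every client passes, and a destination outside 192.168.10.0/24 matches no peer, which is what a server whose clients route 0.0.0.0/0 through it wants.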
config redirect
        option target 'DNAT'
        option src 'wan'
        option proto 'udp'
        option src_dport '1234'
        option dest_ip '192.168.2.1'
        option dest_port '1234'
        option name 'WireGuard_OpenWRT'
        option dest 'lan'

This is not needed; you have a rule to accept udp/1234 on the WAN interface.

config zone
        option name 'wg'
        option masq '1'
        option mtu_fix '1'

Remove masq and mtu.

It still doesn't work when I change that.

Can you ping the wg interface of OpenWrt?
Can you run a tcpdump on OpenWrt to verify that packets come and go through the wg interface?

No, I cannot ping the IP of my WireGuard interface when connected.

I got tcpdump running now, but it captured 0 packets.
When I'm connected via my smartphone, the wg interface shows 0 bytes received in ifconfig.

Not being able to ping at least the WG interface IP is serious. I was under the impression from your first post that you could connect, but it looks like not even that is working. Did you run the tcpdump command correctly? tcpdump -i wg0 -v -n
Have you checked that your ISP modem is forwarding the traffic correctly to the OpenWrt?
tcpdump -i eth0.2 -v -n udp port 1234

tcpdump -i wg0 -v -n
gives me 0 captured packets.

But the port seems to be open:

root@OpenWrt:~# tcpdump -i eth0.2 -v -n udp port 1234
tcpdump: listening on eth0.2, link-type EN10MB (Ethernet), capture size 262144 bytes
14:36:44.657144 IP (tos 0x0, ttl 52, id 12297, offset 0, flags [none], proto UDP (17), length 176)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 148
14:36:44.679432 IP (tos 0x88, ttl 64, id 40845, offset 0, flags [none], proto UDP (17), length 120)
    192.168.1.2.1234 > 78.94.46.90.58285: UDP, length 92
14:36:44.724480 IP (tos 0x0, ttl 52, id 12300, offset 0, flags [none], proto UDP (17), length 172)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 144
14:36:44.855467 IP (tos 0x0, ttl 52, id 12305, offset 0, flags [none], proto UDP (17), length 124)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 96
14:36:44.866744 IP (tos 0x0, ttl 52, id 12307, offset 0, flags [none], proto UDP (17), length 124)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 96
14:36:44.914750 IP (tos 0x0, ttl 52, id 12309, offset 0, flags [none], proto UDP (17), length 124)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 96
14:36:44.924972 IP (tos 0x0, ttl 52, id 12315, offset 0, flags [none], proto UDP (17), length 172)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 144
14:36:44.945000 IP (tos 0x0, ttl 52, id 12317, offset 0, flags [none], proto UDP (17), length 124)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 96
14:36:44.950197 IP (tos 0x0, ttl 52, id 12318, offset 0, flags [none], proto UDP (17), length 124)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 96
14:36:44.950448 IP (tos 0x0, ttl 52, id 12319, offset 0, flags [none], proto UDP (17), length 124)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 96
14:36:44.950544 IP (tos 0x0, ttl 52, id 12320, offset 0, flags [none], proto UDP (17), length 124)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 96
14:36:44.950594 IP (tos 0x0, ttl 52, id 12321, offset 0, flags [none], proto UDP (17), length 124)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 96
14:36:44.950639 IP (tos 0x0, ttl 52, id 12322, offset 0, flags [none], proto UDP (17), length 124)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 96
14:36:44.950685 IP (tos 0x0, ttl 52, id 12323, offset 0, flags [none], proto UDP (17), length 124)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 96
14:36:45.055484 IP (tos 0x0, ttl 52, id 12342, offset 0, flags [none], proto UDP (17), length 124)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 96
14:36:45.075477 IP (tos 0x0, ttl 52, id 12348, offset 0, flags [none], proto UDP (17), length 140)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 112
14:36:45.099999 IP (tos 0x0, ttl 52, id 12353, offset 0, flags [none], proto UDP (17), length 268)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 240
14:36:45.214979 IP (tos 0x0, ttl 52, id 12366, offset 0, flags [none], proto UDP (17), length 172)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 144
14:36:45.298770 IP (tos 0x0, ttl 52, id 12383, offset 0, flags [none], proto UDP (17), length 124)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 96
14:36:45.434016 IP (tos 0x0, ttl 52, id 12413, offset 0, flags [none], proto UDP (17), length 124)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 96
14:36:45.758479 IP (tos 0x0, ttl 52, id 12463, offset 0, flags [none], proto UDP (17), length 172)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 144
14:36:45.795984 IP (tos 0x0, ttl 52, id 12464, offset 0, flags [none], proto UDP (17), length 124)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 96
14:36:46.103258 IP (tos 0x0, ttl 52, id 12505, offset 0, flags [none], proto UDP (17), length 124)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 96
14:36:46.103448 IP (tos 0x0, ttl 52, id 12506, offset 0, flags [none], proto UDP (17), length 124)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 96
14:36:46.103515 IP (tos 0x0, ttl 52, id 12507, offset 0, flags [none], proto UDP (17), length 268)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 240
14:36:46.103565 IP (tos 0x0, ttl 52, id 12508, offset 0, flags [none], proto UDP (17), length 124)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 96
14:36:46.770013 IP (tos 0x0, ttl 52, id 12554, offset 0, flags [none], proto UDP (17), length 124)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 96
14:36:46.770199 IP (tos 0x0, ttl 52, id 12555, offset 0, flags [none], proto UDP (17), length 124)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 96
14:36:46.774499 IP (tos 0x0, ttl 52, id 12556, offset 0, flags [none], proto UDP (17), length 124)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 96
14:36:46.801759 IP (tos 0x0, ttl 52, id 12563, offset 0, flags [none], proto UDP (17), length 124)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 96
14:36:46.813536 IP (tos 0x0, ttl 52, id 12564, offset 0, flags [none], proto UDP (17), length 172)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 144
14:36:46.864784 IP (tos 0x0, ttl 52, id 12577, offset 0, flags [none], proto UDP (17), length 124)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 96
14:36:55.164112 IP (tos 0x0, ttl 64, id 41344, offset 0, flags [none], proto UDP (17), length 60)
    192.168.1.2.1234 > 78.94.46.90.58285: UDP, length 32
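
Added example, not part of the thread: a short Python script that classifies the UDP packets in the eth0.2 capture above by WireGuard message type, using only their size. The sizes are fixed by the protocol: a handshake initiation is 148 bytes of UDP payload, a handshake response 92, a cookie reply 64, and a transport packet is a 16-byte header plus a 16-byte tag around a payload padded to a multiple of 16, so a bare 32-byte transport packet is a keepalive (64 bytes is ambiguous by size alone and is flagged as such). The capture lines are a subset copied from the post above; the server port 1234 is the listen_port from the config.

```python
"""Classify WireGuard UDP packets in tcpdump -v -n output by message size."""
import re
from collections import Counter
from typing import Dict, List

# UDP payload sizes fixed by the WireGuard protocol.
HANDSHAKE_INITIATION = 148
HANDSHAKE_RESPONSE = 92
COOKIE_REPLY = 64
TRANSPORT_OVERHEAD = 32  # 4 type + 4 receiver + 8 counter + 16 Poly1305 tag

# Matches the second line of each tcpdump -v record: "src.sport > dst.dport: UDP, length N"
LINE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): UDP, length (\d+)"
)

# Lines copied from the eth0.2 capture posted in the thread (subset).
CAPTURE = """\
14:36:44.657144 IP (tos 0x0, ttl 52, id 12297, offset 0, flags [none], proto UDP (17), length 176)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 148
14:36:44.679432 IP (tos 0x88, ttl 64, id 40845, offset 0, flags [none], proto UDP (17), length 120)
    192.168.1.2.1234 > 78.94.46.90.58285: UDP, length 92
14:36:44.724480 IP (tos 0x0, ttl 52, id 12300, offset 0, flags [none], proto UDP (17), length 172)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 144
14:36:44.855467 IP (tos 0x0, ttl 52, id 12305, offset 0, flags [none], proto UDP (17), length 124)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 96
14:36:45.075477 IP (tos 0x0, ttl 52, id 12348, offset 0, flags [none], proto UDP (17), length 140)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 112
14:36:45.099999 IP (tos 0x0, ttl 52, id 12353, offset 0, flags [none], proto UDP (17), length 268)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 240
14:36:46.864784 IP (tos 0x0, ttl 52, id 12577, offset 0, flags [none], proto UDP (17), length 124)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 96
14:36:55.164112 IP (tos 0x0, ttl 64, id 41344, offset 0, flags [none], proto UDP (17), length 60)
    192.168.1.2.1234 > 78.94.46.90.58285: UDP, length 32
"""


def classify(length: int) -> str:
    """Map a UDP payload length to the WireGuard message type it can be."""
    if length == HANDSHAKE_INITIATION:
        return "handshake-initiation"
    if length == HANDSHAKE_RESPONSE:
        return "handshake-response"
    if length == COOKIE_REPLY:
        return "cookie-reply-or-transport"  # 64 = cookie reply or 32-byte payload
    if length == TRANSPORT_OVERHEAD:
        return "keepalive"  # transport packet with empty payload
    if length > TRANSPORT_OVERHEAD and (length - TRANSPORT_OVERHEAD) % 16 == 0:
        return "transport-data"
    return "unknown"


def parse(capture: str, server_port: int) -> List[dict]:
    """Extract direction, size and message kind for each UDP record in the capture."""
    packets = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _src, _sport, _dst, dport, length = m.groups()
        direction = "to-server" if int(dport) == server_port else "from-server"
        packets.append({"dir": direction, "len": int(length), "kind": classify(int(length))})
    return packets


def summarize(packets: List[dict]) -> Dict[str, int]:
    """Count packets per direction/kind, e.g. {'to-server/transport-data': 5}."""
    return dict(Counter(f"{p['dir']}/{p['kind']}" for p in packets))


def verdict(packets: List[dict]) -> Dict[str, object]:
    """What the exchange tells us without decrypting anything."""
    kinds = Counter((p["dir"], p["kind"]) for p in packets)
    return {
        "handshake_completed": kinds[("from-server", "handshake-response")] > 0,
        "client_data": kinds[("to-server", "transport-data")],
        "server_data": kinds[("from-server", "transport-data")],
        "server_keepalives": kinds[("from-server", "keepalive")],
    }


if __name__ == "__main__":
    pkts = parse(CAPTURE, server_port=1234)
    for k, v in sorted(summarize(pkts).items()):
        print(f"{v:3d}  {k}")
    print(verdict(pkts))
```

Read this way, the capture says more than "the port is open": the router answered the 148-byte initiation with a 92-byte response, so the handshake completed and the client's key is accepted; the client then sent encrypted data, and the only thing the router sent back was a 32-byte keepalive while tcpdump on wg0 saw nothing at all. Reception and decryption are working, so whatever discards the traffic sits between decryption and delivery to wg0 (the cryptokey-routing check of the inner source address happens at exactly that point), not in the WAN firewall or the ISP modem.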

It seems open, but you should be able to see packets in the capture on the wg0 interface. I am not sure why this is happening.
One more thing I noticed: remove the static route for 192.168.10.0/24. You have the wg0 interface in that network, so the route already exists as directly connected (proto kernel).
Are you pinging an IP or a hostname? Make sure it is an IPv4 address, so as to rule out IPv6.
Last but not least, post the firewall configuration in case something is missing:

iptables -L -vn
iptables -t nat -L -vn
iptables -t mangle -L -vn

I tried pinging the WireGuard interface's IP and the router's IP; neither works for some reason.
Before the reboot it worked.

Here are the iptables rules:

root@OpenWrt:~# iptables -L -vn
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   35  2585 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
 9685  841K input_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom input rule chain */
 9176  800K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
  142  5884 syn_flood  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 /* !fw3 */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1194 /* !fw3: Allow-OpenVPN-Inbound */
    1   176 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1234 /* !fw3: Allow-Wireguard-Inbound */
  366 33841 zone_lan_input  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
  142  7176 zone_wan_input  all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_wg_input  all  --  wg0    *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
18846 9011K forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom forwarding rule chain */
18300 8942K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
  498 65686 zone_lan_forward  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
   48  2820 zone_wan_forward  all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_wg_forward  all  --  wg0    *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   35  2585 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0            /* !fw3 */
 9571 2198K output_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom output rule chain */
 9326 2179K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
   54  6174 zone_lan_output  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
  191 13554 zone_wan_output  all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_wg_output  all  --  *      wg0     0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain forwarding_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_wg_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_wg_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_wg_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain reject (4 references)
 pkts bytes target     prot opt in     out     source               destination         
  137  5584 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */ reject-with tcp-reset
    5  1592 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */ reject-with icmp-port-unreachable

Chain syn_flood (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  142  5884 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 25/sec burst 50 /* !fw3 */
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_dest_ACCEPT (3 references)
 pkts bytes target     prot opt in     out     source               destination         
   54  6174 ACCEPT     all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  498 65686 forwarding_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan forwarding rule chain */
  498 65686 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Zone lan to wan forwarding policy */
    0     0 zone_wg_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Zone lan to wg forwarding policy */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  366 33841 input_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan input rule chain */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port redirections */
  366 33841 zone_lan_src_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   54  6174 output_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan output rule chain */
   54  6174 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  366 33841 ACCEPT     all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            ctstate NEW,UNTRACKED /* !fw3 */

Chain zone_wan_dest_ACCEPT (3 references)
 pkts bytes target     prot opt in     out     source               destination         
    9   592 DROP       all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            ctstate INVALID /* !fw3: Prevent NAT leakage */
  680 78648 ACCEPT     all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_dest_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 reject     all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   48  2820 forwarding_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan forwarding rule chain */
   48  2820 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_wan_dest_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  142  7176 input_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan input rule chain */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68 /* !fw3: Allow-DHCP-Renew */
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 /* !fw3: Allow-Ping */
    0     0 ACCEPT     2    --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Allow-IGMP */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2200 /* !fw3: ssh-test */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1194 /* !fw3: Allow-OpenVPN */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1194 /* !fw3: Allow-OpenVPN */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port redirections */
  142  7176 zone_wan_src_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  191 13554 output_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan output rule chain */
  191 13554 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_src_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  142  7176 reject     all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wg_dest_ACCEPT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      wg0     0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wg_dest_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 reject     all  --  *      wg0     0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wg_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 forwarding_wg_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wg forwarding rule chain */
    0     0 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Zone wg to wan forwarding policy */
    0     0 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Zone wg to lan forwarding policy */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_wg_dest_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wg_input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 input_wg_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wg input rule chain */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port redirections */
    0     0 zone_wg_src_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wg_output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 output_wg_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wg output rule chain */
    0     0 zone_wg_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wg_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  wg0    *       0.0.0.0/0            0.0.0.0/0            ctstate NEW,UNTRACKED /* !fw3 */
root@OpenWrt:~# iptables -t nat -L -vn
Chain PREROUTING (policy ACCEPT 536 packets, 39444 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  585 42440 prerouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom prerouting rule chain */
  394 32268 zone_lan_prerouting  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
  191 10172 zone_wan_prerouting  all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_wg_prerouting  all  --  wg0    *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain INPUT (policy ACCEPT 237 packets, 21379 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 186 packets, 14970 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 86 packets, 7183 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  514 32395 postrouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom postrouting rule chain */
   71  6443 zone_lan_postrouting  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
  428 25212 zone_wan_postrouting  all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_wg_postrouting  all  --  *      wg0     0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain postrouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain postrouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain postrouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain postrouting_wg_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_wg_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain zone_lan_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   71  6443 postrouting_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan postrouting rule chain */
    0     0 SNAT       tcp  --  *      *       192.168.2.0/24       192.168.2.101        tcp dpt:5001 /* !fw3: DSM_218p (reflection) */ to:192.168.2.1
    0     0 SNAT       udp  --  *      *       192.168.2.0/24       192.168.2.101        udp dpt:1194 /* !fw3: OVPN_218p (reflection) */ to:192.168.2.1
    0     0 SNAT       tcp  --  *      *       192.168.2.0/24       192.168.2.101        tcp dpt:8080 /* !fw3: Nextcloud_218p (reflection) */ to:192.168.2.1
    0     0 SNAT       tcp  --  *      *       192.168.2.0/24       192.168.2.101        tcp dpt:443 /* !fw3: HTTPS_218p (reflection) */ to:192.168.2.1
    0     0 SNAT       tcp  --  *      *       192.168.2.0/24       192.168.2.102        tcp dpt:5001 /* !fw3: DSM_218p_VM (reflection) */ to:192.168.2.1
    0     0 SNAT       tcp  --  *      *       192.168.2.0/24       192.168.2.1          tcp dpt:22 /* !fw3: SSH_OpenWRT (reflection) */ to:192.168.2.1
    0     0 SNAT       udp  --  *      *       192.168.2.0/24       192.168.2.1          udp dpt:1234 /* !fw3: WireGuard_OpenWRT (reflection) */ to:192.168.2.1

Chain zone_lan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  394 32268 prerouting_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan prerouting rule chain */
    0     0 DNAT       tcp  --  *      *       192.168.2.0/24       192.168.1.2          tcp dpt:5001 /* !fw3: DSM_218p (reflection) */ to:192.168.2.101:5001
    0     0 DNAT       udp  --  *      *       192.168.2.0/24       192.168.1.2          udp dpt:1195 /* !fw3: OVPN_218p (reflection) */ to:192.168.2.101:1194
    0     0 DNAT       tcp  --  *      *       192.168.2.0/24       192.168.1.2          tcp dpt:80 /* !fw3: Nextcloud_218p (reflection) */ to:192.168.2.101:8080
    0     0 DNAT       tcp  --  *      *       192.168.2.0/24       192.168.1.2          tcp dpt:443 /* !fw3: HTTPS_218p (reflection) */ to:192.168.2.101:443
    0     0 DNAT       tcp  --  *      *       192.168.2.0/24       192.168.1.2          tcp dpt:5002 /* !fw3: DSM_218p_VM (reflection) */ to:192.168.2.102:5001
    0     0 DNAT       tcp  --  *      *       192.168.2.0/24       192.168.1.2          tcp dpt:1122 /* !fw3: SSH_OpenWRT (reflection) */ to:192.168.2.1:22
    0     0 DNAT       udp  --  *      *       192.168.2.0/24       192.168.1.2          udp dpt:1234 /* !fw3: WireGuard_OpenWRT (reflection) */ to:192.168.2.1:1234

Chain zone_wan_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  428 25212 postrouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan postrouting rule chain */
  428 25212 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  191 10172 prerouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan prerouting rule chain */
   38  2280 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5001 /* !fw3: DSM_218p */ to:192.168.2.101:5001
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1195 /* !fw3: OVPN_218p */ to:192.168.2.101:1194
    2    80 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 /* !fw3: Nextcloud_218p */ to:192.168.2.101:8080
    8   460 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 /* !fw3: HTTPS_218p */ to:192.168.2.101:443
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5002 /* !fw3: DSM_218p_VM */ to:192.168.2.102:5001
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1122 /* !fw3: SSH_OpenWRT */ to:192.168.2.1:22
    1   176 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1234 /* !fw3: WireGuard_OpenWRT */ to:192.168.2.1:1234

Chain zone_wg_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 postrouting_wg_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wg postrouting rule chain */

Chain zone_wg_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 prerouting_wg_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wg prerouting rule chain */
root@OpenWrt:~# iptables -t mangle -L -vn
Chain PREROUTING (policy ACCEPT 29896 packets, 10M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 9963 packets, 862K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 19919 packets, 9576K bytes)
 pkts bytes target     prot opt in     out     source               destination         
  163  9652 TCPMSS     tcp  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 /* !fw3: Zone wan MTU fixing */ TCPMSS clamp to PMTU

Chain OUTPUT (policy ACCEPT 9809 packets, 2256K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 29774 packets, 12M bytes)
 pkts bytes target     prot opt in     out     source               destination         
root@OpenWrt:~#

The wg input has zero hits. That means nothing arrived on the wg0 interface.

I told you that the port forward of WG is not needed, because you have a rule to accept the traffic inbound, but it is still there and it has a hit.

    0     0 DNAT       tcp  --  *      *       192.168.2.0/24       192.168.1.2          tcp dpt:1122 /* !fw3: SSH_OpenWRT (reflection) */ to:192.168.2.1:22
    0     0 DNAT       udp  --  *      *       192.168.2.0/24       192.168.1.2          udp dpt:1234 /* !fw3: WireGuard_OpenWRT (reflection) */ to:192.168.2.1:1234
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1122 /* !fw3: SSH_OpenWRT */ to:192.168.2.1:22
    1   176 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1234 /* !fw3: WireGuard_OpenWRT */ to:192.168.2.1:1234 

If you don't do what we ask here, we cannot help you, because we trust that you do what is asked and rule out a potential cause of the problem while it is still there.

1 Like

Sorry, I guess I forgot to remove the port forward.

But it's still not working now that I've removed it and restarted the firewall.

  • Do the far-end peer connections have keep-alives?
  • Are you certain that the network on the far end permits connections initiated on 1234/udp (i.e. commercial or hotel network)?

Yes, I just connected with my mobile phone via LTE and I can see it as connected in my WireGuard interface on LuCI:

Endpoint: X.X.X.X:2372
Allowed IPs:
• (none)
Persistent Keepalive: 25s
Latest Handshake: Thu, 14 Feb 2019 17:56:43 GMT (18s ago)
Data Received: 2 KiB
Data Transmitted: 2 KiB

I tried connecting via mobile phone and from work.
There should be no blocked ports for UDP 1234 from those networks, as it already worked two weeks ago from those devices.

Is it normal, that it says allowed IPs none here?

:open_mouth:

This is likely why you have no traffic - you have no allowed IPs specified for use on the tunnel.

That isn't normal.

But I have set
::/0
and
0.0.0.0/0
as allowed IPs for the peers in the LuCI interface for the WireGuard interface.
I guess I will have to edit the config directly.
Which file or command is that again?

Instead of 0.0.0.0/0

For IPv4, try:

  • 0.0.0.0/1
    and
  • 128.0.0.0/1

You didn't set that route on multiple peers, did you?
Such a route would be invalid (without a metric likely).

See: https://www.wireguard.com/#cryptokey-routing

It's in /etc/config/network - the same file you posted above.

Okay, and do I have to set those IPs to the IPs my peers will get (192.168.10.2/32, 192.168.10.3/32 and 192.168.10.4/32) on the WireGuard interface, or should I just use 0.0.0.0/1, 0.0.0.0/2, 0.0.0.0/3?

Or can I use the whole subnet for all, like 192.168.10.1/24?

Like, is that to allow the internal IPs of each peer, or is it to configure the public IPs my peer can connect from?

Currently 0.0.0.0/0 is set for all peers for some reason.

Yes, I honestly think you should only use:

  • the subnet if you're routing to a network, or
  • an individual IP for a single peer (/32 in IPv4 and /128 in IPv6)

Only use 0.0.0.0/0 for a peer that's actually a VPN provider for your Internet connection.

That (/2 and /3) is invalid for your purposes. If you are not familiar with subnets, see this guide:

2 Likes
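To make the cryptokey-routing point above concrete, here is an added example (not code from this thread or from OpenWrt) that parses the WireGuard peer sections of an OpenWrt `/etc/config/network` file and checks the allowed_ips the way WireGuard itself treats them: every prefix belongs to exactly one peer, so a second peer claiming the same prefix takes it over and the first peer is left with nothing (which is what "Allowed IPs: (none)" in LuCI looks like). The two UCI snippets, the peer descriptions "phone" and "laptop", the 192.168.10.0/24 tunnel subnet and the placeholder keys are constructed for the example and are assumptions, not the poster's real configuration.

```python
import ipaddress
import re

# Constructed sample of the WireGuard part of /etc/config/network (UCI syntax).
# Keys are placeholders. This reproduces the thread's misconfiguration: every
# peer claims 0.0.0.0/0 and ::/0.
BROKEN_UCI = """
config interface 'wg0'
        option proto 'wireguard'
        option private_key 'PRIVATE_KEY_PLACEHOLDER'
        option listen_port '1234'
        list addresses '192.168.10.1/24'

config wireguard_wg0
        option public_key 'PEER_A_PUBKEY_PLACEHOLDER'
        option description 'phone'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'

config wireguard_wg0
        option public_key 'PEER_B_PUBKEY_PLACEHOLDER'
        option description 'laptop'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
"""

# Same peers, each with only its own tunnel address (/32), as recommended above.
FIXED_UCI = """
config interface 'wg0'
        option proto 'wireguard'
        option private_key 'PRIVATE_KEY_PLACEHOLDER'
        option listen_port '1234'
        list addresses '192.168.10.1/24'

config wireguard_wg0
        option public_key 'PEER_A_PUBKEY_PLACEHOLDER'
        option description 'phone'
        list allowed_ips '192.168.10.2/32'

config wireguard_wg0
        option public_key 'PEER_B_PUBKEY_PLACEHOLDER'
        option description 'laptop'
        list allowed_ips '192.168.10.3/32'
"""

UCI_KV = re.compile(r"(option|list)\s+(\w+)\s+'([^']*)'")


def parse_wg_peers(uci_text, iface="wg0"):
    """Collect every 'config wireguard_<iface>' section: description,
    public key and the list of allowed_ips as ip_network objects."""
    peers, current = [], None
    for raw in uci_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line.split()[1]
            current = None
            if section == f"wireguard_{iface}":
                current = {"description": None, "public_key": None, "allowed_ips": []}
                peers.append(current)
            continue
        m = UCI_KV.match(line)
        if current is None or not m:
            continue
        _, key, value = m.groups()
        if key in ("description", "public_key"):
            current[key] = value
        elif key == "allowed_ips":
            current["allowed_ips"].append(ipaddress.ip_network(value, strict=False))
    return peers


def peer_name(peer):
    return peer["description"] or (peer["public_key"] or "?")[:8]


def find_problems(peers):
    """Cryptokey-routing sanity checks. WireGuard assigns each allowed prefix
    to one peer; assigning it again to a later peer removes it from the
    earlier one, so that peer ends up with no allowed IPs at all."""
    problems, owner = [], {}
    for peer in peers:
        name = peer_name(peer)
        if not peer["allowed_ips"]:
            problems.append(f"{name}: no allowed_ips, nothing will be routed to this peer")
        for net in peer["allowed_ips"]:
            if net in owner:
                problems.append(f"{name}: {net} already assigned to {owner[net]}")
            owner[net] = name
            if net.prefixlen == 0:
                problems.append(f"{name}: {net} is a default route; only valid if this peer is your Internet gateway")
    return problems


def route_lookup(peers, dst):
    """Which peer a packet to dst is encrypted for: longest-prefix match over
    all allowed_ips, later peers winning ties (the last claim owns the prefix).
    None means no peer owns the prefix and the packet is dropped."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for peer in peers:
        for net in peer["allowed_ips"]:
            if net.version == addr.version and addr in net and net.prefixlen >= best_len:
                best, best_len = peer_name(peer), net.prefixlen
    return best


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_UCI), ("fixed", FIXED_UCI)):
        peers = parse_wg_peers(text)
        print(label, find_problems(peers) or "OK")
        print("  192.168.10.2 ->", route_lookup(peers, "192.168.10.2"))
```

Run against the broken file, the checker reports that the laptop peer took 0.0.0.0/0 and ::/0 away from the phone peer and that both are default routes; against the fixed file it reports nothing, and a lookup for 192.168.10.2 lands on the phone while 8.8.8.8 matches no peer at all, which is the behaviour you want on a server that only reaches its road-warrior clients and is not anyone's Internet gateway.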