Hello, I am a complete beginner trying to connect to my home network over a VPN so I can reach my devices remotely.
I followed basic tutorials for WireGuard and it worked like a charm. I then configured a batman-adv mesh (as shown in the linked guide) with three identical ZyXEL WSM20: two acting as dumb APs/mesh points and one as AP/mesh point and router. This split my network into three VLANs — 99 (lan), 4 (guest) and 3 (iot) — by attaching VLAN sub-interfaces of the batman device (bat0.99, bat0.4, bat0.3) to the corresponding bridges. My question is whether I am right that this setup should work, or whether I am overlooking something obvious.
My wg0 interface comes up and the WireGuard app's log shows the handshake completing, but on the peer (an iPhone 12) I get neither internet access nor access to any local device. The interface also shows only a few KB of traffic. (A completed handshake means the keys and the open UDP port are fine; whatever is wrong happens to the traffic after decryption — routing, firewall zone or NAT.)
firewall config
# Reviewer notes (comments only; the posted /etc/config/firewall is otherwise unchanged).
# Default-deny for INPUT and FORWARD: only the zones and rules below open anything.
config defaults
option input 'DROP'
option output 'ACCEPT'
option forward 'DROP'
option synflood_protect '1'
option drop_invalid '1'
config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
# wg0 is a member of the lan zone: a connected VPN peer gets exactly the access of a wired
# LAN host (router services, lan->wan, lan->iot). That is the intent here, but it also means
# that whoever holds a peer key is effectively on the LAN -- guard peer keys accordingly.
list network 'wg0'
config zone 'wan'
option name 'wan'
option input 'DROP'
option output 'ACCEPT'
option forward 'DROP'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config forwarding 'lan_wan'
option src 'lan'
option dest 'wan'
# INPUT rule (no 'dest'): opens the WireGuard listen port on the WAN to the router itself.
# WireGuard stays silent to packets that fail authentication, so the open port reveals
# nothing to unauthenticated scanners. No 'family' is set, so it applies to IPv4 and IPv6.
# The port must match 'option listen_port' of wg0 in /etc/config/network.
config rule 'wg'
option name 'Allow-WireGuard'
option src 'wan'
option dest_port '10666'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'guest'
option input 'DROP'
option output 'ACCEPT'
option forward 'DROP'
list network 'GUEST'
# masq on an internal zone only rewrites traffic that leaves the router INTO guest; nothing
# is forwarded into guest below, so this is a no-op here and can be dropped.
option masq '1'
config zone
option name 'iot'
option input 'DROP'
option output 'ACCEPT'
option forward 'DROP'
list network 'IOT'
# No 'proto' means TCP and UDP; no 'dest' means INPUT to the router only. 67 and 53 are
# what clients need for DHCP and DNS; 68 is the DHCP client-side port and is not needed on
# the router (harmless). Everything else from these zones stays at the zone's input=DROP.
config rule
option name 'Allow-GUEST-DHCPDNS'
option src 'guest'
option dest_port '67 68 53'
option target 'ACCEPT'
config rule
option name 'Allow-IOT-DHCPDNS'
option src 'iot'
option dest_port '67 68 53'
option target 'ACCEPT'
config forwarding
option src 'guest'
option dest 'wan'
# One-way: lan (which includes wg0) may initiate to iot. There is no iot->lan and no
# iot->wan forwarding, so IoT devices cannot reach the LAN and have no internet access.
config forwarding
option src 'lan'
option dest 'iot'
network config
# Reviewer notes (comments only; the posted /etc/config/network is otherwise unchanged).
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix '[REDACTED]'
option packet_steering '1'
# br-lan carries the wired LAN ports plus VLAN 99 riding on the batman-adv mesh device.
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan2'
list ports 'lan3'
list ports 'bat0.99'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
option defaultroute '0'
config interface 'wan'
option device 'wan'
option proto 'pppoe'
option username '[REDACTED].de'
option password '[REDACTED]'
option ipv6 'auto'
option peerdns '0'
list dns '1.1.1.1'
list dns '9.9.9.9'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
option reqaddress 'try'
option reqprefix 'auto'
option peerdns '0'
list dns '2606:4700:4700::1111'
list dns '2620:fe::fe'
# WireGuard server side. The only private key that belongs in this file is the router's own.
config interface 'wg0'
option proto 'wireguard'
option private_key '[REDACTED]'
# Must match the dest_port of the 'Allow-WireGuard' rule in /etc/config/firewall.
option listen_port '10666'
# The /24 installs the on-link route 192.168.9.0/24 -> wg0, which already covers every peer
# address in that subnet (see the 'ip -4 ro' output further down).
list addresses '192.168.9.1/24'
config wireguard_wg0 'wgclient'
option public_key '[REDACTED]'
# Good: a preshared key on top of the public-key handshake.
option preshared_key '[REDACTED]'
option description 'iphone12'
# WARNING: this is the PHONE's private key, stored on the router (presumably left over from
# generating the client config/QR code). The tunnel itself does not need it, and anyone who
# can read this file -- root, a config backup, a forum paste -- can impersonate the phone.
# Remove it once the client is provisioned; if this config has been shared, rotate the key.
option private_key '[REDACTED]'
option persistent_keepalive '25'
# Adds a host route per allowed_ips entry (the '192.168.9.9 dev wg0' route in the output
# below). Redundant here because 192.168.9.1/24 already routes the subnet via wg0; it is only
# needed when a peer carries an additional subnet behind it.
option route_allowed_ips '1'
# This list is also WireGuard's cryptokey-routing ACL for the peer: decrypted packets from it
# with any other source address are dropped, and only packets to this address are sent to it.
list allowed_ips '192.168.9.9/32'
config device
option type 'bridge'
option name 'br-guest'
list ports 'lan1'
list ports 'bat0.4'
config device
option type 'bridge'
option name 'br-iot'
list ports 'bat0.3'
config interface 'GUEST'
option proto 'static'
option device 'br-guest'
option ipaddr '192.168.4.1'
option netmask '255.255.255.0'
option defaultroute '0'
config interface 'IOT'
option proto 'static'
option device 'br-iot'
option ipaddr '192.168.3.1'
option netmask '255.255.255.0'
option defaultroute '0'
# batman-adv mesh. The lan/guest/iot separation across the mesh relies on 802.1Q tags on
# bat0; batman-adv itself adds no encryption, so between the nodes that separation is only
# as strong as the link-layer encryption of the mesh radio (not part of this listing).
config interface 'bat0'
option proto 'batadv'
option routing_algo 'BATMAN_IV'
option bridge_loop_avoidance '1'
option gw_mode 'server'
option hop_penalty '30'
# Binds the underlying mesh radio (the 'hardif') to bat0; the wireless side is not shown here.
config interface 'batmesh'
option proto 'batadv_hardif'
option master 'bat0'
Do we understand correctly that it worked at first, and that it stopped working after you configured the separate VLANs and the batman-adv mesh?
What are the allowed IPs on the client device?
The allowed IPs on the Peers tab in OpenWrt are 192.168.9.9/32, and the VPN connection on the client also shows 192.168.9.9 as its assigned IP.
on the client device i have these settings:
Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, private and preshared keys, MAC addresses and any public IP addresses you may have.
# Diagnostic bundle: board/firmware info; then IPv4 addresses, every routing table, the policy
# rules, and a simulated reverse-path lookup for a packet arriving on wg0 with the phone's
# source address (this is the check that fails with EINVAL when that address is local to the
# router); then the resolver files. Redact keys and public addresses before pasting the output.
ubus call system board; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; ip route get 1.1.1.1 from 192.168.9.9 iif wg0 ; \
ls -l /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
{
"kernel": "5.15.134",
"hostname": "ZAP-r",
"system": "MediaTek MT7621 ver:1 eco:3",
"model": "ZyXEL WSM20",
"board_name": "zyxel,wsm20",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.0",
"revision": "r23497-6637af95aa",
"target": "ramips/mt7621",
"description": "OpenWrt 23.05.0 r23497-6637af95aa"
}
}
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
9: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 192.168.4.1/24 brd 192.168.4.255 scope global br-guest
valid_lft forever preferred_lft forever
11: br-iot: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 192.168.3.1/24 brd 192.168.3.255 scope global br-iot
valid_lft forever preferred_lft forever
30: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
valid_lft forever preferred_lft forever
35: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN qlen 1000
inet 192.168.9.1/24 brd 192.168.9.255 scope global wg0
valid_lft forever preferred_lft forever
inet 192.168.9.9/32 brd 255.255.255.255 scope global wg0
valid_lft forever preferred_lft forever
36: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN qlen 3
inet 88.88.88.126 peer 88.88.88.15/32 scope global pppoe-wan
valid_lft forever preferred_lft forever
default via 88.88.88.15 dev pppoe-wan
88.88.88.15 dev pppoe-wan scope link src 88.88.88.126
192.168.1.0/24 dev br-lan scope link src 192.168.1.1
192.168.3.0/24 dev br-iot scope link src 192.168.3.1
192.168.4.0/24 dev br-guest scope link src 192.168.4.1
192.168.9.0/24 dev wg0 scope link src 192.168.9.1
192.168.9.9 dev wg0 scope link
local 88.88.88.126 dev pppoe-wan table local scope host src 88.88.88.126
local 127.0.0.0/8 dev lo table local scope host src 127.0.0.1
local 127.0.0.1 dev lo table local scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link src 127.0.0.1
local 192.168.1.1 dev br-lan table local scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local scope link src 192.168.1.1
local 192.168.3.1 dev br-iot table local scope host src 192.168.3.1
broadcast 192.168.3.255 dev br-iot table local scope link src 192.168.3.1
local 192.168.4.1 dev br-guest table local scope host src 192.168.4.1
broadcast 192.168.4.255 dev br-guest table local scope link src 192.168.4.1
local 192.168.9.1 dev wg0 table local scope host src 192.168.9.1
local 192.168.9.9 dev wg0 table local scope host src 192.168.9.9
broadcast 192.168.9.255 dev wg0 table local scope link src 192.168.9.1
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
ip: RTNETLINK answers: Invalid argument
lrwxrwxrwx 1 root root 16 Oct 9 23:45 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r-- 1 root root 47 Nov 23 10:41 /tmp/resolv.conf
-rw-r--r-- 1 root root 72 Nov 23 15:55 /tmp/resolv.conf.d/resolv.conf.auto
-rw-r--r-- 1 root root 54 Nov 23 15:55 /tmp/resolv.conf.ppp
/tmp/resolv.conf.d:
-rw-r--r-- 1 root root 72 Nov 23 15:55 resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1
==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1
==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error
==> /tmp/resolv.conf.ppp <==
nameserver 217.237.150.205
nameserver 217.237.149.142
==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface wan
nameserver 1.1.1.1
nameserver 9.9.9.9
# Interface wan_6
Remove these two options from the `config wireguard_wg0 'wgclient'` section (judging by the rest of the thread, the peer-side `option private_key` and `option route_allowed_ips`). A peer section needs only the phone's public key, the preshared key, its allowed IP and the keepalive; the phone's private key has no business being on the router.
Then verify with ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; ip route get 1.1.1.1 from 192.168.9.9 iif wg0
I changed /etc/config/network, but the output of your verification command is the same as before (note that it still shows the 192.168.9.9/32 address on wg0, so it was probably captured before wg0 was restarted — `ifup wg0` or a reboot is needed for the new config to take effect):
root@ZAP-r:~# ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; ip route get 1.1.1.1 from 192.168.9.9 iif wg0
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
9: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 192.168.4.1/24 brd 192.168.4.255 scope global br-guest
valid_lft forever preferred_lft forever
11: br-iot: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 192.168.3.1/24 brd 192.168.3.255 scope global br-iot
valid_lft forever preferred_lft forever
30: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
valid_lft forever preferred_lft forever
35: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN qlen 1000
inet 192.168.9.1/24 brd 192.168.9.255 scope global wg0
valid_lft forever preferred_lft forever
inet 192.168.9.9/32 brd 255.255.255.255 scope global wg0
valid_lft forever preferred_lft forever
36: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN qlen 3
inet 88.88.88.126 peer 88.88.88.15/32 scope global pppoe-wan
valid_lft forever preferred_lft forever
default via 88.88.88.15 dev pppoe-wan
88.88.88.15 dev pppoe-wan scope link src 88.88.88.126
192.168.1.0/24 dev br-lan scope link src 192.168.1.1
192.168.3.0/24 dev br-iot scope link src 192.168.3.1
192.168.4.0/24 dev br-guest scope link src 192.168.4.1
192.168.9.0/24 dev wg0 scope link src 192.168.9.1
192.168.9.9 dev wg0 scope link
local 88.88.88.126 dev pppoe-wan table local scope host src 88.88.88.126
local 127.0.0.0/8 dev lo table local scope host src 127.0.0.1
local 127.0.0.1 dev lo table local scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link src 127.0.0.1
local 192.168.1.1 dev br-lan table local scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local scope link src 192.168.1.1
local 192.168.3.1 dev br-iot table local scope host src 192.168.3.1
broadcast 192.168.3.255 dev br-iot table local scope link src 192.168.3.1
local 192.168.4.1 dev br-guest table local scope host src 192.168.4.1
broadcast 192.168.4.255 dev br-guest table local scope link src 192.168.4.1
local 192.168.9.1 dev wg0 table local scope host src 192.168.9.1
local 192.168.9.9 dev wg0 table local scope host src 192.168.9.9
broadcast 192.168.9.255 dev wg0 table local scope link src 192.168.9.1
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
ip: RTNETLINK answers: Invalid argument
OK, that does not matter now: I have internet access, I confirmed that I am browsing through the VPN, and I can reach my local devices.
But shouldn't route_allowed_ips be required? What does it actually do?
The problem I saw was that wg0 had both 192.168.9.1 and 192.168.9.9 configured as its own addresses; the latter is wrong and explains why the phone's traffic was not routed. With 192.168.9.9 in the kernel's local table (`local 192.168.9.9 dev wg0 table local` above), a packet arriving on wg0 with that source address looks like it came from the router itself, i.e. it is treated as a martian and dropped — which is also why `ip route get 1.1.1.1 from 192.168.9.9 iif wg0` answered "Invalid argument" instead of printing a route.
You already have the 192.168.9.1/24 address on wg0, so the whole 192.168.9.0/24 subnet is routed through wg0 and a per-peer host route adds nothing. route_allowed_ips only matters when there is another subnet behind the peer, say 192.168.99.0/24: then you add that subnet to the peer's allowed IPs (which is also WireGuard's source/destination ACL for that peer) and either let route_allowed_ips install the route for it or create a static route yourself.