[Solved] WireGuard site2site script - firewall zone problem

I am using the WireGuard site2site guide.
https://openwrt.org/docs/guide-user/services/vpn/wireguard/site-to-site

The script generates two new scripts which run on each site.
These two new scripts show errors while running,
in the "WAN ingress" section of the scripts.

The section of the script with the error looks like this:

echo -n Creating firewall rule for WAN ingress...
uci del_list firewall.vpn.network="wg_s2s_b"
uci add_list firewall.vpn.network="wg_s2s_b"
uci -q delete firewall.wg_s2s_51821
uci set firewall.wg_s2s_51821="rule"
uci set firewall.wg_s2s_51821.name="Allow-WireGuard-51821"
uci set firewall.wg_s2s_51821.src="wan"
uci set firewall.wg_s2s_51821.dest_port="51821"
uci set firewall.wg_s2s_51821.proto="udp"
uci set firewall.wg_s2s_51821.target="ACCEPT"
uci commit firewall
service firewall restart
echo Done

Terminal Output:

======================================
|     Automated WireGuard Script     |
|          Site-to-Site VPN          |
|           Configuration            |
======================================
Generated to configure j.myds.me to tunnel with e.di.me
Creating firewall rule for WAN ingress...uci: Invalid argument
uci: Invalid argument
Done
Configure wireguard interface wg_s2s_a...Done
Configure peer Site B, e.di.me...
Done
======================================
|             Next steps             |
======================================
Remove this script: /root/site-j.sh
It contains copies of your secret keys that
you do not need anymore, because they are now in the network
configuration files. Delete the script to avoid key theft.
root@sznet_archerc6-192:~#

What I see as a result is that the WireGuard site2site connection IS working,
BUT there seems to be a problem with the firewall zones.
The script does not create or assign a firewall zone for the WireGuard interface; the WireGuard interface does not route/connect to lan.

If I assign the firewall zone "lan" to the WireGuard interface, the whole thing is working. But I do not think it works as designed.

Authors of this script are
@atownlede and @vgaetera

Last remark .. this script is GREAT stuff, OpenWrt / WireGuard - great team!

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall

This is one side of the WireGuard setup, the Archer C6.
Some issue on the other side, an R7800.

ubus call system board

root@sznet_archerc6-192:~# ubus call system board
{
        "kernel": "5.15.134",
        "hostname": "sznet_archerc6-192",
        "system": "Qualcomm Atheros QCA956X ver 1 rev 0",
        "model": "TP-Link Archer C6 v2 (EU/RU/JP)",
        "board_name": "tplink,archer-c6-v2",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.0",
                "revision": "r23497-6637af95aa",
                "target": "ath79/generic",
                "description": "OpenWrt 23.05.0 r23497-6637af95aa"
        }
}
root@sznet_archerc6-192:~#

cat /etc/config/network

root@sznet_archerc6-192:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd48:9492:0fec::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.253.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 0t'

config interface 'wg_s2s_a'
        option proto 'wireguard'
        option private_key 'GCJ******mM='
        option listen_port '51821'

config wireguard_wg_s2s_a 's2s_vpn_site_b'
        option public_key '11uox9f+1********GA='
        option preshared_key 'aYI*******+SFgCvKY='
        option description 'Site B, engin.din.me'
        list allowed_ips '192.168.112.0/24'
        list allowed_ips 'fdee:eeee:eeee::/48'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        option endpoint_host 'engin.din.me'
        option endpoint_port '51821'

root@sznet_archerc6-192:~#

root@sznet_archerc6-192:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name '3389 3.223'
        option src 'wan'
        option src_dport '3389'
        option dest_ip '192.168.253.223'
        option dest_port '3389'

config rule 'wg_s2s_51821'
        option name 'Allow-WireGuard-51821'
        option src 'wan'
        option dest_port '51821'
        option proto 'udp'
        option target 'ACCEPT'

@mopsza I experienced this issue - and found others also affected: Problem with Script Automated WireGuard site-to-site VPN. Also resolved with the forwarding zone fix recommendation as you've done. Not sure the process to get the script permanently fixed, perhaps it can be posted to git by admins for review/enhancement.

Are you setting the values of

# The firewall zone names at each site (the VPN tunnel endpoints are placed
# in these zones)
WG_SITE_A_VPN_ZONE=vpn
WG_SITE_B_VPN_ZONE=vpn

in the s2s_combined.sh script to match existing firewall zones at the two sites, before you run the script?

Hi,
thanks for asking, I forgot to tell.
I tried both ways.
After analysing the script,
I think I did find the part in the script where firewall zone "vpn" is defined,
the same lines where the script seems not to work:

uci del_list firewall.vpn.network="wg_s2s_b"
uci add_list firewall.vpn.network="wg_s2s_b"

I am missing the part in the script where the WG interface is attached to "vpn" and
where the forwarding rules regarding "vpn" are defined.
But I must confess I am not a good script reader at all.

So I tried to define vpn firewall zones myself before running the script.

Both ways did not work.

Now, reading your question, I also tried to send the uci commands manually via PuTTY to the router:

root@szne_nighthawk1_rumpel_195:~# uci del_list firewall.vpn.network="wg_s2s_amopsz"
uci: Invalid argument
root@szne_nighthawk1_rumpel_195:~# uci add_list firewall.vpn.network="wg_s2s_amopsz"
uci: Invalid argument
root@szne_nighthawk1_rumpel_195:~#

Also not working, on OpenWrt 23.05 / R7800.
Firewall zone "vpn" does exist on this router.

Currently I think this script does not run on my config,
and I am still missing the parts where the WG interface is attached to the firewall "vpn" zone and forwarding rules vpn-lan are defined.

This is the whole script for one site:

#!/bin/sh
clear
echo ======================================
echo "|     Automated WireGuard Script     |"
echo "|          Site-to-Site VPN          |"
echo "|           Configuration            |"
echo ======================================
echo Generated to configure "m.hopto.org" to tunnel with "e.diskstation.me"
echo -n Creating firewall rule for WAN ingress...
uci del_list firewall.vpn.network="wg_s2s_amopsz"
uci add_list firewall.vpn.network="wg_s2s_amopsz"
uci -q delete firewall.wg_s2s_51823
uci set firewall.wg_s2s_51823="rule"
uci set firewall.wg_s2s_51823.name="Allow-WireGuard-51823"
uci set firewall.wg_s2s_51823.src="wan"
uci set firewall.wg_s2s_51823.dest_port="51823"
uci set firewall.wg_s2s_51823.proto="udp"
uci set firewall.wg_s2s_51823.target="ACCEPT"
uci commit firewall
service firewall restart
echo Done
echo -n Configure wireguard interface "wg_s2s_amopsz"...
uci -q delete network.wg_s2s_amopsz
uci set network.wg_s2s_amopsz="interface"
uci set network.wg_s2s_amopsz.proto="wireguard"
uci set network.wg_s2s_amopsz.private_key="OBRE="
uci set network.wg_s2s_amopsz.listen_port="51823"
echo Done
echo -n Configure peer "Site B, e.diskstation.me"...
uci -q delete network.s2s_vpn_site_bmopsz
uci set network.s2s_vpn_site_bmopsz="wireguard_wg_s2s_amopsz"
uci set network.s2s_vpn_site_bmopsz.public_key="6TRg="
uci set network.s2s_vpn_site_bmopsz.preshared_key="4sxx="
uci set network.s2s_vpn_site_bmopsz.description="Site B, e.diskstation.me"
uci add_list network.s2s_vpn_site_bmopsz.allowed_ips="192.168.112.0/24"
uci add_list network.s2s_vpn_site_bmopsz.allowed_ips="fdee:eeee:efff::/48"
uci set network.s2s_vpn_site_bmopsz.route_allowed_ips='1'
uci set network.s2s_vpn_site_bmopsz.persistent_keepalive='25'
uci set network.s2s_vpn_site_bmopsz.endpoint_host="e.diskstation.me"
uci set network.s2s_vpn_site_bmopsz.endpoint_port="51823"
uci commit network
service network restart
echo Done
echo ======================================
echo "|             Next steps             |"
echo ======================================
echo Remove this script: "$0"
echo It contains copies of your secret keys that
echo you do not need anymore, because they are now in the network
echo configuration files.  Delete the script to avoid key theft.

And finally, this is my current WORKING configuration, after I defined the firewall zone manually and added forwarding rules. I think this config should be the goal of the site2site script, more or less:

Firewall

root@szne_nighthawk1_rumpel_195:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option masq '1'
        option forward 'ACCEPT'
        list network 'lan'

config zone 'guest'
        option name 'guest'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'REJECT'
        list network 'guest1'

config rule 'guest_dns'
        option name 'Allow-DNS-Guest'
        option src 'guest'
        option dest_port '53'
        option proto 'tcp udp'
        option target 'ACCEPT'

config rule 'guest_dhcp'
        option name 'Allow-DHCP-Guest'
        option src 'guest'
        option src_port '68'
        option dest_port '67'
        option proto 'udp'
        option family 'ipv4'
        option target 'ACCEPT'

config forwarding
        option dest 'lan'

config forwarding
        option src 'guest'
        option dest 'lan'

config rule
        option name 'dhcp ok'
        option dest 'lan'
        option dest_port '53'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'dns ok'
        list dest_ip '192.168.0.1'
        list dest_ip '192.168.0.171'
        option dest_port '67'
        option target 'ACCEPT'
        option dest 'lan'
        option enabled '0'

config rule
        option dest 'lan'
        option target 'DROP'
        option name 'drop all guest traffic'
        option enabled '0'

config rule
        option name 'drop guest'
        option src 'guest'
        list src_ip '192.168.195.0/24'
        option dest 'lan'
        list dest_ip '192.168.0.0/24'
        option target 'REJECT'
        list proto 'all'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'wg_s2s_amopsz'

config forwarding
        option src 'vpn'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'vpn'

config rule
        option name 'allow acces vpn'
        option src 'vpn'
        option dest 'lan'
        list dest_ip '192.168.0.1'
        list dest_ip '192.168.0.2'
        list dest_ip '192.168.0.171'
        list dest_ip '192.168.0.195'
        option target 'ACCEPT'

config rule
        option name 'block lan acces SA WG'
        option src 'vpn'
        option dest 'lan'
        option target 'REJECT'

Network

root@szne_nighthawk1_rumpel_195:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1.1'

config interface 'lan'
        option device 'br-lan'
        option ipv6 '0'
        option proto 'static'
        option netmask '255.255.255.0'
        option gateway '192.168.0.1'
        option ipaddr '192.168.0.195'
        list dns '192.168.0.171'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '6t 4 3 2 1 5'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '2'
        option ports '0t'

config interface 'guest1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.195.1'
        option device 'wifi_bridge'

config device
        option type 'bridge'
        option name 'wifi_bridge'

config interface 'wg_s2s_amopsz'
        option proto 'wireguard'
        option private_key 'OBRE='
        option listen_port '51823'
        list addresses '10.10.10.2/24'


config wireguard_wg_s2s_amopsz 's2s_vpn_site_bmopsz'
        option public_key '6TRg='
        option preshared_key '4sxx='
        option description 'Site B, e.diskstation.me'
        list allowed_ips '192.168.112.0/24'
        list allowed_ips 'fdee:eeee:efff::/48'
        list allowed_ips '10.10.10.1/32'
        option persistent_keepalive '25'
        option endpoint_host 'e.diskstation.me'
        option endpoint_port '51823'
        option route_allowed_ips '1'

OK, I think I've fixed it. The script was assuming that the firewall zones had a UCI-level name on them like this in /etc/config/firewall:

config zone 'lan'
	option name 'lan'

but the default configurations don't have such a name:

config zone
	option name 'lan'

which means you can't use uci add_list firewall.lan.network="wg_s2s_a", you have to use a zone index like uci add_list firewall.@zone[0].network="wg_s2s_a". I didn't see an easy way to get the zone index based on the matching option name 'xyz' so I added a loop to search for it among all the defined zones.
The generated script firewall zone section now looks like this (with WG_SITE_A_VPN_ZONE=vpn):

echo -n Creating firewall rule for WAN ingress...
i=0
zone=
while uci -q get firewall.@zone[$i].name >/dev/null; do
    if [ "$(uci -q get firewall.@zone[$i].name)" = "vpn" ]; then
        zone=$i
        break
    fi
    i=$((i + 1))
done
if [ -z "$zone" ]; then
    echo firewall zone vpn not found
    exit 1
fi
uci del_list firewall.@zone[$zone].network="wg_s2s_a"
uci add_list firewall.@zone[$zone].network="wg_s2s_a"

Hi John ( @atownlede ),
that's great news!!
Thanks for analysing and fixing.

I will test it on my configuration as soon as I find some minutes ... looks great!

Thank you!
m

Hi John ( @atownlede ),
I tested the script with two R7800s on freshly installed OpenWrt 23.05.

Good news is: the script runs without errors.

  • Result is a "working" WG tunnel.
  • The WG interface is attached to the existing "vpn" firewall zone.
  • The firewall rule "allow WAN traffic to VPN from WAN on WG port (51820)" is present / working.

What is still an issue: this whole procedure sets up a working WG tunnel site2site. But traffic cannot flow from "lan Site 1" to "lan Site 2", because there are no firewall settings (I do not see them in the script) set to allow that.

I just checked the description of the site2site guide.
In the testing section it says that the two LANs of the systems should be connected.
So either I am missing the point, or the scripts are missing the section where the vpn firewall zone and the lan firewall zone are allowed to talk to each other (exchange traffic) (on each side).

As far as I can see this part is still missing in the site2site scripts.

Thanks for your great work, OpenWrt (script gurus, developers). It's so interesting to learn more and more here.

If you want the LANs to communicate, then you can configure the script to put the VPN interfaces into the LAN firewall zones.

Hi John,
yes, I fully agree.
Problem is that the current guide makes a promise in point 3:

The VPN connection auto-establishes when the network is started on each system. Verify the traffic is routed from each site through the VPN to the tunneled addresses at the other site.

traceroute <some-site-b-LAN-IPv4-address>

The scripts are currently not designed to fulfill that promise.
I think - as you said - the generated scripts need a section where the firewall zone "vpn" is allowed to communicate with "lan", forwarding / accepting traffic, both sides.
I would edit the scripts myself if this were not my first time ever editing a script.
Anyway .. if you think a beginner is capable of finding the uci commands needed to fulfill these firewall zone settings and is able to add them to the existing scripts .. I could try to.

Most important thing for me is that it is clear that the current state of the guide is misleading. Just letting the script do its work does not lead to the result that the two networks are connected and this command will work:

traceroute <some-site-b-LAN-IPv4-address>

I see some solutions:

  1. Edit the guide and make clear to the user / reader that there is some firewall zone stuff that must be done manually before the WG site2site (test, traceroute) works.
    -> EDIT: Already done. But I think solutions 2 and 3 would be better.

  2. Edit the guide and add a "code" box (new point 3, moving "test" to point 4).
    New point 3 is a code box with some uci firewall commands, explaining that this needs to be executed to connect "vpn" and "lan" and that it must be edited if the networks have different names.
    EDIT: -> see answer from John Kohl / @atownlede, work in progress

  3. Edit the main script and add the firewall stuff from 2), with the result that the "traceroute test" is working already after executing all three scripts properly.
    EDIT: currently no follow-up for this solution

I like solution 3) best, but currently I only feel safe to achieve solution 1).

I already edited two other guides successfully, I think (dumb AP + guest); I am starting to understand the WireGuard settings / steps needed ... with a little help we / I will get this site2site guide done as well. Maybe it's time to learn how to work with uci commands in scripts, how to generate scripts from a script.

Thanks for all the work you already put in the site2site script, John.
I use it currently to connect two sites; it works super stable / beautifully after I did the firewall settings manually.
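
As an added example, not part of this thread and not the guide's generated scripts: a small POSIX shell helper that does what John's zone loop does (find the zone by its "option name" rather than by a UCI section name, since the default zones have none) against a copy of /etc/config/firewall, and then prints the uci commands that attach the WireGuard interface to that zone. It goes one step further than the thread: when the named zone does not exist, it prints the commands to create it as a named section together with the lan<->zone forwardings that solutions 2 and 3 above ask for. The function names zone_index and wg_zone_commands, the sample firewall config embedded in the script, and the zone policy (input/output ACCEPT, forward REJECT with explicit forwardings) are this example's own choices, not the guide's.

```shell
#!/bin/sh
# Added example (not the guide's generated script): find a firewall zone by its
# "option name" instead of assuming the section carries a UCI name, then print
# the uci commands that attach a WireGuard interface to it. The firewall config
# below is constructed for this example; on a router pass /etc/config/firewall.

# Print the 0-based N such that firewall.@zone[N] has "option name" equal to $1,
# reading the UCI file $2. Anonymous "config zone" sections are counted in file
# order, which is the order uci uses for @zone[N]. Returns 1 if no zone matches.
zone_index() {
    awk -v want="$1" -v q="'" '
        $1 == "config" { inzone = ($2 == "zone"); if (inzone) n++; next }
        inzone && $1 == "option" && $2 == "name" {
            v = $3; gsub(q, "", v)            # strip the surrounding quotes
            if (v == want) { print n - 1; found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    ' "$2"
}

# Print the uci commands that put interface $1 into zone $2, addressing the zone
# by index when it already exists in config $3. If the zone is missing, create it
# as a *named* section (so later scripts can address it as firewall.$2) and add
# explicit lan<->zone forwardings, which is what this thread ended up doing by
# hand. The zone policy is this example's choice, not the guide's.
wg_zone_commands() {
    iface=$1; zone=$2; cfg=$3
    if idx=$(zone_index "$zone" "$cfg"); then
        ref="firewall.@zone[$idx]"
    else
        ref="firewall.$zone"
        printf 'uci set %s=zone\n' "$ref"
        printf "uci set %s.name='%s'\n" "$ref" "$zone"
        printf "uci set %s.input='ACCEPT'\n" "$ref"
        printf "uci set %s.output='ACCEPT'\n" "$ref"
        printf "uci set %s.forward='REJECT'\n" "$ref"
        for pair in "lan $zone" "$zone lan"; do
            set -- $pair    # $1 = src zone, $2 = dest zone
            printf "uci set firewall.%s_to_%s=forwarding\n" "$1" "$2"
            printf "uci set firewall.%s_to_%s.src='%s'\n" "$1" "$2" "$1"
            printf "uci set firewall.%s_to_%s.dest='%s'\n" "$1" "$2" "$2"
        done
    fi
    # del_list first so re-running the script never duplicates the entry
    printf "uci del_list %s.network='%s'\n" "$ref" "$iface"
    printf "uci add_list %s.network='%s'\n" "$ref" "$iface"
    echo 'uci commit firewall'
}

# Constructed sample of /etc/config/firewall: lan and wan are anonymous zones
# (as in the default config), vpn is the third zone, guest does not exist.
SAMPLE_CFG=${TMPDIR:-/tmp}/wg_zone_example.$$
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat >"$SAMPLE_CFG" <<'EOF'
config defaults
    option input 'REJECT'

config zone
    option name 'lan'
    option input 'ACCEPT'
    list network 'lan'

config zone
    option name 'wan'
    option masq '1'
    list network 'wan'

config forwarding
    option src 'lan'
    option dest 'wan'

config zone
    option name 'vpn'
    option input 'ACCEPT'
EOF

# Demo: vpn exists as @zone[2]; guest does not and gets created by name.
wg_zone_commands wg_s2s_a vpn "$SAMPLE_CFG"
echo '---'
wg_zone_commands wg_s2s_a guest "$SAMPLE_CFG"
```

Because it only parses a config file and prints commands, the output can be reviewed on any machine before it is pasted into a router; on OpenWrt itself the lookup can equally be done live with uci -q get firewall.@zone[N].name as in John's loop. The existence check has to come first: uci add_list on firewall.vpn.network fails with "Invalid argument" when no section can be addressed as firewall.vpn, which is exactly the error at the top of this thread.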

I'd go for a variant of 2: explain more clearly that the firewall zone names that they declare in the script configuration section must be for zones that exist and allow the desired network traffic transit. If a user doesn't care to or doesn't already know how to set up a new firewall zone (vpn or any other name) and set up its transit rules, then they should use the lan firewall zone.

Thank you for your advice.
I will try to develop the code box / the text. Maybe you can check the content when I think I am ready .. if it's OK I'll PM you.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.