Trouble configuring WireGuard

I'm using openwrt-19.07 branch - git-20.006.26738-35aa527 (I hadn't intentionally flashed a development snapshot, but there you are...)

I am using these Wireguard packages:
wireguard 1.0.20200506-1
wireguard-tools 1.0.20191226-1
kmod-wireguard 4.14.162+0.0.20190702-1
luci-app-wireguard git-20.150.62258-217d331-1
luci-proto-wireguard git-20.150.62258-217d331-1

My question: The LuCI -> Status -> WireGuard Status page does not reflect what is shown in the /etc/config/network file. Specifically, both peers have two allowed_ips addresses - a /24 and a /32. The screenshot (below) shows only one.

What's going on here? What other information could I provide to troubleshoot? Thanks.

Update: The overlapping subnet between the two peer configs causes the problem. But there's a second question later on.

... /etc/config/network ...

config wireguard_wg

config interface 'wg0'
	option proto 'wireguard'
	list addresses '10.0.0.1/24'
	option private_key '(hidden)'
	option listen_port '5182'

config wireguard_wg0
	option description 'Router at LLL'
	option persistent_keepalive '25'
	option route_allowed_ips '1'
	option endpoint_host 'richb-lll.mooo.com'
	option endpoint_port '5182'
	option public_key 'LLL/HEcds6QhZ9RxT6L+1heqaQxs2bOYjuy3dltq9FY='
	list allowed_ips '172.30.42.10/32'
	list allowed_ips '172.30.42.1/24'  <-- this subnet overlaps with the other peer & causes the problem

config wireguard_wg0
	option public_key 'RICHFd7l+IOQqMNsuBc9k10Qw3/9NILtKO4s2Ugztwc='
	option endpoint_port '5182'
	option route_allowed_ips '1'
	option endpoint_host 'richb-lll.mooo.com'
	list allowed_ips '172.30.42.11/32'
	list allowed_ips '172.30.42.1/24'
	option description 'Rich MBP to LLL'

Why do they both have two allowed_ip entries? Having two peers with the same /24 subnet as an allowed_ip isn't a great idea and will fail if you try to use both peers at the same time. Also, the /32 is unnecessary as it's covered by the /24.

The "allowed_ips" is the part that most confuses me.

  1. I have seen examples that go both ways. For example, the Wireguard home page lists two addresses in the AllowedIPs for its peers.

  2. But more importantly, with the config file showing two address ranges for each peer, why does the GUI WireGuard Status page only show one? (Or is this a bug that cropped up because I'm using a development snapshot?)

Thanks.

The 'allowed_ips' are the source and destination IPs that are allowed in and out of the tunnel.

I'm guessing it's because you've used the same allowed_ip twice but Wireguard only allows it to be used once so it's been assigned to the latter peer.


Maybe I'm being dense (I've read this statement on a dozen sites) and it still doesn't quite make sense to me. Let me get specific:

At one of my sites, the subnet is 172.30.42.0/24. In the OpenWrt LuCI GUI, I see two places I need to enter addresses to accomplish the routing:

  1. In the server's "IP Addresses" field
  2. In the Peer's Allowed_IPs field

What is the best practice for filling those fields, and why choose those values? Thanks.

It goes in the peer's 'allowed_ips' field and you would select 'Route allowed IPs'. The wireguard instance on OpenWRT doesn't need an IP address allocated to it.

The peer is going to receive traffic from the 172.30.42.0/24 subnet and send traffic back to it. So having the subnet in the 'allowed_ips' field tells wireguard to accept traffic destined for that subnet into the tunnel and accept traffic from that subnet out of the tunnel.

Your allowed IPs are all the same subnet and declare the same range. It's not possible to assign the same Layer 3 network to different peers (under the concept of Cryptokey Routing). The link you provided does not display conflicting IP ranges.

The only 2 valid IPs were the two /32's.

Correct!

Ahah! I think I see... The example on the WireGuard home page does not have overlapping subnets. (It assigns one peer a /32 and 10.192.124.1/24, the second peer gets a different /32 address and 192.168.0.0/16...)

I changed my second peer to use a different /24 (I used 172.30.43.1/24) and restarted the network service (Save in the WireGuard LuCI GUI, then Save&Apply, then ssh and service network restart to reload the Wireguard configs). This solved the problem - the WireGuard Status page shows the expected information.

This leads me to a second question: Why would it be useful to assign the peer a /32 address plus a network (/24) address range? What does that address range enable, or what problem does it solve? Thanks.

You can do one or both, they just can't overlap...just recall, only the ALLOWED can be used (per peer). E.g.:

  • You allow IPs to the OpenWrt and peers, you can masquerade
  • You allow only subnets, then those IPs will be allowed

Yes, I (now) understand that the allowed_ips cannot overlap for different peers.

But why is it helpful (what are the situations where it matters) to specify both a specific address (a /32) and a network range (a /24) as an allowed_ips for any peer? Why not just a /32? Thanks again.

I gave an example use case:

  • The masquerade is the /32 option you state.
  • The subnet option alone doesn't require you to declare it

Also depends on your firewall.

  • You could zone them all differently in FW3 the former
  • In at least one device, the subnet case is a FORWARD in the latter example

  1. Access peer router to manage; but not allow traffic

/32 will be the tunnel endpoint of the peer. It will belong in the bigger network that you have on the wg interface, for example /24
Now if this peer has another network attached and you want to route natively without masquerade, then you can add it in the allowed IPs.
For example:

config interface 'roadwarrior'
        option proto 'wireguard'
        option private_key 'xxxxx'
        option listen_port '1200'
        list addresses '10.0.10.1/24'

config wireguard_roadwarrior
        option persistent_keepalive '25'
        option public_key 'xxxxxx'
        option description 'Redmi Note4 trendy'
        list allowed_ips '10.0.10.2/32'

config wireguard_roadwarrior
        option description 'RoadWarrior Carambola2'
        list allowed_ips '10.0.10.3/32'
        list allowed_ips '10.0.3.0/24'
        option persistent_keepalive '25'
        option public_key 'xxxxxxx'

My Redmi doesn't have any other network behind it. But Carambola2 does have the 10.0.3.0/24.
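An added example (not code from the thread or from OpenWrt) that reads peer sections in the UCI format shown above, flags allowed_ips that overlap between peers (the cause of the original problem) and does the cryptokey-routing lookup that explains why a /32 endpoint plus a /24 behind the peer works. Peer names and addresses in the sample are constructed.

```python
import ipaddress
from itertools import combinations, product

# Constructed sample in OpenWrt UCI syntax: a /32-only peer and a peer that also announces the /24 behind it.
SAMPLE = """
config wireguard_wg0
        option description 'phone'
        list allowed_ips '10.0.10.2/32'
config wireguard_wg0
        option description 'branch-router'
        list allowed_ips '10.0.10.3/32'
        list allowed_ips '10.0.3.0/24'
"""

def parse_peers(text, iface="wg0"):
    """Return [{'description': ..., 'allowed_ips': [ip_network, ...]}] for each wireguard_<iface> section."""
    peers, cur = [], None
    for line in text.splitlines():
        parts = line.split(None, 2)
        if not parts:
            continue
        if parts[0] == "config":
            cur = {"description": "", "allowed_ips": []} if len(parts) > 1 and parts[1] == f"wireguard_{iface}" else None
            if cur is not None:
                peers.append(cur)
        elif cur is not None and len(parts) == 3:
            key, value = parts[1], parts[2].strip("'\"")
            if parts[0] == "list" and key == "allowed_ips":
                # strict=False masks host bits, so '172.30.42.1/24' is read as 172.30.42.0/24
                cur["allowed_ips"].append(ipaddress.ip_network(value, strict=False))
            elif parts[0] == "option" and key == "description":
                cur["description"] = value
    return peers

def overlapping_allowed_ips(peers):
    """Pairs of peers whose allowed_ips overlap; WireGuard can hold a prefix for only one peer."""
    return [(a["description"], str(na), b["description"], str(nb))
            for a, b in combinations(peers, 2)
            for na, nb in product(a["allowed_ips"], b["allowed_ips"]) if na.overlaps(nb)]

def peer_for_destination(peers, dst):
    """Cryptokey routing lookup: the most specific allowed_ips prefix picks the peer.
    On an exact tie the later peer wins, as the thread observed for a duplicated prefix."""
    addr, best = ipaddress.ip_address(dst), None
    for p in peers:
        for net in p["allowed_ips"]:
            if addr in net and (best is None or net.prefixlen >= best[1].prefixlen):
                best = (p["description"], net)
    return best[0] if best else None
```

Feeding it a config with the same /24 on two peers reports the overlap and shows the second peer taking the whole range, which is what the LuCI status page was reflecting.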
