Trying to set up Wireguard to gain access to shared network

I have my home network set up like this:

config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option device 'br-lan'
config interface 'wan'
        option proto 'dhcp'
        option device 'eth0.2'

Now, 192.168.1.184 is sharing a network connection:

config route
        option interface 'lan'
        option target '10.0.0.0'
        option netmask '255.0.0.0'
        option gateway '192.168.1.184'

This works wonders. I'd like to access this 10.x network via 192.168.1.184 wherever I am. To this end, I have installed DDNS and configured it and indeed home.example.com has my IPv4 address. So far so good. Very simple setup and I have reasonable confidence in it.

I added Wireguard. My experience at this point, on the other hand, is zero. I never set up a VPN server. I just... never needed to.

config interface 'wg0'
        option proto 'wireguard'
        option private_key '--deleted--'
        option listen_port '51820'
        list addresses '192.168.9.1/24'
        list addresses 'fdf1:7610:d152:3a9c::1/64'

config wireguard_wg0 'wgclient'
        option public_key '--deleted--'
        list allowed_ips '192.168.9.0/24'
        list allowed_ips 'fdf1:7610:d152:3a9c::1/64'
        option description 'Pixel 2'

In /etc/config/firewall

config rule 'wg'
        option name 'Allow-WireGuard'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

This I have pulled together from various tutorials.

On pixel2 wireguard, I have added an interface, with 192.168.9.0/24 in Addresses (reminder: I do not know what I am doing and unhappy about it). In Peer Public key we have the same Public key as listed above in the Pixel 2 section. Allowed IPs is 0.0.0.0/0, ::/0 and the endpoint is home.example.com:51820.

I switched the VPN on and tried to connect to 192.168.1.1 which is the router. It didn't work. Please help.

Use 192.168.9.2/24
Also on OpenWrt fix the client IP:

config wireguard_wg0 'wgclient'
        option public_key '--deleted--'
        list allowed_ips '192.168.9.2/32'

Finally, make sure that the 1.184 router has a static route for 192.168.9.0/24, the same way it does for 192.168.1.0/24.

2 Likes

The same is also relevant for IPv6.

1 Like
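The two replies above come down to how WireGuard's cryptokey routing works: each peer owns a set of allowed IPs, an outgoing packet is encrypted to the peer with the longest matching prefix, and a decrypted packet is only accepted if its source routes back to the same peer. The model below is an added example, not code from the thread or from OpenWrt or WireGuard; it reproduces the first post's peer table and the corrected one, and assumes (as a labelled guess) that the phone's IPv6 address becomes `fdf1:7610:d152:3a9c::2/128` once the IPv6 side is fixed the same way. The hypothetical second peer "Laptop" is constructed to show why a /24 on a single client becomes a problem as soon as another peer is added.

```python
"""Model of WireGuard cryptokey routing, used to sanity-check an OpenWrt peer table.

Constructed example. The peer tables mirror the thread: ORIGINAL_PEERS is the
first post (one client claiming the whole /24), FIXED_PEERS is the advice given
(/32 host route; the ::2/128 IPv6 counterpart is an assumption, not from the thread).
"""
import ipaddress
from typing import Dict, List, Optional

ORIGINAL_PEERS: Dict[str, List[str]] = {
    "Pixel 2": ["192.168.9.0/24", "fdf1:7610:d152:3a9c::1/64"],
}
FIXED_PEERS: Dict[str, List[str]] = {
    "Pixel 2": ["192.168.9.2/32", "fdf1:7610:d152:3a9c::2/128"],  # ::2/128 assumed
}


def select_peer(peers: Dict[str, List[str]], dst: str) -> Optional[str]:
    """Outbound: the peer whose allowed_ips most specifically covers dst.

    WireGuard encrypts a packet to exactly the peer owning the longest matching
    allowed_ip; if nothing matches, the packet is dropped on the wg interface.
    """
    addr = ipaddress.ip_address(dst)
    best: Optional[str] = None
    best_len = -1
    for name, prefixes in peers.items():
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix, strict=False)
            if addr.version == net.version and addr in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best


def accept_inbound(peers: Dict[str, List[str]], peer: str, src: str) -> bool:
    """Inbound: a decrypted packet from `peer` is accepted only if its source
    address routes back to that same peer (WireGuard's built-in anti-spoofing)."""
    return select_peer(peers, src) == peer


def is_host_address(cidr: str) -> bool:
    """A client's Address must be a usable host address. 192.168.9.0/24 from the
    first post is the network address, which is why the reply says to use .2."""
    iface = ipaddress.ip_interface(cidr)
    net = iface.network
    if net.prefixlen == net.max_prefixlen:  # /32 or /128: the single address is the host
        return True
    if iface.ip == net.network_address:
        return False
    if net.version == 4 and iface.ip == net.broadcast_address:
        return False
    return True


def overlapping_allowed_ips(peers: Dict[str, List[str]]) -> List[str]:
    """Report allowed_ips of different peers that overlap. WireGuard keeps each
    allowed_ip on one peer only, so a second client inside a /24 already claimed
    by the first silently steals or loses routing; per-client /32s avoid that."""
    problems: List[str] = []
    items = [(name, ipaddress.ip_network(p, strict=False))
             for name, prefixes in peers.items() for p in prefixes]
    for i, (n1, net1) in enumerate(items):
        for n2, net2 in items[i + 1:]:
            if n1 != n2 and net1.version == net2.version and net1.overlaps(net2):
                problems.append(f"{n1} {net1} overlaps {n2} {net2}")
    return problems


if __name__ == "__main__":
    print("client Address 192.168.9.0/24 is a host address:", is_host_address("192.168.9.0/24"))
    # Hypothetical second client added next to the original /24 peer.
    with_second = {**ORIGINAL_PEERS, "Laptop (hypothetical)": ["192.168.9.3/32"]}
    for problem in overlapping_allowed_ips(with_second):
        print("overlap:", problem)
    print("fixed table routes 192.168.9.2 to:", select_peer(FIXED_PEERS, "192.168.9.2"))
    print("fixed table accepts a spoofed source 192.168.9.3 from Pixel 2:",
          accept_inbound(FIXED_PEERS, "Pixel 2", "192.168.9.3"))
```

Running it shows the network address being rejected as a host address, the overlap that appears as soon as a second peer joins a /24 peer, and the fixed table accepting only traffic that really comes from 192.168.9.2.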

So Pixel2 has Addresses 192.168.9.2/24, DNS servers 8.8.8.8, Allowed IPs 0.0.0.0/0

config interface 'wg0' has list addresses '192.168.9.1/24' and config wireguard_wg0 'wgclient' has list allowed_ips '192.168.9.2/32'

When I connect, I have no Internet connection. Something is still broken :frowning:

Not enough information to help. Please post your latest configuration files (complete, with the exception of redacting private info).

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

1 Like

Thanks for the speedy response. But what does wireless have to do with any of this? Here's firewall:

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone 'lan'
        option name 'lan'
        list network 'lan'
        list network 'wg0'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone 'wan'
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding 'lan_wan'
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config rule 'wg'
        option name 'Allow-WireGuard'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

Here's network:

config interface 'loopback'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option device 'lo'

config globals 'globals'
        option ula_prefix 'fd48:3293:4751::/48'

config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option device 'br-lan'

config interface 'wan'
        option proto 'dhcp'
        option device 'eth0.2'

config interface 'wan6'
        option proto 'dhcpv6'
        option device 'eth0.2'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 6t'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1.1'

config route
        option interface 'lan'
        option target '10.0.0.0'
        option netmask '255.0.0.0'
        option gateway '192.168.1.217'

config interface 'wg0'
        option proto 'wireguard'
        option private_key '--deleted--'
        option listen_port '51820'
        list addresses '192.168.9.1/24'
        list addresses 'fdf1:7610:d152:3a9c::1/64'

config wireguard_wg0 'wgclient'
        option public_key '--deleted--'
        option description 'Pixel 2'
        list allowed_ips 'fdf1:7610:d152:3a9c::1/64'
        list allowed_ips '192.168.9.2/32'

here's dhcp:

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option name '--deleted--'
        option ip '192.168.1.217'
        option mac '--deleted--'

1 Like

Try to establish the VPN connection from outside.
Then check the service status and packet counters:

wg show; \
iptables-save -c | grep -e WireGuard; \
ip6tables-save -c | grep -e WireGuard

2 Likes

Missing from the peer section of the wg config:

        option route_allowed_ips '1'

Add that and try again. (You may need to restart your wg interface or simply reboot the entire router).

And, yes, wireless config isn’t necessary here. Asked for that one by accident.

To be fair, that option is redundant in this case.
Netifd automatically adds a route for the VPN subnet when the interface netmask is /24.

1 Like

wg show doesn't show any peers :frowning: I verified the public keys, the router public key is installed under Peer Public key on Android, and the Interface Public Key is installed on OpenWRT. I changed the hostname to IP to make sure it is not DNS.

Do you have hits on the firewall?

1 Like

Sorry I dropped the ball on this one.

root@OpenWrt:~# wg show; \
> iptables-save -c | grep -e WireGuard; \
> ip6tables-save -c | grep -e WireGuard
interface: wg0
  public key: -snip-
  private key: (hidden)
  listening port: 51820
[319:56047] -A zone_wan_input -p udp -m udp --dport 51820 -m comment --comment "!fw3: Allow-WireGuard" -j ACCEPT
[0:0] -A zone_wan_input -p udp -m udp --dport 51820 -m comment --comment "!fw3: Allow-WireGuard" -j ACCEPT

1 Like
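The output above already carries the diagnosis: the IPv4 Allow-WireGuard rule has counted 319 packets, so handshake attempts are reaching the router, yet `wg show` lists no peer at all, so the `wgclient` section never made it onto the interface. The script below is an added example, not part of the thread or of OpenWrt, that reads the two outputs the earlier reply asked for and turns them into that kind of verdict. The first sample is the router output as posted (keys snipped); the variants with a peer, with and without a handshake, are constructed to exercise the other branches.

```python
"""Turn `wg show` and `iptables-save -c | grep WireGuard` output into a verdict.

Constructed example. WG_SHOW_NO_PEERS and the two counter lines are the output
posted in the thread; the other two wg show samples are constructed variants.
"""
import re
from typing import Dict, List, Optional

WG_SHOW_NO_PEERS = """interface: wg0
  public key: -snip-
  private key: (hidden)
  listening port: 51820
"""
# Constructed: peer section applied, but the phone never completed a handshake.
WG_SHOW_PEER_NO_HANDSHAKE = WG_SHOW_NO_PEERS + """
peer: -snip-
  allowed ips: 192.168.9.2/32
"""
# Constructed: same peer after a successful handshake.
WG_SHOW_PEER_OK = WG_SHOW_PEER_NO_HANDSHAKE + """  latest handshake: 12 seconds ago
  transfer: 1.2 KiB received, 980 B sent
"""
# As posted: first line is iptables-save (IPv4), second is ip6tables-save (IPv6).
IPT4_COUNTERS = ('[319:56047] -A zone_wan_input -p udp -m udp --dport 51820 '
                 '-m comment --comment "!fw3: Allow-WireGuard" -j ACCEPT\n')
IPT6_COUNTERS = ('[0:0] -A zone_wan_input -p udp -m udp --dport 51820 '
                 '-m comment --comment "!fw3: Allow-WireGuard" -j ACCEPT\n')

# iptables-save -c prefixes every rule with [packets:bytes]; fw3 tags rules with the UCI name.
COUNTER_RE = re.compile(r'^\[(\d+):(\d+)\]\s+-A\s+(\S+).*--comment\s+"([^"]*)"')


def parse_counters(text: str, rule_name: str = "Allow-WireGuard") -> List[dict]:
    """Return the packet/byte counters of every rule whose comment names rule_name."""
    rules = []
    for line in text.splitlines():
        m = COUNTER_RE.match(line.strip())
        if m and rule_name in m.group(4):
            rules.append({"chain": m.group(3), "packets": int(m.group(1)), "bytes": int(m.group(2))})
    return rules


def parse_wg_show(text: str) -> dict:
    """Parse `wg show` into the interface's listen port and a list of peers.

    A peer entry gets handshake=True only if a 'latest handshake' line is present,
    which is what distinguishes a configured peer from a working one.
    """
    state: dict = {"interface": None, "listening_port": None, "peers": []}
    current: Optional[Dict[str, object]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("interface:"):
            state["interface"] = line.split(":", 1)[1].strip()
            current = None
        elif line.startswith("peer:"):
            current = {"public_key": line.split(":", 1)[1].strip(),
                       "allowed_ips": None, "handshake": False}
            state["peers"].append(current)
        else:
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if current is None:
                if key == "listening port":
                    state["listening_port"] = int(value)
            elif key == "allowed ips":
                current["allowed_ips"] = value
            elif key == "latest handshake":
                current["handshake"] = True
    return state


def diagnose(wg_text: str, ipt4_text: str, ipt6_text: str) -> str:
    """Walk the failure modes from the outside in: rule loaded, packets seen,
    peer applied, handshake done."""
    state = parse_wg_show(wg_text)
    rules = parse_counters(ipt4_text) + parse_counters(ipt6_text)
    if not rules:
        return "no Allow-WireGuard rule loaded: firewall config not applied"
    if sum(r["packets"] for r in rules) == 0:
        return ("rule present but no packets counted: traffic is not reaching the router "
                "(endpoint, DDNS or upstream NAT)")
    if not state["peers"]:
        return "packets arrive but wg0 has no peers: peer section not applied, restart the interface"
    if not any(p["handshake"] for p in state["peers"]):
        return "peer configured but no handshake: check that each side holds the other's public key"
    return "handshake established"


if __name__ == "__main__":
    print(diagnose(WG_SHOW_NO_PEERS, IPT4_COUNTERS, IPT6_COUNTERS))
    print(diagnose(WG_SHOW_PEER_NO_HANDSHAKE, IPT4_COUNTERS, IPT6_COUNTERS))
    print(diagnose(WG_SHOW_PEER_OK, IPT4_COUNTERS, IPT6_COUNTERS))
```

On the posted output the verdict is "packets arrive but wg0 has no peers", which points at the peer section rather than at the firewall or the phone's key material; the ordering of the checks matters, because a missing handshake only means something once the peer is actually present on the interface.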

You'd best use the automated script to avoid human-related errors/typos:
https://openwrt.org/docs/guide-user/services/vpn/wireguard/extras#automated

Transfer the generated VPN profile and import it on the client.
This should at least give you a handshake and working VPN/LAN access.

If 10.0.0.0/8 is still unreachable, enable masquerading on the LAN firewall zone.

1 Like