Unable to connect to Kodi's webinterface (port 8080) when I come through my Wireguard interface

darksky · October 7, 2024, 7:28pm

I have a Wireguard interface setup on my router. I can connect to it and ssh into boxes behind the router just fine. One of those boxes (192.168.1.101) is running Kodi which is running a web interface on port 8080. The web UI is accessible from clients on the LAN via (http://192.168.1.101:8080/). What I do not understand is why I am unable to connect to that address when I come in from outside on the Wireguard interface. The connection times out when I try. Again, the Wireguard connection works for allowing me to ssh into other machines on that network and if I am connected, my IP address appears to be the public IP of that network as well.

Here are the configs of the router. Any thoughts are welcomed.

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd99:97d2:a14e::/48'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

config interface 'lan'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'
	option ipv6 '0'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:u*'
	list ports 'lan5:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '3'

config bridge-vlan
	option device 'br-lan'
	option vlan '4'

config device
	option name 'br-lan.10'
	option type '8021q'
	option ifname 'br-lan'
	option vid '10'
	option ipv6 '0'

config device
	option name 'br-lan.3'
	option type '8021q'
	option ifname 'br-lan'
	option vid '3'
	option ipv6 '0'

config device
	option name 'br-lan.4'
	option type '8021q'
	option ifname 'br-lan'
	option vid '4'
	option ipv6 '0'

config device
	option name 'eth0'
	option ipv6 '0'

config device
	option name 'eth1'
	option ipv6 '0'

config device
	option name 'lan1'
	option ipv6 '0'

config device
	option name 'lan2'
	option ipv6 '0'

config device
	option name 'lan3'
	option ipv6 '0'

config device
	option name 'lan4'
	option ipv6 '0'

config device
	option name 'lan5'
	option ipv6 '0'

config interface 'guest'
	option proto 'static'
	option device 'br-lan.3'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

config interface 'iot'
	option proto 'static'
	option device 'br-lan.4'
	option ipaddr '192.168.4.1'
	option netmask '255.255.255.0'

config device
	option type 'bridge'
	option name 'lxcbr0'
	option bridge_empty '1'
	option ipv6 '0'

config interface 'lxc'
	option device 'lxcbr0'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '10.0.4.1'

config interface 'wg0'
	option proto 'wireguard'
	list addresses '10.100.100.100/24'
	option private_key 'xxx'
	option listen_port '51820'

config wireguard_wg0
	option description 'me'
	list allowed_ips '10.100.100.102/32'
	option route_allowed_ips '1'
	option public_key 'xxx'
        option preshared_key 'xxx'

/etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wg0'

config zone
	option name 'wan'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'lxc'

config forwarding
	option src 'lxc'
	option dest 'wan'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'ssh reborn'
	list proto 'tcp'
	option src 'wan'
	option src_dport '13232'
	option dest_ip '192.168.1.100'

config zone
	option name 'lxc'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'lxc'

config rule 'wg'
	option name 'Allow-WireGuard'
	option proto 'udp'
	option target 'ACCEPT'
	option src 'wan'
	option dest_port '51820'

config zone
	option name 'iot'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'
	list network 'IOT'
	list network 'iot'

config zone
	option name 'guest'
	option output 'ACCEPT'
	list network 'guest'
	option input 'REJECT'
	option forward 'REJECT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'rpi4b-standard'
	option src 'wan'
	option src_dport '14556'
	option dest_ip '192.168.1.101'
	option family 'ipv4'
	list proto 'tcp'
	option dest_port '22'

config forwarding
	option src 'guest'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'guest'

config forwarding
	option src 'lan'
	option dest 'iot'

config rule
	option name 'guest dhcp and dns'
	option src 'guest'
	option target 'ACCEPT'
	option dest_port '53 67 68'

config rule
	option name 'pi-hole-dns guest to lxc'
	list proto 'udp'
	option src 'guest'
	option dest 'lxc'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'pihole rev-server'
	option src 'lxc'
	option dest_port '53'
	option target 'ACCEPT'
	list proto 'udp'

config rule
	option src 'IoT'
	option target 'ACCEPT'
	option name 'iot dhcp'
	option dest_port '67 68'

config rule
	option name 'iot dns'
	list proto 'udp'
	option src 'IoT'
	option dest 'lxc'
	option dest_port '53'
	option target 'ACCEPT'

frollic · October 7, 2024, 7:37pm

Kodi is set to only allow connections from IPs on the same subnet ?

Try using ssh through WG, to access the Kodi interface, via a ssh tunnel.

darksky · October 7, 2024, 7:40pm

I went through /var/lib/kodi/.kodi/userdata/guisettings.xml which stores such settings but I did not see anything that affects that.

EDIT: Ah, I see you edited your reply, trying your suggestion now.

frollic · October 7, 2024, 7:40pm

guisettings doesn't sound like the correct file.

darksky · October 7, 2024, 7:42pm

Yes, connections are accepted with this setup (ssh foo.me -L 8080:localhost:8080) then using a browser to hit http://localhost:8080

I will see about a kodi setting that could be causing this if it's not something in my router's firewall... this test does not rule that out.

darksky · October 8, 2024, 6:58am

I figured it out. You were 99% right. Kodi wasn’t (and cannot) restrict the IP range, but ufw on the box running Kodi was. I had a rule allowing all traffic from the 193.168.1.0/24 subnet, and ssh traffic from anywhere. Since wireguard is coming from 10.100.100.0/24, it was getting dropped. Adding 8080/udp from anywhere fixed it. Thanks for the suggestion!

darksky · October 8, 2024, 7:00am

Thank you @frollic for the suggestion.

system · October 18, 2024, 7:01am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.