Use Wireguard Router to reach home network

Hi there,

For several weeks now I've been trying to get my setup to work, but I just can't seem to figure out what is wrong. My setup looks as follows:

Home Lan (192.168.0.0/24)
Remote Lan (192.168.1.0/24)
Raspberry Pi with PiVPN as Wireguard-"server" (192.168.0.69)
OpenWRT Archer C7 Router (192.168.1.1)

I want it so that, when you are in either LAN, you can reach every host of both LANs. (The main reason is that I have servers in both networks; however, only the 192.168.0.0/24 LAN has a public IP address. The router creates a subnet in my apartment complex for which I neither know the IP address nor have any control over port forwarding, therefore I thought I could use the VPN tunnel to make my server in 192.168.1.1/24 reachable via the 192.168.0.0/24 and then via my ISP to the big wide world. :confused: )

The "Server" is working fine so far, I can connect to it from my phone or my laptop, however I cannot seem to get the router to connect to it. I have downloaded the necessary opkg packages (according to the many, many tutorials I've tried), and I have tried setting up an interface manually or by importing the config files created by PiVPN directly, but it doesn't even seem to try to connect, as there is neither TX nor RX data being transferred. I have reached the end of my (limited) knowledge and give up. I hope there is anyone out there who could help me; I will be happy to provide any further information necessary :slight_smile: .

Lastly, since English is not my mother tongue, I hope you can excuse any mistakes on my side...

Thanks to everyone in advance,
irg008

Let's see your configs on both devices... make sure you make it clear which side is home and which is remote.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

Firstly, thanks for the fast reply!

Here are the configs (automatically generated by PiVPN; they seem fine though):

Home: /etc/wireguard/wg0.conf

[Interface]
PrivateKey = xXx
Address = 10.235.125.1/24,fd11:5ee:bad:c0de::1/64
MTU = 1420
ListenPort = myWireguardPort
### begin MyHandy1 ###
[Peer]
PublicKey = xXx
PresharedKey = xXx
AllowedIPs = 10.235.125.2/32,fd11:5ee:bad:c0de::2/128
### end MyHandy1 ###
### begin MyRouter1 ###
[Peer]
PublicKey = xXx
PresharedKey = xXx
AllowedIPs = 10.235.125.3/32,fd11:5ee:bad:c0de::3/128
### end MyRouter1 ###
### begin MyLaptop1 ###
[Peer]
PublicKey = xXx
PresharedKey = xXx
AllowedIPs = 10.235.125.4/32,fd11:5ee:bad:c0de::4/128
### end MyLaptop1 ###

...the config I imported into OpenWRT (remote):
/etc/wireguard/configs/MyRouter1.conf:

[Interface]
PrivateKey = xXx
Address = 10.235.125.3/24,fd11:5ee:bad:c0de::3/64
DNS = 208.67.222.222, 208.67.220.220

[Peer]
PublicKey = xXx
PresharedKey = xXx
Endpoint = mydomain.com:myWireguardPort
AllowedIPs = 0.0.0.0/0, ::0/0

...and for reference, here is my laptop's config file, which, like my phone's (Handy == Phone), is working perfectly fine:
/etc/wireguard/configs/MyLaptop1

[Interface]
PrivateKey = xXx
Address = 10.235.125.4/24,fd11:5ee:bad:c0de::4/64
DNS = 208.67.222.222, 208.67.220.220

[Peer]
PublicKey = xXx
PresharedKey = xXx
Endpoint = mydomain.com:myWireguardPort
AllowedIPs = 0.0.0.0/0, ::0/0

Both /etc/config/network and /etc/config/firewall do not exist (in these locations) on my Raspberry (and at first glance I couldn't find any similar-looking files either :/)

Hope that still helps; if there is anything else to provide, let me know :slight_smile:

I'm not aware of this option in terms of file locations for setting up wireguard on OpenWrt. Usually the configs live in the /etc/config/network file.

These files should exist on your OpenWrt router (the 'remote' side Archer C7)... if they don't, you're probably not using OpenWrt.

Let's see the output of the following from OpenWrt:

wg show
ubus call system board

The location of the file is on the Raspberry (home): /etc/wireguard/configs/MyRouter1.conf, the server-generated config so to speak. I then took this file and imported it into the OpenWRT WireGuard interface (remote) via the "Load configuration..." button.

Sorry for the improper clarification...

I'm so stupid and equally sorry, I searched for these files on the server (home) side!
Of course they do exist on the client (remote) side (OpenWRT):

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd14:3d36:4b84::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '192.168.1.120'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 6t'

config interface 'vpn'
        option proto 'wireguard'
        option private_key 'xXx'
        list addresses '10.235.125.3/24'
        list addresses 'fd11:5ee:bad:c0de::3/64'
        option peerdns '0'
        list dns '208.67.222.222'
        list dns '208.67.220.220'

config wireguard_vpn
        option description 'Imported peer configuration'
        option public_key 'xXx'
        option preshared_key 'xXx'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::0/0'
        option endpoint_host 'mydomain'
        option endpoint_port 'myport'

and

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Minecraft'
        option src 'wan'
        option src_dport '25565'
        option dest_ip '192.168.1.120'
        option dest_port '25565'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'ssh'
        option src 'wan'
        option src_dport '22'
        option dest_ip '192.168.1.120'
        option dest_port '22'

config zone
        option name 'tunnel'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'tunnel'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'tunnel'

Hope this helps!

also, wg show:

root@OpenWrt:~# wg show
interface: vpn
  public key: xXx
  private key: (hidden)
  listening port: 35926

peer: xXx
  preshared key: (hidden)
  endpoint: MyDomain.com:MyPort
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 10 hours, 46 minutes, 52 seconds ago
  transfer: 124 B received, 4.68 KiB sent

and ubus call system board:

root@OpenWrt:~# ubus call system board
{
        "kernel": "5.10.146",
        "hostname": "OpenWrt",
        "system": "Qualcomm Atheros QCA9558 ver 1 rev 0",
        "model": "TP-Link Archer C7 v1",
        "board_name": "tplink,archer-c7-v1",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.2",
                "revision": "r19803-9a599fee93",
                "target": "ath79/generic",
                "description": "OpenWrt 22.03.2 r19803-9a599fee93"
        }
}

I also just now realized that it actually shows some data being transferred, which was never there before :thinking:

[EDIT]:
I also just tested, and from the router (remote) I actually can now successfully ping 10.235.125.1, however none of the other hosts on the 192.168.0.0/24 subnet...

I also tried pinging the same address from my laptop, which is now in 192.168.1.0/24 (behind the remote router), which does not work (Reply from 192.168.1.1: Destination port unreachable.)

You can remove DNS from the WG interface definition... it doesn't actually do anything.

In the peer config, you need to add option route_allowed_ips '1'

You're missing the network in the tunnel firewall zone... therefore, the WG tunnel is not actually assigned to any firewall zone.

Add list network 'vpn' to the tunnel firewall zone.

Also, with masquerading enabled on this zone, the tunnel > lan forwarding doesn't serve any practical purpose... you can remove the 'src tunnel, dest lan' rule.
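As an added check (not code from this thread or from OpenWrt), here is a small Python parser for the two UCI files that flags exactly the two problems named above: a peer section without route_allowed_ips '1' and a wireguard interface that no firewall zone's network list includes. The BEFORE/AFTER excerpts are constructed from the configs posted earlier in the thread.

```python
import re

# Constructed excerpts of the two UCI files posted above: the 'vpn' WireGuard
# interface with its imported peer, and the 'tunnel' zone that lists no network.
NETWORK_BEFORE = """
config interface 'vpn'
        option proto 'wireguard'
config wireguard_vpn
        option public_key 'xXx'
        list allowed_ips '0.0.0.0/0'
"""
FIREWALL_BEFORE = """
config zone 'lan'
        option name 'lan'
        list network 'lan'
config zone
        option name 'tunnel'
        option masq '1'
"""
# The same excerpts with the two suggested fixes appended to their last section.
NETWORK_AFTER = NETWORK_BEFORE + "        option route_allowed_ips '1'\n"
FIREWALL_AFTER = FIREWALL_BEFORE + "        list network 'vpn'\n"

def parse_uci(text):
    """Parse UCI text into a list of {'type', 'name', 'opts': {key: [values]}}."""
    sections = []
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"config\s+(\S+)(?:\s+'([^']*)')?$", line)
        if m:  # new section; unnamed sections (like the tunnel zone) get name None
            sections.append({"type": m.group(1), "name": m.group(2), "opts": {}})
            continue
        m = re.match(r"(option|list)\s+(\S+)\s+'([^']*)'$", line)
        if m and sections:
            sections[-1]["opts"].setdefault(m.group(2), []).append(m.group(3))
    return sections

def check_wireguard(network_text, firewall_text):
    """Flag peers lacking route_allowed_ips '1' and WG interfaces no zone claims."""
    findings = []
    net, fw = parse_uci(network_text), parse_uci(firewall_text)
    wg = [s["name"] for s in net
          if s["type"] == "interface" and s["opts"].get("proto") == ["wireguard"]]
    for iface in wg:
        for peer in (s for s in net if s["type"] == "wireguard_" + iface):
            if peer["opts"].get("route_allowed_ips") != ["1"]:
                findings.append(f"{iface}: peer lacks route_allowed_ips '1'")
        if not any(z["type"] == "zone" and iface in z["opts"].get("network", [])
                   for z in fw):
            findings.append(f"{iface}: not in any firewall zone's network list")
    return findings
```

Run it against the BEFORE pair and it reports both findings; against the AFTER pair it reports none, which is the state the suggested edits leave the router in.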

Oh hey, thanks, I've now had a chance to test your suggestions and they worked like a charm! I can successfully ping all my devices at my home location from anyone in the remote LAN!
However, what still isn't working, and also was my problem before, is the other way around. I still cannot seem to find any of my remote devices from my home LAN. Do you maybe have an idea for me there too?
And again, thanks a lot, this is great already ^^

[EDIT]
I just realized that the whole config with readable keys was in the /etc/config/network part; could you maybe also remove them in your quotes? Thanks :see_no_evil:

Hi there, I've been experimenting a bit in the last few hours, and I got it to work the other way around too. However, devices on the remote network can only be reached if I ping them from the Raspberry (WireGuard server at the home LAN) itself, not from any other devices at home (I think; I can't actually test that completely since I'm not at home and can only access the Raspberry, however:). Another problem is that my laptop as a peer cannot reach the remote LAN (not even 192.168.1.1 or 10.235.125.3, the remote IP in the WG network). :confused:

@irg008 - sorry this fell off my radar a few days ago. Are you still looking for a solution here? If so, I'll catch up and see what ideas I can offer.

Hi,
No worries, by completely setting everything up again and playing endlessly with all the many variables I actually managed to get it to work now, but still thank you for your support! Now I can reach my whole remote and home network from wherever I'm connected to my VPN! I still have some issues to figure out, and maybe you can still help me with these, but overall it works for now.
One problem I have is that the devices in my home network can't reach my remote network (yet). I assume that is because the IP route only exists on the Raspberry, and unfortunately I have a router from my ISP Vodafone, which doesn't let me create any IP routes or even define name servers, so I guess I will have to go around and enter my WireGuard server with the route as the network gateway in all my home's devices...
Also, what I sadly haven't figured out yet either is how to forward ports all the way from the home router with a public IP to my remote network's servers; I want to host a little Minecraft server there, but I'm really not sure how, from the Raspberry, I can forward incoming port 25565 to say 192.168.1.40 (via WG) so that I can make my MC server publicly reachable...
But anyway, I'm happy for now and will keep tinkering until something seems to work... have a nice day!
:slight_smile: