Johnwl
January 29, 2022, 6:09pm
Hello
I am struggling to configure my router to work with WireGuard. What I am doing: I connect to the WAN through a wifi client and want to use the VPN (WireGuard) through port 1.
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdd0:e293:2785::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0.1'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config device
option name 'eth0.2'
option macaddr 'd4:6e:0e:ed:42:f3'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '6t 1 2 3 4'
config interface 'wwan'
option proto 'dhcp'
config interface 'WG'
option proto 'wireguard'
list addresses '**********'
option private_key '**********'
config wireguard_WG
option description '**********'
option public_key '**********'
option preshared_key '**********'
option route_allowed_ips '1'
option endpoint_host '**********'
option endpoint_port '51820'
list allowed_ips '0.0.0.0/0'
Firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone 'wan'
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wwan'
list network ''
list network 'WG'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled 'false'
config include
option path '/etc/firewall.user'
config forwarding
option src 'lan'
option dest 'wan'
config zone
option name 'vpn'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option input 'ACCEPT'
option mtu_fix '1'
I will appreciate any help; I am very new to this.
Can you describe what is happening in general right now? Are you able to get connectivity when your WG tunnel is not running? What happens if you ping 8.8.8.8 and google.com from one of your wifi clients when WG is down?
Is the WG tunnel being established successfully (are you getting handshakes)? Where is the other WG peer -- is it a commercial VPN service? or another endpoint somewhere such as your home?
Johnwl
January 29, 2022, 7:29pm
psherman:
Can you describe what is happening in general right now? Are you able to get connectivity when your WG tunnel is not running? What happens if you ping 8.8.8.8 and google.com from one of your wifi clients when WG is down?
Is the WG tunnel being established successfully (are you getting handshakes)? Where is the other WG peer -- is it a commercial VPN service? or another endpoint somewhere such as your home?
At the moment I am getting internet through the cable, but it does not pass through the VPN. The VPN is hosted by myself (not on the same network), and I can confirm it is working because I can connect to it from my phone.
I'm not personally familiar with how to configure VPN PBR (since I don't use it myself), but I think the first thing to check is to verify that your tunnel is working in general. You didn't answer about if you're getting handshakes.
But let's look at the complete config:
Please copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
cat /etc/config/network
cat /etc/config/firewall
Johnwl
January 29, 2022, 9:13pm
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdd0:e293:2785::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0.1'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config device
option name 'eth0.2'
option macaddr 'd4:6e:0e:ed:42:f3'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '6t 1 2 3 4'
config interface 'wwan'
option proto 'dhcp'
config interface 'WG'
option proto 'wireguard'
list addresses '10.253.0.2'
option private_key '*************'
config wireguard_WG
option description '*************'
option public_key '*************'
option preshared_key '*************'
option route_allowed_ips '1'
option endpoint_host '*************'
option endpoint_port '51820'
list allowed_ips '0.0.0.0/0'
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone 'wan'
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wwan'
list network ''
list network 'WG'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled 'false'
config include
option path '/etc/firewall.user'
I haven't changed anything from my first post.
What is the output from:
wg show
Johnwl
January 29, 2022, 10:05pm
interface: WG
public key: N1DIa50VaUZ1xjXa9aA4aC02a0BLs9azpv6kMgbCaCk=
private key: (hidden)
listening port: 34895
peer: lTkHorpXvB9fATjZWSc0LBQ2aUe0U28DL9erZyEmOAw=
preshared key: (hidden)
endpoint: ***. ***. ***. ***:51820
allowed ips: 0.0.0.0/0
transfer: 0 B received, 740 B sent
Seems that you don’t have a working handshake.
Maybe check the keys.
Johnwl
January 29, 2022, 10:23pm
interface: WG
public key: vNIIBFsenGpro7UHMiEdEPVOBeQo7eRADTWH0mlMRmI=
private key: (hidden)
listening port: 51710
peer: lTkHorpXvB9fATjzWSc0LBQ2aUe0U28DL9erZyWmOAw=
preshared key: (hidden)
endpoint: *:51820
allowed ips: 0.0.0.0/0
latest handshake: 4 hours, 8 minutes, 38 seconds ago
transfer: 1.84 KiB received, 2.27 KiB sent
I pasted the keys again and now there is a handshake, but there is no tunnel: my IP is the same.
That doesn't seem right. The "latest handshake" value should be seconds or minutes, not hours.
Johnwl
January 29, 2022, 10:35pm
allowed ips: 0.0.0.0/0
latest handshake: 2 minutes, 3 seconds ago
transfer: 67.37 KiB received, 9.76 KiB sent
I redid it again; the result is the same, no tunnel.
At least you now seem to have an active connection to the remote peer, based on the handshake and transfer values.
Have you tried disabling VPN PBR? If that is misconfigured, it might not allow the traffic to flow as expected, but if entirely disabled, the traffic should all be routed through the tunnel if it is working.
Johnwl
January 29, 2022, 10:49pm
Thank you, I have completely removed VPN PBR and now it is working. Thank you for spending your time to help me find a solution. Wish you all the best, and may the time spent on me come back to you as something you wish for most.
Johnwl
January 30, 2022, 3:29pm
I don't know why, but today after I turned on the router again the VPN connection was lost — only TX packets. I deleted the interface and recreated it; no tunnel again. I don't know why I can't make it stable.