I planned to setup a Side-to-Side Wireguard VPN between my two Archer C7 routers which both are running the latest stable release of OpenWRT. I followed the following tutorials:
Unfortunately Wireguard seems to break both routers after I enabled the interface. Even if the time is synced and the interface is not enabled on boot.
So I am frustrated now and do not know how I can get it working. Can someone give me some hint? Or ist Wireguard on OpenWRT extremely buggy and should not be used?
In the recent past I have also setup successfully a Wireguard server on a Debian machine without any issues.
Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have
ubus call system board; \
uci export network; uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
Hi! Thanks for the fast answer. Find in the following the output as requested. Just a note: I started from scratch by reset the router and tried to establish the connection only with my phone to avoid to break the remote OpenWRT router but here I have the same issue....
{
"kernel": "4.14.195",
"hostname": "OpenWrt",
"system": "Qualcomm Atheros QCA956X ver 1 rev 0",
"model": "TP-Link Archer C7 v5",
"board_name": "tplink,archer-c7-v5",
"release": {
"distribution": "OpenWrt",
"version": "19.07.4",
"revision": "r11208-ce6496d796",
"target": "ath79/generic",
"description": "OpenWrt 19.07.4 r11208-ce6496d796"
}
}
package network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd4a:9ec1:65cc::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.10.1'
config interface 'wan'
option ifname 'eth0.2'
option proto 'static'
option ipaddr '192.168.178.10'
option netmask '255.255.255.0'
option gateway '192.168.178.1'
list dns '9.9.9.9'
list dns '149.112.112.112'
config device 'wan_eth0_2_dev'
option name 'eth0.2'
option macaddr '3c:84:6a:aa:2b:ff'
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '2 3 4 5 0t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '1 0t'
config interface 'VPN'
option proto 'wireguard'
list addresses '10.55.0.1/24'
option private_key '************************************'
option auto '0'
option listen_port '35021'
config wireguard_VPN
option public_key '************************************'
option description 'iPhone'
option persistent_keepalive '25'
option route_allowed_ips '1'
option endpoint_port '35021'
list allowed_ips '10.55.0.2/32'
list allowed_ips '192.168.10.0/24'
package dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
option ra_management '1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
package firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan VPN'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config rule
option src_port '35021'
option src 'wan'
option name 'Allow-Wireguard'
option target 'ACCEPT'
option dest 'lan'
list dest_ip '192.168.10.1'
option dest_port '35021'
list proto 'udp'
config redirect
option dest_port '35021'
option src 'wan'
option name 'Wireguard'
option src_dport '35021'
option target 'DNAT'
option dest_ip '192.168.10.1'
option dest 'lan'
list proto 'udp'
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.10.1/24 brd 192.168.10.255 scope global br-lan
valid_lft forever preferred_lft forever
8: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.178.10/24 brd 192.168.178.255 scope global eth0.2
valid_lft forever preferred_lft forever
default via 192.168.178.1 dev eth0.2 proto static
192.168.10.0/24 dev br-lan proto kernel scope link src 192.168.10.1
192.168.178.0/24 dev eth0.2 proto kernel scope link src 192.168.178.10
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.10.0 dev br-lan table local proto kernel scope link src 192.168.10.1
local 192.168.10.1 dev br-lan table local proto kernel scope host src 192.168.10.1
broadcast 192.168.10.255 dev br-lan table local proto kernel scope link src 192.168.10.1
broadcast 192.168.178.0 dev eth0.2 table local proto kernel scope link src 192.168.178.10
local 192.168.178.10 dev eth0.2 table local proto kernel scope host src 192.168.178.10
broadcast 192.168.178.255 dev eth0.2 table local proto kernel scope link src 192.168.178.10
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
And yes both routers are behind a modem from the ISP. The port forward on these devices is enabled but this should not be the problem as long as the interface did not come up properly.
Hi, thanks for your reply. Interesting I made the current conifugration within Luci because I was tired to use the bunch of uci command. I have adapted these changes and know the interface could be started without any issues. Testing from LAN access the connection was successful.
But unfortunately from my phone via LTE no connection is possible. Here I get the message: "handshake did not complete after xxx seconds"... So I assume I get this error because I have not set up an IPv6 address? Actually I have a public IPv4 adress from my provider, so it should work anyway?
I have already created a static route to the VPN network on the modem from my ISP...
Ah thanks a lot no the connection could be established.
But to have access to the web I have to put the corresponding IP range in the "Allowed IP" field in the peer section or not? Or other way my original plan is to have a side-by-side VPN network, thus only the traffic to LAN should be forwarded on both sides, the rest should not be go through the VPN tunnel.
So in addition to the peer IP I have just to add the corresponding private LAN subnet, right?
Hi, Ok I have setup the remote router as "client" and added the corresponding allowed IP on both sides. Now on the Wireguard status page it says that never a handshake was made and on the client router it seems that he tries to connect via IPv6 and not IPv4.
For testing I used the public IPv4 from the server side and not the dyndns hostname and the connection was succesfull!
So it seems that I have to setup IPv6 as-well. Unfortunately I am not very familiar with IPv6 so I have to try it out.
Unfortunately I am stucked at the following configuration steps:
uci set network.vpn.ip6prefix="fdf1:e8a1:8d3f::/48"
uci set network.vpn.ip6prefix="fdf1:e8a1:8d3f::/48"
What does this actually mean? I understand that on server and client side the IPv6 subnet must not overlap - so just the same like with IPv4 but what does the mentioned lines actually do?
Furthermore I want to understand this and already performed the remaining steps within Luci and here I cannot find the corresponding text fields.
Can somebody give me some more information about this? Because I want to prevent to completely break my current working IPv4 only setup
They assign to both WG interfaces an IPv6 prefix.
Then from this prefix there is a /64 prefix assigned to each lan with a proper hint to avoid conflicts.
Most likely there is no Luci support, but it's not a big deal and you can add it manually from Luci under lan, or you could directly allow the ULA already assigned to each router.
