hillz
May 11, 2020, 3:11am
Hi,
I'm using OpenWrt 18.06.2 and want to use this router as a WireGuard client; I have a WireGuard server on my VPS that is set up correctly. I followed this tutorial to set up the router as a WireGuard client. It connects to my server, but I can't browse the web: Chrome reports DNS_PROBE_FINISHED_NO_INTERNET.
Please also note that I have an interface named "HiLink" for my Huawei E3372 4G modem, and I'm using nextdns.io as my upstream DNS (see /etc/config/dhcp). Here are my config files:
(UPDATED)
Wireguard Client Config File:
[Interface]
# NOTE(review): this private key (and the PresharedKey below) was pasted
# verbatim into a public thread. Treat both as compromised: generate a new
# keypair and PSK (wg genkey / wg genpsk) and install them on both ends
# before relying on this tunnel.
PrivateKey = 2EQhES6x06J1H3LA7atYKwZ/s5vi7uyGX7jlOeVLImQ=
# /16 here, but the UCI 'list addresses' further down uses /32 for the same
# address; keep the two consistent (a /32 is enough for a single client).
Address = 10.88.0.13/16
# DNS= is a wg-quick option; the UCI config below has no equivalent line,
# so on OpenWrt the upstream resolvers come from /etc/config/dhcp instead.
DNS = 8.8.8.8
[Peer]
PublicKey = zdQBd+tRYBUvPMmOCGFFbfNMlPD9ttBqEU9ahHlrSgM=
PresharedKey = 4vzCXXKpynxI1jMx2lemmUbn5PfcFT3a5CBdJj1RToc=
# 0.0.0.0/0 sends all IPv4 through the tunnel. There is no ::/0 entry, so if
# the router ever gets an IPv6 uplink (wan6 is configured), v6 traffic would
# bypass the VPN.
AllowedIPs = 0.0.0.0/0
# WireGuard is UDP-only; this is UDP/443, not HTTPS.
Endpoint = wg-sg3.myip.id:443
PersistentKeepalive = 25
Network config:
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd09:a84e:7aba::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option ifname 'eth0'
option proto 'dhcp'
config interface 'wan6'
option ifname 'eth0'
option proto 'dhcpv6'
config interface 'HiLink'
option proto 'dhcp'
option ifname 'eth2'
# Peer section for the VPS. Compare with the [Peer] block of the client .conf
# above: the PresharedKey configured there has no 'option preshared_key'
# here, so if the server has that PSK set for this peer the handshake fails.
config wireguard_WireGuard
# With allowed_ips 0.0.0.0/0 this installs the default route via the tunnel
# ('default dev WireGuard' in the routing table dump later in the thread).
option route_allowed_ips '1'
option persistent_keepalive '25'
option public_key 'zdQBd+tRYBUvPMmOCGFFbfNMlPD9ttBqEU9ahHlrSgM='
list allowed_ips '0.0.0.0/0'
option endpoint_host 'wg-sg3.myip.id'
option endpoint_port '443'
config interface 'WireGuard'
option proto 'wireguard'
# NOTE(review): this private key has been posted publicly in this thread;
# regenerate it and install the new public key on the server.
option private_key '2EQhES6x06J1H3LA7atYKwZ/s5vi7uyGX7jlOeVLImQ='
# /32 here vs /16 in the client .conf above; the two should match.
list addresses '10.88.0.13/32'
Firewall Config:
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
# The tunnel interface shares the 'wan' zone with the physical uplinks, so:
#  - traffic from lan is masqueraded onto the tunnel (masq '1'), and
#  - unsolicited input/forward from the VPS side is rejected like any WAN.
# Consequently, anything accepted from 'wan' (e.g. the Allow-IPSec-ESP and
# Allow-ISAKMP forwards further down) is also reachable from the VPN peer.
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6 HiLink WireGuard'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# These two rules forward IPsec (ESP, and IKE on UDP/500) from any 'wan'
# interface - which here includes the WireGuard tunnel - into the LAN.
# Unless a LAN host actually terminates IPsec they only widen the attack
# surface; consider disabling them.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
# /etc/firewall.user is shown later in the thread and contains only the
# stock comment header, i.e. no custom rules.
option path '/etc/firewall.user'
DHCP config:
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
# Rejects upstream answers that point into private ranges (DNS rebinding
# protection) - keep this on.
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
# noresolv '1': the resolver handed out by the HiLink modem (192.168.8.1 in
# /tmp/resolv.conf.auto, see below) is ignored; only the servers listed here
# are used.
option noresolv '1'
# Plain UDP/53 resolvers (NextDNS anycast + Google), not DoT/DoH. With the
# 0.0.0.0/0 default route these queries travel inside the tunnel, so a
# tunnel that handshakes but does not pass traffic will most likely surface
# as exactly the DNS error seen in the browser.
list server '45.90.28.33'
list server '45.90.30.33'
list server '8.8.8.8'
list server '8.8.4.4'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
How do I solve this ?
Make the interface Address (10.88.0.13/16) a /32. Also, you didn't assign an address from the IPv6 network - if you add one, use /128 for it.
The same IP can't be used on both ends. That will never work with ordinary routing, let alone with WireGuard's cryptokey routing.
Try .2 and .1 respectively for the two ends of the tunnel.
hillz
May 11, 2020, 7:50pm
Thank you for the reply. Since there was a problem on my VPS, I've switched to a WireGuard config on another server; it now looks like this:
Wireguard_client.conf:
[Interface]
PrivateKey = [MY PRIVATE KEY]
Address = 10.88.0.13/16
DNS = 8.8.8.8
[Peer]
PublicKey = zdQBd+tRYBUvPMmOCGFFbfNMlPD9ttBqEU9ahHlrSgM=
PresharedKey = 4vzCXXKpynxI1jMx2lemmUbn5PfcFT3a5CBdJj1RToc=
AllowedIPs = 0.0.0.0/0
Endpoint = wg-sg3.myip.id:443
PersistentKeepalive = 25
When WireGuard is connected I always get DNS_PROBE_FINISHED_NO_INTERNET in Chrome. How do I fix it?
To be clear, which end is your VPN server?
hillz
May 11, 2020, 8:44pm
My server is now wg-sg3.myip.id:443
hillz
May 11, 2020, 8:46pm
I no longer use the configuration from my first post.
Then we need to see your whole new config.
hillz:
server now is
Then Address should be 10.88.0.13/32
hillz
May 11, 2020, 9:27pm
I have updated my first post with the new config file, please take a look
hillz:
Address = 10.88.0.13/16
You said the original post is now updated with the current configuration... As at least one or two other people have already stated, this is wrong. It must be /32.
Pro-tip: don't update the original post to reflect progressive changes... it confuses both current and future readers of this thread. The best option is to provide the update in-line in the thread so that everyone can see the changes and understand the most current status and/or fixes.
hillz
May 11, 2020, 9:42pm
You must be referring to the WireGuard config file; on my OpenWrt router I have used '10.88.0.13/32':
config interface 'WireGuard'
option proto 'wireguard'
option private_key '2EQhES6x06J1H3LA7atYKwZ/s5vi7uyGX7jlOeVLImQ='
list addresses '10.88.0.13/32'
He's referring to what he quoted. Simply expand the dropdown to see the quote.
Is this your server????
If so, that is wrong.
See... this is why you shouldn't edit the configs in Post #1.
I'm so confused...
Can you please (if you seek my assistance) make a single, simple post that:
- explains where the OpenWrt device fits in
- includes the configs for all devices involved
- states which device you want to be the server
trendy
May 11, 2020, 11:00pm
On the server side you are using address 10.88.0.1/16 and, for the peer, 10.88.0.13/32.
On the OpenWrt side you should use 10.88.0.13/16.
Fix that and post the following from OpenWrt:
uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ls -l /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*
Remember to redact passwords, WireGuard private and preshared keys, MAC addresses and any public IP addresses you may have. (The keys in your first post are already public - generate new ones before using that tunnel.)
hillz
May 13, 2020, 3:07am
Here's the output:
package network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd09:a84e:7aba::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option ifname 'eth0'
option proto 'dhcp'
config interface 'wan6'
option ifname 'eth0'
option proto 'dhcpv6'
config interface 'HiLink'
option proto 'dhcp'
option ifname 'eth2'
config wireguard_WireGuard
option route_allowed_ips '1'
option persistent_keepalive '25'
option public_key 'zdQBd+tRYBUvPMmOCGFFbfNMlPD9ttBqEU9ahHlrSgM='
list allowed_ips '0.0.0.0/0'
option endpoint_host 'wg-sg3.myip.id'
option endpoint_port '443'
config interface 'WireGuard'
option proto 'wireguard'
# NOTE(review): same private key as in the first post, still unredacted -
# rotate it before using this tunnel for anything real.
option private_key '2EQhES6x06J1H3LA7atYKwZ/s5vi7uyGX7jlOeVLImQ='
# Now /16 (changed from /32 on the advice above); the kernel adds an on-link
# 10.88.0.0/16 route for it (see the 'ip -4 ro' output below).
list addresses '10.88.0.13/16'
package wireless
config wifi-device 'radio0'
option type 'mac80211'
option channel '11'
option hwmode '11g'
option path 'platform/ar933x_wmac'
option htmode 'HT20'
option disabled '0'
option country 'US'
option legacy_rates '1'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'root'
option encryption 'psk2'
# NOTE(review): if 'password' is the real WPA2 PSK (and not a redaction),
# replace it with a long random passphrase - it is trivially guessable and
# grants full access to the 'lan' zone.
option key 'password'
package dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option noresolv '1'
list server '45.90.28.33'
list server '45.90.30.33'
list server '8.8.8.8'
list server '8.8.4.4'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
package firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6 HiLink WireGuard'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
# Generated by iptables-save v1.6.2 on Wed May 13 09:48:58 2020
*nat
:PREROUTING ACCEPT [91:17920]
:INPUT ACCEPT [36:2397]
:OUTPUT ACCEPT [180:11876]
:POSTROUTING ACCEPT [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[91:17920] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[52:4264] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A PREROUTING -i eth0 -m comment --comment "!fw3" -j zone_wan_prerouting
[39:13656] -A PREROUTING -i eth2 -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i WireGuard -m comment --comment "!fw3" -j zone_wan_prerouting
[224:14863] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[0:0] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o eth0 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o eth2 -m comment --comment "!fw3" -j zone_wan_postrouting
[224:14863] -A POSTROUTING -o WireGuard -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[52:4264] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[224:14863] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[224:14863] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[39:13656] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Wed May 13 09:48:58 2020
# Generated by iptables-save v1.6.2 on Wed May 13 09:48:58 2020
*mangle
:PREROUTING ACCEPT [366:66965]
:INPUT ACCEPT [214:23982]
:FORWARD ACCEPT [140:36306]
:OUTPUT ACCEPT [403:57615]
:POSTROUTING ACCEPT [508:92437]
[0:0] -A FORWARD -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -o eth2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[6:360] -A FORWARD -o WireGuard -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Wed May 13 09:48:58 2020
# Generated by iptables-save v1.6.2 on Wed May 13 09:48:58 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[0:0] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[214:23982] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[115:10642] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[2:120] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[49:3251] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i eth0 -m comment --comment "!fw3" -j zone_wan_input
[50:10089] -A INPUT -i eth2 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i WireGuard -m comment --comment "!fw3" -j zone_wan_input
[140:36306] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[40:4657] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[100:31649] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i eth2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i WireGuard -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[0:0] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[403:57615] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[153:41698] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o eth0 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o eth2 -m comment --comment "!fw3" -j zone_wan_output
[250:15917] -A OUTPUT -o WireGuard -m comment --comment "!fw3" -j zone_wan_output
[50:10089] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[2:120] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[0:0] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[100:31649] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[100:31649] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[49:3251] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[49:3251] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[0:0] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[0:0] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[49:3251] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o eth0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o eth2 -m comment --comment "!fw3" -j ACCEPT
[35:1484] -A zone_wan_dest_ACCEPT -o WireGuard -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[315:46082] -A zone_wan_dest_ACCEPT -o WireGuard -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_dest_REJECT -o eth2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_dest_REJECT -o WireGuard -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[50:10089] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[50:10089] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[250:15917] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[250:15917] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_REJECT -i eth0 -m comment --comment "!fw3" -j reject
[50:10089] -A zone_wan_src_REJECT -i eth2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_src_REJECT -i WireGuard -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Wed May 13 09:48:58 2020
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
valid_lft forever preferred_lft forever
8: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
inet 192.168.8.100/24 brd 192.168.8.255 scope global eth2
valid_lft forever preferred_lft forever
9: WireGuard: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1
inet 10.88.0.13/16 brd 10.88.255.255 scope global WireGuard
valid_lft forever preferred_lft forever
default dev WireGuard proto static scope link
10.88.0.0/16 dev WireGuard proto kernel scope link src 10.88.0.13
81.90.188.36 via 192.168.8.1 dev eth2 proto static
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.8.0/24 dev eth2 proto kernel scope link src 192.168.8.100
broadcast 10.88.0.0 dev WireGuard table local proto kernel scope link src 10.88.0.13
local 10.88.0.13 dev WireGuard table local proto kernel scope host src 10.88.0.13
broadcast 10.88.255.255 dev WireGuard table local proto kernel scope link src 10.88.0.13
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1
broadcast 192.168.8.0 dev eth2 table local proto kernel scope link src 192.168.8.100
local 192.168.8.100 dev eth2 table local proto kernel scope host src 192.168.8.100
broadcast 192.168.8.255 dev eth2 table local proto kernel scope link src 192.168.8.100
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
lrwxrwxrwx 1 root root 16 Apr 11 2019 /etc/resolv.conf -> /tmp/resolv.conf
lrwxrwxrwx 1 root root 21 May 12 04:56 /tmp/resolv.conf -> /tmp/resolv.conf.auto
-rw-r--r-- 1 root root 65 May 13 05:27 /tmp/resolv.conf.auto
==> /etc/resolv.conf <==
# Interface HiLink
nameserver 192.168.8.1
nameserver 192.168.8.1
==> /tmp/resolv.conf <==
# Interface HiLink
nameserver 192.168.8.1
nameserver 192.168.8.1
==> /tmp/resolv.conf.auto <==
# Interface HiLink
nameserver 192.168.8.1
nameserver 192.168.8.1
And here's the screenshot after wireguard is connected:
Have you tested it with clients such as the official WireGuard app or TunSafe? Is it working flawlessly there? If yes and everything is OK, then the mistake is in the client configuration on OpenWrt.
Leave DNS Forwarding empty, uncheck "Ignore resolve file", then on the wan interface uncheck "Use DNS servers advertised by peer" and set your desired DNS servers; save, reboot the router and test again.
Everything should then work.
(Caveat: with "Ignore resolve file" unchecked, dnsmasq will also use the resolver the HiLink modem hands out - 192.168.8.1, per /tmp/resolv.conf.auto above - which is reached directly over eth2 rather than through the tunnel, so those DNS queries would bypass the VPN.)
You realize you still haven't explained, right?
So now we have an OpenWrt config... but still don't know the server config.
Nonetheless... if your Post #1 is up to date, then the [Peer] config on the server is wrong. You need to use the public key of the OpenWrt device there.
Private configured in your OpenWrt: 2EQhES6x06J1H3LA7atYKwZ/s5vi7uyGX7jlOeVLImQ=
Peer Public Key at server: grvqfXzTyxP1OFAxVxHfDTUeV3EB39QtuY5VufIZel4=
Next:
You have a preshared key configured for the OpenWrt peer on the server, but you did not add it to the OpenWrt peer config (option preshared_key):
config wireguard_WireGuard
option route_allowed_ips '1'
option persistent_keepalive '25'
option public_key '<NEW_PUBLIC_KEY_FOR_SERVER>'
list allowed_ips '0.0.0.0/0'
option endpoint_host 'wg-sg3.myip.id'
option endpoint_port '443'
option preshared_key '4vzCXXKpynxI1jMx2lemmUbn5PfcFT3a5CBdJj1RToc='
You also need to make a new keypair for the server side and apply its public key in the spot noted above - you used the same private key for both ends of the connection. And because the OpenWrt private key and preshared key have been posted verbatim in this thread, generate a fresh keypair and PSK for the OpenWrt side as well.
Also fix all addressing issues already noted above.
Server:
List address: xxx.xxx.xxx.xxa/16 (BTW, a /16 is far larger than needed for 2 addresses)
Allowed IPs on [Peer]: xxx.xxx.xxx.xxb/32
OpenWrt:
List address: xxx.xxx.xxx.xxb/32
Allowed IPs on peer (from server): 0.0.0.0/0 (or use 0.0.0.0/1 and 128.0.0.0/1 together instead)
hillz
May 13, 2020, 3:07pm
It's fixed: after upgrading to 19.07.2, WireGuard is working fine. Thanks for all the help.