Wireguard: configured LAN tunnels, cannot make WAN tunnels

I am configuring WireGuard on a network that has both LAN hosts and WAN hosts. Let's call the LAN hosts A and B, and let's call C the host connected over the WAN.
Wireguard network IPs

OpenWRT router 10.0.0.1
A 10.0.0.2
B 10.0.0.3
C 10.0.0.4

I successfully managed to let A and B ping the OpenWrt router's WireGuard IP, but the WAN host C cannot ping it. I also tried to move the wg0 interface from the unspecified firewall zone to LAN, but it did not fix the problem. Can you help me? I don't post the client configuration since I know it is okay, because I am a longtime WireGuard user on "regular" Linux machines, but I am not yet so practised with OpenWrt configuration. Thank you

/etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        # ULA prefix redacted by the poster
        option ula_prefix 'removed_be_me::/48'

# Bridge of the five switch ports. Peers A (192.168.1.20) and B (192.168.1.30)
# live on this segment, see their endpoint_host values below.
config interface 'lan'
        option type 'bridge'
        option ifname 'lan0 lan1 lan2 lan3 lan4'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option _turris_mode 'managed'

# Upstream link on eth2 (DHCP). The address obtained here is the one the
# WAN peer C has to use as its endpoint_host.
config interface 'wan'
        option ifname 'eth2'
        option proto 'dhcp'
        option ipv6 '0'
        option hostname 'xxxxxx'

config interface 'wan6'
        option ifname '@wan'
        option proto 'none'

# WireGuard server side: listens on UDP 51000 and holds 10.0.0.1/24 inside
# the tunnel. Key material is redacted for the post; the unquoted values are
# the redaction, not real UCI syntax.
config interface 'wg0'
        option proto 'wireguard'
        option private_key **REMOVED**
        option listen_port '51000'
        list addresses '10.0.0.1/24'

# Peer A: has an endpoint on the LAN, so the router itself can initiate
# the handshake. Only 10.0.0.2 is accepted from / routed to this peer.
config wireguard_wg0
        option public_key **REMOVED**
        option description 'A'
        option endpoint_port '51000'
        option endpoint_host '192.168.1.20'
        list allowed_ips '10.0.0.2/32'

# Peer B: same as A, endpoint on the LAN, tunnel address 10.0.0.3.
config wireguard_wg0
        option endpoint_port '51000'
        option public_key **REMOVED**
        option description 'B'
        option endpoint_host '192.168.1.30'
        list allowed_ips '10.0.0.3/32'

# Peer C: no endpoint_host/endpoint_port, so the router cannot initiate the
# handshake; C must connect in to the router's WAN address on UDP 51000 and
# the router learns C's address from that handshake. That inbound UDP port
# therefore has to be accepted by the firewall on the wan zone.
config wireguard_wg0
        option public_key **removed_be_me**
        option description 'host from WAN'
        list allowed_ips '10.0.0.4/32'

/etc/config/firewall

# Global policies. They apply to traffic on any interface that is not a
# member of a zone: the router accepts such traffic (input ACCEPT) but does
# not forward it anywhere (forward REJECT).
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

# wg0 is placed in the lan zone. With forward ACCEPT on the zone, tunnel
# peers get the same reach as a LAN host (including the lan->wan forwarding
# below), so every WireGuard peer is treated as a trusted LAN device.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan wg0'

# input REJECT here is why unsolicited traffic from the Internet to the
# router itself (such as UDP 51000 from peer C) is dropped unless a rule
# with src 'wan' explicitly accepts it.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

# LAN (and thus wg0) hosts may reach the Internet; no forwarding in the
# other direction.
config forwarding
        option src 'lan'
        option dest 'wan'

# The rules below are the stock OpenWrt defaults for the wan zone.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# The two IPsec rules forward ESP and IKE (UDP 500) from the Internet into
# the LAN; they are part of the stock config and unrelated to WireGuard.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Hand-written iptables rules, if any, live in this file and are not shown
# in the post.
config include
        option path '/etc/firewall.user'

# Turris-specific 6in4 rule, disabled.
config rule 'turris_wan_6in4_rule'
        option enabled '0'
# Open the WireGuard listen port towards the Internet so that peer C can
# reach the router. The rule has src 'wan' and no dest, so it applies to
# traffic addressed to the router itself (INPUT), not to forwarded traffic.
# Remove any previous copy of the named section first; -q keeps the delete
# silent when it does not exist, so the script can be re-run safely.
uci -q delete firewall.wg
# Named section 'wg' so it can be found and changed later by name.
uci set firewall.wg="rule"
uci set firewall.wg.name="Allow-WireGuard"
uci set firewall.wg.src="wan"
# Must match listen_port in /etc/config/network (51000) and the client's endpoint_port.
uci set firewall.wg.dest_port="51000"
uci set firewall.wg.proto="udp"
uci set firewall.wg.target="ACCEPT"
# Write /etc/config/firewall and reload the rule set.
uci commit firewall
/etc/init.d/firewall restart

still no change unfortunately

  • IPs don't match.
  • Closing quote symbol is missing.

My typo: I was censoring the original IPs, replacing them with others, and I missed that one.

Closing quote symbol is missing.

That is also a typo in the forum message.


Check the WG status on both client and server:

wg show

Make sure the WAN client is connecting to the WAN IP of the server:

tcpdump -evni eth2 udp port 51000

Make sure the WAN client is connecting to the WAN IP of the server:
tcpdump -evni eth2 udp port 51000

Should I run it on the WAN client?

Host A (OpenWRT router)

interface: wg0
  public key: **removed_by_me**
  private key: (hidden)
  listening port: 51000

(note: host C)
peer: **removed_by_me**
  endpoint: 192.168.1.3:51000
  allowed ips: 10.0.0.3/32
  latest handshake: 38 minutes, 12 seconds ago
  transfer: 45.60 KiB received, 45.20 KiB sent

  (note: host B)
peer: **removed_by_me**
  endpoint: 192.168.1.2:51000
  allowed ips: 10.0.0.2/32

Host C

# wg show
interface: wg0
  public key: **removed_by_me**
  private key: (hidden)
  listening port: 51000

  (note: host A)
peer: **removed_by_me**
  endpoint: **removed_by_me**:51000
  allowed ips: 10.0.0.1/32
  transfer: 0 B received, 8.67 KiB sent
# ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
^C
10.0.0.1 ping statistics 
2 packets transmitted, 0 received, 100% packet loss, time 1017ms

Make sure the WAN client is connecting to the WAN IP of the server:
tcpdump -evni eth2 udp port 51000

Yes, packets arrive.

Avoid specifying listen_port on the client.
Verify that WAN client is using the WAN IP of the router for endpoint_host.
Make sure that endpoint_port on the client matches the listen_port on the server and the dest_port in the port opening rule.

Well, I just restarted the OpenWrt wg0 interface and after a few seconds the WAN client could ping the OpenWrt WireGuard IP (wg0 interface). May I ask which firewall zone wg0 should belong to in my use case (WAN and LAN clients)?


If your WG clients are trusted enough to allow access to the LAN, then it's reasonable to share the same firewall zone with LAN.


Thank you. What happens in case I leave it to unspecified?


In this case, the default policies will be applied to it, i.e. the ones in the `config defaults` section of your firewall file: input ACCEPT, output ACCEPT, forward REJECT. So the router's own services stay reachable from the tunnel, but nothing coming from wg0 is forwarded to the LAN or the WAN.


Thank you for your time and your precious help

