Wireguard connect but no internet

Hi, I would like to set up a WireGuard server on my OpenWrt router so I can access my home network remotely. I have done this and I can connect to the WireGuard server, but I can't access the Internet or any devices on my home network.

Here is my current setup. Let me know if more information is required.

ISP router (192.168.1.1) <- wifi bridge (relayd, 192.168.2.1) -> OpenWrt router (192.168.1.100)

My ISP router is doing DHCP.

I have set up a WireGuard server using LuCI and also set up DDNS. Here are my WireGuard interface settings.

[General]
protocol: wireguard VPN
Bring on boot : Checked
Private Key: XXXX
Public Key: XXXX
Listen Port: 56969
IP Addresses: 10.0.0.1
No Host Routes: Unchecked

[Advanced]
Nothing is set

[Firewall]
Create/Assign firewall Zone: lan [lan, wwan, repeater_bridge, wgKush]

[DHCP]
Not set

[peer settings]
Allowed IP : 10.0.0.2/32
Route Allowed IPs: Checked
endpoint host : DDNS hostname
endpoint port: 56969
Persistent Keep alive: 25

[peer configuration]
Connection Endpoint: DDNS hostname
Allowed IPs: 0.0.0.0/0, ::/0
Addresses: 10.0.0.2/32

[Interface]
PrivateKey = XXXXXXXXXXXXX
Address = 10.0.0.2/32
ListenPort = 56969
DNS = 192.168.2.1

[Peer]
PublicKey = XXXXXXXXXXXXXX
# PresharedKey not used
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = xxxxxxxxxxx:56969
PersistentKeepAlive = 25

I'm not sure why DNS is pointing to 192.168.2.1 . I have tried removing it and I still can't access the internet on the client. Also on the client, I can ping 10.0.0.1 but can't reach anything else.

Also I opened port 56969 on my ISP router so that wireguard can work.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
wg show

Thanks for helping.

ubus call system board

{
        "kernel": "5.10.176",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "Xiaomi Redmi Router AX6S",
        "board_name": "xiaomi,redmi-router-ax6s",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.5",
                "revision": "r20134-5f15225c1e",
                "target": "mediatek/mt7622",
                "description": "OpenWrt 22.03.5 r20134-5f15225c1e"
        }
}

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdfb:76a3:35c4::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.2.1'
        option gateway '192.168.1.1'
        list dns '192.168.1.1'
        list dns '8.8.8.8'

config device
        option name 'wan'
        option macaddr 'XX:XX:XX:XX:XX:XX'

config interface 'wwan'
        option proto 'dhcp'

config interface 'repeater_bridge'
        option proto 'relay'
        list network 'lan'
        list network 'wwan'

config interface 'wgKush'
        option proto 'wireguard'
        option private_key 'XXXXXXXXXXXXXXXXXXXXXXXXXX'
        option listen_port '56969'
        option delegate '0'
        option defaultroute '0'
        list addresses '10.0.0.1'

config wireguard_wgKush
        option description 'AcerLaptop'
        option public_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        option private_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        list allowed_ips '10.0.0.2/32'
        option route_allowed_ips '1'
        option endpoint_host 'XXX.duckdns.org'
        option endpoint_port '56969'
        option persistent_keepalive '25'

cat /etc/config/firewall


config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wwan'
        list network 'repeater_bridge'
        list network 'wgKush'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

wg show

interface: wgKush
  public key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  private key: (hidden)
  listening port: 56969

peer: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  endpoint: xxx.xx.xx.xx:2441
  allowed ips: 10.0.0.2/32
  latest handshake: 3 hours, 41 minutes, 22 seconds ago
  transfer: 199.17 KiB received, 1.16 MiB sent
  persistent keepalive: every 25 seconds

Truth be told, I've never tried setting up a wireguard endpoint on a wifi repeater using relayd. I'm not sure if it will work or not because of the nuances of how relayd works.

Do you have another OpenWrt device that you can use for Wireguard instead? That would be more straightforward.


I don't have another WireGuard device unfortunately, and I think relayd is my only option. I'm in a share house and my room is far from the main router. The main router cannot mesh and I can't connect via cable.

I have tried the solution here and it works: WireGuard "server" on Relayd client bridge device [SOLVED]
Now I can connect to the WireGuard VPN and also have internet access.

I can't access devices connected to the OpenWrt AP or LAN ports. I can only connect to computers connected to the WLAN from the main ISP router.

I have my Raspberry Pi on 192.168.1.150, and when I connect my laptop to the wg VPN and ping it I get this:

Reply from 192.168.1.100: Destination host unreachable

192.168.1.100 is the ip address of the OpenWrt router.

Glad to know it generally works. But, it doesn't entirely surprise me that you're having trouble connecting to the devices that are connected via the relay...

relayd is basically a clever hack that involves routing between two interfaces such that the same subnet appears on each interface. In any normal situation, this cannot be routed, so that's why relayd is needed. My best guess is that there is routing ambiguity about how to reach devices on the downstream subnet since both the upstream and downstream are the same... so it just ends up pointing the packets to the upstream and that's it. I could be wrong about the reason, but fundamentally a relayd-based device will have some nuances and quirks that don't conform to normal routing methods.

Don't you need a firewall rule allowing Wireguard in from WAN? I couldn't find it in your output of /etc/config/firewall.

config rule 'Allow_WireGuard'
	option name 'Allow_WireGuard'
	option src 'wan'
	option proto 'udp'
	option dest_port '56969'
	option target 'ACCEPT'
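A way to check the point raised in the last reply against the posted configs, as an added example that is not code from this thread or from OpenWrt: a small parser for UCI text that reads the network and firewall configs (abridged from the posts above and embedded here as constructed sample input), finds each WireGuard interface's listen port, and reports whether an ACCEPT rule admits UDP to that port from the wan zone and which zone the interface belongs to. The function names (`parse_uci`, `wireguard_listen_ports`, `wan_allows_udp_port`, `zone_for_network`, `audit`) are the example's own, and the rule matching is a deliberate simplification of OpenWrt firewall semantics: a rule with only `src` is treated as an input rule, a rule with both `src` and `dest` as a forward rule, and `dest_port` as a single port or a `low-high` range.

```python
import shlex

# Constructed sample input, abridged from the configs posted in this thread.
NETWORK_CFG = """
config interface 'wgKush'
        option proto 'wireguard'
        option private_key 'REDACTED'
        option listen_port '56969'
        list addresses '10.0.0.1'

config interface 'wwan'
        option proto 'dhcp'
"""

FIREWALL_CFG = """
config zone
        option name 'lan'
        option input 'ACCEPT'
        list network 'lan'
        list network 'wwan'
        list network 'repeater_bridge'
        list network 'wgKush'

config zone
        option name 'wan'
        option input 'REJECT'
        option masq '1'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
"""

# The rule suggested in the last reply, as it would be appended to the firewall config.
FIX_RULE = """
config rule 'Allow_WireGuard'
        option name 'Allow_WireGuard'
        option src 'wan'
        option proto 'udp'
        option dest_port '56969'
        option target 'ACCEPT'
"""


def parse_uci(text):
    """Parse UCI text (config/option/list lines) into a list of section dicts."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)  # handles the single-quoted values UCI writes
        if tok[0] == "config" and len(tok) >= 2:
            current = {"type": tok[1], "name": tok[2] if len(tok) > 2 else None,
                       "options": {}, "lists": {}}
            sections.append(current)
        elif tok[0] == "option" and current is not None and len(tok) >= 3:
            current["options"][tok[1]] = tok[2]
        elif tok[0] == "list" and current is not None and len(tok) >= 3:
            current["lists"].setdefault(tok[1], []).append(tok[2])
    return sections


def wireguard_listen_ports(network_sections):
    """Map each interface with proto 'wireguard' to its listen_port."""
    return {s["name"]: int(s["options"]["listen_port"])
            for s in network_sections
            if s["type"] == "interface"
            and s["options"].get("proto") == "wireguard"
            and "listen_port" in s["options"]}


def _port_matches(spec, port):
    # dest_port may hold a single port or a 'low-high' range (simplified)
    for part in spec.split():
        lo, _, hi = part.partition("-")
        if lo.isdigit() and (hi.isdigit() and int(lo) <= port <= int(hi) or not hi and int(lo) == port):
            return True
    return False


def wan_allows_udp_port(firewall_sections, port, src_zone="wan"):
    """True if an enabled ACCEPT input rule admits UDP to this port from src_zone."""
    for s in firewall_sections:
        o = s["options"]
        if s["type"] != "rule" or o.get("enabled", "1") == "0":
            continue
        if o.get("src") != src_zone or o.get("target", "ACCEPT") != "ACCEPT":
            continue
        if o.get("dest"):  # src + dest means a forward rule, not traffic to the router itself
            continue
        proto = o.get("proto", "tcp udp")
        if proto not in ("all", "tcpudp") and "udp" not in proto.split():
            continue
        spec = o.get("dest_port") or " ".join(s["lists"].get("dest_port", []))
        if spec and _port_matches(spec, port):
            return True
    return False


def zone_for_network(firewall_sections, network):
    """Return the name of the zone that lists this network, or None."""
    for s in firewall_sections:
        if s["type"] == "zone" and network in s["lists"].get("network", []):
            return s["options"].get("name")
    return None


def audit(network_text, firewall_text):
    """For each WireGuard interface: listen port, its zone, and whether wan input is allowed."""
    net, fw = parse_uci(network_text), parse_uci(firewall_text)
    return {iface: {"listen_port": port,
                    "zone": zone_for_network(fw, iface),
                    "wan_input_rule": wan_allows_udp_port(fw, port)}
            for iface, port in wireguard_listen_ports(net).items()}


if __name__ == "__main__":
    print(audit(NETWORK_CFG, FIREWALL_CFG))
    print(audit(NETWORK_CFG, FIREWALL_CFG + FIX_RULE))
```

On the posted config the audit reports no wan input rule for UDP 56969, and it reports `wwan` (the interface facing the ISP router) as a member of the `lan` zone, whose input policy is ACCEPT; that zone membership, not the suggested rule, is what currently decides whether the listen port is reachable, so it is worth printing alongside the rule check.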