mrdav
January 13, 2022, 11:44am
1
Hi,
I have two routers running OpenWrt (at different sites) and I would like to be able to 'connect' them via VPN.
I have Wireguard running on one router and I can connect to it with my Windows PC, android tablet & phone. However, I would like to be able to connect my TV to it as well, hence VPN at the router. (I'm using the same conf as I use from my windows laptop)
I have followed this tutorial https://www.youtube.com/watch?v=0_zQAp3V18c&t=308s and can access LuCI at the remote site using 192.168.9.1, however nothing else (no internet, no printer etc.).
I'm still new to OpenWrt and networking and so would really appreciate some advice about how to go about tracking down the issue.
/etc/config/network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '<REDACTED>'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'WAN'
	option proto 'dhcp'
	option macaddr '<REDACTED>'
	option device 'eth1.20'

config interface 'WG0'
	option proto 'wireguard'
	option private_key '<REDACTED>'
	list addresses '192.168.9.3/32'
	option auto '0'

config wireguard_WG0
	option description 'WGConnection'
	option public_key '<REDACTED>'
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'
	option endpoint_host '<REDACTED>'
/etc/config/firewall
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'WAN'
	list network 'WG0'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

config zone
	option name 'wg'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'DROP'

config forwarding
	option src 'wg'
	option dest 'lan'

config forwarding
	option src 'wg'
	option dest 'wan'
I briefly tried to create a WAN/LAN firewall zone 'wg' but that didn't let me connect to anything. Hence why it's dangling in the config.
If anything else would be useful to track down the issue, let me know. Once again, any help greatly appreciated!
krazeh
January 13, 2022, 11:57am
2
What are the config files for the other router?
mrdav
January 13, 2022, 12:06pm
3
Remote router config files:
/etc/config/network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '<REDACTED>'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'WAN'
	option proto 'dhcp'
	option device 'eth1'

config interface 'wg0'
	option proto 'wireguard'
	option private_key '<REDACTED>'
	option listen_port '51820'
	list addresses '192.168.9.1/24'

config wireguard_wg0 'wgclient'
	option description 'A21s'
	option route_allowed_ips '1'
	option public_key '<REDACTED>'
	list allowed_ips '192.168.9.2/32'

config wireguard_wg0
	option description 'legion'
	option route_allowed_ips '1'
	option public_key '<REDACTED>'
	list allowed_ips '192.168.9.3/32'

config interface 'tun0'
	option proto 'none'
	option device 'tun0'

config wireguard_wg0
	option description 'Tablet'
	option public_key '<REDACTED>'
	list allowed_ips '192.168.9.4/32'
	option route_allowed_ips '1'
/etc/config/firewall
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list device 'tun0'
	list network 'WAN'

config forwarding 'lan_wan'
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'wg'
	option input 'ACCEPT'
	option output 'ACCEPT'
	list network 'wg0'
	option forward 'DROP'

config forwarding
	option src 'wg'
	option dest 'lan'

config forwarding
	option src 'wg'
	option dest 'wan'

config zone
	option name 'vpnclient'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'DROP'
	list network 'tun0'

config forwarding
	option src 'vpnclient'
	option dest 'lan'

config forwarding
	option src 'vpnclient'
	option dest 'wan'
[EDITED: due to posting wrong firewall config]
krazeh
January 13, 2022, 12:55pm
4
What kind of access to resources at the remote site do you want? Simply internet? Or do you want to access devices connected to that LAN?
mrdav
January 13, 2022, 1:20pm
5
I do need access to remote LAN connected devices, but only need that on a couple of Android / Windows devices which I currently have via their own wireguard software.
For the router-to-router VPN, I only need internet really.
Are you sure you posted the firewall configuration of the remote router? It looks just like the one of the local device.
mrdav:
config interface 'wg0'
mrdav:
list network 'WG0'
The interface names are case sensitive, so fix this disparity.
On the remote router you should move the wireguard interface from the wan to the lan zone.
Remove this:
mrdav
January 13, 2022, 2:55pm
7
Many thanks. Good catch. I've now edited my post above with the correct remote firewall config.
Can I just check with you, before making the changes to the remote that you suggest, is there any danger I will lose connection to the remote server (via my other wireguard clients)? It's just I'm not going to be there for a few months, so can't afford to make any change that could mean I lose contact.
mrdav
January 13, 2022, 3:25pm
8
Also, if it's any use, here is a tracert. (On the left is the wg0 WireGuard interface on the router. On the right is wg0 deactivated and using Windows' WireGuard client instead.)
My apologies. I totally overlooked that both routers have the same IP address on the lan interface. To make it work, one of the devices should use a different lan IP network. You should fix that first.
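As an added illustration (not code from this thread or from OpenWrt), the two mistakes krazeh spotted above, a firewall zone referring to an interface name in the wrong case and both sites using the same LAN subnet, are both things a small pre-deployment check can catch from the UCI text. The UCI excerpts below are constructed for the demo; `parse_uci`, `interface_case_mismatches` and `lan_network` are assumed helper names.

```python
import ipaddress
import re

# Constructed UCI excerpts (not the poster's full files): the firewall zone
# names the WireGuard interface in the wrong case, and both sites' LANs collide.
LOCAL_NETWORK = """
config interface 'lan'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
config interface 'WG0'
    option proto 'wireguard'
"""
LOCAL_FIREWALL = """
config zone
    option name 'wan'
    list network 'WAN'
    list network 'wg0'
"""
REMOTE_NETWORK = """
config interface 'lan'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
"""
UCI_LINE = re.compile(r"^[ \t]*(config|option|list)[ \t]+(\S+)(?:[ \t]+'([^']*)')?", re.M)

def parse_uci(text):
    """Parse UCI text into [(section_type, {key: [values]})]; '.name' is the section name."""
    sections = []
    for kind, key, value in UCI_LINE.findall(text):
        if kind == "config":
            sections.append((key, {".name": [value] if value else []}))
        else:  # option/list lines belong to the most recent config section
            sections[-1][1].setdefault(key, []).append(value)
    return sections

def interface_case_mismatches(network_text, firewall_text):
    """(zone_ref, real_name) pairs where a zone's 'list network' differs only by case."""
    ifaces = {s[".name"][0] for t, s in parse_uci(network_text) if t == "interface"}
    by_lower = {n.lower(): n for n in ifaces}
    return [(ref, by_lower[ref.lower()])
            for t, s in parse_uci(firewall_text) if t == "zone"
            for ref in s.get("network", [])
            if ref not in ifaces and ref.lower() in by_lower]

def lan_network(network_text):
    """IPv4 network of the 'lan' interface, derived from its ipaddr and netmask."""
    for t, s in parse_uci(network_text):
        if t == "interface" and s[".name"] == ["lan"]:
            return ipaddress.ip_interface(f"{s['ipaddr'][0]}/{s['netmask'][0]}").network
    raise ValueError("no lan interface found")
```

Two sites whose `lan_network()` results overlap cannot route to each other's LAN over the tunnel, which is why one side had to move to 192.168.2.0/24 before anything beyond the router itself became reachable.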
mrdav
January 13, 2022, 5:03pm
10
No need to apologise! I should have mentioned that myself actually, as I did wonder about that. I'll get on to changing that...
Will let you know how I get on... (Gonna be a chore as I have several devices with static IPs (Home Assistant / sensors / printers and the like), but something I should have thought about right from the start, so my own fault).
Many thanks!
mrdav
January 13, 2022, 9:16pm
11
OK, so changing to 192.168.2.1 on the 'local' router has gotten me further. Gives a full tracert to 8.8.8.8; however, "Unable to resolve target system name google.com."
So I'm assuming I have a wrong setting somewhere for DNS?
mrdav
January 13, 2022, 11:16pm
12
Finally have a working solution, but not 100% sure if it's the right way to do it, but I've simply unchecked 'Use DNS servers advertised by peer' and put '8.8.8.8' in 'Use custom DNS servers' instead.
This has done the trick.
So thanks for all the help! Once again, this forum has been invaluable and I couldn't have done it without you!