Wireguard, Digital Ocean Droplet as egress

Hi All,
In order to raise my WAF points I'd like to configure a VPN from my home network that egresses into the UK public internet. I've installed Wireguard on my OpenWRT router and have a Digital Ocean droplet for the other end. Both ends can connect and ping each other over the VPN but I can't get any LAN traffic to exit the droplet onto the internet. I guess I'm missing some vital firewall or routing configuration. Any help much appreciated.

LAN: 192.168.1.0/24
VPN: 10.0.0.0/24

Here's the OpenWRT config

config interface 'DO'
	option proto 'wireguard'
	option listen_port '5555'
	option private_key '<snip>'
	list addresses '10.0.0.2/24'
	list addresses '192.168.1.0/24'

config wireguard_DO
	option public_key '<snip>'
	list allowed_ips '10.0.0.1/32'
	option endpoint_host '209.97.179.43'
	option endpoint_port '5555'

config zone
	option name 'VPN'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'DO'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'

root@gate:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth1
10.0.0.0        *               255.255.255.0   U     0      0        0 DO
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan
209.97.179.43   192.168.0.1     255.255.255.255 UGH   0      0        0 eth1

Since I'm using masq I'm pretty sure I don't need the LAN subnet in AllowedIPs.

Here's the droplet config

[Interface]
Address = 10.0.0.1/24
SaveConfig = true
ListenPort = 5555
PrivateKey = <snip>

[Peer]
PublicKey = <snip>
AllowedIPs = 10.0.0.2/32

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         209.97.176.1    0.0.0.0         UG    0      0        0 eth0
10.0.0.0        *               255.255.255.0   U     0      0        0 wg0
10.16.0.0       *               255.255.0.0     U     0      0        0 eth0
209.97.176.0    *               255.255.240.0   U     0      0        0 eth0

I'm testing by using VPN Policy Routing to send one client down the VPN. I also tested by sending everything down the VPN, which resulted in a lowering of the Wife Acceptance Factor for a short while. :slight_smile:

From a glance:
change the `option forward 'REJECT'` in your network config, VPN zone, to ACCEPT.

Aside from that, how exactly is a VPN going to make your wife happier?

Hmm. I don't think I need ACCEPT forward since I've set masquerade to 1. The firewall zone has the same config as the WAN interface.

WAF is raised when the wife watches Coronation Street and Eastenders. :slight_smile:

Your allowed IPs need to be 0.0.0.0/0 for a full-Internet VPN.


Excellent. I also had to add this to the droplet config.

PostUp   = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

Thanks Guys.
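To make the two fixes in this thread concrete, here is an added example (not code from the thread, OpenWrt or WireGuard) that models WireGuard's cryptokey routing and lints a wg-quick `[Interface]` section. It shows why the router-side peer needed `AllowedIPs = 0.0.0.0/0` (a packet whose destination matches no peer's AllowedIPs is dropped before it ever enters the tunnel, so masquerading on the router alone cannot help) and why the droplet needed the PostUp forward and masquerade rules. The config texts are constructed from the values posted above, keys are placeholders, and the router side is written in wg-quick syntax instead of OpenWrt UCI only so one parser serves both ends.

```python
"""Added example: WireGuard cryptokey-routing model plus an exit-node lint.
Not code from the thread; the config strings below are constructed from the
thread's values and the keys are placeholders."""
import ipaddress

ROUTER_BEFORE = """\
[Interface]
Address = 10.0.0.2/24
PrivateKey = <snip>

[Peer]
PublicKey = <snip>
AllowedIPs = 10.0.0.1/32
Endpoint = 209.97.179.43:5555
"""
# The fix from the thread: let the peer carry traffic for any destination.
ROUTER_AFTER = ROUTER_BEFORE.replace("AllowedIPs = 10.0.0.1/32",
                                     "AllowedIPs = 0.0.0.0/0")

DROPLET_BEFORE = """\
[Interface]
Address = 10.0.0.1/24
ListenPort = 5555
PrivateKey = <snip>

[Peer]
PublicKey = <snip>
AllowedIPs = 10.0.0.2/32
"""
# The second fix: allow forwarding through the tunnel and NAT on the WAN side.
DROPLET_AFTER = DROPLET_BEFORE.replace("PrivateKey = <snip>\n", (
    "PrivateKey = <snip>\n"
    "PostUp   = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; "
    "iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\n"
    "PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; "
    "iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE\n"))


def parse_wg_conf(text):
    """Parse wg-quick style INI text into {'Interface': {...}, 'Peer': [...]}.
    A key repeated inside one section (AllowedIPs often is) is joined with commas."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line == '[Interface]':
            current = interface
        elif line == '[Peer]':
            current = {}
            peers.append(current)
        elif '=' in line and current is not None:
            key, value = (s.strip() for s in line.split('=', 1))
            current[key] = f"{current[key]}, {value}" if key in current else value
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    return {'Interface': interface, 'Peer': peers}


def select_peer(conf, dst):
    """Cryptokey routing for an outbound packet: the peer whose AllowedIPs holds
    the longest prefix covering dst, or None, in which case WireGuard drops it."""
    dst = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for peer in conf['Peer']:
        for cidr in peer.get('AllowedIPs', '').split(','):
            cidr = cidr.strip()
            if not cidr:
                continue
            net = ipaddress.ip_network(cidr, strict=False)
            if dst in net and net.prefixlen > best_len:
                best, best_len = peer, net.prefixlen
    return best


def lint_exit_node(conf, wan_if):
    """Return what a full-tunnel exit node's PostUp is missing (empty list = ok)."""
    post_up = conf['Interface'].get('PostUp', '')
    wanted = {
        'FORWARD accept for packets arriving on the tunnel': 'FORWARD -i %i -j ACCEPT',
        'FORWARD accept for packets leaving via the tunnel': 'FORWARD -o %i -j ACCEPT',
        f'MASQUERADE on {wan_if}': f'POSTROUTING -o {wan_if} -j MASQUERADE',
    }
    return [name for name, needle in wanted.items() if needle not in post_up]


def demo():
    """Run both checks against the before/after configs; 203.0.113.10 is a
    documentation address standing in for an Internet destination."""
    before, after = parse_wg_conf(ROUTER_BEFORE), parse_wg_conf(ROUTER_AFTER)
    return {
        'before_tunnel_peer': select_peer(before, '10.0.0.1') is not None,
        'before_internet': select_peer(before, '203.0.113.10') is not None,
        'after_internet': select_peer(after, '203.0.113.10') is not None,
        'droplet_before_missing': lint_exit_node(parse_wg_conf(DROPLET_BEFORE), 'eth0'),
        'droplet_after_missing': lint_exit_node(parse_wg_conf(DROPLET_AFTER), 'eth0'),
    }


if __name__ == '__main__':
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two caveats the thread does not spell out: on OpenWrt, `allowed_ips '0.0.0.0/0'` combined with `option route_allowed_ips '1'` would install a default route through the tunnel for every client, which is what briefly lowered the WAF here, so leave that off and keep steering clients with policy routing; and the PostUp rules on the droplet only permit forwarding, so `net.ipv4.ip_forward=1` must also be set in sysctl or the LAN packets will still be dropped.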
