Wireguard, firewall routing

Hello!
Please help me configure router.

When WireGuard is turned on, everything works well, but after turning off the WG interface nothing works: even the router itself cannot ping the outside world.

Is it possible to make a rule so that while the wg0 interface is up, all traffic goes through wg0 (even if there is no connection to the server), but when the interface is stopped (manually), traffic goes out via the WAN (PPPoE)?

Thank you very much!

System

        "kernel": "5.15.137",
        "hostname": 
        "system": "Intel(R) N100",
        "model": "QEMU Standard PC (i440FX + PIIX, 1996)",
        "board_name": "qemu-standard-pc-i440fx-piix-1996",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.1",
                "revision": "r23619-101988c61a",
                "target": "x86/64",
                "description": "OpenWrt 23.05.1 r23619-101988c61a"

Network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd1e:a810:cba7::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        option macaddr 'F8
        list ports 'eth2'
        list ports 'eth3'
        list ports 'eth4'
        list ports 'eth5'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ip6assign '60'
        list ipaddr '192.168.50.3/24'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

config interface 'wg0'
        option proto 'wireguard'
        option private_key '
        list addresses '10.7.0.2/24'
        list dns '8.8.8.8'
        list dns '8.8.4.4'
        option mtu '1420'

config wireguard_wg0
        option description 
        option public_key 
        list allowed_ips '0.0.0.0/0'
        option route_allowed_ips '1'
        option endpoint_host 
        option endpoint_port '54650'
        option private_key 
        option preshared_key 

config interface 'RT'
        option proto 'pppoe'
        option device 'eth1'
        option force_link '1'
        option username 
        option password 
        option ipv6 '0'
        option mtu '

config device
        option name 'eth0

dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '1'
        option limit '255'
        option leasetime '24h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option mtu_fix '1'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'RT'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'wg0'
        option masq '1'

config forwarding
        option src 'lan'
        option dest 'vpn'

You've got several issues...

Starting here:

This version had a major bug (don't remember the nature of it), so it was never officially announced. You should upgrade to 23.05.3.

Next, your DHCP server is invalid:

The valid range of addresses in a /24 is the .1 - .254 addresses. Further, it is very important that the router's IP address is not within the DHCP pool.

Since your router's IP address is .3, you need to make sure that the start position is >= 4. Then, the limit is the number of addresses available (not the end position). Therefore, to determine the ending address, the calculation is start + limit - 1. With this in mind, your limit value must ensure that the ending address is <= 254. So, start = 4 and limit = 251 would work, or anything that satisfies the equation.

Fix those things, then try again. If things don't work, show us the output of

wg show

You have removed

If you put that back you will have internet if the vpn is disabled.


Thanks for answers!

I needed to upgrade the wg package, but that is done and wg is working fine.

Thanks, I fixed the limit; moving the start past .3 is not done yet (the WRT is the gateway for Proxmox, and that gave me a lot of problems), especially since .1-.3 are static. It seems this shouldn't cause a problem?

Still doesn't work without VPN :frowning:

When wg0 start:

interface: wg0
  public key: 
  private key: (hidden)
  listening port: 47834
peer: 
  preshared key: 
  endpoint: 
  allowed ips: 0.0.0.0/0
  latest handshake: 25 seconds ago
  transfer: 148.10 KiB received, 142.45 KiB sent

When wg0 is stopped: nothing is returned.

Thanks for answers!

I have 2 config forwarding in firewall:

config forwarding
        option src 'lan'
        option dest 'wan'
config forwarding
        option src 'lan'
        option dest 'vpn'

Need to add a 3rd one?

That should be enough; if you disable WG you have to reboot the router or run service network restart.

If that resolves your problem and you frequently enable/disable WG, you can use 0.0.0.0/1 and 128.0.0.0/1 as Allowed IPs instead of 0.0.0.0/0. This preserves the WAN default route: the two /1 routes are more specific than the /0 default, so they take precedence while wg0 is up and simply disappear when it is stopped, which means you do not need to restart the network or reboot the router (another way is working with metrics).


Hello. Thanks for the answer.

Right now the WG interface comes up when the router boots (this needs to stay that way), and a network service restart also restarts wg0.

In my case, WG is connected 99+% of the time, but if it drops I need to quickly (often from my phone) connect to the OWRT and switch to working without the WG.
How can this be done manually (without editing configurations), with the original state restored by rebooting the router?
Or by automation: when the wg0 interface is stopped, the route changes to bypass the WG until the next reboot?
Thank you!!

My WireGuard also stops once in a while. I use several WG tunnels; if one tunnel is down, the next one is started automatically (it takes about 20 seconds).

I use a script for that see: https://github.com/egc112/OpenWRT-egc-add-on/tree/main/wireguard-watchdog

But you can also look into watchcat


Hi, thanks for answer.

It looks very cool, but unfortunately in my country WG is easily blocked for any reason.
It's a pity WG doesn't support obfuscation.

Forgive my carelessness, I had not restarted the interface after adding 0.0.0.0/1 and 128.0.0.0/1 to the WG peer's Allowed IPs.
It works exactly as needed: if the connection over wg0 is lost, traffic does not go outside; when the interface is stopped, it is bypassed.
Thank you!


There is obfuscation for WireGuard, but it needs to be run on both sides, and as far as I know there is no commercial provider supporting it.

There is another third-party firmware which has it incorporated as standard, and I used that to set up an obfuscated WG between two routers supporting it.

I use this for obfuscation between two OpenWRT routers (it is the same as used by said third-party firmware):

But also promising:
