I'm having some issues getting two OpenWrt devices communicating over WireGuard. One is my home router and the other is an rpi3 with OpenWrt installed that I intend to use as a travel router. I want to be able to access home network resources while away in a hotel.
My home router seems to be working fine. I have loaded the peer config onto other devices such as a laptop or an Android phone. I can get on and access network resources no problem. However, when I configure the rpi, I get a handshake every few minutes and nothing else. I've tried forcing all traffic through the WireGuard interface to check for connectivity, but nothing gets out to the internet or to network resources. I have a feeling that the issue lies with how my rpi is routing the traffic, because I can use an identical configuration on my phone and it works great.
Pertinent parts of /etc/config/network on "client" device (rpi)
I'll remove the 192.168.100.0/24 for now. Ultimately, I just want to direct traffic going to my home LAN to go through the tunnel, though.
Sure thing. Important parts of /etc/config/network
config interface 'WG0'
    option proto 'wireguard'
    option private_key 'REMOVED'
    option listen_port '51820'
    list addresses '192.168.100.1/24'
    option peerdns '0'
    list dns '192.168.1.224'
    option mtu '1420'

config wireguard_WG0
    option description 'Travel Router'
    option public_key 'REMOVED'
    option private_key 'REMOVED'
    option persistent_keepalive '25'
    list allowed_ips '192.168.100.3/32'
    option route_allowed_ips '1'
And /etc/config/firewall. On here I have the WG0 interface in the LAN zone, which seems to work with my other devices. I also have a few other tunnels that are either configured and disabled for now, or are OpenVPN tunnels to a paid VPN I use.
config defaults
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option synflood_protect '1'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    list network 'WG0'
    list network 'lan'

config zone
    option name 'wan'
    list network 'wan'
    list network 'wan6'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

config forwarding
    option src 'lan'
    option dest 'wan'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-IPSec-ESP'
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option name 'Allow-ISAKMP'
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

config zone
    option name 'tun0'
    option output 'ACCEPT'
    option forward 'REJECT'
    list network 'tun0'
    option input 'REJECT'
    option masq '1'

config forwarding
    option src 'lan'
    option dest 'tun0'

config rule
    option name 'WG0'
    option src 'wan'
    option target 'ACCEPT'
    list proto 'udp'
    option dest_port '51820'

config redirect
    option dest 'lan'
    option target 'DNAT'
    option name 'Reverse Proxy80'
    option src 'wan'
    option src_dport '80'
    option dest_ip 'REMOVED'
    option dest_port '10583'

config redirect
    option dest 'lan'
    option target 'DNAT'
    option name 'Reverse Proxy 443'
    option src 'wan'
    option src_dport '443'
    option dest_ip 'REMOVED'
    option dest_port '10584'
Yes, it is allowed. It is not recommended, but it is allowed. All lowercase is recommended, but mixed case and all upper case are also allowed.
Since the system is case sensitive, it is critical that all related entries use the same case. So in this case, the firewall must have 'WG0' ('Wg0', 'wg0' or 'wG0' would not work).
And, although not relevant in a wireguard/VPN network interface, the same is true for the DHCP server config and the wireless network associations -- case must be the same as it is in the network config file.
NOTE: LuCI displays the network names in all upper case in most (but not all) of the views. This is an annoying thing about the rendering, because it obfuscates the actual case of the interface name, which can lead to human errors. But if you use LuCI to associate the network with a DHCP server, firewall zone, or wifi SSID, it is consistent.
This was it. I thought I had that on both but apparently, I didn't. Thanks for the help! Now, I just have to mess with it to only route 192.168.1.0/24 through the tunnel but I think I can handle that.
I just noticed that you're missing this on the travel router side (should be in the peer config stanza)
option route_allowed_ips '1'
Why did the tunnel work fine for other devices if I was using the same configuration, though? Is it just the fact that this is a router and all the connected clients need to have routes while on a phone or laptop it's just directly connected to the tunnel?
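Both points raised in the replies above, the case-sensitive link between the interface name in /etc/config/network and the `list network` entries in /etc/config/firewall, and a peer stanza that lacks `route_allowed_ips '1'`, can be checked mechanically before rebooting anything. The script below is an added example and is not code from this thread or from OpenWrt; it parses the two UCI files with awk and runs against constructed sample files that reproduce the 'WG0' versus 'wg0' mistake and a peer stanza with no route option. The function names and the sample contents are mine.

```shell
#!/bin/sh
# Added example, not from the thread: offline consistency checks for OpenWrt UCI
# config files. The sample files written below are constructed for the demo; the
# two check functions can be pointed at the real /etc/config/network and
# /etc/config/firewall instead.
set -u

# check_zone_networks NETWORK_FILE FIREWALL_FILE
# For every "list network 'X'" in the firewall file print one line:
#   OK X       - a "config interface 'X'" exists with exactly this case
#   CASE X ... - only a case-insensitive match exists (UCI will NOT link them)
#   MISSING X  - no interface of that name at all
check_zone_networks() {
    awk -v q="'" '
        FNR == NR {                       # first file: network config
            if ($1 == "config" && $2 == "interface") {
                n = $3; gsub(q, "", n)
                iface[n] = 1; byfold[tolower(n)] = n
            }
            next
        }
        $1 == "list" && $2 == "network" { # second file: firewall zones
            n = $3; gsub(q, "", n)
            if (n in iface)                print "OK", n
            else if (tolower(n) in byfold) print "CASE", n, "(network config has " byfold[tolower(n)] ")"
            else                           print "MISSING", n
        }
    ' "$1" "$2"
}

# check_wg_peers NETWORK_FILE
# For each "config wireguard_<iface>" peer stanza print ROUTED or NOROUTE, the
# interface it belongs to and its allowed_ips. route_allowed_ips defaults to 0
# in OpenWrt, so without it netifd installs no route for allowed_ips and LAN
# clients behind the router are never sent into the tunnel.
check_wg_peers() {
    awk -v q="'" '
        function emit() {
            if (peer != "") print (routed ? "ROUTED" : "NOROUTE"), peer, "allowed_ips=" ips
        }
        $1 == "config" {
            emit(); peer = ""; routed = 0; ips = ""
            if ($2 ~ /^wireguard_/) peer = substr($2, 11)   # strip "wireguard_"
        }
        peer != "" && $1 == "option" && $2 == "route_allowed_ips" {
            v = $3; gsub(q, "", v); routed = (v == "1")
        }
        peer != "" && $1 == "list" && $2 == "allowed_ips" {
            v = $3; gsub(q, "", v); ips = ips (ips == "" ? "" : ",") v
        }
        END { emit() }
    ' "$1"
}

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
NET_SAMPLE="$SAMPLE_DIR/network"
FW_SAMPLE="$SAMPLE_DIR/firewall"

# Constructed sample: interface 'WG0' in mixed case, peer without route_allowed_ips.
cat > "$NET_SAMPLE" <<'EOF'
config interface 'lan'
    option proto 'static'

config interface 'wan'
    option proto 'dhcp'

config interface 'WG0'
    option proto 'wireguard'
    option private_key 'REMOVED'
    option listen_port '51820'
    list addresses '192.168.100.1/24'

config wireguard_WG0
    option description 'Travel Router'
    option public_key 'REMOVED'
    option persistent_keepalive '25'
    list allowed_ips '192.168.100.3/32'
EOF

# Constructed sample: lan zone references 'wg0' in lower case; 'wan6' is never defined above.
cat > "$FW_SAMPLE" <<'EOF'
config zone
    option name 'lan'
    option forward 'ACCEPT'
    list network 'wg0'
    list network 'lan'

config zone
    option name 'wan'
    list network 'wan'
    list network 'wan6'
    option masq '1'
EOF

echo "== firewall zone networks vs network interfaces =="
check_zone_networks "$NET_SAMPLE" "$FW_SAMPLE"
echo "== wireguard peer stanzas =="
check_wg_peers "$NET_SAMPLE"
```

On a real box, `check_zone_networks /etc/config/network /etc/config/firewall` lists every zone membership that does not resolve, and a `CASE` line is exactly the symptom described above: the zone looks populated in LuCI, but the firewall never attaches the WireGuard interface, so the handshake completes over the wan rule while forwarded traffic is dropped. A `NOROUTE` line from `check_wg_peers` is the second thing to look for when a phone with the same keys works but a router does not.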
Yeah, this is killing me. I noticed it for the first time in the last few days. Before I noticed that it was happening, I thought I was going crazy. I usually type in interface names as well as most configuration items in Linux all in lower case for this reason. When I saw them in upper case, I couldn't understand why I did that. I probably thought to try making sure I was using upper case to see if that was what was doing it.
Thankfully, I was using the dropdowns to specify everything so it was still grabbing the right names.
From what I'm reading from start to solve: You were able to connect from phone to
...and that had the
... configured correctly.
Once you made that and the other suggested changes to your rpi, magic occurred, and confusion, bewilderment and excitement made you second-guess which one was broken to begin with.