I am looking for a good way for remote access to my OpenWRT router (Fritzbox4020).
So far I use Raspi4 (RaspiOS) as a server, I connect to it using remote.it over vnc viewer: then I can look at GUI of OpenWRT, switch, other APs etc inside of it. It's easy, but not very comfortable, so I am looking for a better option. I am trying out wireguard now.
I installed wireguard server on FB 4020 (for now behind another router). Then I installed wireguard client on win8.1 on Virtualbox on my Macbook Pro (mid 2012): my MacOS is 10.12.6, which is too old to install wireguard directly.
Now, wiki for openwrt and tutorial for win wireguard was clear enough and I thought I did it right, I get a green light "active" for wireguard on win, but handshaking is not completing. I've read somewhere that it has some incompatibility with VDSL: I have vdsl100 from Deutsche Telekom. But may be I did something wrong. Or perhaps because of VirtualBox, or mwan3 ? (I just have one internet contract, but set up mwan3 failover just in case I might need it in future.)
Now, since I don't know what kind of things cause incomplete handshaking, I don't know where to look for errors. Could someone please tell me what can be wrong ?
Besides, now I am not very sure if wireguard is indeed a good choice for me:
Suppose I'm in a place where all the internet connection is over another VPN (e.g. at a Univerisity). Can I still access to my router using wireguard from there? (Remote.it works regardless of it. This is very important for me.)
Suppose I get on the guest-wifi of my home network, where access to the device is dropped by firewall rule. Can I access to the router using wireguard? (less important)
There are so many potential variables... but let's start with your OpenWrt configuration and the other peer (i.e. the Win guest host in VB) config.
Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
cat /etc/config/network
cat /etc/config/firewall
Then post your WG config from win 8.1.
Finally, please draw up a quick diagram of your physical network topology, labeled with the IP addresses of the devices so that it is clear what is going on.
Thank you both for your replies! @ulmwind: no I haven't configured any port forwarding: it wasn't written in wiki or tutorial... and with log, I'm not sure, I think I wasn't seeing anything on FB4020 log. I guess you mean that the router before FB4020 blocked the access?
Now I'm going to paste network and firewall: note that FB4020 is not in production. I have set up several vlans/zones, but they aren't in use yet. The relevant part of the current topology is
Modem (speedport entry 2) --- Raspi4(openWRT) eth0.16:192.168.1.1/24 ---
WAN:Fritzbox4020(openwrt):LAN various subnets (I'm using 192.168.2.1/24 right now)
Raspi4 is my production system and got a few subnets, but they are not relevant to FB4020. FB4020 is expected to play a similar role as Raspi4 in future elsewhere, except that I plan to use ISP router there, instead of modem.
/etc/config/network:
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd7b:8e0b:fa87::/48'
config device
option name 'eth1'
option macaddr '44:4E:6D:0F:xx:xx'
config interface 'wan'
option device 'eth1'
option proto 'dhcp'
option peerdns '0'
list dns '8.8.8.8'
list dns '8.8.4.4'
list dns '208.67.222.123'
list dns '208.67.220.123'
option metric '10'
config interface 'wan6'
option device 'eth1'
option proto 'dhcpv6'
config device
option name 'br-lan'
option type 'bridge'
option ipv6 '0'
list ports 'eth0.1'
config device
option name 'eth0.1'
option macaddr '44:4E:6D:0F:xx:xx'
config interface 'lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option type 'bridge'
option device 'br-16'
option ipaddr '192.168.10.1'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option vid '1'
option ports '0t'
config interface 'guest'
option proto 'static'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'
option type 'bridge'
option device 'br-11'
list dns '208.67.222.222'
list dns '208.67.220.220'
config interface 'resident'
option proto 'static'
option ipaddr '192.168.3.1'
option netmask '255.255.255.0'
option type 'bridge'
option device 'br-15'
list dns '208.67.222.222'
list dns '208.67.222.220'
config device
option type 'bridge'
option name 'br-guest'
list ports 'eth0.11'
option ipv6 '0'
config device
option type 'bridge'
option name 'br-16'
list ports 'eth0.16'
config switch_vlan
option device 'switch0'
option vlan '6'
option vid '16'
option ports '0t 1 4'
config device
option type 'bridge'
option name 'br-11'
list ports 'eth0.11'
option ipv6 '0'
config switch_vlan
option device 'switch0'
option vlan '7'
option vid '11'
option ports '0t'
config device
option type 'bridge'
option name 'br-15'
list ports 'eth0.15'
config switch_vlan
option device 'switch0'
option vlan '8'
option vid '15'
option ports '0t'
config interface 'vlan12'
option proto 'static'
option ipaddr '192.168.4.1'
option netmask '255.255.255.0'
option type 'bridge'
option device 'br-12'
list dns '208.67.222.222'
list dns '208.67.222.220'
config device
option type 'bridge'
option name 'br-12'
list ports 'eth0.12'
config switch_vlan
option device 'switch0'
option vlan '9'
option vid '12'
option ports '0t 3'
config interface 'WANb'
option proto 'dhcp'
option device 'eth0.7'
option metric '20'
config switch_vlan
option device 'switch0'
option vlan '10'
option ports '0t 2'
option vid '7'
config interface 'vpn'
option proto 'wireguard'
option listen_port '51820'
list addresses '192.168.9.1/24'
list addresses 'fdf1:e8a1:8d3f:9::1/64'
option private_key 'MB5yqf3Z7U/mDyJdURrGdpWURwKUae3bpxxxxxx'
config wireguard_vpn 'wgclient'
list allowed_ips '192.168.9.2/32'
list allowed_ips 'fdf1:e8a1:8d3f:9::2/128'
option public_key 'WDG1WvM2kstCvNSS4RvfWXVXmf5DrJ/jqPGxxxxxxx'
/etc/config/firewall:
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'guest'
list network 'vlan12'
list network 'vpn'
config zone 'wan'
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
list network 'WANb'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'IPv6 device block'
option family 'ipv6'
option src '*'
option target 'DROP'
list proto 'all'
config rule
option name 'IPv6 forward drop'
option family 'ipv6'
list proto 'all'
option src '*'
option dest '*'
option target 'DROP'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled '0'
config include
option path '/etc/firewall.user'
config zone
option name 'guest'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'resident'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'resident'
config rule
option name 'guest DNS DHCP'
option src 'guest'
option dest_port '53 67 68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'resident DHCP DNS'
option src 'resident'
option dest_port '53 67 68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'guest forward block'
list proto 'all'
option src 'guest'
option dest '*'
list dest_ip '192.168.0.0/16'
option target 'DROP'
config rule
option name 'resident forward drop'
list proto 'all'
option src 'resident'
option dest '*'
list dest_ip '192.168.0.0/16'
option target 'DROP'
config include 'opennds'
option type 'script'
option path '/usr/lib/opennds/restart.sh'
config rule 'wg'
option name 'Allow-WireGuard'
option src 'wan'
option dest_port '51820'
option proto 'udp'
option target 'ACCEPT'
option family 'ipv4'
OK! It's quite large, but mostly not relevant: FB4020 attached to UAP pro (to the secondary jack) is the router with Wireguard server. It's just there for now so that I can configure it. I avoided 192.168.1.1 so that there will be no conflict with vlan16 (1.1/24) of Raspi-OpenWRT.
Is the internet coming in on the Speedport Modem? The IP address on that is a link-local address, so not valid for anything involving routing (although it could still be the admin interface for that device)? Is that device operating in a routing mode, or just a pure modem/bridge? If not the Speedport, what device is the primary router in the network? Is the Pi with OpenWrt (192.168.1.1) the device that is running your WG interface?
Internet is coming in on the speedport, and it's in a modem-mode. (TAE is the name of a telephone jack in Germany) This 169.254 address is irrelevant to the network, one has to connect the laptop on the second port and give it a static address to access to the modem. It doesn't get an IP from DHCP of the router.
The primary router is Raspi4 with OpenWRT, and the router I installed Wireguard server and want to access remotely is FB4020 attached to Unifi-AP Pro (from the second port: I don't have a spare switch right now). It's not playing any role here, it's just there so that I can install things and configure it. It's meant to be used in another building as the main router behind an ISP router,(double NAT) and do the same job as Raspi4 is doing here.
Now, this is the first time in my life setting "port forward", I want to make sure that I didn't do anything dangerous (i.e. opening up too much):
Incoming IPv4: TCP, UDP, ICMP
source zone: WAN
External port 51820
desination zone: lan
Internal IP address: 192.168.1.101 (the IP for FB given by Raspi DHCP)
Advanced settings: didn't do anything. (first I put for source IP address 192.168.9.2/32, then it didn't work!)
OK, please, give section from /etc/config/firewall file.
Are you going to run SEPARATE 'wg-server' on RPi? What is purpose of it, if you already have one 'wg-server'? Sorry, I have not understood your diagram properly.
@ulmwind
FB4020 is connected to Raspi4-OpenWRT only to be configured/installed/experimented for now. Once it's done, it will be used elsewhere, under another internet-contract.
But I'm still keeping FB4020 there for a while (or put another FB4020 to configure identically), I would like to setup wireguard on Raspi4 in a way that it will be compatible with wireguard on FB4020.
As for /etc/config/firewall do you mean this?
config redirect
option target 'DNAT'
option name 'Port forwarding '
option src 'wan'
option src_dport '51820'
option dest 'lan'
option dest_ip '192.168.1.101'
list proto 'tcp'
list proto 'udp'
list proto 'icmp'
OK ! Thanks! I wasn't sure about it (b/c I use GUI and ping once I'm there; ) I will take TCP and ICMP away.
Speaking of ICMP, is it possible to ping FB4020 from outside somehow, using the public IP and some kind of port forwarding on Raspi, so that I can tell from outside in case the connection between FB4020 and Raspi gets somehow broken? I would like to set up some kind of ping-monitor, if that's possible.
The reason you don't need TCP and ICMP (or anything else) is that all of the allowed traffic goes through a tunnel (regardless of the port/protocol), so pings go right through the tunnel.
Regarding your ping test... this really depends on from where and to where you are trying to test, and I'm not quite sure what you are aiming to test. Maybe a simplified diagram that shows where you would be testing from, the internet connection(s) involved, and how the tunnel connects the two locations would make it easier to understand your intent.
) I will take TCP and ICMP away.