Wireguard interface interfering other zones / DNS

Force of habit, I'm afraid. :smiley: I guess I'm showing my age...

OK, I hope I am making progress and learning with VPN and wireguard and openwrt.
Installing vpn-policy-routing and using the command uci set network.@wireguard_wg0[0].route_allowed_ips='0'
frees up my wan/lan/wifi2.

LuCI shows wan/eth0.2/192.168.0.1 set as default gateway. That's the gateway from my ISP router in my home network. So LAN and all devices connected / routed to wan work like a charm.

For testing and convenience I set up 3 wifi zones: the first (wifi1) routed to wg0, the second (wifi1a) and third (wifi2) to wan.
As wlan1/wifi2 is my open 5G wifi, it always routes to wan. wlan0 is / shall be my VPN wifi, so it is routed to wg0.
If I route it to my second zone it is open like wifi2. That is working. Thanx so far.

But if I try to set up the connection of wlan0/wifi1 to wg0, internet is blocked. VPN-Policy-Routing shows wg0/X.X.X.16 as gateway. That is the IP of my wg client; the wg server has 10.0.0.1. Under a full wireguard setup, I had to add a static route from X.X.X.16 to X.X.X.1 before it was working correctly. Now this is not working anymore, with or without a static route. I read https://forum.openwrt.org/t/solved-site-to-site-vpn-with-wireguard-and-openwrt/72764/21 but could not understand how to adapt this to my problem.

The wireguard server shows the connection, but no real traffic.

So I still hope to get further help.

Here is my network:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdb6:1936:f34c::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config device 'wan_eth0_2_dev'
	option name 'eth0.2'
	option macaddr '80:3f:5d:bc:fa:e4'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '3 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'

config interface 'wifi1'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'

config interface 'wifi1a'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.20.1'

config interface 'wifi2'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.30.1'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'XXX'
	list addresses 'X.X.X.16/32'

config wireguard_wg0
	option public_key 'yyyy'
	option endpoint_host 'yyy.yyy.de'
	option endpoint_port 'XXXXX'
	option persistent_keepalive '25'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'

and firewall

config defaults
   option input 'ACCEPT'
   option output 'ACCEPT'
   option forward 'REJECT'
   option synflood_protect '1'

config zone
   option name 'lan'
   option input 'ACCEPT'
   option output 'ACCEPT'
   option forward 'ACCEPT'
   list network 'lan'

config zone
   option name 'wifi1a'
   option input 'ACCEPT'
   option output 'ACCEPT'
   option forward 'REJECT'
   list network 'wifi1a'

config zone
   option name 'wifi2'
   option input 'ACCEPT'
   option output 'ACCEPT'
   option forward 'ACCEPT'
   list network 'wifi2'

config zone
   option name 'wan'
   option input 'REJECT'
   option output 'ACCEPT'
   option forward 'REJECT'
   option masq '1'
   option mtu_fix '1'
   list network 'wan'
   list network 'wan6'

config forwarding
   option src 'lan'
   option dest 'wan'

config forwarding
   option src 'wifi1a'
   option dest 'wan'

config forwarding
   option src 'wifi2'
   option dest 'wan'

config rule
   option name 'Allow-DHCP-Renew'
   option src 'wan'
   option proto 'udp'
   option dest_port '68'
   option target 'ACCEPT'
   option family 'ipv4'

config rule
   option name 'Allow-Ping'
   option src 'wan'
   option proto 'icmp'
   option icmp_type 'echo-request'
   option family 'ipv4'
   option target 'ACCEPT'

config rule
   option name 'Allow-IGMP'
   option src 'wan'
   option proto 'igmp'
   option family 'ipv4'
   option target 'ACCEPT'

config rule
   option name 'Allow-DHCPv6'
   option src 'wan'
   option proto 'udp'
   option src_ip 'fc00::/6'
   option dest_ip 'fc00::/6'
   option dest_port '546'
   option family 'ipv6'
   option target 'ACCEPT'

config rule
   option name 'Allow-MLD'
   option src 'wan'
   option proto 'icmp'
   option src_ip 'fe80::/10'
   list icmp_type '130/0'
   list icmp_type '131/0'
   list icmp_type '132/0'
   list icmp_type '143/0'
   option family 'ipv6'
   option target 'ACCEPT'

config rule
   option name 'Allow-ICMPv6-Input'
   option src 'wan'
   option proto 'icmp'
   list icmp_type 'echo-request'
   list icmp_type 'echo-reply'
   list icmp_type 'destination-unreachable'
   list icmp_type 'packet-too-big'
   list icmp_type 'time-exceeded'
   list icmp_type 'bad-header'
   list icmp_type 'unknown-header-type'
   list icmp_type 'router-solicitation'
   list icmp_type 'neighbour-solicitation'
   list icmp_type 'router-advertisement'
   list icmp_type 'neighbour-advertisement'
   option limit '1000/sec'
   option family 'ipv6'
   option target 'ACCEPT'

config rule
   option name 'Allow-ICMPv6-Forward'
   option src 'wan'
   option dest '*'
   option proto 'icmp'
   list icmp_type 'echo-request'
   list icmp_type 'echo-reply'
   list icmp_type 'destination-unreachable'
   list icmp_type 'packet-too-big'
   list icmp_type 'time-exceeded'
   list icmp_type 'bad-header'
   list icmp_type 'unknown-header-type'
   option limit '1000/sec'
   option family 'ipv6'
   option target 'ACCEPT'

config rule
   option name 'Allow-IPSec-ESP'
   option src 'wan'
   option dest 'lan'
   option proto 'esp'
   option target 'ACCEPT'

config rule
   option name 'Allow-ISAKMP'
   option src 'wan'
   option dest 'lan'
   option dest_port '500'
   option proto 'udp'
   option target 'ACCEPT'

config rule
   option name 'Support-UDP-Traceroute'
   option src 'wan'
   option dest_port '33434:33689'
   option proto 'udp'
   option family 'ipv4'
   option target 'REJECT'
   option enabled '0'

config include
   option path '/etc/firewall.user'

config rule
   option dest_port '80'
   option src 'wan'
   option name 'Allow-Web-WAN'
   option target 'ACCEPT'

config rule
   option dest_port '443'
   option src 'wan'
   option name 'Allow-SSL-WAN'
   option target 'ACCEPT'

config rule
   option dest_port '22'
   option src 'wan'
   option name 'Allow-SSH-WAN'
   option target 'ACCEPT'

config zone
   option name 'wifi1'
   option input 'ACCEPT'
   option output 'ACCEPT'
   option forward 'ACCEPT'
   list network 'wifi1'

config zone
   option name 'wg0'
   option input 'REJECT'
   option output 'ACCEPT'
   option forward 'REJECT'
   list network 'wg0'

config forwarding
   option src 'wifi1'
   option dest 'wg0'

Regards,

Mario

Set up VPN-PBR as described here, replacing the VPN interface name and the LAN subnet:
Vpn client on seperate wifi network, no vpn on the other - #6 by vgaetera

I tried

uci set vpn-policy-routing.config.enabled="1"
uci -q delete vpn-policy-routing.config.dest_ipset
uci -q delete vpn-policy-routing.lan_vpn
uci set vpn-policy-routing.lan_vpn="policy"
uci set vpn-policy-routing.lan_vpn.src_addr="192.168.0.1/24"
uci set vpn-policy-routing.lan_vpn.dest_addr="!192.168.0.1/24"
uci set vpn-policy-routing.lan_vpn.interface="wg0"
uci commit vpn-policy-routing
/etc/init.d/vpn-policy-routing restart

But no success / change. Normal wifi is working, vpn wifi is establishing the tunnel but no internet.
Do I have to change any other settings as well?

Regards,

Mario

If the issue persists, collect the diagnostics and post it to pastebin.com redacting the private parts:

ubus call system board; uci show network; uci show firewall; uci show dhcp; \
uci show vpn-policy-routing; /etc/init.d/vpn-policy-routing support; wg show; \
ip address show; ip route show table all; ip rule show; iptables-save; \
head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*

Here you are and thanx in advance for helping:

https://pastebin.com/YtWkfAmg

Regards,

Mario

uci set network.wifi1.type="bridge"
uci set network.wifi2.type="bridge"
uci set network.wifi1a.type="bridge"
uci commit network
/etc/init.d/network restart

uci set firewall.@zone[5].masq="1"
uci set firewall.@zone[5].mtu_fix="1"
uci commit firewall
/etc/init.d/firewall restart

uci set vpn-policy-routing.lan_vpn.src_addr="192.168.10.0/24"
uci set vpn-policy-routing.lan_vpn.dest_addr="!192.168.10.0/24"
uci commit vpn-policy-routing
/etc/init.d/vpn-policy-routing restart

Thanx for the suggestion and help. I did it as described but it looks like a step back. wifi2 - the free wifi - doesn't allow any connections anymore and wifi1 - set as wireguard tunnel - connects but doesn't allow any internet traffic.

I posted another pastebin with the above commands here: https://pastebin.com/qwsYtvVw

May I also ask for a favor: I would appreciate any explanation for the changes to better understand why each change is necessary and maybe how to identify the error (and to avoid the need for help next time, as I (and other readers) hopefully understand the problems better).

But the response times and quality of support here are awesome!!

Regards,

Mario

Weird, perhaps it's related to some hardware-specific wireless issues.
Try to disable extra Wi-Fi interfaces/SSIDs, save the changes and restart the router.
Test Wi-Fi interfaces separately, only enabling one at a time.

This can help in some cases:

uci set dhcp.lan.force="1"
uci set dhcp.wifi1.force="1"
uci set dhcp.wifi2.force="1"
uci set dhcp.wifi1a.force="1"
uci commit dhcp
/etc/init.d/dnsmasq restart

Are you connecting to your own VPN server, or a commercial VPN provider?

  • Bridging is the recommended method to attach a wireless interface to a network.
  • Masquerading helps to resolve routing issues.
  • Routing policy should be applied to the source subnet.
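Those three points can be checked mechanically. The script below is an added example (not from this thread, not from OpenWrt or vpn-policy-routing): it reads a constructed `uci show` excerpt that mirrors the client router before the fixes above were applied and reports which of the three conditions the configuration fails; the section indices and the `lan_vpn` policy name are assumptions taken from the commands posted in this thread.

```shell
# Constructed `uci show` excerpt for the client router of this thread, in the state
# before the three fixes were applied. Not real device output; indices are assumed.
sample_uci() {
cat <<'EOF'
network.wifi1=interface
network.wifi1.proto='static'
network.wifi1.ipaddr='192.168.10.1'
network.wifi1.netmask='255.255.255.0'
network.wg0=interface
firewall.@zone[5]=zone
firewall.@zone[5].name='wg0'
firewall.@zone[5].network='wg0'
firewall.@forwarding[3]=forwarding
firewall.@forwarding[3].src='wifi1'
firewall.@forwarding[3].dest='wg0'
vpn-policy-routing.lan_vpn=policy
vpn-policy-routing.lan_vpn.src_addr='192.168.0.1/24'
vpn-policy-routing.lan_vpn.interface='wg0'
EOF
}

# uci_get KEY: print the unquoted value of exactly KEY, or nothing if it is absent.
uci_get() {
  sample_uci | awk -F= -v k="$1" -v q="'" '$1 == k { v = substr($0, length(k) + 2); gsub(q, "", v); print v }'
}
# zone_section NAME: map a zone name to its anonymous section, e.g. firewall.@zone[5].
zone_section() {
  sample_uci | awk -F= -v n="'$1'" '$1 ~ /^firewall\.@zone\[[0-9]+]\.name$/ && $2 == n { sub(/\.name$/, "", $1); print $1 }'
}
# zone_masq NAME: 1 if the zone masquerades, else 0 (the UCI default when unset).
zone_masq() { v=$(uci_get "$(zone_section "$1").masq"); echo "${v:-0}"; }
# has_forwarding SRC DEST: succeed when a firewall forwarding section SRC -> DEST exists.
has_forwarding() {
  sample_uci | awk -F= -v s="'$1'" -v d="'$2'" '
    $1 ~ /^firewall\.@forwarding\[[0-9]+]\.src$/  && $2 == s { sub(/\.src$/,  "", $1); src[$1] = 1 }
    $1 ~ /^firewall\.@forwarding\[[0-9]+]\.dest$/ && $2 == d { sub(/\.dest$/, "", $1); dst[$1] = 1 }
    END { for (k in src) if (k in dst) exit 0; exit 1 }'
}
# iface_subnet IFACE: derive the network in CIDR form from the interface's ipaddr and netmask.
iface_subnet() (
  ip=$(uci_get "network.$1.ipaddr"); mask=$(uci_get "network.$1.netmask")
  IFS=.; set -- $ip; a1=$1 a2=$2 a3=$3 a4=$4; set -- $mask
  bits=0
  for o in "$@"; do while [ "$o" -gt 0 ]; do bits=$((bits + (o & 1))); o=$((o >> 1)); done; done
  echo "$((a1 & $1)).$((a2 & $2)).$((a3 & $3)).$((a4 & $4))/$bits"
)

# audit_client: print one line per point from the list above that the sample fails.
audit_client() {
  vpn_if=$(uci_get vpn-policy-routing.lan_vpn.interface)
  want=$(iface_subnet wifi1); got=$(uci_get vpn-policy-routing.lan_vpn.src_addr)
  [ "$got" = "$want" ] || echo "PBR src_addr is $got but the source subnet of wifi1 is $want"
  [ "$(uci_get network.wifi1.type)" = bridge ] || echo "wifi1 has no type=bridge, so the SSID is not attached by bridging"
  [ "$(zone_masq "$vpn_if")" = 1 ] || echo "zone $vpn_if does not masquerade (masq=0)"
  has_forwarding wifi1 "$vpn_if" || echo "no forwarding wifi1 -> $vpn_if"
  return 0
}
audit_client
```

On a real router, replace `sample_uci` with `uci show network; uci show firewall; uci show vpn-policy-routing` and the same checks apply.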

After letting my device rest for some hours it's working normally now. If no device was connected for some hours, it takes some time before the internet is available after connecting. I will have a look.

It's my private server within my home network. Access over DynDNS provider and forwarded ports on my ISP router.

What else to tell:

After establishing the vpn routing:

PBR showed an error with the wireguard gateway X.X.X.16 (I'm still uncertain: shouldn't it be the X.X.X.1 address from the wireguard server subnet?). After disabling the routing policy, the error disappeared, but nevertheless the internet was not accessible all the time with the wireguard wifi network.

Regards,

Mario

Then we should also check the server side, post to pastebin.com redacting the private parts:

ip address show; ip route show table all; ip rule show; \
sudo wg show; sudo iptables-save; sudo nft list ruleset; \
sysctl net 2> /dev/null | grep -e forward

Make sure to apply these workarounds on the client side:

I will give it a try. Will take some time as we renew parts of our flat.
Best you can do with COVID lockdown :wink:

Here we are:

https://pastebin.com/H85dMvku

Add 1: Handshake worked
Add 2: Using my S10 (not parallel to the openwrt device we are talking about) with the wireguard app is working with the same credentials perfectly.

Regards

Mario

Disable the WG zone masquerading on both client and server.
Add the client side subnet to the peer's allowed IPs on the server.
Temporarily disable MWAN, PBR and GL.iNet-specific firewall scripts on the server.
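The second step is easy to get wrong when the server has several peers, so here is an added check (not from this thread and not OpenWrt code): it parses a constructed excerpt of a server-side /etc/config/network in the format OpenWrt uses and lists every wireguard_wg0 peer whose allowed_ips still lacks the client LAN subnet 192.168.10.0/24 from this thread. Peer names, public keys and the 10.10.0.0/24 tunnel addresses are placeholders.

```shell
# Constructed server-side /etc/config/network excerpt in OpenWrt's UCI file format.
# Peer names and keys are placeholders, not real values from the thread.
server_network() {
cat <<'EOF'
config interface 'wg0'
	option proto 'wireguard'
	option listen_port '51820'
	list addresses '10.10.0.1/24'

config wireguard_wg0
	option description 'Client1'
	option public_key 'PLACEHOLDER_PUBKEY_1'
	list allowed_ips '10.10.0.2/32'
	option route_allowed_ips '1'

config wireguard_wg0
	option description 'Client2'
	option public_key 'PLACEHOLDER_PUBKEY_2'
	list allowed_ips '10.10.0.3/32'
	list allowed_ips '192.168.10.0/24'
	option route_allowed_ips '1'
EOF
}

# peers_missing_subnet SUBNET: print the description of each wireguard_wg0 peer whose
# allowed_ips does not list SUBNET. WireGuard's cryptokey routing only accepts decrypted
# packets whose source lies in the peer's allowed_ips and only sends to a peer whose
# allowed_ips cover the destination, so once masquerading is off the client's LAN must be
# listed here (route_allowed_ips=1 then also installs the matching kernel route).
peers_missing_subnet() {
  server_network | awk -v want="'$1'" -v q="'" '
    function finish_peer() { if (peer && !ok) print (name ? name : "(unnamed)"); peer = ok = 0; name = "" }
    /^config / { finish_peer(); peer = ($2 == "wireguard_wg0") }
    peer && $1 == "option" && $2 == "description" { name = $3; gsub(q, "", name) }
    peer && $1 == "list" && $2 == "allowed_ips" && $3 == want { ok = 1 }
    END { finish_peer() }'
}
peers_missing_subnet 192.168.10.0/24
```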

Disabling masquerading was easy - but no effect. Same for the subnet.
I am a bit reluctant to change the firewall script on the server.
As it is working with my mobile phone and laptop without any problem, the wrong setting must be on the client side of the wireguard settings in my openwrt travel router?
I am still struggling with the fact that a pure wireguard setting is working with a static rule from my peer IP X.X.X.16 to the wireguard server IP X.X.X.1. With PBR enabled, the wg standard gateway is X.X.X.16 and I cannot change this to X.X.X.1.

Looks as if we are stuck.

Currently this looks like a server side problem.
But it's a headache to troubleshoot GL.iNet devices. :sweat:
There's quite a lot of customization compared to the vanilla OpenWrt.
It's difficult to analyze and predict the possible implications.
Try to isolate the issue by redirecting all traffic from the client to the tunnel.

I will try to set up a vanilla openwrt device with a wg server in the next days.
Maybe we can then transfer the settings to the GL.iNet device.

Nevertheless, thanx for the support so far.

OK, here we are.
I have set up a plain vanilla openwrt device with a wireguard server - no other default configs changed. I added some peers, set up port forwarding to the device on my ISP router, and connecting my android S10 works fine.
(Just as a remark: during the install I got an error installing the pure wireguard package, but wireguard-tools etc. are working.)

Here are my settings (it's OK to see all wg credentials as I will set everything up anew afterwards ...)

network:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd11:4ffb:5b98::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config device 'wan_eth0_2_dev'
	option name 'eth0.2'
	option macaddr '80:3f:5d:9d:04:98'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '3 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'SEiMsidULbmm7JZkZAPRFwvi3vyMGrM48z0H+4VJzkM='
	option listen_port '51820'
	list addresses '10.10.0.1/24'

config wireguard_wg0
	option description 'Client1'
	option public_key 'IILT8BMCVjTsfV9JjXZsCZYXk4pKEgLw52s+6aljLUU='
	list allowed_ips '10.10.0.2/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	option endpoint_host 'xxx.xxx.de'
	option endpoint_port '51824'

config wireguard_wg0
	option description 'Client2'
	option public_key 'mGgJNJ9VgpVZkd3WXZgF6nDIz8JTH0PfRr1EGIuyXEA='
	list allowed_ips '10.10.0.3/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	option endpoint_host 'xxx.xxx.de'
	option endpoint_port '51824'

config wireguard_wg0
	option description 'Client3'
	option public_key 'uPdPL1NeJBC5QQbvaHkcrBk5anFMXeHi+5dDomjmiEU='
	list allowed_ips '10.10.0.4/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	option endpoint_host 'xxx.xxx.de'
	option endpoint_port '51824'

config wireguard_wg0
	option description 'Client4'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	list allowed_ips '10.10.0.5/32'
	option public_key 'fBFVwY5kbec0J/OV45IH44a3rcfaDs0lwWrgF3tg3R8='
	option endpoint_host 'xxx.xxx.de'
	option endpoint_port '51824'

config wireguard_wg0
	option description 'Client5'
	option public_key 'VjYTWhuJyg5tr4xPP3L5mwD94R75GuP8W7FpBvdOhhA='
	list allowed_ips '10.10.0.6/32'
	option persistent_keepalive '25'
	option route_allowed_ips '1'
	option endpoint_host 'xxx.xxx.de'
	option endpoint_port '51824'

firewall:

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wg0'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config rule
	option name 'Allow-Web-WAN'
	option src 'wan'
	option dest_port '80'
	option target 'ACCEPT'

config rule
	option name 'Allow-SSH-WAN'
	option src 'wan'
	option dest_port '22'
	option target 'ACCEPT'

config rule
	option name 'Allow-SSL-WAN'
	option src 'wan'
	option dest_port '443'
	option target 'ACCEPT'

config rule
	option src '*'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '51820'
	option name 'Allow-Wireguard-Inbound'

That was router B.

On my main router A I can establish the handshake to router B and get a refresh every 2 min.
But I have no traffic and cannot use the wireless connections to get to the internet. Same situation as with the wireguard router from GL.iNet described above. So given the settings of my one-time, temporary router above, how would my router A have to be configured so that one wifi goes directly to wan -> ISP router and the second one to router B via the wireguard tunnel and then to wan -> ISP router???

I highly appreciate any ideas.

Regards,

Mario

This part is missing:

Then check the diagnostics:

# Server
opkg update
opkg install tcpdump
tcpdump -evni any icmp

# Client
ping 10.10.0.1
ping host_in_server_lan