WireGuard interface interfering with other zones / DNS

https://docs.openwrt.melmac.net/vpn-policy-routing/#wireguard-tunnel

1 Like

A quick read of your configurations shows that you have a WireGuard interface configured to intercept and send all traffic (0.0.0.0/0) down the tunnel (wg0).

However, there don't appear to be corresponding firewall rules to permit the traffic to flow from the other zones, e.g. "lan", "wifi1", "wifi2", to the new "wg0" zone.

Remember that routing is "where do I send this traffic?" and firewalling is "is this traffic permitted?".

(On a separate note, you appear to have opened up your router's admin services - SSH, HTTP, HTTPS - to the Internet. Is that intentional, or an accident?)

2 Likes

Thanks for the hints and answers.

The easy info first: the router is behind an ISP router (Fritzbox). Without intentional port forwarding the router is not exposed to the internet. The setting is for easy remote access within the home network.

Neither lan, wifi1 nor wifi2 is forwarded to wg0; they go to wan instead. Does the WireGuard interface also intercept the whole traffic from the other interfaces? My intention was to send the traffic down the tunnel for the connected interfaces. By the way: if I connect wifi1 to wg0, that is working correctly with full internet access incl. DNS.

@vgaetera: I read the page but do not understand how to establish the right route. I tried to activate a route exclusively for wg0 but it's not working. Maybe that's because of the interception by the wg interface? A guide for my example would be extremely helpful, with additional explanation of why the setting has to be that way; for learning, that would be highly appreciated.

Regards,

Mario

uci set network.@wireguard_wg0[0].route_allowed_ips="0"
uci commit network
/etc/init.d/network restart
2 Likes

The actual interception happens in the kernel.

The kernel maintains a routing table which contains instructions for where to send traffic. Essentially, the kernel controls everything.

Other processes can hook into the kernel to modify the routing table. WireGuard is one such process. With your original configuration, WireGuard was telling the kernel "modify the routing table so that everything (0.0.0.0/0) goes via wg0".

From the OpenWrt command line, route -n will show you the routes known to the kernel. That may help you to see the internal logic behind the answer to the question "where do I send this?".

1 Like

Force of habit, I'm afraid. :smiley: I guess I'm showing my age...

1 Like

OK, I hope I am making progress and learning with VPN, WireGuard and OpenWrt.
Installing vpn-policy-routing and using the command uci set network.@wireguard_wg0[0].route_allowed_ips='0'
is freeing my wan/lan/wifi2.

LuCI shows
wan/eth0.2/192.168.0.1 set as default gateway. That's the gateway from my ISP router in my home network. So LAN and all devices connected / routed to wan work like a charm.

For testing and convenience I set up 3 wifi zones: the first (wifi1) routed to wg0, the second (wifi1a) and third (wifi2) to wan.
As wlan1/wifi2 is my open 5G wifi it always routes to wan. wlan0 is / shall be my VPN wifi, so it is routed to wg0.
If I route it to my second zone it is open like wifi2. That is working. Thanks so far.

But if I try to set up the connection of wlan0/wifi1 to wg0, internet is blocked. VPN-Policy-Routing shows wg0/X.X.X.16 as gateway. That is the IP of my wg client; the wg server has 10.0.0.1. Under a full WireGuard setup, I had to add a static route from X.X.X.16 to X.X.X.1 before it was working correctly. Now this is not working anymore, with or without the static route. I read https://forum.openwrt.org/t/solved-site-to-site-vpn-with-wireguard-and-openwrt/72764/21 but could not understand how to adapt this to my problem.

The WireGuard server shows the connection, but no real traffic.

So I still hope to get further help.

Here is my network:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdb6:1936:f34c::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config device 'wan_eth0_2_dev'
	option name 'eth0.2'
	option macaddr '80:3f:5d:bc:fa:e4'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '3 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'

config interface 'wifi1'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'

config interface 'wifi1a'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.20.1'

config interface 'wifi2'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.30.1'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'XXX'
	list addresses 'X.X.X.16/32'

config wireguard_wg0
	option public_key 'yyyy'
	option endpoint_host 'yyy.yyy.de'
	option endpoint_port 'XXXXX'
	option persistent_keepalive '25'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'

and firewall

config defaults
   option input 'ACCEPT'
   option output 'ACCEPT'
   option forward 'REJECT'
   option synflood_protect '1'

config zone
   option name 'lan'
   option input 'ACCEPT'
   option output 'ACCEPT'
   option forward 'ACCEPT'
   list network 'lan'

config zone
   option name 'wifi1a'
   option input 'ACCEPT'
   option output 'ACCEPT'
   option forward 'REJECT'
   list network 'wifi1a'

config zone
   option name 'wifi2'
   option input 'ACCEPT'
   option output 'ACCEPT'
   option forward 'ACCEPT'
   list network 'wifi2'

config zone
   option name 'wan'
   option input 'REJECT'
   option output 'ACCEPT'
   option forward 'REJECT'
   option masq '1'
   option mtu_fix '1'
   list network 'wan'
   list network 'wan6'

config forwarding
   option src 'lan'
   option dest 'wan'

config forwarding
   option src 'wifi1a'
   option dest 'wan'

config forwarding
   option src 'wifi2'
   option dest 'wan'

config rule
   option name 'Allow-DHCP-Renew'
   option src 'wan'
   option proto 'udp'
   option dest_port '68'
   option target 'ACCEPT'
   option family 'ipv4'

config rule
   option name 'Allow-Ping'
   option src 'wan'
   option proto 'icmp'
   option icmp_type 'echo-request'
   option family 'ipv4'
   option target 'ACCEPT'

config rule
   option name 'Allow-IGMP'
   option src 'wan'
   option proto 'igmp'
   option family 'ipv4'
   option target 'ACCEPT'

config rule
   option name 'Allow-DHCPv6'
   option src 'wan'
   option proto 'udp'
   option src_ip 'fc00::/6'
   option dest_ip 'fc00::/6'
   option dest_port '546'
   option family 'ipv6'
   option target 'ACCEPT'

config rule
   option name 'Allow-MLD'
   option src 'wan'
   option proto 'icmp'
   option src_ip 'fe80::/10'
   list icmp_type '130/0'
   list icmp_type '131/0'
   list icmp_type '132/0'
   list icmp_type '143/0'
   option family 'ipv6'
   option target 'ACCEPT'

config rule
   option name 'Allow-ICMPv6-Input'
   option src 'wan'
   option proto 'icmp'
   list icmp_type 'echo-request'
   list icmp_type 'echo-reply'
   list icmp_type 'destination-unreachable'
   list icmp_type 'packet-too-big'
   list icmp_type 'time-exceeded'
   list icmp_type 'bad-header'
   list icmp_type 'unknown-header-type'
   list icmp_type 'router-solicitation'
   list icmp_type 'neighbour-solicitation'
   list icmp_type 'router-advertisement'
   list icmp_type 'neighbour-advertisement'
   option limit '1000/sec'
   option family 'ipv6'
   option target 'ACCEPT'

config rule
   option name 'Allow-ICMPv6-Forward'
   option src 'wan'
   option dest '*'
   option proto 'icmp'
   list icmp_type 'echo-request'
   list icmp_type 'echo-reply'
   list icmp_type 'destination-unreachable'
   list icmp_type 'packet-too-big'
   list icmp_type 'time-exceeded'
   list icmp_type 'bad-header'
   list icmp_type 'unknown-header-type'
   option limit '1000/sec'
   option family 'ipv6'
   option target 'ACCEPT'

config rule
   option name 'Allow-IPSec-ESP'
   option src 'wan'
   option dest 'lan'
   option proto 'esp'
   option target 'ACCEPT'

config rule
   option name 'Allow-ISAKMP'
   option src 'wan'
   option dest 'lan'
   option dest_port '500'
   option proto 'udp'
   option target 'ACCEPT'

config rule
   option name 'Support-UDP-Traceroute'
   option src 'wan'
   option dest_port '33434:33689'
   option proto 'udp'
   option family 'ipv4'
   option target 'REJECT'
   option enabled '0'

config include
   option path '/etc/firewall.user'

config rule
   option dest_port '80'
   option src 'wan'
   option name 'Allow-Web-WAN'
   option target 'ACCEPT'

config rule
   option dest_port '443'
   option src 'wan'
   option name 'Allow-SSL-WAN'
   option target 'ACCEPT'

config rule
   option dest_port '22'
   option src 'wan'
   option name 'Allow-SSH-WAN'
   option target 'ACCEPT'

config zone
   option name 'wifi1'
   option input 'ACCEPT'
   option output 'ACCEPT'
   option forward 'ACCEPT'
   list network 'wifi1'

config zone
   option name 'wg0'
   option input 'REJECT'
   option output 'ACCEPT'
   option forward 'REJECT'
   list network 'wg0'

config forwarding
   option src 'wifi1'
   option dest 'wg0'

Regards,

Mario

Set up VPN-PBR as described here, replacing the VPN interface name and the LAN subnet:
Vpn client on seperate wifi network, no vpn on the other - #6 by vgaetera

2 Likes

I tried

uci set vpn-policy-routing.config.enabled="1"
uci -q delete vpn-policy-routing.config.dest_ipset
uci -q delete vpn-policy-routing.lan_vpn
uci set vpn-policy-routing.lan_vpn="policy"
uci set vpn-policy-routing.lan_vpn.src_addr="192.168.0.1/24"
uci set vpn-policy-routing.lan_vpn.dest_addr="!192.168.0.1/24"
uci set vpn-policy-routing.lan_vpn.interface="wg0"
uci commit vpn-policy-routing
/etc/init.d/vpn-policy-routing restart

But no success / change. Normal wifi is working, vpn wifi is establishing the tunnel but no internet.
Do I have to change any other settings as well?

Regards,

Mario

1 Like

If the issue persists, collect the diagnostics and post it to pastebin.com redacting the private parts:

ubus call system board; uci show network; uci show firewall; uci show dhcp; \
uci show vpn-policy-routing; /etc/init.d/vpn-policy-routing support; wg show; \
ip address show; ip route show table all; ip rule show; iptables-save; \
head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*

Here you are, and thanks in advance for helping:

https://pastebin.com/YtWkfAmg

Regards,

Mario

1 Like
uci set network.wifi1.type="bridge"
uci set network.wifi2.type="bridge"
uci set network.wifi1a.type="bridge"
uci commit network
/etc/init.d/network restart

uci set firewall.@zone[5].masq="1"
uci set firewall.@zone[5].mtu_fix="1"
uci commit firewall
/etc/init.d/firewall restart

uci set vpn-policy-routing.lan_vpn.src_addr="192.168.10.0/24"
uci set vpn-policy-routing.lan_vpn.dest_addr="!192.168.10.0/24"
uci commit vpn-policy-routing
/etc/init.d/vpn-policy-routing restart

Thanks for the suggestion and help. I did it as described, but it looks like a step back. wifi2 - the free wifi - doesn't allow any connections anymore, and wifi1 - set as WireGuard tunnel - connects but doesn't allow any internet traffic.

I posted another pastebin with the above commands here: https://pastebin.com/qwsYtvVw

May I also ask for a favor: I would appreciate an explanation for the changes, to better understand why each change is necessary and maybe how to identify the error (and to avoid the need for help next time, as I (and other readers) hopefully understand the problems better).

But the response times and quality of support here are awesome!!

Regards,

Mario

1 Like

Weird, perhaps it's related to some hardware-specific wireless issues.
Try to disable extra Wi-Fi interfaces/SSIDs, save the changes and restart the router.
Test Wi-Fi interfaces separately, only enabling one at a time.

This can help in some cases:

uci set dhcp.lan.force="1"
uci set dhcp.wifi1.force="1"
uci set dhcp.wifi2.force="1"
uci set dhcp.wifi1a.force="1"
uci commit dhcp
/etc/init.d/dnsmasq restart

Are you connecting to your own VPN server, or a commercial VPN provider?

  • Bridging is the recommended method to attach a wireless interface to a network.
  • Masquerading helps to resolve routing issues.
  • Routing policy should be applied to the source subnet.
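
As an added example for this thread (not code from OpenWrt, vpn-policy-routing or anyone posting here), the following Python linter parses UCI file syntax and flags the three mistakes discussed above: a WireGuard peer with 0.0.0.0/0 in allowed_ips and route_allowed_ips=1 (every zone goes down the tunnel, which is why the first fix was to set it to 0), a forwarding into the wg0 zone without masq (the server only accepts the peer's /32 in its AllowedIPs, so LAN-sourced packets are dropped), and a PBR policy whose src_addr is not one of the router's own subnets (192.168.0.1/24 instead of 192.168.10.0/24). The sample configs are trimmed from the posts above; the route_allowed_ips '1' line and the vpn-policy-routing stanza are constructed to mirror the state described in the thread, not copied from it.

```python
"""Lint OpenWrt UCI text for the WireGuard policy-routing mistakes discussed in this
thread. Added example; not OpenWrt's or vpn-policy-routing's own code."""
import ipaddress
import re

# Constructed samples trimmed from the posted configs; route_allowed_ips '1' stands for the
# original "everything via wg0" state, the PBR stanza is a hypothetical file-form of the uci commands.
NETWORK = """\
config interface 'wifi1'
    option ipaddr '192.168.10.1'
    option netmask '255.255.255.0'

config interface 'wg0'
    option proto 'wireguard'
    list addresses 'X.X.X.16/32'

config wireguard_wg0
    option route_allowed_ips '1'
    list allowed_ips '0.0.0.0/0'
"""
FIREWALL = """\
config zone
    option name 'wg0'
    list network 'wg0'

config forwarding
    option src 'wifi1'
    option dest 'wg0'
"""
PBR = """\
config policy 'lan_vpn'
    option src_addr '192.168.0.1/24'
"""
SECTION = re.compile(r"^config\s+(\S+)(?:\s+'([^']*)')?")
ENTRY = re.compile(r"^\s*(option|list)\s+(\S+)\s+'([^']*)'")

def parse_uci(text):
    """Parse UCI file syntax into [{'type', 'name', 'opts'}]; 'list' keys collect into lists."""
    sections = []
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            sections.append({"type": m.group(1), "name": m.group(2), "opts": {}})
            continue
        m = ENTRY.match(line)
        if m and sections:
            kind, key, val = m.groups()
            opts = sections[-1]["opts"]
            if kind == "list":
                opts.setdefault(key, []).append(val)
            else:
                opts[key] = val
    return sections

def of_type(sections, t): return [s for s in sections if s["type"] == t]
def as_list(v): return [v] if isinstance(v, str) else list(v or [])

def check_wg_route_hijack(net):
    """route_allowed_ips=1 plus 0.0.0.0/0 in allowed_ips puts the default route via the
    tunnel into the main table, so every zone goes down wg0, not just the VPN wifi."""
    out = []
    for s in net:
        if s["type"].startswith("wireguard_") and s["opts"].get("route_allowed_ips") == "1" \
                and any(ip in ("0.0.0.0/0", "::/0") for ip in as_list(s["opts"].get("allowed_ips"))):
            out.append(f"{s['type']}: default route via tunnel; set route_allowed_ips=0 and use PBR")
    return out

def check_forward_to_tunnel_masq(net, fw):
    """Forwarding into a WireGuard zone without masq leaves the LAN source address on the
    packets, which the server's AllowedIPs (the peer's /32) drops: masquerade here, or add
    the LAN subnet to the peer's AllowedIPs on the server."""
    wg_ifaces = {s["name"] for s in of_type(net, "interface") if s["opts"].get("proto") == "wireguard"}
    zones = {z["opts"].get("name"): z["opts"] for z in of_type(fw, "zone")}
    wg_zones = {n for n, z in zones.items() if set(as_list(z.get("network"))) & wg_ifaces}
    out = []
    for f in of_type(fw, "forwarding"):
        dest = f["opts"].get("dest")
        if dest in wg_zones and zones[dest].get("masq") != "1":
            out.append(f"forwarding {f['opts'].get('src')} -> {dest}: zone {dest} needs masq (and mtu_fix)")
    return out

def check_pbr_src_subnet(net, pbr):
    """A policy's src_addr must be one of the router's own subnets, written as a network
    (192.168.10.0/24): not a host address, and not the ISP router's subnet."""
    local = {ipaddress.ip_network(f"{s['opts']['ipaddr']}/{s['opts']['netmask']}", strict=False)
             for s in of_type(net, "interface") if "ipaddr" in s["opts"] and "netmask" in s["opts"]}
    out = []
    for p in of_type(pbr, "policy"):
        src = p["opts"].get("src_addr", "")
        n = ipaddress.ip_network(src, strict=False)  # host bits tolerated here, reported below
        if str(n) != src:
            out.append(f"policy {p['name']}: src_addr {src} has host bits set; write {n}")
        if n not in local:
            out.append(f"policy {p['name']}: {n} is not a local subnet {sorted(map(str, local))}")
    return out

def lint(network=NETWORK, firewall=FIREWALL, pbr=PBR):
    net, fw, pol = parse_uci(network), parse_uci(firewall), parse_uci(pbr)
    return check_wg_route_hijack(net) + check_forward_to_tunnel_masq(net, fw) + check_pbr_src_subnet(net, pol)

if __name__ == "__main__":
    print("\n".join(lint()))
```

Running it prints four findings for the state described in the thread; passing the contents of /etc/config/network, /etc/config/firewall and /etc/config/vpn-policy-routing copied off the router to lint() checks a live config. It only checks configuration intent; what the kernel actually does is still what ip route show table all and ip rule show from the diagnostics above print.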

After letting my device rest for some hours it's working normally now. If no device was connected for some hours it takes some time before internet is available after connection. I will have a look.

It's my private server within my home network. Access over DynDNS provider and forwarded ports on my ISP router.

What else to tell:

After establishing the vpn routing:

PBR showed an error with the WireGuard gateway X.X.X.16 (I'm still uncertain, shouldn't it be the X.X.X.1 address
from the WireGuard server subnet?). After disabling the routing policy, the error disappeared, but nevertheless, internet was not accessible all the time with the WireGuard wifi network.

Regards,

Mario

1 Like

Then we should also check the server side, post to pastebin.com redacting the private parts:

ip address show; ip route show table all; ip rule show; \
sudo wg show; sudo iptables-save; sudo nft list ruleset; \
sysctl net 2> /dev/null | grep -e forward

Make sure to apply these workarounds on the client side:

1 Like

I will give it a try. Will take some time as we renew parts of our flat.
Best you can do with COVID lockdown :wink:

1 Like

Here we are:

https://pastebin.com/H85dMvku

Add 1: Handshake worked
Add 2: Using my S10 (not parallel to the openwrt device we are talking about) with the wireguard app is working with the same credentials perfectly.

Regards

Mario

1 Like

Disable the WG zone masquerading on both client and server.
Add the client side subnet to the peer's allowed IPs on the server.
Temporarily disable MWAN, PBR and GL.iNet-specific firewall scripts on the server.

1 Like