Wireguard issue on OpenWRT 22.05

Good morning.
I am experiencing some issues with a WireGuard configuration on OpenWRT 22.05, installed on a router that is cascaded behind the main one.

Once the wg0 interface has been added I can no longer connect to the web.
I also have a rule that uses the VPN only for a single URL (for testing purposes I inserted www.repubblica.it).

What frustrates me most is that it worked for some time and then stopped.
I attach my network, firewall and pbr configuration below.

NETWORK


# Network config as posted. The '#' lines are review notes; the option lines are unchanged.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd30:8d69:33d9::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config device
	option name 'eth0.1'
	option macaddr '40:b0:76:99:b4:9c'

# LAN side of the cascaded router: 192.168.1.0/24, which sits inside the
# 192.168.0.0/16 range used by the last PBR policy (see the PBR config).
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

# WAN side faces the main router via DHCP. peerdns '0' ignores the resolvers the
# main router hands out; the two listed resolvers are used instead (the same pair
# is configured on wg0 below).
config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'
	option peerdns '0'
	list dns '162.252.172.57'
	list dns '149.154.159.92'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcp'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0 6t'

# WireGuard client interface. The private key is redacted in the post; keep it
# that way when sharing configs. The interface is a member of the 'wan' firewall
# zone in the posted firewall config, so masq/mtu_fix and the zone's input policy
# apply to the tunnel as well.
config interface 'wg0'
	option proto 'wireguard'
	option private_key '********************************************'
	# fixed listen port; for an outbound-only client this is presumably not
	# required, since the endpoint's replies are matched to the socket anyway — verify
	option listen_port '63318'
	list addresses '10.14.0.2/16'
	option mtu '1350'
	# same resolvers as on wan; which path the DNS queries actually take is decided
	# by routing/PBR, not by this list
	list dns '162.252.172.57'
	list dns '149.154.159.92'

# VPN provider peer. allowed_ips 0.0.0.0/0 together with route_allowed_ips '1'
# installs a default route through the tunnel, which is what pulls all traffic
# into wg0. The advice given later in the thread is to set route_allowed_ips '0'
# so the default route stays on wan and only PBR policies steer traffic to wg0.
config wireguard_wg0
	option description 'WireguardSurfsharkROME'
	option public_key 'fqxSeDr7n249iywruwLMwkV3r36svPT1tLf9TJOTFAw='
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'
	option endpoint_host 'it-rom.prod.surfshark.com'
	option endpoint_port '51820'
	option persistent_keepalive '25'

FIREWALL


# Firewall config as posted. The '#' lines are review notes; the option lines are unchanged.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# lan zone: everything from the LAN into the router is accepted, so services on
# the router (SSH, LuCI, DNS) are already reachable from LAN clients without
# extra rules.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

# wan zone: wg0 is listed here next to wan/wan6, so the tunnel is masqueraded,
# gets mtu_fix, and inbound traffic arriving through the tunnel hits the same
# input REJECT policy as traffic from eth0.2.
config zone
	option name 'wan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'
	list network 'wan'
	list network 'wan6'
	list network 'wg0'

# The only forwarding rule. Because wg0 is in the wan zone, LAN traffic that PBR
# steers into the tunnel is presumably forwarded and masqueraded under this same
# rule — confirm with the pbr firewall include.
config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# The two rules below forward ESP and UDP/500 from the wan zone into the LAN.
# They are stock OpenWrt rules; if no IPsec endpoint lives on the LAN they can
# be disabled to reduce what the wan side (and the wg0 tunnel) can reach.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Hook script installed by the pbr package; it inserts the policy-routing marks.
config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/pbr.firewall.include'

# NOTE(review): src '*' accepts port 22 from every zone, i.e. also from the
# Internet on eth0.2 and from the VPN provider's side of wg0 (both are in the
# wan zone). No proto is given, so by OpenWrt's default it covers tcp and udp.
# If SSH is only needed from the LAN, the rule is redundant (lan input is
# already ACCEPT) and can be removed, or restricted with `option src 'lan'`.
config rule
	option name 'SSH'
	option src '*'
	option dest_port '22'
	option target 'ACCEPT'

PBR


# PBR (policy-based routing) config as posted. The '#' lines are review notes;
# the option lines are unchanged.
config pbr 'config'
	option verbosity '2'
	# NOTE(review): with strict_enforcement, traffic matched by a policy whose
	# interface is down is expected to be blocked instead of falling back to the
	# default route — the behaviour you want for the wg0 policy. Confirm against
	# the pbr documentation for this version.
	option strict_enforcement '1'
	option ipv6_enabled '0'
	list ignored_interface 'vpnserver'
	list ignored_interface 'wgserver'
	option boot_timeout '30'
	option rule_create_option 'add'
	option procd_reload_delay '1'
	option webui_show_ignore_target '0'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	# NOTE(review): domain-based dest_addr policies are presumably matched on the
	# addresses dnsmasq resolves for the domain, so a client that uses its own
	# resolver (e.g. DNS-over-HTTPS in the browser) may bypass the wg0 policy —
	# verify with the dnsleaktest suggested later in the thread.
	option resolver_set 'dnsmasq.ipset'
	option enabled '1'

config include
	option path '/usr/share/pbr/pbr.user.aws'
	option enabled '0'

config include
	option path '/usr/share/pbr/pbr.user.netflix'
	option enabled '0'

config policy
	option name 'Plex/Emby Local Server'
	option interface 'wan'
	option src_port '8096 8920 32400'
	option enabled '0'

config policy
	option name 'Plex/Emby Remote Servers'
	option interface 'wan'
	option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
	option enabled '0'

config policy
	option name 'DDNS'
	option dest_addr 'checkip.dyndns.com'
	option interface 'wan'

# The test policy: traffic to this domain is steered into the wg0 tunnel.
config policy
	option name 'MyTest'
	option dest_addr 'www.repubblica.it'
	option interface 'wg0'

# As pointed out in the reply below: 192.168.0.0/16 also contains this router's
# own LAN (192.168.1.0/24), so this policy pushes local traffic out via wan.
# Disabling route_allowed_ips on the wg0 peer makes this policy unnecessary,
# since the default route then stays on wan anyway.
config policy
	option src_addr '192.168.0.0/16'
	option interface 'wan'

Maybe remove the above: your own network is 192.168.1.1/24, which is included in 192.168.0.0/16, so you are now routing your own network via the WAN instead of via the LAN.

Thanks a lot. I will try.

Anyway, the intention of this policy was to route all traffic coming from any device in 192.168.0.0/16 through wan rather than wg0, except what is covered by the previous policy (www.repubblica.it).
Any suggestion on how to achieve this better?

Do you mean that if I remove this policy

# The policy in question, quoted from the PBR config above (catch-all source
# range 192.168.0.0/16 sent via wan).
config policy
	option src_addr '192.168.0.0/16'
	option interface 'wan'

will only www.repubblica.it be routed via wg0 anyway (so every device will use the VPN only to access www.repubblica.it)?

Thanks again

If you do not want to route anything via the VPN except for what you set in the PBR, then disable "Route Allowed IPs" in the WG Peer.

You probably have 0.0.0.0/0 in the Allowed IPs; by disabling "Route Allowed IPs" your default route is still the WAN.

I will try, so to recap:

  1. remove policy with option src_addr '192.168.0.0/16'
  2. disable "Route Allowed IPs" in the WG Peer
  3. keep a policy like the following to route some particular domains on wg0:
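# Template policy for the recap: replace the placeholder with the domain(s) that
# should be reached through wg0. The placeholder was missing its closing '>'.
config policy
	option name 'MyTest'
	option dest_addr '<domainsToRoutewg0>'
	option interface 'wg0'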

Did I get you correct?

Thanks in advance

Yeah give that a try that works for me, I use dnsleaktest.com for testing :slight_smile:

Note: you are using the PREROUTING chain which means it only works for your LAN clients, if you want it to work from the router itself you have to use the OUTPUT chain.

mmm, not sure I get you.
what do you mean with "it only works for your LAN clients"?

And what if you want it to work from the router itself?

My need is that all the clients connected to this router, via Ethernet cable or Wi-Fi, use the VPN when connecting to certain domains. In this case I think it is fine, since you say it works for my LAN clients, right?

And what would the OUTPUT chain add?

Thanks for your patience :smiley:

With LAN clients I mean any client connected to your router by cable or WiFi.

But if you try it from the router itself e.g. when you SSH into your router and execute:
traceroute <domainsToRoutewg0>

It will not work and you should see that the routing is via the default route which is the WAN in your case.

That is because PBR uses iptables/nftables to route, and your LAN clients go through different iptables chains (PREROUTING) than the router itself, which uses the OUTPUT chain.

If necessary you can set both chains

Oh, now I got you.

You are very kind.
I will test your suggestion soon; right now unfortunately I am away from home. I will keep you informed.

Have a great day ahead
