Wireguard multiple interfaces - one is not working [Solved]

Hi, I have the following case:

<Device 1 local IP> <--------> <Router 2 public IP> <---Internet---> <Router 1 Public IP>

I would like to have 2 WireGuard links.

  1. One on subnet 10.2.2.x - and this one is working. In this case <Router 1 Public IP> is the server and <Device 1> is the client. Also 5 other devices are working fine.
  2. Second subnet 10.3.3.x - I would like to have <Device 1 local IP> as the server, so I set port forwarding on <Router 2 public IP>, and <Router 1 Public IP> as the client.
    The handshake is fine but ping is not working. And the strange thing is that the server sees the client on an incorrect port:

On server side:

root@OpenWrtMiWiFiMini:~# wg show wg1
interface: wg1
  public key: <key>
  private key: (hidden)
  listening port: 60024

peer: <key>
  endpoint: <Router 1 Public IP>:1097
  allowed ips: 10.3.3.2/32
  latest handshake: 2 minutes, 21 seconds ago
  transfer: 2.93 KiB received, 2.05 KiB sent
  persistent keepalive: every 25 seconds
root@OpenWrtMiWiFiMini:~#

On client side:

root@Xiaomi3G:~# wg show wg1
interface: wg1
  public key: <key>
  private key: (hidden)
  listening port: 60027

peer: <key>
  endpoint: <Router 2 Public IP>:60024
  allowed ips: (none)
  latest handshake: 1 minute, 22 seconds ago
  transfer: 2.26 KiB received, 3.50 KiB sent
  persistent keepalive: every 25 seconds

Any idea what could be wrong?

Client side

How about that? Allow at least 10.3.3.1

2 Likes

No it isn't:

There is no such thing as servers and clients

If you don't have masquerade enabled, there is no port forwarding.

But the port forwarding is on <Router 2 public IP>. Does iptables have to be enabled on <Device 1 local IP>?
I have the firewall off - to be sure that it is not blocking any connection?

:confused:

I just said:

So if your firewall is off, how are you port forwarding?


  • Have you created a route for the subnet?
  • Have you tried the IP address assigned to the devices?

Port forwarding is on <Router 2 public IP> and device <Device 1 local IP> is behind this NAT (port forwarding from external 60024 to 60024 on the local IP address).

@kofec, I honestly think you're confusing the WG network and the LANs you're trying to route to. It's quite confusing when you continue to speak of port forwarding and NAT, before you clarify my inquiry about masquerading.

I won't be able to help you until you can clearly articulate what you're trying to do.

  • Fix the allowed IP section
  • You should allow the entire subnet at the other end of the connection
  • You need to make a route to the network at the other end of the connection.
  • If you do not have masquerade on, then you must route, not port forward
  • Remove the port number 1097 from the peer

routes on device 1:

root@OpenWrtMiWiFiMini:~# ip r
default via 192.168.4.1 dev eth0.2 proto static src 192.168.4.12
10.3.3.0/24 dev wg1 proto kernel scope link src 10.3.3.1
10.3.3.2 dev wg1 proto static scope link
<Router 1 Public IP> via 192.168.4.1 dev eth0.2 proto static
192.168.4.0/24 dev eth0.2 proto kernel scope link src 192.168.4.12
192.168.111.0/24 dev br-lan proto kernel scope link src 192.168.111.1

Routes on <Router 1 Public IP>

default via 91.90.x.x dev eth0.2 proto static
10.2.2.0/24 dev wg0 proto kernel scope link src 10.2.2.1
10.2.2.2 dev wg0 proto static scope link
10.2.2.3 dev wg0 proto static scope link
10.2.2.4 dev wg0 proto static scope link
10.2.2.5 dev wg0 proto static scope link
10.2.2.6 dev wg0 proto static scope link
10.2.2.7 dev wg0 proto static scope link
10.2.2.8 dev wg0 proto static scope link
10.2.2.9 dev wg0 proto static scope link
10.2.2.10 dev wg0 proto static scope link
10.2.2.254 dev wg0 proto static scope link
10.3.3.0/24 dev wg1 proto kernel scope link src 10.3.3.2
<Route 2 public IP> via 91.90.x.x dev eth0.2 proto static
91.90.176.128/25 dev eth0.2 proto kernel scope link src 91.90.176.163
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.11.0/24 via 192.168.1.10 dev br-lan proto static

I'm not sure why you posted your routes.

  • OK, can you ping when you fix the allowed IPs and remove port 1097?
  • In your original post, device 1 was a computer on LAN, why does it have routes!?!?

This port was assigned automatically when the peer connected? Should I force it?

Configuration on peer (server side):

config interface 'wg1'
        option proto 'wireguard'
        option private_key '...key..'
        option listen_port '60024'

config wireguard_wg1
        option persistent_keepalive '25'
        option route_allowed_ips '1'
        option description 'Xiaomi MIR3'
        option public_key '...key..'
        list allowed_ips '10.3.3.2/32'

config interface 'wg1ip'
        option proto 'static'
        option ifname 'wg1'
        option ipaddr '10.3.3.1'
        option netmask '255.255.255.0'

I keep saying there are not servers and clients, so you're only managing to confuse me.

YOU HAVE TO ALLOW ALL IPS THAT WILL COME FROM THIS INTERFACE, USE 10.3.3.0/24!!!!


Can you explain what this is????


I think you mean:

config interface 'wg1'
        option proto 'wireguard'
        option private_key '...key..'
        option listen_port '60024'
        list addresses '10.3.3.1/24'

config wireguard_wg1
        option persistent_keepalive '25'
        option route_allowed_ips '1'
        option description 'Xiaomi MIR3'
        option public_key '...key..'
        list allowed_ips '10.3.3.2/24'

1 Like

This is how I assign an IP address to an interface on OpenWrt

Then you assign the IP incorrectly. I just showed you how to do it properly:

EDIT: changed allowed IPs to 10.3.3.0/24

I changed it as you suggested and now it is working. Thanks a lot

1 Like

@lleachii What should be the configuration if I would like to add another peer ?

I assume this means attach a peer to the device listening at 60024:

  • Generate another Private Key to assign to the new device

On the OpenWrt:

  • Place its Public Key into another peer
  • Assign it an unused IP in the /24 range
  • Optionally - pick a new description
  • Otherwise, repeat all other steps as you did for the first peer

Are you doing this on the LuCI web GUI?

If so, you simply:

  • hit the Add button
1 Like

I'm not sure if it is a bug or by design. But if I would like to have more peers connected to one peer, I have to change the configuration like below (change the mask from 24 to 32):

config wireguard_wg1
        option persistent_keepalive '25'
        option route_allowed_ips '1'
        option description 'Xiaomi MIR3'
        option public_key '...key..'
        list allowed_ips '10.3.3.2/32'

config wireguard_wg1
        option persistent_keepalive '25'
        option route_allowed_ips '1'
        option description 'xxx'
        option public_key '...key..'
        list allowed_ips '10.3.3.3/32'

Otherwise only one peer is working. Maybe it is related to ARP discovery? I don't know.

Other peers have:
allowed ips: (none)
Maybe because of overlap?

1 Like

Interesting... I only allow single /32 IPs anyway on the peers (or "clients," as you say)... but it makes sense, because the IPs can't exist "everywhere."

See: https://www.wireguard.com/#cryptokey-routing
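The two problems discussed in this thread (peers sharing a /24 in AllowedIPs so that only one of them works, and adding a further peer by giving it an unused /32) can be checked before touching the router. The script below is an added example, not code from the thread or from OpenWrt: it parses UCI stanzas in the same 'config wireguard_wg1' shape shown above, reports peers whose AllowedIPs overlap, and proposes the lowest free /32 for a new peer. The two UCI samples inside it are constructed, the public keys are placeholders, and the reserved address 10.3.3.1 is assumed to be the local wg1 address as in the thread.

```python
"""AllowedIPs sanity check for a multi-peer WireGuard interface (added example)."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample: two peers where one still holds the whole /24
# (the thread's broken state). UCI keys are from the thread; keys are placeholders.
CONFLICTING_UCI = """
config wireguard_wg1
        option persistent_keepalive '25'
        option route_allowed_ips '1'
        option description 'Xiaomi MIR3'
        option public_key 'PEER1_PUBLIC_KEY_PLACEHOLDER'
        list allowed_ips '10.3.3.2/24'

config wireguard_wg1
        option persistent_keepalive '25'
        option route_allowed_ips '1'
        option description 'xxx'
        option public_key 'PEER2_PUBLIC_KEY_PLACEHOLDER'
        list allowed_ips '10.3.3.3/32'
"""

# Constructed sample: the fixed state from the thread, one /32 per peer.
FIXED_UCI = CONFLICTING_UCI.replace("'10.3.3.2/24'", "'10.3.3.2/32'")


@dataclass
class Peer:
    description: str = ""
    public_key: str = ""
    allowed_ips: list = field(default_factory=list)


def parse_uci_peers(text, section="wireguard_wg1"):
    """Collect every 'config <section>' stanza into a Peer.

    Host bits of an allowed_ips entry are masked off (strict=False), which is
    what the kernel does with '10.3.3.2/24': it means all of 10.3.3.0/24."""
    peers, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            cur = Peer() if line.split()[1] == section else None
            if cur is not None:
                peers.append(cur)
            continue
        m = re.match(r"(option|list)\s+(\w+)\s+'([^']*)'", line)
        if cur is None or not m:
            continue
        _, key, val = m.groups()
        if key == "description":
            cur.description = val
        elif key == "public_key":
            cur.public_key = val
        elif key == "allowed_ips":
            cur.allowed_ips.append(ipaddress.ip_network(val, strict=False))
    return peers


def find_conflicts(peers):
    """Pairs of peers whose AllowedIPs overlap.

    Cryptokey routing maps each destination prefix to exactly one peer, so an
    overlap means one of the two peers never receives that traffic; the same
    prefix configured on two peers stays with the last one, which matches the
    'allowed ips: (none)' the thread saw on the other peers."""
    found = []
    for i, a in enumerate(peers):
        for b in peers[i + 1:]:
            for na in a.allowed_ips:
                for nb in b.allowed_ips:
                    if na.overlaps(nb):
                        found.append((a.description, str(na), b.description, str(nb)))
    return found


def next_free_host(peers, subnet, reserved=("10.3.3.1",)):
    """Lowest host in subnet that is neither reserved (assumed local wg1
    address) nor inside any existing peer's AllowedIPs; None if none is free."""
    net = ipaddress.ip_network(subnet)
    taken = {ipaddress.ip_address(r) for r in reserved}
    for host in net.hosts():
        if host in taken or any(host in n for p in peers for n in p.allowed_ips):
            continue
        return f"{host}/32"
    return None


def render_peer_stanza(description, public_key, allowed_ip):
    """UCI stanza for an additional peer, in the shape used in the thread."""
    return "\n".join([
        "config wireguard_wg1",
        "        option persistent_keepalive '25'",
        "        option route_allowed_ips '1'",
        f"        option description '{description}'",
        f"        option public_key '{public_key}'",
        f"        list allowed_ips '{allowed_ip}'",
    ])


if __name__ == "__main__":
    for name, text in (("conflicting", CONFLICTING_UCI), ("fixed", FIXED_UCI)):
        peers = parse_uci_peers(text)
        print(name, "overlaps:", find_conflicts(peers))
        free = next_free_host(peers, "10.3.3.0/24")
        if free:
            print(render_peer_stanza("new device", "NEW_PUBLIC_KEY_PLACEHOLDER", free))
```

On the conflicting sample the /24 on the first peer overlaps the second peer's /32 and no free host remains; on the fixed sample there is no overlap and the next peer gets 10.3.3.4/32, which is the stanza you would append to /etc/config/network before running the usual interface reload.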


Please stop using Allowed IPs none.
