It's been a few days and WireGuard still doesn't work. I would be very grateful if someone could kindly advise me.
I have an OpenWrt router with two WANs using mwan3. When one WAN fails, the other WAN handles all traffic; WAN_b should handle both the WireGuard traffic and the default traffic.
The handshake is successful on both sides of the WireGuard tunnel, but neither side can ping the remote LAN behind the other; only the WAN (endpoint) addresses can be pinged. Also, the Endpoint Host is set to 9.9.9.7 on the remote side, but the "wg" command there shows 8.8.8.7. I suspect an issue with the "rule" section of the mwan3 configuration, but I am uncertain where the problem actually lies.
My side:
WAN (eth1): static 8.8.8.7 gateway:8.8.8.1
WAN_b(eth2): static 9.9.9.7 gateway:9.9.9.1
root@OpenWrt:/# wg
interface: wg0
public key: sJou1WwZNsX7jHfV2CNkCer7uHwxs0yMXFBTwX8DznI=
private key: (hidden)
listening port: 51820
peer: wUi4iTCulzasw3s7mrWoXF4MuOzf6PColPoBxS3a9As=
endpoint: 7.7.7.8:51820
allowed ips: 192.168.100.0/24, 192.168.8.0/24
latest handshake: 34 seconds ago
transfer: 368 B received, 2.50 KiB sent
persistent keepalive: every 25 seconds
root@OpenWrt:/# ping 192.168.8.1
PING 192.168.8.1 (192.168.8.1): 56 data bytes
^C
root@OpenWrt:~# ping -I 192.168.1.1 192.168.8.1
PING 192.168.8.1 (192.168.8.1) from 192.168.1.1: 56 data bytes
^C
root@OpenWrt:/# ping 7.7.7.8
PING 7.7.7.8 (7.7.7.8): 56 data bytes
64 bytes from 7.7.7.8: seq=0 ttl=63 time=1.034 ms
64 bytes from 7.7.7.8: seq=1 ttl=63 time=0.980 ms
The following are the outputs of these commands:
route -n
cat /etc/config/network
cat /etc/config/mwan3
root@OpenWrt:/# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 8.8.8.1 0.0.0.0 UG 10 0 0 eth1
0.0.0.0 9.9.9.1 0.0.0.0 UG 20 0 0 eth2
7.7.7.8 8.8.8.1 255.255.255.255 UGH 10 0 0 eth1
8.8.8.0 0.0.0.0 255.255.255.0 U 10 0 0 eth1
9.9.9.0 0.0.0.0 255.255.255.0 U 20 0 0 eth2
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan
root@OpenWrt:/# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd7a:61b6:b586::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0'
list ports 'eth5'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option device 'eth1'
option proto 'static'
option netmask '255.255.255.0'
option metric '10'
option gateway '8.8.8.1'
option ipaddr '8.8.8.7'
config interface 'wanb'
option proto 'static'
option device 'eth2'
option netmask '255.255.255.0'
option metric '20'
option gateway '9.9.9.1'
option ipaddr '9.9.9.7'
config interface 'wg0'
option proto 'wireguard'
option private_key 'EDvWgQu5GNIGKDgaPv6kVHCvEl0Y8TJk1KC3OFubzEA='
option listen_port '51820'
list addresses '192.168.100.3'
config wireguard_wg0
option public_key 'wUi4iTCulzasw3s7mrWoXF4MuOzf6PColPoBxS3a9As='
list allowed_ips '192.168.100.2/24'
list allowed_ips '192.168.8.1/24'
option endpoint_host '7.7.7.8'
option persistent_keepalive '25'
option route_allowed_ips '1'
root@OpenWrt:/# cat /etc/config/mwan3
config globals 'globals'
option mmx_mask '0x3F00'
config interface 'wan'
option enabled '1'
option family 'ipv4'
option initial_state 'online'
option track_method 'ping'
option count '1'
option size '56'
option max_ttl '60'
option timeout '4'
option interval '10'
option failure_interval '5'
option recovery_interval '5'
option down '5'
option up '5'
option reliability '1'
config interface 'wanb'
option family 'ipv4'
option reliability '1'
option enabled '1'
option initial_state 'online'
option track_method 'ping'
option count '1'
option size '56'
option max_ttl '60'
option timeout '4'
option interval '10'
option failure_interval '5'
option recovery_interval '5'
option down '5'
option up '5'
config member 'wan_m1_w3'
option interface 'wan'
option metric '1'
option weight '3'
config member 'wanb_m1_w3'
option interface 'wanb'
option metric '1'
option weight '3'
config policy 'wan_only'
list use_member 'wan_m1_w3'
option last_resort 'unreachable'
config policy 'wanb_only'
option last_resort 'unreachable'
list use_member 'wanb_m1_w3'
config policy 'balanced'
list use_member 'wan_m1_w3'
list use_member 'wanb_m1_w3'
option last_resort 'unreachable'
config rule 'wg'
option family 'ipv4'
option proto 'udp'
option dest_port '51820'
option use_policy 'wanb_only'
option sticky '0'
config rule 'https'
option proto 'tcp'
option dest_port '443'
option sticky '1'
option use_policy 'balanced'
config rule 'all'
option proto 'all'
option dest_ip '0.0.0.0/0'
option sticky '0'
option use_policy 'balanced'
Remote side:
WAN(eth0): static 7.7.7.8 gateway:7.7.7.1
The following are the outputs of these commands:
route -n
cat /etc/config/network
root@GL-MV1000:~# wg
interface: wg0
public key: wUi4iTCulzasw3s7mrWoXF4MuOzf6PColPoBxS3a9As=
private key: (hidden)
listening port: 51820
peer: sJou1WwZNsX7jHfV2CNkCer7uHwxs0yMXFBTwX8DznI=
endpoint: 8.8.8.7:51820 <--- it should be 9.9.9.7; please see the screenshot below
allowed ips: 192.168.100.0/24, 192.168.1.0/24
latest handshake: 49 seconds ago
transfer: 6.18 KiB received, 1.71 KiB sent
root@GL-MV1000:~# ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
^C
root@GL-MV1000:~# ping -I 192.168.8.1 192.168.1.1
PING 192.168.1.1 (192.168.1.1) from 192.168.8.1: 56 data bytes
^C
root@GL-MV1000:~# ping 8.8.8.7
PING 8.8.8.7 (8.8.8.7): 56 data bytes
64 bytes from 8.8.8.7: seq=0 ttl=63 time=0.745 ms
64 bytes from 8.8.8.7: seq=1 ttl=63 time=0.902 ms
^C
root@GL-MV1000:~# ping 9.9.9.7
PING 9.9.9.7 (9.9.9.7): 56 data bytes
64 bytes from 9.9.9.7: seq=0 ttl=63 time=0.514 ms
64 bytes from 9.9.9.7: seq=1 ttl=63 time=1.001 ms
^C
root@GL-MV1000:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 7.7.7.1 0.0.0.0 UG 10 0 0 wan
7.7.7.0 0.0.0.0 255.255.255.0 U 10 0 0 wan
9.9.9.7 7.7.7.1 255.255.255.255 UGH 10 0 0 wan
192.168.8.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan
root@GL-MV1000:~# cat /etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdd3:1356:9fcc::/48'
config interface 'lan'
option type 'bridge'
option ifname 'lan0 lan1 usb0'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option hostname 'GL-MV1000-298'
option ipaddr '192.168.8.1'
config interface 'wan'
option ifname 'wan'
option ipv6 '0'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '7.7.7.8'
option gateway '7.7.7.1'
option metric '10'
config interface 'lan0'
option ifname 'lan0'
option macaddr '94:83:c4:0a:42:99'
config interface 'lan1'
option ifname 'lan1'
option macaddr '94:83:c4:0a:42:99'
config interface 'wg0'
option proto 'wireguard'
option private_key '6G+8SN2C4v0yWd2O4C5jCa5LPK8D7S3PuVrMQK3VbWg='
option listen_port '51820'
list addresses '192.168.100.2'
config wireguard_wg0
option public_key 'sJou1WwZNsX7jHfV2CNkCer7uHwxs0yMXFBTwX8DznI='
list allowed_ips '192.168.100.1/24'
list allowed_ips '192.168.1.0/24'
option endpoint_host '9.9.9.7'