I’m trying to reach a TFTP server on a remote location with Wireguard, but the firewall is acting weird.
The setup is a double NATted OpenWRT with mostly default settings, that has a Wireguard interface to the remote location. This Wireguard interface works and I can reach the remote, no problem there. Now I’d like the 192.168.1.0/24 clients to reach a TFTP-server. To my dismay, UDP return traffic is met with an ICMP port unreachable.
Wireguard configuration, cut for brevity:
config interface 'W'
[cut key etc]
list addresses '10.107.116.2'
config wireguard_W
option description 'W'
list allowed_ips '172.17.2.0/24'
list allowed_ips '10.107.116.1'
[option endpoint_host / option endpoint_port and key]
option route_allowed_ips '1'
The W interface is added to the WAN firewall zone in order to be NATted, I hoped to not have to setup routing at the other side. Trying ssh from 192.168.1.192 to the remote 172.17.2.187 works perfectly well. This is a tcpdump from the W interface as defined above:
IP 10.107.116.2.44700 > 172.17.2.187.22: Flags [S] IP 172.17.2.187.22 > 10.107.116.2.44700: Flags [S.] IP 10.107.116.2.44700 > 172.17.2.187.22: Flags [.] IP 10.107.116.2.44700 > 172.17.2.187.22: Flags [P.] SSH: SSH-2.0-OpenSSH_10.0p2 Debian-7
(etcetera etcetera). However, when trying to use TFTP: IP 10.107.116.2.43385 > 172.17.2.187.69: TFTP, length 13, RRQ "ipxe" octet IP 172.17.2.187.34749 > 10.107.116.2.43385: UDP, length 19 IP 10.107.116.2 > 172.17.2.187: ICMP 10.107.116.2 udp port 43385 unreachable, length 55
As you can see, the return traffic is met with a stern “port unreachable”. What is happening here? Why can’t the return traffic be un-NATted and delivered to its source 192.168.1.192?
This is on a TP-Link ER605 v2 - at first I had no offloading, I also tried software and hardware flow offloading. But no return UDP traffic seems possible.
Edit: I now enabled routing on the other side so now tftp works as advertised. But I hate doing this because it would force me to renumber the 192.168.1.0/24 for a second network like this.
What you show is that the WireGuard "client" which connects to an endpoint at the other side where a WireGuard server is listening?
It will help if you show us your configs, please connect to your OpenWRT device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button
Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have but do not redact private RFC 1918 IP addresses (192.168.X.X, 10.X.X.X and 172.16-32.X.X) as that is not needed:
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
ip route show
ip -6 route show
ip route show table all
ip rule show
wg show
Yep, the OpenWRT router is a WG client. Most settings are default. I may have messed up a few settings because I thought I had done something wrong - anyway; here’s the setup. Please note that I changed the Zaandam interface to LAN now, because it is routed and doesn’t need NAT anymore. Also note the double NAT, yes, the WAN interface is at 10.67.8.25 and it ACCEPTs incoming traffic.
{
"kernel": "6.6.119",
"hostname": "OpenWrt",
"system": "MediaTek MT7621 ver:1 eco:4",
"model": "TP-Link ER605 v2",
"board_name": "tplink,er605-v2",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "24.10.5",
"revision": "r29087-d9c5716d1d",
"target": "ramips/mt7621",
"description": "OpenWrt 24.10.5 r29087-d9c5716d1d",
"builddate": "1766005702"
}
}
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdf8:7867:6137::/48'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
list ports 'lan5'
config device
option name 'lan2'
option macaddr '5C:E9:31:AE:18:7F'
config device
option name 'lan3'
option macaddr '5C:E9:31:AE:18:7F'
config device
option name 'lan4'
option macaddr '5C:E9:31:AE:18:7F'
config device
option name 'lan5'
option macaddr '5C:E9:31:AE:18:7F'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config device
option name 'wan1'
option macaddr '5C:E9:31:ae:18:80'
config interface 'wan'
option device 'wan1'
option proto 'dhcp'
config interface 'wan6'
option device 'wan1'
option proto 'dhcpv6'
config interface 'Zaandam'
option proto 'wireguard'
option private_key '==redacted=='
list addresses '10.107.116.2'
option delegate '0'
config wireguard_Zaandam
option description 'Zaandam'
option public_key '==redacted=='
list allowed_ips '172.17.2.0/24'
list allowed_ips '10.107.116.1'
option endpoint_host '==redacted=='
option endpoint_port '==redacted=='
option route_allowed_ips '1'
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option flow_offloading '1'
option flow_offloading_hw '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'Zaandam'
config zone
option name 'wan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
default via 10.67.8.254 dev wan1 proto static src 10.67.8.25
10.67.8.0/24 dev wan1 proto kernel scope link src 10.67.8.25
10.107.116.1 dev Zaandam proto static scope link
172.17.2.0/24 dev Zaandam proto static scope link
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
==redacted== via 10.67.8.254 dev wan1 proto static
fdf8:7867:6137::/64 dev br-lan proto static metric 1024 pref medium
unreachable fdf8:7867:6137::/48 dev lo proto static metric 2147483647 pref medium
fe80::/64 dev dsa proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev wan1 proto kernel metric 256 pref medium
default via 10.67.8.254 dev wan1 proto static src 10.67.8.25
10.67.8.0/24 dev wan1 proto kernel scope link src 10.67.8.25
10.107.116.1 dev Zaandam proto static scope link
172.17.2.0/24 dev Zaandam proto static scope link
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
==redacted== via 10.67.8.254 dev wan1 proto static
local 10.67.8.25 dev wan1 table local proto kernel scope host src 10.67.8.25
broadcast 10.67.8.255 dev wan1 table local proto kernel scope link src 10.67.8.25
local 10.107.116.2 dev Zaandam table local proto kernel scope host src 10.107.116.2
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1
fdf8:7867:6137::/64 dev br-lan proto static metric 1024 pref medium
unreachable fdf8:7867:6137::/48 dev lo proto static metric 2147483647 pref medium
fe80::/64 dev dsa proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev wan1 proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
anycast fdf8:7867:6137:: dev br-lan table local proto kernel metric 0 pref medium
local fdf8:7867:6137::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev dsa table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev wan1 table local proto kernel metric 0 pref medium
local fe80::b8:49ff:fe2c:66c3 dev dsa table local proto kernel metric 0 pref medium
local fe80::5ee9:31ff:feae:187f dev br-lan table local proto kernel metric 0 pref medium
local fe80::5ee9:31ff:feae:1880 dev wan1 table local proto kernel metric 0 pref medium
multicast ff00::/8 dev dsa table local proto kernel metric 256 pref medium
multicast ff00::/8 dev br-lan table local proto kernel metric 256 pref medium
multicast ff00::/8 dev wan1 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev Zaandam table local proto kernel metric 256 pref medium
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
interface: Zaandam
public key: ==redacted==
private key: (hidden)
listening port: 34363
peer: ==redacted==
endpoint: ==redacted==
allowed ips: 172.17.2.0/24, 10.107.116.1/32
latest handshake: 11 minutes, 2 seconds ago
transfer: 366.92 MiB received, 24.96 MiB sent
Not related to your problem but use 10.107.166.2/24
I assume the subnet of the other side is 172.17.2.0/24
You do not have Keepalive set no problem if you only connect from this side but if the other side wants to send traffic then you need to set KeepAlive:
You are not NATting the WG traffic which is not needed if the other side has 192.168.1.0/24 as Allowed IPs and routing of Allowed IPs is enabled.
What you want to reach on the other side e.g. a server or other client over there on the lan must accept traffic from 192.168.1.0/24 that is not default so check that.
I know everything is OK, but the UDP NAT is not. And no, as I said, I'm not NATting anymore, because UDP NATting did not work.
I'm guessing the topic is misdirected and should be in dev, right? As I know how to setup a site to site VPN but there seems to be a real software issue?