WireGuard on Raspberry Pi 4B

Hello!
I want to set up WireGuard on a Raspberry Pi 4B (only one ethernet port).
I don't want the Pi 4B connected to the LAN, and I don't want to use USB <-> RJ45.
My network should be like the picture below:

And I use this firmware for better network speed and stability.

Note: this firmware doesn't have wireless, and I don't need wireless either.

My problem: I can't connect to the network if I use WireGuard.
Without connecting to WireGuard: I can ping, but I can't SSH or access http://192.168.x.x even though I can ping.

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd3d:15f8:d25f::/48'

config device
	option name 'br-lan'
	option type 'bridge'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'

config interface 'vpn'
	option proto 'wireguard'
	option private_key 'kHKq+aYz+C27/PKHjS/ryoaW0Y1D/5P5f1p2ClBod14='
	option listen_port '8989'
	list addresses '192.168.99.1/32'

config wireguard_vpn
	option description 'Test'
	option public_key '/L8eVwF3A4ZyyX2ThTiWc+8LHAciv7BGWPn/PNbAMQo='
	option private_key 'uNec6wwUinhUU4epbnvDfy1C7V4+aa6yVvIjfJse4W8='
	option persistent_keepalive '25'

/etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone 'lan'
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone 'wan'
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'vpn'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

Please help me! Thank you.

that firmware is also unofficial.

might want to use https://firmware-selector.openwrt.org/?version=SNAPSHOT&target=bcm27xx%2Fbcm2712&id=rpi-5

Works as designed then?

Not really what I want.
WireGuard doesn't work correctly.
Users from WireGuard can't use the internet. I can see packets on the WireGuard status page.

not an expert on VPN and OpenWrt, but your firewall only has one vpn rule, and it's lan -> vpn, exactly the thing you did not want?

So, I configured it wrongly.
I need to add something like

config forwarding
	option src 'vpn'
	option dest 'wan'

Is it right?

that would be a good starting point...

You need a vpn zone before you can forward to or from it.

should I add a config like this?

config zone 'vpn'
	option name 'vpn'
	list network 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

Yes, that'd be a good place to start

1 Like
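As an added illustration of the zone/forwarding point made above (my own code, not from the thread or from OpenWrt), here is a small Python checker that parses UCI firewall syntax and flags the three things this setup needs: every forwarding's src/dest must name a defined zone, there must be a vpn->wan forwarding, and, because the wan zone's input policy is REJECT, an accept rule for the WireGuard listen_port (8989 in the posted config). The two config excerpts are constructed, the first modelled on the thread's original firewall file and the second on the fix proposed in the replies.

```python
import re
# Constructed: the thread's first file in miniature (lan->vpn, no 'vpn' zone).
FIREWALL_FIRST = """
config zone 'lan'
	option name 'lan'
config zone 'wan'
	option name 'wan'
config forwarding
	option src 'lan'
	option dest 'vpn'
"""
# Constructed fix: vpn zone, vpn->wan forwarding, accept rule for the listen_port.
FIREWALL_FIXED = FIREWALL_FIRST + """
config zone 'vpn'
	option name 'vpn'
config forwarding
	option src 'vpn'
	option dest 'wan'
config rule
	option src 'wan'
	option proto 'udp'
	option dest_port '8989'
	option target 'ACCEPT'
"""

def parse_uci(text):
    """Parse UCI syntax into (section_type, options); 'list' keys collect values."""
    sections = []
    for m in re.finditer(r"^[ \t]*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?", text, re.M):
        kw, key, val = m.groups()
        if kw == 'config':
            sections.append((key, {}))
        elif kw == 'list':
            sections[-1][1].setdefault(key, []).append(val)
        else:
            sections[-1][1][key] = val
    return sections

def check_firewall(text, wg_port):
    """Findings that would stop tunnel users from reaching the Internet via the Pi."""
    secs = parse_uci(text)
    zones = {o.get('name') for t, o in secs if t == 'zone'}
    fwd = [(o.get('src'), o.get('dest')) for t, o in secs if t == 'forwarding']
    findings = [f"forwarding refers to undefined zone '{z}'" for pair in fwd for z in pair if z not in zones]
    if ('vpn', 'wan') not in fwd:
        findings.append("no vpn->wan forwarding: tunnel users cannot reach the Internet")
    if not any(t == 'rule' and o.get('src') == 'wan' and o.get('proto') == 'udp'
               and o.get('dest_port') == str(wg_port) and o.get('target') == 'ACCEPT' for t, o in secs):
        findings.append(f"no rule accepting udp/{wg_port} from wan: peers cannot reach the listen_port")
    return findings
```

This only inspects the firewall file; the peer section in /etc/config/network separately needs an allowed_ips entry (and carries no private_key), or WireGuard will accept no traffic from that peer regardless of zones.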

I tried to create zone 'vpn', and create 'forwarding'. But it still doesn't work

repost your (new) firewall file.

Here is my new firewall file

config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone 'lan'
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone 'wan'
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config zone 'vpn'
	option name 'vpn'
	list network 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'vpn'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'vpn'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

like I said, not my forte, but I'd say 3x ACCEPT.

Given that you've provided pretty much no details about how everything is actually connected together or what testing you've done then I'm not sure what more you're expecting...

2 Likes

Where is the other end of the Wireguard tunnel? I assume it is a commercial service and you want to use it for general Internet access.

Your diagram shows a wireless connection from the Pi to a single computer that is going to use the tunnel for its Internet. But you have not activated wifi in the Pi and set up a separate network for the Wireguard user(s) which that scheme would require. It now seems that you want that computer to be with the others on the main router's LAN and the whole LAN to use the Wireguard tunnel as the default route to the Internet?

I want only WireGuard users to connect to the Pi and then go to the internet.
WireGuard users are from the Internet.

Other devices will connect directly to the router, not the Pi, and don't use the WireGuard tunnel.

Summary:
Devices from the Internet will use my WireGuard to go to the internet.
Local devices go to the internet directly (not using WireGuard).

The red lines are the route for WireGuard users.
The blue lines are the route for local devices.

that's nowhere near the sketch you provided in your 1st post ...

2 Likes

and it makes even less sense.

1 Like

Sorry! I didn't detail the WireGuard users' route.

do you know

1. Does your primary router have a public IP?
2a. Does it allow you to open ports in the firewall, allowing the incoming WG traffic to pass?
2b. Is there a DMZ option in it?