Hello!
I want to set up WireGuard on a Raspberry Pi 4B (it has only one Ethernet port).
I don't want the Pi 4B connected to the LAN, and I don't want to use a USB <-> RJ45 adapter.
My network should look like the picture below:
I use this firmware for better network speed and stability.
Note: this firmware doesn't have wireless, and I don't need wireless either.
My problem: I can't connect to the network when I'm using WireGuard.
Without connecting to WireGuard: I can ping the Pi, but I can't SSH to it or access http://192.168.x.x, even though the ping works.
/etc/config/network
# /etc/config/network as posted. The '#' lines are review notes; UCI ignores them.
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd3d:15f8:d25f::/48'
# The bridge has no 'list ports' entry, so the 'lan' interface below has no
# physical port behind it. With the single Ethernet port assigned to 'wan'
# (eth0) that is consistent with the one-port design described in the post.
config device
option name 'br-lan'
option type 'bridge'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.10.1'
option netmask '255.255.255.0'
option ip6assign '60'
# eth0 is the only physical port and is the 'wan' interface. In the posted
# firewall file it sits in the 'wan' zone (input REJECT, Allow-Ping rule),
# which matches the symptom of ping working while SSH/HTTP are refused.
config interface 'wan'
option device 'eth0'
option proto 'dhcp'
# Tunnel endpoint on this box. Remote peers have to reach udp/8989 on eth0, so
# a firewall rule accepting udp/8989 from the 'wan' zone is needed (none is
# present in the posted firewall file), plus a port forward on the primary
# router if the Pi is behind it.
# The /32 address gives no on-link route for other tunnel addresses; peer
# addresses must come from the peer's 'allowed_ips' (with 'route_allowed_ips').
# This private key has been posted publicly; regenerate it (wg genkey) before
# this configuration is used.
config interface 'vpn'
option proto 'wireguard'
option private_key 'kHKq+aYz+C27/PKHjS/ryoaW0Y1D/5P5f1p2ClBod14='
option listen_port '8989'
list addresses '192.168.99.1/32'
# Peer section. It has no 'list allowed_ips', so as far as I can tell
# WireGuard's cryptokey routing will pass no traffic to or from this peer even
# after a handshake; the peer's tunnel address belongs here (example value:
# 192.168.99.2/32, chosen to sit next to the 192.168.99.1/32 above).
# 'private_key' is not a peer option: the peer keeps its own private key and
# only its public key is listed here. Since this key was also posted, it
# should be regenerated on the peer as well.
config wireguard_vpn
option description 'Test'
option public_key '/L8eVwF3A4ZyyX2ThTiWc+8LHAciv7BGWPn/PNbAMQo='
option private_key 'uNec6wwUinhUU4epbnvDfy1C7V4+aa6yVvIjfJse4W8='
option persistent_keepalive '25'
/etc/config/firewall
# /etc/config/firewall as posted. The '#' lines are review notes; UCI ignores them.
config defaults
option syn_flood '1'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
config zone 'lan'
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
# eth0 (the 'wan' interface) is the Pi's only physical port, so this zone faces
# the main router's LAN. input REJECT plus the Allow-Ping rule below is why the
# Pi answers ping but refuses SSH/HTTP. Management from that LAN needs explicit
# accept rules (e.g. tcp/22 and tcp/80 from 'wan', in the same form as the
# rules below), not a change of the zone defaults.
config zone 'wan'
option name 'wan'
list network 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
# No zone in this file lists the 'vpn' network, so 'dest vpn' names a zone
# that does not exist and this forwarding cannot match anything (fw4 warns
# about forwardings to undefined zones, as far as I know). The tunnel
# interface itself is in no zone either, leaving it under the REJECT defaults.
config forwarding
option src 'lan'
option dest 'vpn'
config forwarding
option src 'lan'
option dest 'wan'
# Nothing below accepts the WireGuard listen port (udp/8989 in
# /etc/config/network) on 'wan', so remote peers cannot reach the tunnel.
# A rule in the same form as Allow-DHCP-Renew is needed:
#   config rule
#   option name 'Allow-WireGuard'
#   option src 'wan'
#   option proto 'udp'
#   option dest_port '8989'
#   option target 'ACCEPT'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# The two IPsec rules below are stock defaults. Nothing in the posted network
# file uses IPsec, so they accept ESP and udp/500 toward 'lan' for no purpose
# and could be removed.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
Please help me! Thank you.
Not really what I want.
WireGuard doesn't work correctly.
Users connecting through WireGuard can't use the internet. I can see packets on the WireGuard status page.
I'm not an expert on VPN and OpenWrt, but your firewall has only one vpn rule, and it is lan -> vpn, exactly the thing you did not want?
So I configured it wrongly.
I need to add something like:
# Forwarding from the tunnel zone to 'wan'. It only takes effect once a 'vpn'
# zone exists in the firewall file; the posted file has none yet.
config forwarding
option src 'vpn'
option dest 'wan'
Is it right?
that would be a good starting point...
krazeh
August 9, 2024, 11:32am
You need a vpn zone before you can forward to or from it.
Should I add a config like this?
# Proposed zone for the tunnel. 'input ACCEPT' lets every tunnel peer reach all
# of the Pi's own services; since the peers are described later in the thread
# as coming from the Internet, 'REJECT' plus explicit accept rules for what
# they actually need is the tighter choice. 'forward REJECT' only blocks
# vpn -> vpn traffic; vpn -> wan still requires a separate forwarding entry.
config zone 'vpn'
option name 'vpn'
list network 'vpn'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
krazeh
August 9, 2024, 11:43am
Yes, that'd be a good place to start
I tried creating the 'vpn' zone and the 'forwarding' entry, but it still doesn't work.
Repost your (new) firewall file.
Here is my new firewall file:
# Second /etc/config/firewall as posted. The '#' lines are review notes; UCI ignores them.
config defaults
option syn_flood '1'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
config zone 'lan'
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
# eth0 (the 'wan' interface) is the Pi's only physical port, so this zone faces
# the main router's LAN. 'masq 1' here is what NATs vpn -> wan traffic to the
# Pi's eth0 address once the forwarding below is in place.
config zone 'wan'
option name 'wan'
list network 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
# Tunnel zone, now present. 'input ACCEPT' gives every peer full access to the
# Pi's own services; the peers are described later in the thread as coming
# from the Internet, so 'REJECT' plus explicit accept rules for what they need
# would be the tighter choice.
config zone 'vpn'
option name 'vpn'
list network 'vpn'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config forwarding
option src 'vpn'
option dest 'wan'
# lan -> vpn: the thread states local devices do not use the tunnel, and the
# 'lan' bridge has no ports in the posted network file, so this entry appears
# to serve no purpose.
config forwarding
option src 'lan'
option dest 'vpn'
config forwarding
option src 'lan'
option dest 'wan'
# Still missing: nothing below accepts the WireGuard listen port (udp/8989 in
# /etc/config/network) on 'wan', so remote peers cannot reach the tunnel from
# outside. A rule in the same form as Allow-DHCP-Renew is needed:
#   config rule
#   option name 'Allow-WireGuard'
#   option src 'wan'
#   option proto 'udp'
#   option dest_port '8989'
#   option target 'ACCEPT'
# The peer in the posted network file also has no 'list allowed_ips', which
# would stop traffic regardless of these firewall settings.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# The two IPsec rules below are stock defaults. Nothing in the posted network
# file uses IPsec, so they accept ESP and udp/500 toward 'lan' for no purpose
# and could be removed.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
Like I said, not my forte, but I'd say 3x ACCEPT.
krazeh
August 9, 2024, 12:43pm
Given that you've provided pretty much no details about how everything is actually connected together, or what testing you've done, I'm not sure what more you're expecting...
mk24
August 9, 2024, 12:48pm
Where is the other end of the Wireguard tunnel? I assume it is a commercial service and you want to use it for general Internet access.
Your diagram shows a wireless connection from the Pi to a single computer that is going to use the tunnel for its Internet. But you have not activated wifi in the Pi and set up a separate network for the Wireguard user(s) which that scheme would require. It now seems that you want that computer to be with the others on the main router's LAN and the whole LAN to use the Wireguard tunnel as the default route to the Internet?
I want only WireGuard users to connect to the Pi and then go out to the internet.
The WireGuard users come from the Internet.
Other devices will connect directly to the router, not the Pi, and won't use the WireGuard tunnel.
Summary:
Devices from the Internet will use my WireGuard tunnel to reach the internet.
Local devices go to the internet directly (not using WireGuard).
The red lines are route for WireGuard users
The blue lines are route for local devices
That's nowhere near the sketch you provided in your 1st post ...
mk24
August 9, 2024, 1:09pm
and it makes even less sense.
Sorry! I didn't detail the WireGuard users' route.
Do you know whether:
1. the primary router has a public IP?
2a. it allows you to open ports in its firewall, letting the incoming WG traffic pass?
2b. it has a DMZ option?