oneil4
August 21, 2021, 4:30pm
Hi,
My WireGuard configuration doesn't work: I can only access the local router, but if I try to use the VPN to access Google (for example) I get the error "DNS bad prob blablabla ...".
I tried adding "option dns '1.1.1.1'", but same issue.
config interface 'wg0'
    option proto 'wireguard'
    list addresses '10.0.1.1/24'
    option listen_port '56718'
    option private_key 'IAxsssssssssssssssdYDlvssssssssssssssssssssC3I='
    option mtu '1280'
    option dns '1.1.1.1'

config wireguard_wg0
    option description 'redmiseb'
    option public_key 'Zzsssssssssssssssssssssssssssssssssss='
    list allowed_ips '10.0.1.2'
The wgserver file:
config server
    option port_start '56718'
    option port_end '56730'
    option base_prefix '2002::/64'
    option wg_key '/root/wg.key'
    option wg_pub '/root/wg.pub'
My only firewall rule:
config rule
    option name 'wireguard'
    option src 'wan'
    option dest_port '56718'
    option target 'ACCEPT'
    list proto 'tcp'
    list proto 'udp'
My dhcp file:
config dnsmasq
    option domainneeded '1'
    option localise_queries '1'
    option rebind_protection '1'
    option rebind_localhost '1'
    option local '/lan/'
    option domain 'lan'
    option expandhosts '1'
    option authoritative '1'
    option readethers '1'
    option leasefile '/tmp/dhcp.leases'
    option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
    option localservice '1'
    option ednspacket_max '1232'
    option sequential_ip '1'
    list server '10.0.0.1#5335'

config dhcp 'lan'
    option interface 'lan'
    option start '100'
    option limit '150'
    option dhcpv4 'server'
    option leasetime '72h'
    list ra_flags 'none'

config dhcp 'wan'
    option interface 'wan'
    option ignore '1'

config odhcpd 'odhcpd'
    option maindhcp '0'
    option leasefile '/tmp/hosts/odhcpd'
    option leasetrigger '/usr/sbin/odhcpd-update'
    option loglevel '4'
I'm using AdGuard Home on IP 10.0.0.1:5335.
Do you have an idea?
Thank you
krazeh
August 21, 2021, 6:26pm
The `list allowed_ips` in this config means that only traffic coming from or going to 10.0.1.2 is allowed in or out of the tunnel. You need to add 0.0.0.0/0 to the list.
Is that a screenshot of your "server"? If so, remove the 0.0.0.0/0 and check the "route allowed ips".
oneil4
August 22, 2021, 6:12am
I don't know if this is right or not, but I have tried changing the peer IP and the WireGuard IP:
WireGuard old 10.0.2.1 => 10.0.0.200
and peer old 10.0.2.2 => 10.0.0.201
because br-lan is currently 10.0.0.1 with a static lease range of 10.0.0.2 to 10.0.0.100 (but the 100 static leases are not used),
10.0.0.101 to 10.0.0.150 = dynamic DHCP,
and now WireGuard on 10.0.0.200.
But again it does not work.
To test, I use my phone's AP to connect my computer and activate WireGuard directly on my computer, not on my phone, because I have read that it is not possible with a non-rooted phone to use the phone's AP with the tunnel for all devices connected to the AP ...
Illustration of the current situation:
pc with wireguard active ==> phone AP ==> internet ==> ISP box ===> router openwrt.
I only have local traffic (if I try to connect to LuCI, it works) but no DNS resolution if I try to access the Google page, for example.
Wireguard must be on a different subnet than your lan(s). So your original network ranges were fine. Your new one won’t work properly.
Please post the wg config file from your pc.
oneil4
August 23, 2021, 4:06am
The wgserver file:
config server
    option port_start '56718'
    option port_end '56730'
    option base_prefix '2002::/64'
    option wg_key '/root/wg.key'
    option wg_pub '/root/wg.pub'
The network file:
config interface 'loopback'
    option device 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'

config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'eth0'

config interface 'lan'
    option device 'br-lan'
    option proto 'static'
    option netmask '255.255.255.0'
    option ipaddr '10.0.0.1'
    option ipv6 '0'

config interface 'wan'
    option device 'eth1'
    option proto 'dhcp'
    option ipv6 '0'

config switch
    option name 'switch0'
    option reset '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '0 1 2 3 4'
    option vid '1'

config interface 'wg0'
    option proto 'wireguard'
    option listen_port '56718'
    option private_key 'IxxxxI='
    list addresses '10.0.0.200/24'
    option force_link '1'

config wireguard_wg0
    option description 'redmiseb'
    option public_key 'ZxxxxA='
    option route_allowed_ips '1'
    list allowed_ips '10.0.0.201'
My firewall file:
config defaults
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option synflood_protect '1'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    list network 'lan'
    list network 'wg0'

config zone
    option name 'wan'
    option output 'ACCEPT'
    option masq '1'
    option mtu_fix '1'
    list network 'wan'
    option forward 'REJECT'
    option input 'REJECT'

config forwarding
    option src 'lan'
    option dest 'wan'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fc00::/6'
    option dest_ip 'fc00::/6'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-IPSec-ESP'
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option name 'Allow-ISAKMP'
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

config rule
    option name 'Support-UDP-Traceroute'
    option src 'wan'
    option dest_port '33434:33689'
    option proto 'udp'
    option family 'ipv4'
    option target 'REJECT'
    option enabled '0'

config include
    option path '/etc/firewall.user'

config rule
    option target 'ACCEPT'
    option src 'wan'
    option proto 'tcp'
    option dest_port '80'
    option enabled '0'
    option name 'INTERNET LUCI'

config rule
    option target 'ACCEPT'
    list proto 'tcp'
    option src 'wan'
    option dest_port '21 20000 20001'
    option enabled '0'
    option name 'INTERNET FTP'

config rule
    option target 'ACCEPT'
    list proto 'tcp'
    option src 'wan'
    option dest_port '22'
    option enabled '0'
    option name 'INTERNET SSH'

config rule
    option name 'wireguard'
    option src 'wan'
    option dest_port '56718'
    option target 'ACCEPT'
    list proto 'tcp'
    list proto 'udp'
And my DHCP file:
config dnsmasq
    option domainneeded '1'
    option localise_queries '1'
    option rebind_protection '1'
    option rebind_localhost '1'
    option local '/lan/'
    option domain 'lan'
    option expandhosts '1'
    option authoritative '1'
    option readethers '1'
    option leasefile '/tmp/dhcp.leases'
    option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
    option localservice '1'
    option ednspacket_max '1232'
    option sequential_ip '1'
    list server '10.0.0.1#5335'

config dhcp 'lan'
    option interface 'lan'
    option start '100'
    option limit '150'
    option dhcpv4 'server'
    option leasetime '72h'
    list ra_flags 'none'

config dhcp 'wan'
    option interface 'wan'
    option ignore '1'

config odhcpd 'odhcpd'
    option maindhcp '0'
    option leasefile '/tmp/hosts/odhcpd'
    option leasetrigger '/usr/sbin/odhcpd-update'
    option loglevel '4'

config host
    option name 'imprimante'
    option dns '1'
    option mac 'F4:39:09:8F:08:BF'
    option ip '10.0.0.2'

config host
    option name 'WIFIasusN76VB'
    option dns '1'
    option mac '6C:71:D9:AC:18:1D'
    option ip '10.0.0.3'
The PC config:
[Interface]
PrivateKey = 8OSUxxxxxx1GE=
Address = 10.0.0.201/32
[Peer]
PublicKey = tpBspxxxxx=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = openwrt.vairon.fr:56718
You need to change your WG or LAN subnet -- they cannot be the same. Change one or the other to another subnet (and if you change the WG subnet, be sure to update it for the allowed IPs on the OpenWrt side as well as the address on the PC).
The other thing you need to do is add DNS to the PC interface configuration -- without it, you will not have a DNS server specified.
oneil4
August 23, 2021, 4:35am
OK, I changed the WG interface: no longer using 200, now re-using 10.0.1.1, and 10.0.1.2 for the peer.
Added DNS to the desktop file:
[Interface]
PrivateKey = 8Ossssssssssssu0kQP1GE=
Address = 10.0.1.2/32
DNS = 10.0.0.1:5335
[Peer]
PublicKey = tpBspPQssssssssssssssHEDjRzT4=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = openwrt.vdddd.fr:56718
DNS = 10.0.0.1:5335 is AdGuard Home.
Try pinging the router address, then 8.8.8.8, and then google.com
Report the results of each ping test.
The ping result appears to show that pinging 8.8.8.8 is working. Therefore, the problem is almost certainly the DNS setting in the PC's WG config. Try changing the DNS there to 8.8.8.8 and see if you can then ping sites by domain name and/or browse the web.
oneil4
August 23, 2021, 4:43am
OK, better:
if I change DNS to 8.8.8.8 the tunnel works,
but I don't know why it doesn't work with my AdGuard Home now; on the LAN network it works perfectly.
AdGuard web interface IP: 10.0.0.1:8080
DNS server: 10.0.0.1:5335
I don't know if you can specify an alternate port in the DNS configuration of Wireguard. That may be the issue. Maybe someone else can chime in if there is a way to do that.
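The three problems diagnosed over the course of this thread (AllowedIPs deciding what the tunnel carries at all, WireGuard and the LAN both sitting in 10.0.0.0/24, and a `DNS =` entry that carries a port) can be checked mechanically before bringing the tunnel up. The Python below is an added example written for this page; it is not code from the thread, from OpenWrt or from the WireGuard project. It parses a wg-quick client file and the router's UCI `wireguard` sections and reports each problem. The sample configs are constructed from the values posted above with the keys replaced by placeholders, the endpoint left out, and `LAN_CIDR` assumed from the posted br-lan address 10.0.0.1/255.255.255.0. The "fixed" pair reflects the poster's working end state (WireGuard on 10.0.1.0/24) with the PC pointed at `10.0.0.1` rather than `10.0.0.1:5335`.

```python
"""Lint a wg-quick client config against the OpenWrt-side WireGuard peer (added example)."""
import ipaddress
import re
import shlex

# Constructed samples built from the values posted in the thread. Keys are
# placeholders; LAN_CIDR is assumed from br-lan 10.0.0.1/255.255.255.0.
LAN_CIDR = "10.0.0.0/24"
ROUTER_UCI = """\
config interface 'wg0'
    option proto 'wireguard'
    list addresses '10.0.0.200/24'

config wireguard_wg0
    option public_key 'PC_PUBLIC_KEY_PLACEHOLDER='
    option route_allowed_ips '1'
    list allowed_ips '10.0.0.201'
"""
PC_CONF = """\
[Interface]
Address = 10.0.0.201/32
DNS = 10.0.0.1:5335

[Peer]
PublicKey = ROUTER_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 0.0.0.0/0, ::/0
"""
ROUTER_UCI_FIXED = ROUTER_UCI.replace("10.0.0.200/24", "10.0.1.1/24").replace("10.0.0.201", "10.0.1.2")
PC_CONF_FIXED = PC_CONF.replace("10.0.0.201/32", "10.0.1.2/32").replace("10.0.0.1:5335", "10.0.0.1")  # own /24, no port


def parse_uci(text):
    """Minimal UCI reader: list of {'type', 'name', 'options', 'lists'}."""
    sections = []
    for parts in (shlex.split(ln, comments=True) for ln in text.splitlines()):
        if not parts:
            continue
        if parts[0] == "config":
            sections.append({"type": parts[1], "name": parts[2] if len(parts) > 2 else None,
                             "options": {}, "lists": {}})
        elif parts[0] == "option":
            sections[-1]["options"][parts[1]] = parts[2]
        elif parts[0] == "list":
            sections[-1]["lists"].setdefault(parts[1], []).append(parts[2])
    return sections


def parse_wg_quick(text):
    """Minimal wg-quick reader: (interface, [peers]); every value is a list."""
    interface, peers, current = {}, [], None
    for line in (ln.split("#", 1)[0].strip() for ln in text.splitlines()):
        if line.startswith("["):
            current = interface if line.lower() == "[interface]" else {}
            if current is not interface:
                peers.append(current)
        elif line:
            key, _, value = line.partition("=")
            current.setdefault(key.strip(), []).extend(v.strip() for v in value.split(","))
    return interface, peers


def tunnel_accepts(address, allowed_ips):
    """Cryptokey routing: a peer only sends or accepts packets whose address
    falls inside one of that peer's AllowedIPs prefixes."""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(p, strict=False) for p in allowed_ips)


def lint(router_uci, pc_conf, lan_cidr):
    """Return findings for a router/PC pair; an empty list means they are consistent."""
    findings, lan = [], ipaddress.ip_network(lan_cidr)
    sections = parse_uci(router_uci)
    wg_if = next(s for s in sections
                 if s["type"] == "interface" and s["options"].get("proto") == "wireguard")
    router_peers = [s for s in sections if s["type"] == "wireguard_" + wg_if["name"]]
    pc_if, pc_peers = parse_wg_quick(pc_conf)
    pc_addr = ipaddress.ip_interface(pc_if["Address"][0]).ip
    # 1. Tunnel addresses inside the LAN subnet leave the router unable to route replies.
    for addr in wg_if["lists"].get("addresses", []) + pc_if["Address"]:
        if lan.overlaps(ipaddress.ip_network(addr, strict=False)):
            findings.append(f"{addr} overlaps LAN {lan}: move WireGuard to its own subnet")
    # 2. Router side: allowed_ips must contain the PC address; a default route there plus
    #    route_allowed_ips=1 would point the router's own default route into the tunnel.
    for peer in router_peers:
        allowed = peer["lists"].get("allowed_ips", [])
        if not tunnel_accepts(str(pc_addr), allowed):
            findings.append(f"router drops traffic from {pc_addr}: not in allowed_ips {allowed}")
        if peer["options"].get("route_allowed_ips") == "1" and any(
                ipaddress.ip_network(p, strict=False).prefixlen == 0 for p in allowed):
            findings.append("router peer lists a default route with route_allowed_ips=1")
    # 3. PC side: only prefixes listed in AllowedIPs are sent into the tunnel at all.
    for probe in ("10.0.0.1", "8.8.8.8"):
        if not any(tunnel_accepts(probe, p.get("AllowedIPs", [])) for p in pc_peers):
            findings.append(f"PC will not route {probe} into the tunnel: not in AllowedIPs")
    # 4. wg-quick's DNS= takes IP addresses or search domains, never host:port.
    for dns in pc_if.get("DNS", []):
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}:\d+", dns) or dns.startswith("["):
            findings.append(f"DNS={dns}: wg-quick does not accept a port; use a resolver on 53")
    return findings


if __name__ == "__main__":
    print(lint(ROUTER_UCI, PC_CONF, LAN_CIDR), lint(ROUTER_UCI_FIXED, PC_CONF_FIXED, LAN_CIDR))
```

Running it reports three findings for the posted pair (two subnet overlaps and the DNS port) and none for the fixed pair. On the DNS point: wg-quick's `DNS =` accepts IP addresses (or non-IP names, taken as search domains) and no port, so `10.0.0.1:5335` cannot be expressed there. Pointing the PC at `10.0.0.1` reaches dnsmasq on port 53, which the posted dhcp config already forwards to AdGuard Home via `list server '10.0.0.1#5335'`; the posted firewall places `wg0` in the `lan` zone with `input 'ACCEPT'`, and with `localservice '1'` dnsmasq treats 10.0.1.0/24 as local because that prefix is configured on wg0 itself, provided dnsmasq is listening on that interface.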
oneil4
August 23, 2021, 4:46am
Thanks, I'll be back later, I'm going to work. AFK for ~11 hours.