WireGuard only TX no RX traffic

HI,

after upgrading to OpenWrt 19.07 I somehow have only RX traffic but no TX traffic:

Here my settings:




Firewall Settings:

Traffic Rules:

network: rt_tables

128     prelocal
255     local
254     main
253     default
0       unspec
100 vpnroute
101 wanroute

network: config rules

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fde2:cfde:7e77::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth1.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.15.1'
        option delegate '0'
        option igmp_snooping '1'
        # Both point at the LAN interface's own address. On a static LAN the
        # default route and DNS come from 'wan' below; the reply in this thread
        # recommends removing these two lines.
        option gateway '192.168.15.1'
        option dns '192.168.15.1'

# 'wan' gets its default route and DNS via DHCP from the upstream side.
config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# VLAN 1: ports 1-4 untagged, CPU port 6 tagged (presumably carried as eth1.1 for 'lan')
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 6t'

# VLAN 2: port 5 untagged, CPU port 0 tagged (presumably eth0.2 for 'wan')
config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 0t'

# Policy-routing rule: this single LAN host (/32) is looked up in table 100
# ('vpnroute' in rt_tables above), i.e. it is sent into the Mullvad tunnel.
config rule
        option in 'lan'
        option src '192.168.15.50/32'
        option lookup '100'

*******
# Second VPN-routed host, same as the rule above.
config rule
        option in 'lan'
        option src '192.168.15.79/32'
        option lookup '100'

# Catch-all: the whole LAN to table 101 ('wanroute'). ip rules are consulted
# in priority order, so this must sort after the /32 rules above or it
# swallows them. The reply in this thread recommends dropping it entirely:
# hosts not matched by a /32 rule fall through to the main table, whose
# default route already leaves via wan.
config rule
        option in 'lan'
        option src '192.168.15.0/24'
        option lookup '101'

# Default route through the Mullvad tunnel, installed only in table 100 so
# that just the hosts matched by the 'lookup 100' rules use it.
config route 'VPN_route'
        option interface 'WGINTERFACE'
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option table '100'

# LAN subnet copied into table 100; the reply in this thread says this is
# not needed.
config route 'lan_route_VPN'
        option interface 'lan'
        option target '192.168.15.0'
        option netmask '255.255.255.0'
        option gateway '192.168.15.1'
        option table '100'

# NOTE(review): 'WAN' does not match the interface section named 'wan'
# above -- UCI section names are case-sensitive, so this route most likely
# never gets installed. The reply recommends removing it anyway.
config route 'WAN_route'
        option interface 'WAN'
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option table '101'

# NOTE(review): 'target' already carries a prefix length while 'netmask' is
# also given, and 'table' names two ids in one option -- neither looks like
# a valid single route. The reply recommends removing this section.
config route 'lan_route'
        option interface 'lan'
        option target '192.168.15.0/24'
        option netmask '255.255.255.0'
        option gateway '192.168.15.1'
        option table '100 101'

# Server side of the road-warrior tunnel: the phone peer below dials in to
# listen_port. The poster says this tunnel works fine.
config interface 'wg0'
        option proto 'wireguard'
        # Secrets are redacted in the post -- keep it that way when sharing configs.
        option private_key '***private key'
        option listen_port '***port'
        option force_link '1'
        option delegate '0'
        list addresses '192.168.16.1/24'

config wireguard_wg0
        # Adds a kernel route for every allowed_ips entry of this peer; with
        # the /24 below that is the whole tunnel subnet, overlapping the
        # interface address above. The reply recommends removing this line.
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        option description 'MobileNote8'
        option public_key '***public key'
        # allowed_ips is WireGuard's cryptokey-routing entry for this peer: it
        # is both the destinations sent to the peer AND the source addresses
        # accepted from it. A /24 for a single phone lets that peer claim any
        # address in 192.168.16.0/24; a single-host /32 (192.168.16.2/32, as
        # the reply suggests) is the least-privilege setting.
        list allowed_ips '192.168.16.2/24'

# Client side: outbound tunnel to the VPN provider, reached only through the
# table-100 default route above.
config interface 'WGINTERFACE'
        option proto 'wireguard'
        option delegate '0'
        option force_link '1'
        # Tunnel address redacted in the post.
        list addresses '10.***/32'
        option private_key '***my private key'

config wireguard_WGINTERFACE
        # Provider server key and endpoint -- these are public, not secrets.
        option public_key 'iE7SukqspT1UtQxce9S5plJ+GpAXdl4zG2oqpbhzvAw='
        option endpoint_host '185.210.219.242'
        # 0.0.0.0/0 with no route_allowed_ips: presumably no route is added
        # automatically, so only the explicit table-100 default route sends
        # traffic into this tunnel.
        list allowed_ips '0.0.0.0/0'
        option persistent_keepalive '25'
        option description 'Mullvad'
        option endpoint_port '51820'

I also tried configuring everything again (new keys, removing and re-adding WireGuard) but always ended up in the same scenario :frowning:

PS: WG is for a mobile client to dial in via the WG protocol, and this is working fine.

THANKS!

In network, under lan interface remove these:

        # Both point at the LAN's own address; on a static LAN they are redundant.
        option gateway '192.168.15.1'
        option dns '192.168.15.1'

Remove these:

# The /24 catch-all to table 101. Without it, LAN hosts not matched by a /32
# rule fall through to the main table and leave via wan anyway.
config rule
        option in 'lan'
        option src '192.168.15.0/24'
        option lookup '101'


# Duplicate of the LAN subnet in table 100 -- not needed.
config route 'lan_route_VPN'
        option interface 'lan'
        option target '192.168.15.0'
        option netmask '255.255.255.0'
        option gateway '192.168.15.1'
        option table '100'

# NOTE(review): 'WAN' does not match the 'wan' section name (case-sensitive),
# and the main table already holds the wan default route.
config route 'WAN_route'
        option interface 'WAN'
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option table '101'
# NOTE(review): 'table' lists two ids in one option and 'target' already has a
# prefix length -- this does not look like a valid single route.
config route 'lan_route'
        option interface 'lan'
        option target '192.168.15.0/24'
        option netmask '255.255.255.0'
        option gateway '192.168.15.1'
        option table '100 101'

Under `config wireguard_wg0` remove `option route_allowed_ips '1'` and change the peer's allowed IPs to `list allowed_ips '192.168.16.2/32'`.
Also the forwarding from the wan zone to the wg zone is not correct.


Great it works!

If I understand the changes right, I don't need to have the lan and wan routes, as they are available by default (UI setting for interfaces), so the entries are not needed — am I right?

Regarding wan - I have now set this to reject; not sure why I overlooked this before.

Thanks

The default gateway is not needed in LAN, because the router already knows its default route from WAN. Also the DNS is learnt from the WAN.
The routes that you had were too many. Your default gateway is the wan, so if you don't manipulate anything the traffic goes out of wan. So you need only a default route in a separate routing table for the VPN, and rules for the devices which you'd like to send via the VPN.

