Wireguard OpenWrt <-> OpenWrt tunnel for travel router

I'm having difficulty configuring my WG tunnel for a travel router environment. For context, I have this setup working perfectly with OpenVPN, but I just can't seem to figure out the right set of options for the WireGuard-related configuration.

Here's the setup:

  • OpenWrt 18.06.4 on a router at home as the "server side" endpoint (server in OpenVPN, peer in WG).
  • OpenWrt 18.06.4 on a travel router as my 'remote' endpoint. The WAN of this router is wifi/ethernet in my remote location (hotel, cafe, etc.), and all of the devices I have with me (phones, computers, tablets, etc.) connect to the LAN of this device. This travel router can be just a regular old NAT/firewall setup, or can create a VPN tunnel back to my home endpoint -- and this is all transparent to the devices that are on the LAN. This allows all of my devices to access the internet as if I were home (geo IP restrictions, security when on an unknown network, etc.), and I can also access resources on my home network.

With OpenVPN, I use the redirect-gateway def1 directive to direct all traffic through the tunnel. I then have the following statements in my firewall:

config zone
	option name 'vpn'
	option input 'REJECT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option network 'tun0'

config forwarding
	option dest 'vpn'
	option src 'lan'

Now, with that in mind, I'm trying to figure out how to set up the WG tunnel. I have it working properly between my iPhone and the home router. Therefore, I can confirm that the "server side" (home) peer is configured properly.

I can get a peer-to-peer handshake successfully established between the two routers. But when I establish the connection, no traffic flows through the tunnel. If I enable the "route allowed IPs" option, it seems to kill connectivity entirely.

Here is the relevant stuff from the firewall and network files. What's wrong, and what options should be enabled/disabled (for example, force link, route allowed IPs, masquerade & mtu_fix, the WireGuard firewall zone settings, etc.)?

config zone
	option output 'ACCEPT'
	option name 'WireGuard'
	option forward 'REJECT'
	option input 'REJECT'
	option network 'wg0'

config forwarding
	option dest 'WireGuard'
	option src 'lan'

config interface 'wg0'
	option proto 'wireguard'
	list addresses '10.0.5.3'
	option private_key '[REDACTED]'
	option delegate '0'
	option force_link '1'

config wireguard_wg0
	option public_key '[REDACTED]'
	option endpoint_host '[REDACTED]'
	option endpoint_port '8444'
	option persistent_keepalive '25'
	option preshared_key '[REDACTED]'
	option description 'Home VPN'
	list allowed_ips '0.0.0.0/0'

Thanks!

Hi There
Which WireGuard provider do you use?
WireGuard configuration is different from OpenVPN. I'll send you some tutorial links, hope they solve your problem.

https://vpn.ac/knowledgebase/125/WireGuard-on-OpenWRT.html

https://torguard.net/article/250/how-to-setup-wireguard-on-the-gli-gl-ar750s-openwrt-router.html

I suggest you configure your WG according to this link, simple and easy:

https://vpn.ac/knowledgebase/125/WireGuard-on-OpenWRT.html

Good Luck

@David.S.Mckellen - Thanks for the reply. I'm not using a commercial WG provider. Instead, it is a router with WG installed at home. I use the VPN to tunnel back to my home network (remote access to network resources in my home) and home internet connection (to bypass geo IP restrictions such as streaming media when I'm out of the country or bypassing the Great Firewall of China, etc.). So following a commercial VPN's suggestions may or may not work, depending on how closely it mirrors my general setup at home.

I had looked at these guides. They seem to all suggest that the route allowed IPs option should be enabled. They differ on how they manage the firewall zone (some suggest a unique wireguard zone with masquerading enabled, others apply the wg interface to the WAN zone which is usually also masqueraded).

Despite trying those things, I still was unable to get it to work properly. Any additional thoughts?

Looks like you have tried quite a lot :wink:

Just to confirm the "kill connectivity entirely" statement. Does it also include small packets like ping, tcp 3-way connection setup? If not, I would give mtu_fix a try.

route_allowed_ips is also required to make the WireGuard interface the default route. Please check if there is also a host route to route the tunnel endpoint IP through the WAN port.

masq is required depending on the allowed IPs settings of the WireGuard interface on your home router.


@yousong - Thanks for your reply. Yes, I have tried a bunch of things! And yes, the route_allowed_ips and masq are exactly what I figured based on my experience with OpenVPN in this same type of application. When the connectivity would die, it would kill everything, including pings.

but...

Meanwhile, I noticed that my iPhone WG stopped working, so I re-configured everything on my 'server'/home peer (new keys and such) and also reconfigured the iPhone client. It is possible something broke as I was adding the 2nd peer (for the travel router), so maybe I wasn't doing anything wrong, but rather fighting some other mistake or broken issue on the 'server' side.

I'm still working on this issue, but I'll report back with status and hopefully a solution when I can!

Thanks for the input thus far!

I solved it. Here is what I learned and then the working config.

First, I will (and have been) referring to my home-based VPN endpoint as the 'server'. The iPhone and travel router are, in this case, 'clients'. I am putting the 'server' and 'client' words in quotes because I know that WG treats everything as peers.

On the 'server', I had originally set up one 'client' (my iPhone), and I set the allowed IPs for the iPhone peer configuration (on the 'server') to 0.0.0.0/0 and checked the route allowed IPs box. This worked, and I thought that it meant that any IP address that I would contact from the iPhone would be allowed to be routed through the server. However, this turned out to be the wrong interpretation, as I learned when I set up the second 'client' with the same config. Suddenly in the WireGuard Status page, my iPhone, from the perspective of the 'server', said Allowed IPs was None! That is when I realized I was treating this Allowed IPs incorrectly.

The solution was to set the 'server' side peer allowed IPs with a /32 address that is in the subnet of the server's general setup. I had already been setting up the 'client' side general configuration with that paradigm. On the 'client' devices, it is fine to use 0.0.0.0/0 as the allowed IPs because that basically forces all traffic through the WG tunnel. And, as I had thought/expected and was confirmed in this thread, route allowed IPs should be enabled on the 'client' side. In the 'client' side firewall, masquerading should also be enabled in this context since the travel router gets a single IP from the WG 'server' and essentially NATs that to the devices connected to the travel router itself.

Here is what I finally did:

WireGuard section of /etc/config/network on 'server'
config interface 'wg0'
	option proto 'wireguard'
	option listen_port '8444'
	list addresses '10.0.5.1/24'
	option private_key '[REDACTED]'
	option auto '0'

config wireguard_wg0
	option description 'iPhone'
	option public_key '[REDACTED]'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	list allowed_ips '10.0.5.2/32'
	option preshared_key '[REDACTED]'

config wireguard_wg0
	option description 'TravelRouter'
	option public_key '[REDACTED]'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	list allowed_ips '10.0.5.3/32'
	option preshared_key '[REDACTED]'

WireGuard section of /etc/config/network on 'client' travel router
config interface 'wg0'
	option proto 'wireguard'
	option private_key '[REDACTED]'
	list addresses '10.0.5.3/24'
	option auto '0'

config wireguard_wg0
	option public_key '[REDACTED]'
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'
	option endpoint_host '[REDACTED]'
	option endpoint_port '8444'
	option persistent_keepalive '25'
	option description 'WGHome'
	option preshared_key '[REDACTED]'

WireGuard section of /etc/config/firewall on 'client' travel router
config zone
	option forward 'REJECT'
	option output 'ACCEPT'
	option name 'WireGuard'
	option input 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wg0'

config forwarding
	option dest 'WireGuard'
	option src 'lan'
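The Allowed IPs behaviour described in the solution above, modelled as an added example (not code from the thread or from OpenWrt): WireGuard keeps one cryptokey routing table per interface, a prefix can belong to only one peer, and a packet arriving from a peer is dropped if its source address is not in that peer's allowed IPs. The peer names and the 192.168.x LAN address are constructed for the example.

```python
# Added example: a model of WireGuard's per-interface cryptokey routing table,
# showing why giving both 'server'-side peers 0.0.0.0/0 left the iPhone with
# "Allowed IPs: None", and why the travel router needs masq on its WG zone.
import ipaddress


class CryptokeyTable:
    """Maps allowed-IP prefixes to peers; each prefix belongs to exactly one peer."""

    def __init__(self):
        self.routes = {}  # ip_network -> peer name

    def set_allowed_ips(self, peer, prefixes):
        # WireGuard gives a prefix to the most recently configured peer,
        # silently removing it from whichever peer held it before.
        for p in prefixes:
            self.routes[ipaddress.ip_network(p)] = peer

    def allowed_ips(self, peer):
        return sorted(str(n) for n, owner in self.routes.items() if owner == peer)

    def peer_for(self, ip):
        # Outbound: longest-prefix match picks the peer a packet is sent to.
        addr = ipaddress.ip_address(ip)
        matches = [n for n in self.routes if addr in n]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda n: n.prefixlen)]

    def accepts_from(self, peer, src_ip):
        # Inbound: a decrypted packet from `peer` is kept only if its source
        # address routes back to that same peer; otherwise it is dropped.
        return self.peer_for(src_ip) == peer


def broken_server_config():
    t = CryptokeyTable()
    t.set_allowed_ips("iPhone", ["0.0.0.0/0"])
    t.set_allowed_ips("TravelRouter", ["0.0.0.0/0"])  # steals 0.0.0.0/0 from iPhone
    return t


def working_server_config():
    t = CryptokeyTable()
    t.set_allowed_ips("iPhone", ["10.0.5.2/32"])
    t.set_allowed_ips("TravelRouter", ["10.0.5.3/32"])
    return t


def client_config():
    t = CryptokeyTable()
    t.set_allowed_ips("WGHome", ["0.0.0.0/0"])  # everything goes into the tunnel
    return t
```

With the working 'server' table, a packet from the travel router's LAN device (constructed source 192.168.8.10) would be dropped unless the travel router first masquerades it to 10.0.5.3, which is what the masq option in its WireGuard zone does.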

