Wireguard routing on Fritz!3000 repeater

Hi folks,
first of all thanks to everyone contributing here.

I am using my Fritz 3000 repeater as an wifi to wifi router when im on vacation. I have an own server with wireguard which I use to circumvent geoblocking.

This setup worked fine for several years until I updated to the current openwrt (23.05.3) release via LuCi upload. The former version version was about 1 year old. I got some warnings that my existing configuration might cause trouble which I confirmed and kept the conf.
At a first glance it worked fine but soon I realized that the router wont boot reliably. Sometimes I have to powercycle it a few times until any interface comes back online.

So I decided to rebuild the config based on the old one by peeking at the conf backup. I also downloaded a backup of the new conf. Now I can choose between two options depending on what conf is active:

  1. Old conf - unreliable booting but wireguard routing working

  2. New conf - reliaible booting but wireguard routing not working
    This means the handshake works wg interface is up and connected but i cant get openwrt to route through the wg tunnel. It routes through the wan interface. I found this by using an IP checker site. It confirmes that I am located in the contry I am in and not in my homecountry as it would be with the old conf.

I think this is something about the firewall configuration, so here are the files

Old one, unreliable boot but wg routing works

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	option mtu_fix '1'

config zone
	option name 'wan'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option name 'vpn'
	option output 'ACCEPT'
	option forward 'DROP'
	option input 'DROP'
	option masq '1'
	list network 'wgReise'

config forwarding
	option src 'lan'
	option dest 'vpn'

New one - reliable boot but wg routing does not work

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan_zone'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	option mtu_fix '1'

config zone
	option name 'wgReiseZone'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	list network 'wgReise'
	option masq '1'

config zone
	option name 'wan_zone'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan_zone'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan_zone'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan_zone'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan_zone'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan_zone'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan_zone'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan_zone'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan_zone'
	option dest 'lan_zone'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan_zone'
	option dest 'lan_zone'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config forwarding
	option src 'lan_zone'
	option dest 'wgReiseZone'

config forwarding
	option src 'lan_zone'
	option dest 'wan_zone'

there is a line missing in the new one:

config include
	option path '/etc/firewall.user'

I further realized that there are more files under /etc/conf in the old backup.

I followed this tutorial on the new conf to set up wg routing:
wg setup for dummies

To me it doesnt matter if wg routing is fixed in the new one or the boot issue in the old one.

If there are any questions or requests for further conf files I'll happily provide them

Thanks in advance

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
grafik
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
1 Like

Possible quick fix: in the new config did you Enable Route Allowed IPs in the WG peer config?

Otherwise lets see thee new config, please connect to your OpenWRT device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
ip route show
wg show

Oh and, non related, but you can remove option mtu_fix '1' from the LAN zone

1 Like

I very much appreciate the quick replies :smiley:

unfortunately ip routing is checked in the wg peer config.

I will deliver the asked files in a few ours.

ubus call system board:

{
        "kernel": "5.15.150",
        "hostname": "ReiseRouter",
        "system": "ARMv7 Processor rev 5 (v7l)",
        "model": "AVM FRITZ!Repeater 3000",
        "board_name": "avm,fritzrepeater-3000",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "ipq40xx/generic",
                "description": "OpenWrt 23.05.3 r23809-234f1a2efa"
        }
}

network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'XXX'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.22.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wwan'
	option proto 'dhcp'
	option device 'phy1-sta0'

config interface 'wgReise'
	option proto 'wireguard'
	list addresses '10.0.0.5'
	option private_key 'XXX'
	option metric '10'
	list dns 'XXX'

config wireguard_wgReise
	option description 'XXX'
	option public_key 'XXX'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::0/0'
	option route_allowed_ips '1'
	option endpoint_host 'XXX'
	option endpoint_port 'XXX'
	option persistent_keepalive '25'

wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'soc/40000000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
	option channel '108'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'
	option country 'IT'
	option disabled '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/a000000.wifi'
	option channel 'auto'
	option band '2g'
	option htmode 'HT20'
	option country 'IT'
	option cell_density '0'

config wifi-device 'radio2'
	option type 'mac80211'
	option path 'platform/soc/a800000.wifi'
	option channel '44'
	option band '5g'
	option htmode 'VHT80'
	option country 'IT'
	option cell_density '0'

config wifi-iface 'wifinet2'
	option device 'radio1'
	option mode 'sta'
	option network 'wwan'
	option ssid 'XXX'
	option encryption 'psk2'
	option key 'XXX'

config wifi-iface 'wifinet1'
	option device 'radio2'
	option mode 'ap'
	option ssid 'XXX'
	option encryption 'psk2'
	option key 'XXX'
	option network 'lan'

dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

Firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan_zone'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wgReiseZone'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	list network 'wgReise'
	option masq '1'

config zone
	option name 'wan_zone'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan_zone'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan_zone'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan_zone'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan_zone'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan_zone'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan_zone'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan_zone'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan_zone'
	option dest 'lan_zone'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan_zone'
	option dest 'lan_zone'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config forwarding
	option src 'lan_zone'
	option dest 'wgReiseZone'

config forwarding
	option src 'lan_zone'
	option dest 'wan_zone'

ip route show

default via 192.168.178.1 dev phy1-sta0  src 192.168.178.110
default dev wgReise scope link  metric 10
10.0.0.5 dev wgReise scope link  metric 10
XXX.XXX.XXX.XXX via 192.168.178.1 dev phy1-sta0
192.168.22.0/24 dev br-lan scope link  src 192.168.22.1
192.168.178.0/24 dev phy1-sta0 scope link  src 192.168.178.110

wg show

peer: XXX
  endpoint: XXX.XXX.XXX.XXX:XXXX
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 1 minute, 59 seconds ago
  transfer: 1.08 KiB received, 3.95 KiB sent
  persistent keepalive: every 25 seconds

Could it possibly be the ip route, some kind of priorization?
When I disabled the the lan -> wan forwarding to favor the the lan -> wgReiseZone I had no internet connection at all (no ping to 8.8.8.8)

So far the routing via wan works. I am actually writing this over my "holiday" connection.

Greetings,
Armin

Remove option metric

Reboot and test again

1 Like

Thank you very much egc.

This did the trick

1 Like