Wireguard server behind router

drfox · January 4, 2025, 2:24pm

I just replaced a TP-Link router with a GL.inet Flint M6000. I replaced the GL.net software with OpenWrt
I have a Raspberry Pi client running Wireguard, and it is the "server" for the Wireguard VPN * On the TP-Link router, I had it configured like this in the Routing Table

``Network Destination: 10.x.x.0
``Subnet Mask: 255.255.255.0
``Gateway 192.168.x.x (ip address of WG server)

It worked fine behind the TP-Link
I'm trying to set this up through the OpenWrt Gui. I went to Network:Firewall:Port Forwards * and added this:

``Name:Wireguard
``Address family:Automatic
``Protocol:UDP
``SourceZone:WAN
``External and Internal Ports:51820
``DestinationZone:LAN
``Internal IP: (my Pi has both ipv4 and ipv6 addresses, I chose the ipv4): 192.168.x.x

I saved and applied the port forward, but I can't ping WG clients from the WG server, nor can I ping the WG server from the clients (using the 10.x.x.x addresses). I can ping both ways using their LANs (192.168.x.x)

Sorry if this formatting sucks. I'm sure when I post it, it will look ugly, but I would appreciate any help you can give me. Thanks

frollic · January 4, 2025, 2:25pm

fix the formatting in your post 1st ?

drfox · January 4, 2025, 2:27pm

How do I fix it? How do I go from line to line? Do I use this < > or this ` ?

frollic · January 4, 2025, 2:30pm

copy the "real" text, remove all content from post, repaste the text ?

drfox · January 4, 2025, 2:43pm

OK, I fixed it as well as I can for now. How do I indent text? I tried with adding spaces after the`, but that didn't work

lleachii · January 4, 2025, 2:57pm

Just use plain text, please. Indented lines are not necessary on a informal forum. Merely make a new line for a new paragraph.

This is invalid as the Wireguard tunnel is not a Layer 2 interface.

~~You merely have to:~~

I would provide an example route, but your posts is either incomplete, truncated, or erroneous:

What's the complete subnet mask?

drfox · January 4, 2025, 3:21pm

Thank you for your reply
I fixed the mask to 255.255.255.0
My pi's WG address is 10.9.9.1; all the clients, are, of course 10.9.9.x.
The Gateway in the TP-Link was 10.9.9.0, but I don't see a way to input Gateway in OpenWRT
Do I need to do anything with Firewall Traffic Rules?
I did try changing the Forward to LAN to 10.9.9.1, but still no joy

psherman · January 4, 2025, 3:39pm

Now that you have a powerful new router running openwrt, have you considered setting up wireguard on the router itself, rather than on a separate pi behind the router?

And is the pi running openwrt?

Anyway, let’s take a look at your configs so we can more easily identify the issues.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall

drfox · January 4, 2025, 4:20pm

The reason I wasn't going to use the router as a WG server is simply because I have the WG VPN working well, and the current RPi "server" is also my other computers' backup device (I have an external SSD attached to the RPi). I suppose I could simply copy the WG config from the RPi, but then I have to figure out how to port forward the backups to the RPi.
Anyway, here you go; thanks in advance for your help

root@OpenWrt:~# ubus call system board
{
	"kernel": "6.6.67",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "GL.iNet GL-MT6000",
	"board_name": "glinet,gl-mt6000",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.0-rc4",
		"revision": "r28211-d55754ce0d",
		"target": "mediatek/filogic",
		"description": "OpenWrt 24.10.0-rc4 r28211-d55754ce0d",
		"builddate": "1734915335"
oot@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd70:9edf:6bd7::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option ip6assign '64'
	option delegate '0'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcp'

config device
	option type 'bridge'
	option name 'br-guest'
	option bridge_empty '1'

config interface 'guest'
	option proto 'static'
	option device 'br-guest'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option gateway '192.168.10.1'
root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'wan'

config forwarding
	option src 'wan'
	option dest 'guest'

config rule
	option name 'Allow-DNS-Guest'
	option src 'guest'
	option target 'ACCEPT'
	option dest_port '53'

config rule
	option name 'Allow-DHCP-Guest'
	list proto 'udp'
	option src 'guest'
	option dest_port '67'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Wireguard'
	list proto 'udp'
	option src 'wan'
	option src_dport '51820'
	option dest_port '51820'
	option dest_ip '10.9.9.1'

psherman · January 4, 2025, 4:23pm

The address here is wrong:

drfox:

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Wireguard'
	list proto 'udp'
	option src 'wan'
	option src_dport '51820'
	option dest_port '51820'
	option dest_ip '10.9.9.1'

It must be the address that the pi holds on the lan - 192.168.10.x

drfox · January 4, 2025, 4:28pm

Changed it; still can't ping

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Wireguard'
	list proto 'udp'
	option src 'wan'
	option src_dport '51820'
	option dest_port '51820'
	option dest_ip '192.168.10.100'

psherman · January 4, 2025, 4:29pm

Ping won’t work. But have you tried starting the wg tunnel?

drfox · January 4, 2025, 4:37pm

Not sure what you mean about starting the WG tunnel. I have rebooted the RPi, it can ping its own VPN IP but can't ping the others. The others can't ping anything in the VPN. The normal LAN IPs work fine.
Maybe I should just use the router as the server. If I give the router/server an IP of, say 10.0.0.15, how can I back up to 10.0.0.1 from remote clients? Do I port forward or just rely on the router/server?

psherman · January 4, 2025, 4:40pm

Can you describe specifically how you are testing? And is the Pi running OpenWrt?

drfox · January 4, 2025, 5:03pm

RPi is not runnng OpenWrt. RPi is running Debian.
I'm testing by pinging, both with the LAN IPs and with the WG IPs
The LAN IPs ping both ways. The WG IPs can ping themselves but not the server nor the other clients

psherman · January 4, 2025, 5:20pm

Are you testing this from an active Wireguard (remote) peer? And is this remote peer originating from a different network (such as a cellular connection) or the same lan?

Did you previously configure static routes on your main router to accommodate the WG routing, or does your Pi with Debian perform NAT masquerading?

drfox · January 4, 2025, 5:53pm

I'm checking from my laptop in my home where the router is. It is getting its LAN IP from the router. Its WG IP is static, configured under /etc/wireguard/
IIRC, the only thing I had to do on my previous router was to port forward to the RPi as per my initial post. If it makes any difference, I do have DDNS properly configured on the router, and it is updating the public IP correctly.

psherman · January 4, 2025, 6:04pm

For a proper test, you need to try to connect from a different network -- your phone on cellular (with wifi disabled) would work for this purpose.

That said, if you are unable to get a handshake while on cellular, you can try doing this internally by connecting back to WiFi again and changing the endpoint host to 192.168.10.100 (this would be done on the phone or laptop in the peer configuration section of the respective Wireguard config). This way you'll be able to see if you're getting a handshake in general while locally connected. This will tell us if your Pi w/ WireGuard is working properly.

Also, you might want to add a route on your OpenWrt router:

10.9.9.0/24 via 192.168.10.100

drfox · January 4, 2025, 6:19pm

Thank you psherman. I'm getting the idea that I should configure the router as the WG server. Let me do that, and I will get back to you if (when ) I get in trouble

psherman · January 4, 2025, 6:26pm

Yes, I would recommend putting WG on the router itself... it's much easier (and we can help you with that configuration, too; for troubleshooting your Pi w/ Debian, you'd need to get help from other sources).