Hi all, the wireguard server created followed the wireguard server docs. But can't connect to the internet from the client!
wg
interface: vpn
public key: XXXXXXX
private key: (hidden)
listening port: 51820
peer: XXXXXXXXX
preshared key: (hidden)
endpoint: 192.168.1.183:53589
allowed ips: 192.168.9.2/32, fdf1:e8a1:8d3f:9::2/128
transfer: 1.30 KiB received, 828 B sent
the client.conf
[Interface]
PrivateKey = XXXXXXXXXX
Address = 192.168.9.2/32
[Peer]
PublicKey = XXXXXXXXXX
AllowedIPs = 0.0.0.0/0
Endpoint = My_Public_IP:51820
Regards
ASFP
December 8, 2021, 8:48pm
2
route_allowed_ips is enabled?
Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
cat /etc/config/network
cat /etc/config/firewall
1 Like
ASFP
December 8, 2021, 8:53pm
6
you posted the config including your private key. please correct...
sorry
root@OpenWrtLinkSys:~# cat /etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdb7:dffc:8382::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
list dns '9.9.9.9'
list dns '149.112.112.112'
config interface 'wan'
option ifname 'eth1.2'
option proto 'dhcp'
list dns '9.9.9.9'
list dns '149.112.112.112'
option peerdns '0'
config interface 'wan6'
option ifname 'eth1.2'
option proto 'dhcpv6'
list dns '2620:fe::fe'
list dns '2620:fe::9'
option reqprefix 'auto'
option reqaddress 'try'
option peerdns '0'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 1 2 3 5t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '4 6t'
config interface 'vpn'
option proto 'wireguard'
option private_key 'XXXXXXXXX'
option listen_port '51820'
list addresses '192.168.9.1/24'
list addresses 'fdf1:e8a1:8d3f:9::1/64'
config wireguard_vpn 'wgclient'
option public_key 'XXXXXXX'
option preshared_key 'XXXXXXX'
list allowed_ips '192.168.9.2/32'
list allowed_ips 'fdf1:e8a1:8d3f:9::2/128'
option route_allowed_ips '1'
root@OpenWrtLinkSys:~# cat /etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option drop_invalid '1'
option synflood_protect '1'
config zone 'lan'
option name 'lan'
list network 'lan'
list network 'vpn'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone 'wan'
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config redirect
option dest_port '64738'
option src 'wan'
option name 'chawgMumble'
option src_dport '64738'
option target 'DNAT'
option dest_ip '192.168.1.213'
option dest 'lan'
config redirect
option dest_port '443'
option src 'wan'
option name 'chawgSSL'
option src_dport '443'
option target 'DNAT'
option dest_ip '192.168.1.213'
option dest 'lan'
config redirect
option dest_port '80'
option src 'wan'
option name 'chawgHTTP'
option src_dport '80'
option target 'DNAT'
option dest_ip '192.168.1.213'
option dest 'lan'
config redirect
option dest_port '51820'
option src 'wan'
option name 'VPNchawg'
option src_dport '51820'
option target 'DNAT'
option dest_ip '192.168.1.214'
option dest 'lan'
config rule 'wg'
option name 'Allow-WireGuard'
option src 'wan'
option dest_port '51820'
option proto 'udp'
option target 'ACCEPT'
config redirect
option dest_port '51820'
option src 'wan'
option name 'WireGuard'
option src_dport '51820'
option target 'DNAT'
option dest_ip '192.168.9.1'
option dest 'lan'
list proto 'udp'
root@OpenWrtLinkSys:~#
ASFP
December 8, 2021, 8:59pm
8
What are those for? normally you don't need to redirect incoming wireguard connections
'VPNchawg'
created for my pivpn device 192.168.1.214. id offline right now!
ASFP
December 8, 2021, 9:09pm
11
I don't understand why you have this rule. I'm not sure, but I think all of your VPN Traffic gets sent to 192.168.1.214 all the time. If your pivpn isn't online it's a black hole.
it's created for raspberrypi device on 192.168.1.214 since 2019
config redirect
option dest_port '51820'
option src 'wan'
option name 'VPNchawg'
option src_dport '51820'
option target 'DNAT'
option dest_ip '192.168.1.214'
option dest 'lan'
Then can't the client connect to the server at all.
ASFP
December 8, 2021, 9:16pm
13
Your client should be able to connect to the raspberry without this rule. Your firewall rules already allow this.
Ignore the raspberypi device. The device is turned off and the firewall rule is removed. My issue is with wireguard server on openwrt router. I can just connect from the client with this rule
config redirect
option dest_port '51820'
option src 'wan'
option name 'WireGuard'
option src_dport '51820'
option target 'DNAT'
option dest_ip '192.168.9.1'
option dest 'lan'
list proto 'udp'
but still no internet. disabling this post can't even connect the client with the openwrt router.
ASFP
December 8, 2021, 9:23pm
15
You don't need a redirect, just a simple allow rule.
config rule
option dest_port '51820'
option src 'wan'
option target 'ACCEPT'
list proto 'udp'
option name 'WireGuard'
This is the rule I have on my router.
config rule 'wg'
option name 'Allow-WireGuard'
option src 'wan'
option dest_port '51820'
option proto 'udp'
option target 'ACCEPT'
config rule
option dest_port '51820'
option src 'wan'
option name 'WireGuardDiva'
option target 'ACCEPT'
list proto 'udp'
Can again connect the client to the router RX TX, but still no internet!
Are you sure you don't have internet connectivity? You might simply have a DNS issue.
From your client peer, try pinging 8.8.8.8.
If that works, try pinging google.com -- that will fail if you don't have DNS setup properly on the remote (client) peer.
ping -c 3 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
let's see the latest files
psherman:
/etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdb7:dffc:8382::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
list dns '9.9.9.9'
list dns '149.112.112.112'
config interface 'wan'
option ifname 'eth1.2'
option proto 'dhcp'
list dns '9.9.9.9'
list dns '149.112.112.112'
option peerdns '0'
config interface 'wan6'
option ifname 'eth1.2'
option proto 'dhcpv6'
list dns '2620:fe::fe'
list dns '2620:fe::9'
option reqprefix 'auto'
option reqaddress 'try'
option peerdns '0'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 1 2 3 5t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '4 6t'
config interface 'vpn'
option proto 'wireguard'
option private_key 'XXXXXXXXXXXXX'
option listen_port '51820'
list addresses '192.168.9.1/24'
list addresses 'fdf1:e8a1:8d3f:9::1/64'
config wireguard_vpn 'wgclient'
option public_key 'XXXXXXXXXXXXXXXX'
option preshared_key 'XXXXXXXXXXXX'
list allowed_ips '192.168.9.2/32'
list allowed_ips 'fdf1:e8a1:8d3f:9::2/128'
option route_allowed_ips '1'
then
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option drop_invalid '1'
option synflood_protect '1'
config zone 'lan'
option name 'lan'
list network 'lan'
list network 'vpn'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone 'wan'
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config redirect
option dest_port '64738'
option src 'wan'
option name 'chawgMumble'
option src_dport '64738'
option target 'DNAT'
option dest_ip '192.168.1.213'
option dest 'lan'
config redirect
option dest_port '443'
option src 'wan'
option name 'chawgSSL'
option src_dport '443'
option target 'DNAT'
option dest_ip '192.168.1.213'
option dest 'lan'
config redirect
option dest_port '80'
option src 'wan'
option name 'chawgHTTP'
option src_dport '80'
option target 'DNAT'
option dest_ip '192.168.1.213'
option dest 'lan'
config rule 'wg'
option name 'Allow-WireGuard'
option src 'wan'
option dest_port '51820'
option proto 'udp'
option target 'ACCEPT'
config rule
option dest_port '51820'
option src 'wan'
option name 'WireGuardDiva'
option target 'ACCEPT'
list proto 'udp'
