Hello everyone,
I am trying to build a router in the lab on a TL-WR1043ND v4, to be deployed at a remote location with mwan3 failover, a guest network, and WireGuard for remote access to that location.
OpenWrt 18.06.2 r7676-cddd7b4c77 / LuCI openwrt-18.06 branch (git-19.079.57770-b99e77d)
WAN wired interface = eth0.2 - 192.168.3.208
WAN LTE interface = usb0 - 192.168.42.129
LAN interface = eth0.1 - 10.10.10.1
WireGuard interface = wg0 - 10.110.0.1:5182
Windows 10 = 192.168.3.33
/etc/config/network
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
option defaultroute '1'
option metric '10'
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
option reqprefix 'auto'
config interface 'wanlte'
option ifname 'usb0'
option proto 'dhcp'
option defaultroute '1'
option metric '20'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '10.10.10.1'
option ipv6 '0'
option stp '1'
option igmp_snooping '1'
config interface 'guests'
option type 'bridge'
option ifname 'eth0.6'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '10.60.10.1'
option ipv6 '0'
option stp '1'
config interface 'wg0'
option proto 'wireguard'
option private_key 'SKRUtXcVzKVLM7r4Tr2+ctzD6c+G6ZJPPVchUBFbnno='
option listen_port '5182'
list addresses '10.110.0.1/24'
config wireguard_wg0
option public_key '1NOsPrf6C660VwITI/9MkqhlSjGHhMfDOpqaZssRhCk='
option description 'WireguardSparkx'
option persistent_keepalive '25'
list allowed_ips '0.0.0.0/0'
option route_allowed_ips '1'
WireGuard "client" peer config (TunSafe, Windows 10 64-bit)
[Interface]
PrivateKey = SKRUtXcVzKVLM7r4Tr2+ctzD6c+G6ZJPPVchUBFbnno=
Address = 10.110.0.2/24
[Peer]
PublicKey = 1NOsPrf6C660VwITI/9MkqhlSjGHhMfDOpqaZssRhCk=
AllowedIPs = 10.10.10.0/24
Endpoint = 192.168.3.208:5182
PersistentKeepalive = 25
/etc/config/firewall
config zone
option name 'WireGuard'
option input 'ACCEPT'
option forward 'ACCEPT'
option output 'ACCEPT'
option network 'wg0'
option masq '1'
option mtu_fix '1'
config rule
option target 'ACCEPT'
option proto 'udp'
option name 'Allow-Wireguard-Inbound'
option dest_port '5182'
option src 'wan'
option family 'ipv4'
route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.10.10.1 0.0.0.0 UG 0 0 0 lo - added by mwan3 for router-generated traffic
0.0.0.0 192.168.3.1 0.0.0.0 UG 10 0 0 eth0.2
0.0.0.0 192.168.42.129 0.0.0.0 UG 20 0 0 usb0
10.10.10.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan
10.60.10.0 0.0.0.0 255.255.255.0 U 0 0 0 br-guests
10.110.0.0 0.0.0.0 255.255.255.0 U 0 0 0 wg0
192.168.3.0 0.0.0.0 255.255.255.0 U 10 0 0 eth0.2
192.168.42.0 0.0.0.0 255.255.255.0 U 20 0 0 usb0
ip route show
default via 10.10.10.1 dev lo
default via 192.168.3.1 dev eth0.2 proto static src 192.168.3.208 metric 10
10.10.10.0/24 dev br-lan proto kernel scope link src 10.10.10.1
10.60.10.0/24 dev br-guests proto kernel scope link src 10.60.10.1
10.110.0.0/24 dev wg0 proto kernel scope link src 10.110.0.1
192.168.3.0/24 dev eth0.2 proto static scope link metric 10
So far I have mwan3 working and WireGuard installed, but I am stuck: no packets ever reach the wg0 interface, although I CAN SEE the packets from Windows arriving on eth0.2 (wired WAN).
from OpenWrt, ping the wg0 interface -> ping 10.110.0.1
PING 10.110.0.1 (10.110.0.1): 56 data bytes
64 bytes from 10.110.0.1: seq=0 ttl=64 time=0.302 ms
64 bytes from 10.110.0.1: seq=1 ttl=64 time=0.285 ms
from OpenWrt -> tcpdump -i eth0.2 port not 22 and port 5182
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0.2, link-type EN10MB (Ethernet), capture size 262144 bytes
08:59:14.161862 IP 192.168.3.33.53079 > 192.168.3.208.5182: UDP, length 148
08:59:20.161998 IP 192.168.3.33.53079 > 192.168.3.208.5182: UDP, length 148
08:59:26.162091 IP 192.168.3.33.53079 > 192.168.3.208.5182: UDP, length 148
from OpenWrt -> tcpdump -i wg0 port not 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wg0, link-type RAW (Raw IP), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
from OpenWrt -> lsmod | grep wire
ip6_udp_tunnel 1376 1 wireguard
udp_tunnel 2176 1 wireguard
wireguard 125152 0
WireGuard on Windows (the TAP adapter seems to work OK)
[09:44:44] Loading file: C:\Program Files\TunSafe\Config\TunSafe.conf
[09:44:44] TAP Driver Version 9.21
[09:44:44] Added Route 10.10.10.0/24 => 10.110.0.1
[09:44:44] Sending handshake...
[09:44:50] Retrying handshake, attempt 2...
[09:44:56] Retrying handshake, attempt 3...
[09:45:02] Retrying handshake, attempt 4...
[09:45:08] Retrying handshake, attempt 5...
[09:45:12] Deleted Route 10.10.10.0/24 => 10.110.0.1
from OpenWrt -> netstat -plantu
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1290/uhttpd
tcp 0 0 192.168.42.105:53 0.0.0.0:* LISTEN 12183/dnsmasq
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 12183/dnsmasq
tcp 0 0 10.60.10.1:53 0.0.0.0:* LISTEN 12183/dnsmasq
tcp 0 0 10.10.10.1:53 0.0.0.0:* LISTEN 12183/dnsmasq
tcp 0 0 192.168.3.208:53 0.0.0.0:* LISTEN 12183/dnsmasq
tcp 0 0 10.110.0.1:53 0.0.0.0:* LISTEN 12183/dnsmasq
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 929/dropbear
tcp 0 0 192.168.3.208:22 192.168.3.33:9664 ESTABLISHED 20919/dropbear
tcp 0 0 192.168.3.208:22 192.168.3.33:6740 ESTABLISHED 3360/dropbear
tcp 0 0 192.168.3.208:22 192.168.3.33:6736 ESTABLISHED 2113/dropbear
tcp 0 0 192.168.3.208:80 192.168.3.33:15451 ESTABLISHED 1290/uhttpd
tcp 0 0 192.168.3.208:80 192.168.3.33:15505 ESTABLISHED 1290/uhttpd
tcp 0 0 192.168.3.208:80 192.168.3.33:15504 ESTABLISHED 1290/uhttpd
tcp 0 0 192.168.3.208:22 192.168.3.33:15537 ESTABLISHED 15321/dropbear
tcp 0 0 :::80 :::* LISTEN 1290/uhttpd
tcp 0 0 fe80::b87e:feff:fe2c:88eb:53 :::* LISTEN 12183/dnsmasq
tcp 0 0 ::1:53 :::* LISTEN 12183/dnsmasq
tcp 0 0 fe80::9ade:d0ff:fea8:acbc:53 :::* LISTEN 12183/dnsmasq
tcp 0 0 fe80::9ade:d0ff:fea8:acbc:53 :::* LISTEN 12183/dnsmasq
tcp 0 0 fe80::9ade:d0ff:fea8:acbc:53 :::* LISTEN 12183/dnsmasq
tcp 0 0 :::22 :::* LISTEN 929/dropbear
udp 0 0 192.168.42.105:53 0.0.0.0:* 12183/dnsmasq
udp 0 0 127.0.0.1:53 0.0.0.0:* 12183/dnsmasq
udp 0 0 10.60.10.1:53 0.0.0.0:* 12183/dnsmasq
udp 0 0 10.10.10.1:53 0.0.0.0:* 12183/dnsmasq
udp 0 0 192.168.3.208:53 0.0.0.0:* 12183/dnsmasq
udp 0 0 10.110.0.1:53 0.0.0.0:* 12183/dnsmasq
udp 0 0 0.0.0.0:5182 0.0.0.0:* -
udp 0 0 0.0.0.0:67 0.0.0.0:* 12183/dnsmasq
udp 0 0 :::546 :::* 11731/odhcp6c
udp 0 0 fe80::b87e:feff:fe2c:88eb:53 :::* 12183/dnsmasq
udp 0 0 ::1:53 :::* 12183/dnsmasq
udp 0 0 fe80::9ade:d0ff:fea8:acbc:53 :::* 12183/dnsmasq
udp 0 0 fe80::9ade:d0ff:fea8:acbc:53 :::* 12183/dnsmasq
udp 0 0 fe80::9ade:d0ff:fea8:acbc:53 :::* 12183/dnsmasq
udp 0 0 :::5182 :::* -
udp 0 0 :::123 :::* 2139/ntpd
10.110.0.1:53 and 0.0.0.0:5182 show that WireGuard is up and listening on UDP 5182 (correct me if I'm wrong).
It looks to me like the kernel "magic" isn't taking place for the wireguard module: the UDP packets from Windows arrive on eth0.2, but nothing ever shows up on wg0, and the Windows side keeps retrying the handshake, so the handshake itself never completes. Re-reading the configs, I also notice that the TunSafe [Interface] PrivateKey is the same string as the router's wg0 private_key and both sides list the same public key as their peer, whereas each endpoint should have its own keypair and list the other side's public key; since these keys are now pasted here, they will need to be regenerated anyway.
Any help would be appreciated to track down this issue.