WireGuard server on OpenWrt behind NAT

I have a netbook that I use as a server and thought I'd install OpenWrt. It's behind an internet gateway router that also has OpenWrt. I have installed WireGuard and configured with the following:

root@servidor:~# cat /etc/config/network 

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'GJByMmcB9yX4HIouWtZGOAXRvn4swNW8uQQv9LvtcEw='
        option listen_port '30000'
        list addresses '10.0.0.1/24'
        option delegate '0'

config wireguard_wg0
        option description 'grand-prime'
        option public_key 'CzVEwRpd+BZ/PUXZyaF6vle2m25WkkanWXFPqyzpiF8='
        list allowed_ips '10.0.0.2/32'
        option route_allowed_ips '1'
root@servidor:~# cat /etc/config/firewall

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wg0'

The problem is that the client cannot reach the internet through the tunnel. On the client (which uses a mobile network) I see TX and RX counters increasing, and the same on the OpenWrt server. I use an app on the client for ping and iperf, and I only get ping and iperf responses from 10.0.0.1 and from the server's LAN IP. I cannot open any site in the browser by domain name (for example google.com), and entering 1.1.1.1 does not show the Cloudflare page either. Oddly, AdGuard Home, which is installed on the server, does show the DNS requests coming from the client. From the client I can only reach the server's LAN IP and its wg0 address, where LuCI loads fine. I cannot reach any upstream network beyond the server.

The client is configured with address 10.0.0.2/32, DNS 10.0.0.1, port 30000, allowed IPs 0.0.0.0/0, and an endpoint that is a DDNS domain pointing to the WAN address of the main router. I have also already forwarded port 30000/udp from the main router to the server.

Let's see the complete config files for both the server and the main router; please make it clear which output belongs to which device.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, private keys, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

The main router serves the subnet 192.168.1.0/24, and the server has the IP 192.168.1.60, obtained via DHCP.

root@servidor:~# cat /etc/config/network 

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        option ipv6 '0'

config interface 'lan'
        option device 'br-lan'
        option proto 'dhcp'
        option delegate '0'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'GJByMmcB9yX4HIouWtZGOAXRvn4swNW8uQQv9LvtcEw='
        option listen_port '30000'
        list addresses '10.0.0.1/24'
        option delegate '0'
        option defaultroute '0'

config wireguard_wg0
        option description 'grand-prime'
        option public_key 'CzVEwRpd+BZ/PUXZyaF6vle2m25WkkanWXFPqyzpiF8='
        list allowed_ips '10.0.0.2/32'
        option route_allowed_ips '1'

config device
        option name 'eth0'
        option ipv6 '0'

config device
        option name 'wg0'
        option ipv6 '0'
root@servidor:~# cat /etc/config/firewall 

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wg0'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

Remove these two lines from the wg0 interface section:

        option delegate '0'
        option defaultroute '0'

On your main router, add a static route so replies to the tunnel subnet are sent back to the server:
10.0.0.0/24 via 192.168.1.60

That worked, and I only removed `option defaultroute '0'`. I kept the other option because I understand it disables IPv6 (among other things), and I don't use IPv6.
