Wireguard Server setup with 23.5.x

I'm following the documentation here:

when I get to the point of the firewall

Firewall
# Configure firewall
uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci del_list firewall.lan.network="${VPN_IF}"
uci add_list firewall.lan.network="${VPN_IF}"
uci -q delete firewall.wg
uci set firewall.wg="rule"
uci set firewall.wg.name="Allow-WireGuard"
uci set firewall.wg.src="wan"
uci set firewall.wg.dest_port="${VPN_PORT}"
uci set firewall.wg.proto="udp"
uci set firewall.wg.target="ACCEPT"
uci commit firewall
service firewall restart

on the terminal I get this print:

OpenWrt Terminal
Section @forwarding[1] option 'dest' specifies invalid value 'WG_0'
Section @forwarding[1] skipped due to invalid options

Does anyone know why this is an invalid option? This is from the documented wiki. I think I did the previous version in 22.x.x and didn't have any issue before.

The script does not create any forwardings. By default, only @forwarding[0] (lan=>wan) exists.
This must be something you created, and probably WG_0 is not a valid firewall zone name.

I did not create the script; it is literally from the official OpenWrt documents. I just copied and pasted, and it is a clean installation of OpenWrt 23.5.x.

So I'm trying to understand why I get this print. The last update for this was last year, around November 2023. The previous versions used 'WG_0'; this version uses 'VPN'.

Thank you, I appreciate your response. I'll keep reading the documentation, maybe I did something wrong. I'll load in another environment with 22.x to see if I can replicate the same problem.

I never said you created the script.

This sets names for the lan and wan firewall zones (not really necessary).

This adds the wireguard interface to the lan firewall zone.

This opens the firewall for incoming wireguard connections originating from wan.

So the (forwarding) error must be caused by some leftover from a previous configuration(s).
You can always consult the default firewall configuration by checking /rom/etc/config/firewall.

I agree with this conclusion.
Specifically:

There is nowhere in the wg server script that an interface or zone would be called WG_0 -- this does suggest that something in the original config must have had that name, and therefore it must be a vestige from some previous configuration (functional and/or attempted).

Let's take a look at your config:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
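A way to find such leftovers before fw4 does, as an added example that is not part of the thread or of the OpenWrt wiki script: the function below reads a file in /etc/config/firewall format and reports every forwarding, rule or redirect whose src/dest names a zone the file never declares. The sample config it runs against is constructed here to mirror the thread (an anonymous forwarding to WG_0 left over from an older setup); on a router you would point it at /etc/config/firewall instead.

```shell
# Added diagnostic (not from the OpenWrt wiki): list firewall forwarding, rule
# and redirect sections whose 'src'/'dest' names a zone the file never declares.
# fw4 skips such sections with "option 'dest' specifies invalid value ...".
# Usage on a router: stale_zone_refs /etc/config/firewall
stale_zone_refs() {
    awk -v q="'" '
        # New section: remember its type and a uci-style name (@type[idx] if anonymous)
        $1 == "config" {
            type = $2; name = $3; gsub(q, "", name)
            idx = count[type]++
            if (name == "") name = "@" type "[" idx "]"
            cur = type "." name
            next
        }
        # Every declared zone name is a valid src/dest value
        type == "zone" && $1 == "option" && $2 == "name" {
            z = $3; gsub(q, "", z); zones[z] = 1; next
        }
        # Collect zone references, in file order, from the sections fw4 validates
        (type == "forwarding" || type == "rule" || type == "redirect") && $1 == "option" && ($2 == "src" || $2 == "dest") {
            v = $3; gsub(q, "", v)
            n++; key[n] = cur " " $2; val[n] = v
        }
        END {
            for (i = 1; i <= n; i++)
                if (val[i] != "*" && !(val[i] in zones))
                    print key[i] " -> " val[i] " (no such zone)"
        }
    ' "$1"
}

# Constructed sample mirroring the thread: the anonymous forwarding left over
# from the old WG_0 setup is the only invalid reference; dest '*' is legal.
SAMPLE="${TMPDIR:-/tmp}/fw_sample_$$.conf"
cat > "$SAMPLE" <<'EOF'
config zone 'lan'
	option name 'lan'
config zone 'wan'
	option name 'wan'
config forwarding 'lan_wan'
	option src 'lan'
	option dest 'wan'
config forwarding
	option src 'lan'
	option dest 'WG_0'
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
EOF
stale_zone_refs "$SAMPLE"
```

The only line printed for the sample is the anonymous second forwarding, reported the same way fw4 numbers it (@forwarding[1]), which is exactly the section the error message points at.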

I think both are right; it seems to be a leftover in the firewall. I ran this old backup script before and got the same errors, so I went to check the documentation, and it was updated in November, so I thought there must have been some changes. I ran the new version and got the same issues.

I'm not running the WireGuard server. I didn't want to lose more time, since this needs to be in production, so I used another device with Linux, ran PiVPN and made the adjustments for the firewall.

But I still wanted to check what was wrong. I'll try to set up the WireGuard server later on another device.

old backup script
#!/bin/ash

# Install packages
opkg update

#The package name has changed
#opkg install wireguard
opkg install wireguard-tools
 
# Configuration parameters
WG_IF="WG_0"
WG_PORT="51820"
WG_ADDR="192.168.9.1/24"
WG_ADDR6="fdf1:7610:d152:3a9c::1/64"

# Generate and exchange the keys
umask u=rw,g=,o=
wg genkey | tee wgserver.key | wg pubkey > wgserver.pub
wg genpsk > wg.psk
 
WG_KEY="$(cat wgserver.key)"
WG_PSK="$(cat wg.psk)"
WG_PUB="$(cat wgserver.pub)"

# Configure firewall
uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci rename firewall.@forwarding[0]="lan_wan"
uci del_list firewall.lan.network="${WG_IF}"
uci add_list firewall.lan.network="${WG_IF}"
uci -q delete firewall.wg
uci set firewall.wg="rule"
uci set firewall.wg.name="Allow-WireGuard"
uci set firewall.wg.src="wan"
uci set firewall.wg.dest_port="${WG_PORT}"
uci set firewall.wg.proto="udp"
uci set firewall.wg.target="ACCEPT"
uci commit firewall
/etc/init.d/firewall restart

# Configure network
uci -q delete network.${WG_IF}
uci set network.${WG_IF}="interface"
uci set network.${WG_IF}.proto="wireguard"
uci set network.${WG_IF}.private_key="${WG_KEY}"
uci set network.${WG_IF}.listen_port="${WG_PORT}"
uci add_list network.${WG_IF}.addresses="${WG_ADDR}"
uci add_list network.${WG_IF}.addresses="${WG_ADDR6}"
 
# Add VPN peers
uci -q delete network.wgclient
uci set network.wgclient="wireguard_${WG_IF}"
uci set network.wgclient.public_key="${WG_PUB}"
uci set network.wgclient.preshared_key="${WG_PSK}"
uci add_list network.wgclient.allowed_ips="${WG_ADDR%.*}.0/${WG_ADDR#*/}"
uci add_list network.wgclient.allowed_ips="${WG_ADDR6%/*}/${WG_ADDR6#*/}"
uci commit network
/etc/init.d/network restart
new script


# Install packages
opkg update
opkg install wireguard-tools
 
# Configuration parameters
VPN_IF="vpn"
VPN_PORT="51820"
VPN_ADDR="192.168.9.1/24"
VPN_ADDR6="fd00:9::1/64"
# Generate keys
umask go=
wg genkey | tee wgserver.key | wg pubkey > wgserver.pub
wg genkey | tee wgclient.key | wg pubkey > wgclient.pub
wg genpsk > wgclient.psk
 
# Server private key
VPN_KEY="$(cat wgserver.key)"
 
# Pre-shared key
VPN_PSK="$(cat wgclient.psk)"
 
# Client public key
VPN_PUB="$(cat wgclient.pub)"

# Configure firewall
uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci del_list firewall.lan.network="${VPN_IF}"
uci add_list firewall.lan.network="${VPN_IF}"
uci -q delete firewall.wg
uci set firewall.wg="rule"
uci set firewall.wg.name="Allow-WireGuard"
uci set firewall.wg.src="wan"
uci set firewall.wg.dest_port="${VPN_PORT}"
uci set firewall.wg.proto="udp"
uci set firewall.wg.target="ACCEPT"
uci commit firewall
service firewall restart

# Configure network
uci -q delete network.${VPN_IF}
uci set network.${VPN_IF}="interface"
uci set network.${VPN_IF}.proto="wireguard"
uci set network.${VPN_IF}.private_key="${VPN_KEY}"
uci set network.${VPN_IF}.listen_port="${VPN_PORT}"
uci add_list network.${VPN_IF}.addresses="${VPN_ADDR}"
uci add_list network.${VPN_IF}.addresses="${VPN_ADDR6}"
 
# Add VPN peers
uci -q delete network.wgclient
uci set network.wgclient="wireguard_${VPN_IF}"
uci set network.wgclient.public_key="${VPN_PUB}"
uci set network.wgclient.preshared_key="${VPN_PSK}"
uci add_list network.wgclient.allowed_ips="${VPN_ADDR%.*}.2/32"
uci add_list network.wgclient.allowed_ips="${VPN_ADDR6%:*}:2/128"
uci commit network
service network restart
Network Settings
cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd55:8f4e:c83a::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'
	list ports 'eth2'
	list ports 'eth3'
	list ports 'eth4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '10.105.10.1'
	option netmask '255.255.255.0'
	option delegate '0'

config interface 'wan'
	option device 'eth0'
	option proto 'pppoe'
	option username 'redacted'
	option password 'redacted'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	option delegate '0'
	option ipv6 '0'
Firewall

/etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config forwarding 'lan_wan'
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option name 'Divert-DNS, port 53'
	option src 'lan'
	option dest 'lan'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'

config rule
	option name 'Reject-DoT, port 853'
	option src 'lan'
	option dest 'wan'
	option dest_port '853'
	option proto 'tcp'
	option target 'REJECT'

config forwarding
	option src 'lan'
	option dest 'WG_0'    <---- suspect config forwarding :melting_face:

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'PiVPN-WireGuard'
	list proto 'udp'
	option src 'wan'
	option src_dport '51820'
	option dest_ip '10.105.10.91'
	option dest_port '51820'

Yup... that wasn't created by the latest script.