Hey everyone! I am here with a problem which has been driving me nuts for the past few weeks. My setup looks as follows:
- ISP-provided router which has direct internet access
- Behind that router is my OpenWrt router
- All my local devices connect to the OpenWrt router, either via LAN or Wi-Fi
- It runs an OpenVPN client routing all my traffic through it (this has been working fine for years)
- It also runs a web server serving a Nextcloud instance, which also works fine
- Now I want to add a WireGuard server to connect to my network from outside
What already works:
- Connecting to the WireGuard server when associated to the OpenWrt router, using its local IP as endpoint
- Handshake works for multiple clients and all traffic goes through the WireGuard server
- Connecting to the WireGuard server when associated to the ISP-provided internet-facing router, using the LAN IP provided by the ISP router as endpoint
- Same as above, works perfectly
- This tells me that WireGuard is at least correctly set up
What is the problem:
- Connecting to the WireGuard server from the internet does not work
- I connect via a DynDNS provider
- This works fine for my web server
- Port forwards from the ISP-provided router to the OpenWrt router are set up and working
- A scan via nmap shows that the ports for the web server are open while the UDP port for WireGuard is open|filtered
- Using tcpdump on the WireGuard port I see incoming traffic from the internet, but for some reason my OpenWrt router does not answer when the connection comes from the internet
My conclusion so far is that something with my firewall settings is not correct. I've gone through all of it a dozen times but I cannot find the error. Here are my configs:
Alright, I have removed that setting. But the problem remains the same, unfortunately. WireGuard clients can connect from the OpenWrt LAN and from the ISP router LAN but not from the internet (again, I get incoming traffic on port 5892 according to tcpdump but my WireGuard server does not answer...)
This way it should listen on all interfaces on my device, only on UDP port 5892, and print the corresponding interface. Here is the output when I try to connect from the internet: https://pastebin.com/JDDymYc6
Note that I have replaced my public internet IP with a few ***.
Also note that 192.168.178.55 is the LAN/WAN IP which my OpenWrt router gets from the ISP router. Apparently the OpenWrt router just doesn't send an answer back.
Now if I connect my phone to the ISP router Wi-Fi and set the WireGuard endpoint to 192.168.178.55, WireGuard works fine: https://pastebin.com/YTqceHF5
Let me know whether this is the output you wanted.
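A practical way to read a capture like the ones linked above, added here as an example and not part of the thread: tally WireGuard handshake initiations against handshake responses per remote peer. A peer with initiations but no responses is reached by the router and simply never answered, which narrows the fault to the router's output path (routing or firewall output) rather than to the peer or the port forward. One caveat worth keeping in mind while reading nmap results: WireGuard deliberately stays silent on any packet that does not pass its handshake authentication, so a UDP scan reporting open|filtered is expected even on a working server and proves nothing either way; the capture is the meaningful check. The script assumes IPv4 and the line format of `tcpdump -lni any udp port 5892` on a tcpdump that prints the interface and direction for the `any` device; the sample lines, addresses and interface names are constructed.

```shell
#!/bin/sh
# Tally WireGuard handshake traffic per remote peer from a tcpdump capture.
# Added example, not from the thread. It assumes IPv4 and the line format of
#   tcpdump -lni any udp port 5892
# on a tcpdump that prints interface and direction for the "any" device.

WG_PORT=5892

# Constructed sample in that format: two initiations from the internet that get
# no reply, one initiation from the LAN that gets a handshake response.
SAMPLE_CAPTURE='12:00:01.000000 eth1.2 In  IP 203.0.113.10.51820 > 192.168.178.55.5892: UDP, length 148
12:00:02.000000 br-lan In  IP 192.168.1.20.40000 > 192.168.1.1.5892: UDP, length 148
12:00:02.000500 br-lan Out IP 192.168.1.1.5892 > 192.168.1.20.40000: UDP, length 92
12:00:06.000000 eth1.2 In  IP 203.0.113.10.51820 > 192.168.178.55.5892: UDP, length 148'

# Read capture lines on stdin and print one line per peer:
#   <peer-ip> initiations=<n> responses=<m> OK|NO-REPLY
# A WireGuard handshake initiation is a 148-byte UDP payload sent to the
# listen port; the handshake response is 92 bytes sent from it. A peer with
# initiations but no responses is seen by the router yet never answered.
wg_handshake_report() {
  awk -v port="$1" '
    {
      src = ""; dst = ""
      for (i = 2; i < NF; i++) if ($i == ">") { src = $(i - 1); dst = $(i + 1); break }
      if (src == "") next
      sub(/:$/, "", dst)
      # a.b.c.d.port -> address and port (IPv4 only, by assumption)
      split(src, s, "."); sip = s[1] "." s[2] "." s[3] "." s[4]; sport = s[5]
      split(dst, d, "."); dip = d[1] "." d[2] "." d[3] "." d[4]; dport = d[5]
      len = $NF + 0
      if (dport == port && len == 148) { init[sip]++; seen[sip] = 1 }
      else if (sport == port && len == 92) { resp[dip]++; seen[dip] = 1 }
    }
    END {
      for (p in seen)
        printf "%s initiations=%d responses=%d %s\n", p, init[p], resp[p], (resp[p] > 0 ? "OK" : "NO-REPLY")
    }'
}

# On the router (assumption: tcpdump installed), source this file and run:
#   tcpdump -lni any udp port 5892 | wg_handshake_report 5892
# Demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_CAPTURE" | wg_handshake_report "$WG_PORT"
```

Run it for a minute while a client retries from the outside; the external peer should show up with a growing initiation count and zero responses, while a LAN client shows one response per initiation.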
It was a typo, I meant eth1.2, but the script did the job anyway.
Disable the VPN client and PBR. Is it working now that everything goes out of wan and not the VPN?
Try something else: define the ingress interface for WG as wan and not everything. It shouldn't matter, but I remember another thread where it was conflicting.
Add the wg0 interface to the lan firewall zone and remove it from the wg_server zone. It also shouldn't matter, but we need to rule out all possibilities.
Disabling the VPN client and PBR: connecting from the internet now works fine!
Not sure I understood this one correctly. You mean the firewall rule for allowing incoming WG traffic? If so, I did that and set the source zone to wan: no change; still not working.
So I did that, restarted the network and it works. With VPN client and PBR enabled...
Which means something is not right with the WireGuard zone. Since I would really like to work with separated zones, do you have any further ideas? Again, thank you for taking the time!
EDIT: I am sorry, point 3 is not working after all. After restarting the network, the default route was going through wan and not the VPN client. After making sure the default route is set to the VPN client, it makes no difference whether the wg0 interface is assigned to the lan zone or the wg server zone: it does not work in any case. So the problem is rather related to PBR not working? Which would be strange, since it works fine for my web server and I can also create working rules for specific domains...
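The pattern described in this post (works with the VPN client and PBR off, fails as soon as the default route points into the tunnel, regardless of firewall zone) is what asymmetric routing looks like: the handshake initiation arrives on the WAN address, but the reply follows the default route into the OpenVPN tunnel, where the VPN provider drops it. The generic remedy, independent of how PBR expresses it, is a source-based policy route: every packet sourced from the WAN address goes out via the WAN gateway. The script below is an added example, not from the thread or the PBR package; 192.168.178.55 is the WAN address quoted in the thread, while the gateway, interface name, routing table number and rule priority are assumptions to be overridden via the environment. The rule's priority must sort before the rules PBR installs (compare with `ip rule show`), otherwise PBR's own lookup wins first.

```shell
#!/bin/sh
# Source-based policy route so that replies leaving from the WAN address go
# out via the WAN gateway even while the default route points into the
# OpenVPN tunnel. Added example, not from the thread or the PBR package.
# 192.168.178.55 is the WAN address quoted in the thread; the gateway,
# interface name, table number and rule priority are assumptions (override
# them via the environment).
WAN_IF="${WAN_IF:-eth1.2}"
WAN_IP="${WAN_IP:-192.168.178.55}"
WAN_GW="${WAN_GW:-192.168.178.1}"
TABLE="${TABLE:-100}"
PRIO="${PRIO:-1000}"

# Commands for the fix: a dedicated table whose default route is the WAN
# gateway, plus a rule sending every packet sourced from the WAN IP into it.
# WireGuard replies to a handshake from the address it was received on, so
# the rule catches exactly the traffic that currently vanishes into the tunnel.
wan_reply_route_cmds() {
  printf '%s\n' \
    "ip route replace default via $WAN_GW dev $WAN_IF table $TABLE" \
    "ip rule add from $WAN_IP lookup $TABLE priority $PRIO"
}

# Read 'ip rule show' output on stdin; succeed if the rule is already there,
# so the script can be re-run (e.g. from a hotplug script) without duplicates.
wan_reply_rule_present() {
  grep -q "from $WAN_IP lookup $TABLE"
}

# Check after applying: ask the kernel which device a reply to <peer-ip>
# sourced from the WAN address would leave on. It should be the WAN device,
# not the tunnel interface. Prints the chosen device name.
reply_route_dev() {
  ip route get "$1" from "$WAN_IP" 2>/dev/null | sed -n 's/.* dev \([^ ]*\).*/\1/p'
}

case "$1" in
  --apply)
    if ip rule show | wan_reply_rule_present; then
      echo "rule already present"
    else
      wan_reply_route_cmds | sh -e
    fi
    ;;
  *)
    # dry run: print what --apply would execute
    wan_reply_route_cmds
    ;;
esac
```

Without arguments the script only prints the two `ip` commands; `--apply` runs them once, skipping the rule if it already exists. After applying, `reply_route_dev 203.0.113.10` (any outside address) should print the WAN device; if it still prints the tunnel device, a PBR rule with a lower priority number is taking precedence.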
OK, restore the protocol back to UDP, change the verbosity setting to 2 and post the following: cat /etc/config/vpn-policy-routing, /etc/init.d/vpn-policy-routing support, as well as the output of /etc/init.d/vpn-policy-routing reload
@stangri, is it a typo in the README that, although WG uses UDP, your example uses TCP?
Only as a user, don't have any code.
Do you see anything weird here by any chance? I've been looking at it for a couple of days, but all seems correct. And when PBR is disabled it works fine.
Is the OpenVPN tunnel utilizing TCP or UDP? I'd recommend trying to switch it to TCP and see if it helps. I can't recall the reason exactly, but for the VPN server/client scenarios the README recommends using different protocols for them; could it be the same here?