Wireguard server

Internal services are accessed directly by opening the port on the WAN IP. This does not involve 192.168.1.1. It isn't necessary to include an IP at all; specifying src as wan means the interface(s) in the wan zone, no matter what IP(s) they may have.

Example:

config rule
    option name 'Allow-http'
    option src 'wan'
    option dest_port 80
    option proto 'tcp'
    option target ACCEPT

Don't add any more lines than this. Firewall rules must match all the specified conditions to have an effect; if you add something unnecessary, it is likely to stop working. (Adding src_port is also almost never applicable, since the default action for a web browser etc. is to choose a random port to originate its connection.)

To allow incoming Wireguard, you would use wg0's listen_port and proto udp.


Added the allow-http rule from your example, and it's working. Also added the wg rule, but it still hasn't handshaked. As was said before, I have other errors in the config, but I don't know where.

Firewall
root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option forward 'REJECT'
        list network 'wan'
        list network 'wwan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'wg'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'vpn'

config forwarding
        option src 'wg'
        option dest 'lan'

config forwarding
        option src 'wg'
        option dest 'wan'

config rule
        option name 'wg'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Allow-http'
        option src 'wan'
        option dest_port '80'
        option proto 'tcp'
        option target 'ACCEPT'

Are you able to reach the LuCI web interface (from a remote network... i.e. when you're not connected to your LAN)?

If so, that probably means there is a problem with the keys.
If not, it likely goes back to the CG-NAT issue.

BTW, I want to reiterate:

For the purposes of this test, though, it's useful to have it available. Once the VPN is functioning, you should remove this rule


Are you able to reach the LuCI web interface (from a remote network... i.e. when you're not connected to your LAN)?

Yes, I am able to reach it from outside.
Will try another peer. Could you please also check whether the configs for wg are correct (IPs, allowed IPs)?

WG-interface (screenshots, not reproduced here)
My phone's config

---interface---

  • name: home
  • private key: ***
  • public key: ***
  • ip address: 192.168.9.3/24

---peer---

  • public key: ***
  • preshared key: ***
  • ip-address of the server: ***.ddns.net:51820
  • allowed ip address: 0.0.0.0/0, ::/0

Text form is much easier to read than screenshots... please post the text configs.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network

Finally, added a new peer and it's handshaked. Now I can open 192.168.1.1 but can't open any web sites; strangely, apps such as WhatsApp and Telegram are working.

From your remote peer, run the following tests:

etc/config/network
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fda9:5c8b:63a6::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        option ipv6 '0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'wan'
        option macaddr '5c:02:14:31:b9:f9'
        option ipv6 '0'

config interface 'wan'
        option device 'wan'
        option type 'bridge'
        option proto 'pppoe'
        option username 'XXX'
        option password 'XXX'
        option ipv6 'auto'

config device
        option name 'eth0'
        option ipv6 '0'

config interface 'wwan'
        option proto 'dhcp'

config device
        option name 'wwan1-5G'

config interface 'vpn'
        option proto 'wireguard'
        option private_key 'XXX='
        option listen_port '51820'
        list addresses '192.168.9.1/24'
        list addresses 'fdf1:e8a1:8d3f:9::1/64'

config wireguard_vpn 'wgclient'
        option preshared_key 'XXX'
        option public_key 'XXX='
        option private_key 'XXX='
        option description 'Phone'
        list allowed_ips '192.168.9.3/32'
        list allowed_ips 'fdf1:e8a1:8d3f:9::2/128'
        option route_allowed_ips '1'

config wireguard_vpn
        option description 'home'
        option public_key 'XXX'
        option private_key 'XXX'
        list allowed_ips '192.168.9.3/32'
        option route_allowed_ips '1'
        option endpoint_host 'xxx.ddns.net'
        option endpoint_port '51820'
        option persistent_keepalive '25'

These are not necessary on the 'server' side... you should remove them.

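A checker for the advice given so far in this thread, added here as an example and not a tool from the thread or from OpenWrt. It reads the two files posted above (/etc/config/firewall and /etc/config/network) and tests three things: the inbound rule for the WireGuard listen_port must be src wan, proto udp, ACCEPT, and carry no extra conditions (a dest option would turn it into a forwarding rule, so it would never admit input to the router); an 'Allow-http' style rule on wan is for the reachability test only; and a peer section on the listening side should not carry an endpoint_host or a private_key. The UCI parser and the check wording are this example's own assumptions, and the embedded sample configs are constructed, trimmed copies of the posted files with the same placeholder keys.

```python
"""Audit an OpenWrt UCI firewall/network pair for a listening WireGuard peer.
Added example, not a tool from the thread or from OpenWrt: parser and checks
are this example's own; the sample configs below are constructed, trimmed
copies of the files posted above (same placeholder keys)."""
from __future__ import annotations
import shlex
from dataclasses import dataclass, field

@dataclass
class Section:
    stype: str          # "rule", "interface", "wireguard_vpn", ...
    name: str | None    # section name, None when anonymous
    options: dict = field(default_factory=dict)

def parse_uci(text: str) -> list[Section]:
    """Parse UCI text ('config <type> [name]' / 'option k v'); list lines are skipped."""
    sections: list[Section] = []
    cur: Section | None = None
    for raw in text.splitlines():
        parts = shlex.split(raw)        # handles the quoted values UCI writes
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "config" and len(parts) >= 2:
            cur = Section(parts[1], parts[2] if len(parts) > 2 else None)
            sections.append(cur)
        elif parts[0] == "option" and cur is not None and len(parts) == 3:
            cur.options[parts[1]] = parts[2]
    return sections

# Keys an inbound "open this port on wan" rule needs; any other key is one more condition the packet must also satisfy.
MINIMAL_RULE_KEYS = {"name", "src", "proto", "dest_port", "target", "family", "enabled"}

def audit(firewall_text: str, network_text: str) -> list[str]:
    fw, net = parse_uci(firewall_text), parse_uci(network_text)
    rules = [s for s in fw if s.stype == "rule"]
    out: list[str] = []
    for wg in (s for s in net if s.stype == "interface" and s.options.get("proto") == "wireguard"):
        port = wg.options.get("listen_port")
        if not port:
            out.append(f"{wg.name}: no listen_port, peers cannot initiate to this router")
            continue
        # The rule asked for above: src wan, proto udp, dest_port == listen_port, ACCEPT, nothing more.
        hits = [r for r in rules if r.options.get("src") == "wan"
                and r.options.get("proto") == "udp" and r.options.get("dest_port") == port]
        if not hits:
            out.append(f"{wg.name}: no wan rule for udp/{port}, handshakes are rejected")
        for r in hits:
            rn = r.options.get("name", "<unnamed>")
            if "dest" in r.options:   # a dest turns it into a forwarding rule, not an input rule
                out.append(f"rule {rn}: has dest, so it never admits traffic to the router itself")
            extra = sorted(set(r.options) - MINIMAL_RULE_KEYS - {"dest"})
            if extra:
                out.append(f"rule {rn}: extra conditions {extra} must also match, drop them unless intended")
        # Peer sections on the listening side carry the peer's public key (plus PSK): no private key, no endpoint.
        for peer in (s for s in net if s.stype == f"wireguard_{wg.name}"):
            d = peer.options.get("description", "<no description>")
            if "private_key" in peer.options:
                out.append(f"peer {d}: private_key is not a peer option and no private key belongs in a peer section")
            if "endpoint_host" in peer.options:
                out.append(f"peer {d}: endpoint_host belongs in the remote peer's own config, not on the listening side")
    # Management ports opened on wan: fine for the reachability test above, not to leave in place.
    for r in rules:
        o = r.options
        if o.get("src") == "wan" and o.get("target") == "ACCEPT" and o.get("proto") == "tcp" and o.get("dest_port") in {"22", "80", "443"}:
            out.append(f"rule {o.get('name', '<unnamed>')}: tcp/{o['dest_port']} open on wan, remove once the VPN works")
    return out

FIREWALL_SAMPLE = """
config rule
    option name 'wg'
    option src 'wan'
    option dest_port '51820'
    option proto 'udp'
    option target 'ACCEPT'
config rule
    option name 'Allow-http'
    option src 'wan'
    option dest_port '80'
    option proto 'tcp'
    option target 'ACCEPT'
"""

NETWORK_SAMPLE = """
config interface 'vpn'
    option proto 'wireguard'
    option private_key 'XXX='
    option listen_port '51820'
    list addresses '192.168.9.1/24'
config wireguard_vpn
    option description 'home'
    option public_key 'XXX'
    option private_key 'XXX'
    list allowed_ips '192.168.9.3/32'
    option endpoint_host 'xxx.ddns.net'
    option endpoint_port '51820'
"""

if __name__ == "__main__":
    for line in audit(FIREWALL_SAMPLE, NETWORK_SAMPLE):
        print("-", line)
```

To run it against a real router, copy the two files off the device (redact keys first) and call audit() with their contents; on the sample above it reports the 'home' peer twice (private_key and endpoint_host) and the Allow-http rule, and says nothing about the 'wg' rule, which is exactly the minimal form the first reply asked for.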

It's ok

ping 139.59.210.197
PING 139.59.210.197 (139.59.210.197): 56 data bytes
64 bytes from 139.59.210.197: icmp_seq=0 ttl=32 time=205.113 ms
64 bytes from 139.59.210.197: icmp_seq=1 ttl=32 time=138.370 ms
64 bytes from 139.59.210.197: icmp_seq=2 ttl=32 time=145.682 ms
64 bytes from 139.59.210.197: icmp_seq=3 ttl=32 time=151.353 ms

--- 139.59.210.197 ping statistics ---
4 packets transmitted, 4 received, 0.00% packet loss
round-trip  min / avg / max = 138.370 / 160.130 / 205.113 ms

Not available, but maybe it's because I'm trying to ping a host name from the phone (iOS) and that's why I can't.

ping forum.openwrt.org

Invalid host name or IP address. Please check your Server Name.

So the problem is DNS.

In your remote peer (phone or computer), add the DNS server 192.168.1.1.


Right, it’s working now. Thank you.

Thanks to all.
