Wireguard setup: no routing / DNS?

This is one to add to the pile, probably. I'm new to Wireguard (and the whole VPN thing altogether). What I would like to achieve seems pretty simple, but at the moment it's very elusive: access to my LAN with a remote client.

I have set up a Wireguard server on my OpenWrt router, and configured my Android client with the Wireguard app. The LAN is a 10.0.0.x subnet, with a very limited DHCP range (.30-.60). Wireguard interface gets a high IP outside that scope so there shouldn't be any collisions afaik.

I have 'backported' the latest Wireguard commits from master to 18.06, but it all compiled fine, and the connection gets established, so I do not think this is an issue, but I am mentioning it just in case.

The intention is for the remote client to have access to the whole LAN, so from what I gathered putting the whole subnet in allowed_ips is OK?

Server configuration - /etc/config/network:

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'xxxx'
	option listen_port '8192'
	list addresses '10.0.0.248/29'

config wireguard_wg0
	option public_key 'xxxx'
	option persistent_keepalive '25'
	list allowed_ips '10.0.0.0/24'

/etc/config/firewall looks OK as well:

config rule
	option src '*'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '8192'
	option name 'Allow-Wireguard-Inbound'

The wireguard server seems to come up correctly and a connection gets established:

# wg
interface: wg0
  public key: xxxx
  private key: (hidden)
  listening port: 8192

peer: xxxx
  endpoint: 199.199.1xx.xxx:42268
  allowed ips: 10.0.0.0/24
  latest handshake: 36 seconds ago
  transfer: 130.29 KiB received, 53.94 KiB sent
  persistent keepalive: every 25 seconds

What I found out:

  • I can ping the router's LAN IP (10.0.0.1) from my smartphone (10.0.0.250) and vice versa.
  • Pinging any other LAN client from my smartphone does not work.
  • Pinging a remote IP from the smartphone (e.g. 8.8.8.8) does work.
  • Surfing does not, so it looks like DNS is being hijacked by the Wireguard connection, which should only handle 10.0.0.x connections?

I have tried allow_routed_ips (which pops up here in the forums quite a lot but does not seem to be meant for this kind of setup); it makes no difference. I'm not sure what to do here...

Thank you!

I'd recommend reviewing this thread and, in particular, taking a look at the walkthrough that was authored as a result.

Thanks, but I have gone through both. And I haven't found the issue.

config wireguard_wg0
	option public_key 'xxxx'
	option persistent_keepalive '25'
	list allowed_ips '10.0.0.0/24'

list allowed_ips should be a single address within 10.0.0.248/29, e.g. 10.0.0.249/32.

Your Android client config should then look a bit like this (restrict AllowedIPs to your LAN subnet if you wish):

[Interface]
Address = 10.0.0.249
PrivateKey = <client's privatekey>
ListenPort = <port>

[Peer]
PublicKey = <server's publickey>
Endpoint = <server's ip>:8192
AllowedIPs = 0.0.0.0/0, ::/0

Make sure wg0 is in your lan firewall zone.

Thanks - I modified my config, so allowed_ips is 10.0.0.250/32 (address I want the client to use).

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'xxxx'
	option listen_port '8192'
	list addresses '10.0.0.248/29'

config wireguard_wg0
	option public_key 'xxxx'
	option persistent_keepalive '25'
	list allowed_ips '10.0.0.250/32'

I have done some further testing - with the 10.0.0.248/29 range under the 'wg' interface in /etc/config/network, I seem to be able to ping all IPs in that range, e.g.:

  • 10.0.0.1 (set as DNS in the Wireguard client): responds fine.
  • 10.0.0.248 (the Wireguard server): responds fine.
  • 10.0.0.249, 10.0.0.251: respond fine (unreachable, as they are not assigned).
  • 10.0.0.247: outside the range, just hangs.

I suspect this is expected behaviour, but I need to reach e.g. 10.0.0.15. I tried expanding allowed_ips, but that doesn't do anything.

wg0 is in the LAN zone:

# uci show firewall.@zone[0]
firewall.cfg02dc81=zone
firewall.cfg02dc81.name='lan'
firewall.cfg02dc81.input='ACCEPT'
firewall.cfg02dc81.output='ACCEPT'
firewall.cfg02dc81.forward='ACCEPT'
firewall.cfg02dc81.network='lan' 'wg0'

Please could you post your Android client config, redacting anything sensitive, of course.

Client configuration:

[Interface]
Address = 10.0.0.250/32
DNS = 10.0.0.1
PrivateKey = xxxx

[Peer]
AllowedIPs = 10.0.0.0/24
Endpoint = bladi.bla:8192
PersistentKeepalive = 25
PublicKey = xxxx

Should I set a port? From what I read ListenPort = <port> is not mandatory under [Interface]? It says 'random' by default.

That looks fine to my (admittedly, untrained) eye.

I might be wide of the mark here, so apologies in advance if this turns out to be more 'wild goose' than 'golden goose', but given your LAN is in the 10.0.0.x subnet, try putting your wg0 interface in a different subnet, say 10.0.1.0/24, so that you end up with something like this:

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'xxxx'
	option listen_port '8192'
	list addresses '10.0.1.0/24'

config wireguard_wg0
	option public_key 'xxxx'
	option persistent_keepalive '25'
	list allowed_ips '10.0.1.250/32'

Then, modify your Android client config accordingly:

[Interface]
Address = 10.0.1.250/32
PrivateKey = xxxx

[Peer]
AllowedIPs = 10.0.0.0/16
Endpoint = bladi.bla:8192
PersistentKeepalive = 25
PublicKey = xxxx

Thanks @tectonic. I was thinking the fact I'm using LAN ranges might be an issue, and it turns out it was. I switched the Wireguard interface to a 10.0.10.x subnet, added the firewall zone and forwarding rules, and I am now able to ping 10.0.0.15 and SSH into it. So it works! :smile:

However, problem #2: I am still losing WAN DNS on my smartphone. I can ping sites by IP address but no name resolution when I enable the Wireguard connection on my smartphone... (and the Wireguard connection is only meant to route 10.0.x.x traffic).

Edit: solved by setting a public DNS server (e.g. Quad9) in the client configuration. Works fine for my needs. I hope this is not a security issue?

Thank you for your help and patience!

So the settings below work.

Client configuration:

[Interface]
Address = 10.0.10.250/32
DNS = 9.9.9.9
PrivateKey = xxxx

[Peer]
AllowedIPs = 10.0.0.0/16
Endpoint = <snip>
PersistentKeepalive = 25
PublicKey = xxxx

OpenWrt (server) configuration:

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'xxxx'
	option listen_port '8192'
	list addresses '10.0.10.0/24'

config wireguard_wg0
	option public_key 'xxxx'
	option persistent_keepalive '25'
	list allowed_ips '10.0.10.250/32'
	option description 'Android Smartphone'
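The two things that changed between the broken and the working configuration above are the tunnel subnet (moved out of the LAN range) and the server-side allowed_ips (a single /32 for the phone instead of the whole LAN). The following script is an added example, not part of the thread or of OpenWrt, and encodes those checks with Python's ipaddress module; the plan dictionaries are constructed from the thread's first and final configurations.

```python
import ipaddress
from typing import List

def check_plan(lan: str, wg_addr: str, server_allowed: List[str],
               client_addr: str, client_allowed: List[str], client_dns: str) -> List[str]:
    """Return a list of findings for a WireGuard road-warrior plan; empty means all checks pass."""
    findings = []
    lan_net = ipaddress.ip_network(lan)
    wg_net = ipaddress.ip_interface(wg_addr).network          # 'list addresses' on wg0
    client_ip = ipaddress.ip_interface(client_addr).ip
    server_nets = [ipaddress.ip_network(a) for a in server_allowed]
    client_nets = [ipaddress.ip_network(a) for a in client_allowed]
    dns_ip = ipaddress.ip_address(client_dns)

    # 1. The tunnel subnet must not overlap the LAN: otherwise the router carries a
    #    route for part of the LAN that points into wg0, and those LAN hosts vanish.
    if lan_net.overlaps(wg_net):
        findings.append(f"wg subnet {wg_net} overlaps LAN {lan_net}")

    # 2. Server-side allowed_ips is cryptokey routing: any prefix listed here is sent to
    #    that peer. A phone should own one /32 inside the tunnel subnet, never the LAN.
    for net in server_nets:
        if net.prefixlen != 32:
            findings.append(f"server allowed_ips {net} is not a single /32 host")
        if not net.subnet_of(wg_net):
            findings.append(f"server allowed_ips {net} lies outside tunnel subnet {wg_net}")

    # 3. The client's tunnel address must be inside the server's allowed_ips, or the
    #    server silently drops everything the client sends.
    if not any(client_ip in net for net in server_nets):
        findings.append(f"client address {client_ip} not in server allowed_ips")

    # 4. The client must route the LAN into the tunnel, and a LAN-side DNS server is
    #    only reachable if it is covered too (a public resolver needs no tunnel route).
    if not any(lan_net.subnet_of(net) for net in client_nets):
        findings.append(f"client AllowedIPs does not cover LAN {lan_net}")
    if dns_ip in lan_net and not any(dns_ip in net for net in client_nets):
        findings.append(f"DNS server {dns_ip} is on the LAN but not in client AllowedIPs")
    return findings

# Constructed samples: the thread's first configuration and the final working one.
THREAD_BEFORE = dict(lan="10.0.0.0/24", wg_addr="10.0.0.248/29", server_allowed=["10.0.0.0/24"],
                     client_addr="10.0.0.250/32", client_allowed=["10.0.0.0/24"], client_dns="10.0.0.1")
THREAD_AFTER = dict(lan="10.0.0.0/24", wg_addr="10.0.10.0/24", server_allowed=["10.0.10.250/32"],
                    client_addr="10.0.10.250/32", client_allowed=["10.0.0.0/16"], client_dns="9.9.9.9")

if __name__ == "__main__":
    for name, plan in (("before", THREAD_BEFORE), ("after", THREAD_AFTER)):
        print(name, check_plan(**plan) or ["ok"])
```

The "before" plan reports the subnet overlap and the over-broad server allowed_ips; the "after" plan reports nothing. The DNS check is only a necessary condition: a resolver that is reachable through the tunnel can still refuse queries on wg0 for other reasons.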

Great! Glad that's working for you.

You don't necessarily need to put the Wireguard interface in its own firewall zone: it could sit in your LAN firewall zone. It depends on whether you need the extra level of control that you'd gain from putting it in its own zone.

Sorry, I'm not sure what to suggest for your DNS problem, but good that you've found a solution that works. I suspect changing AllowedIPs to 0.0.0.0/0 in your Android client config might do the trick. But, then again, it sounds like you want to restrict access to 10.0.0.0/16.

All the best.
