Wireguard site to site connection - unable to route vlans configured on layer 3 switch

I have 2 Netgear R6260 routers running OpenWrt 22.03.5. One router is at my house, the other is at my parents'. I've configured a site to site Wireguard tunnel using the 10.100.0.0/24 subnet. My parents have a flat network with a single subnet configured on OpenWrt - 10.1.0.0/24. My house has a single subnet on OpenWrt - 172.16.0.0/24, however I also have VLANs behind my router on my Aruba S2500 switch - 10.0.0.0/24, 10.0.1.0/24, 10.0.2.0/24, 10.0.10.0/24, and 10.0.255.0/24. OpenWrt hands out a lease to my switch, 172.16.0.2, and I have static routes to the VLANs that are configured on the switch using that IP as the gateway. No communication from the 10.0.0.0/16 subnets can reach the site to site VPN. I can ping the switch using its 172.16.0.2 IP from my parents' house. What am I missing to allow the static routes through the VPN? Let me know any other configuration that would be helpful to see.

My house:

config interface '[REDACTED]VPN'
	option proto 'wireguard'
	option private_key '[REDACTED]'
	option listen_port '[REDACTED]'
	list addresses '10.100.0.1/24'

config wireguard_[REDACTED]VPN
	option description '[REDACTED]VPN'
	option public_key '[REDACTED]'
	list allowed_ips '10.100.0.0/24'
	list allowed_ips '10.1.0.0/24'
	option route_allowed_ips '1'
	option endpoint_host '[REDACTED]'
	option endpoint_port '[REDACTED]'

My parents' house:

config interface '[REDACTED]VPN'
	option proto 'wireguard'
	option private_key '[REDACTED]'
	option listen_port '[REDACTED]'
	list addresses '10.100.0.2/24'

config wireguard_[REDACTED]VPN
	option description '[REDACTED]VPN'
	option public_key '[REDACTED]'
	option route_allowed_ips '1'
	option endpoint_host '[REDACTED]'
	option endpoint_port '[REDACTED]'
	list allowed_ips '10.100.0.0/24'
	list allowed_ips '172.16.0.0/24'

Static routing configured at my house:

config route
	option interface 'lan'
	option target '10.0.0.0/24'
	option gateway '172.16.0.2'

config route
	option interface 'lan'
	option target '10.0.1.0/24'
	option gateway '172.16.0.2'

config route
	option target '10.0.2.0/24'
	option gateway '172.16.0.2'
	option interface 'lan'

config route
	option interface 'lan'
	option target '10.0.255.0/24'
	option gateway '172.16.0.2'

config route
	option interface 'lan'
	option target '10.0.10.0/24'
	option gateway '172.16.0.2'

At your parents' house you probably also need to set a route to your 10.0.0.0/16 subnet:
list allowed_ips '10.0.0.0/16'

That's what I thought and I tried that, but no luck. Something strange I encountered when I first set up my network was that I couldn't set a static route of 10.0.0.0/16 with its gateway as 172.16.0.2. I had to individually make my routes, i.e. 10.0.0.0/24, 10.0.1.0/24, etc. So I also tried doing that in the allowed IPs, but it still doesn't work.

For the record, these should have a /32 mask. In this case it does not matter, as you have only one peer per tunnel, but if you have multiple peers the allowed IPs must not overlap.

When you add 10.0.0.0/16 to the allowed IPs at your parents' it should get you a route for those subnets via the WG server.
You can check at your parents' with:
ip ro

Assuming the route is there and you have a handshake the problem could be on your side.

It could be a firewall issue, so let's look at the broader picture:
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/firewall
ip ro
wg show

Note your local LAN clients will/could have their own firewall and will not allow traffic from the parents' side by default, so the local LAN clients' firewall has to be tweaked also to allow traffic from 10.1.0.0/24.
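The two checks made in this reply (the remote subnets must be covered by the peer's allowed_ips, and allowed_ips must not overlap between peers of one tunnel) can be run against a copy of /etc/config/network before changing anything. The script below is an added example, not code from the thread or from OpenWrt; it uses a constructed UCI sample in the style of the parents' config plus an invented second "Laptop" peer, and the home prefixes from the first post.

```python
import ipaddress
import shlex
from collections import defaultdict

# Constructed sample in the style of the parents' config: the site-to-site peer
# as first posted (no 10.0.0.0/16) plus an invented second peer whose
# allowed_ips collide with it.
SAMPLE_UCI = """
config wireguard_ParentsVPN
        option description 'MyHouseVPN'
        option route_allowed_ips '1'
        list allowed_ips '10.100.0.0/24'
        list allowed_ips '172.16.0.0/24'

config wireguard_ParentsVPN
        option description 'Laptop'
        list allowed_ips '10.100.0.0/24'
"""
# Prefixes behind the home router: its LAN plus the VLANs on the switch.
HOME_SUBNETS = ["172.16.0.0/24", "10.0.0.0/24", "10.0.1.0/24",
                "10.0.2.0/24", "10.0.10.0/24", "10.0.255.0/24"]

def parse_uci(text):
    """Parse UCI text into dicts {'type', 'name', 'opts'}; 'opts' maps each
    option/list key to a list of its values."""
    sections, cur = [], None
    for raw in text.splitlines():
        tok = shlex.split(raw, comments=True)
        if not tok:
            continue
        if tok[0] == "config" and len(tok) >= 2:
            cur = {"type": tok[1], "name": tok[2] if len(tok) > 2 else None,
                   "opts": defaultdict(list)}
            sections.append(cur)
        elif tok[0] in ("option", "list") and cur and len(tok) >= 3:
            cur["opts"][tok[1]].append(tok[2])
    return sections

def wg_peers(sections):
    """Group peer sections (type wireguard_<iface>) by interface as
    (description, [allowed_ips networks]) tuples."""
    peers = defaultdict(list)
    for s in sections:
        if s["type"].startswith("wireguard_"):
            nets = [ipaddress.ip_network(a, strict=False)
                    for a in s["opts"].get("allowed_ips", [])]
            peers[s["type"][10:]].append((s["opts"].get("description", ["?"])[0], nets))
    return peers

def overlapping_allowed_ips(peers):
    """Peer pairs on one interface whose allowed_ips overlap. Cryptokey routing
    maps a destination to exactly one peer, so the other peer never gets it."""
    found = []
    for iface, plist in peers.items():
        for i, (desc_a, nets_a) in enumerate(plist):
            for desc_b, nets_b in plist[i + 1:]:
                for na in nets_a:
                    for nb in nets_b:
                        if na.version == nb.version and na.overlaps(nb):
                            found.append((iface, desc_a, desc_b, str(na), str(nb)))
    return found

def missing_remote_subnets(peers, iface, peer_desc, remote_subnets):
    """Remote prefixes not covered by the named peer's allowed_ips; WireGuard
    drops packets to them before encryption even when a kernel route exists."""
    allowed = [n for d, nets in peers.get(iface, []) if d == peer_desc for n in nets]
    missing = []
    for prefix in remote_subnets:
        net = ipaddress.ip_network(prefix, strict=False)
        if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
            missing.append(prefix)
    return missing
```

Run it against the real file with `parse_uci(open("/etc/config/network").read())`; adding `list allowed_ips '10.0.0.0/16'` to the site-to-site peer empties the missing list.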

My house:

root@KREEZE-FW:~# ubus call system board
{
        "kernel": "5.10.176",
        "hostname": "KREEZE-FW",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "Netgear R6260",
        "board_name": "netgear,r6260",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.5",
                "revision": "r20134-5f15225c1e",
                "target": "ramips/mt7621",
                "description": "OpenWrt 22.03.5 r20134-5f15225c1e"
        }
}
root@KREEZE-FW:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fd56:b957:ef12::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '172.16.0.1'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option peerdns '0'
        list dns '8.8.8.8'
        list dns '8.8.4.4'
        option metric '1'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'HomeVPN'
        option proto 'wireguard'
        option private_key '[REDACTED]'
        option listen_port '[REDACTED]'
        list addresses '10.0.100.1/24'

config wireguard_HomeVPN
        option description 'KREEZE-7T'
        option public_key '[REDACTED]'
        option private_key '[REDACTED]'
        option preshared_key '[REDACTED]'
        option route_allowed_ips '1'
        list allowed_ips '10.0.100.2/32'

config route
        option interface 'lan'
        option target '10.0.0.0/24'
        option gateway '172.16.0.2'

config route
        option interface 'lan'
        option target '10.0.1.0/24'
        option gateway '172.16.0.2'

config route
        option target '10.0.2.0/24'
        option gateway '172.16.0.2'
        option interface 'lan'

config route
        option interface 'lan'
        option target '10.0.255.0/24'
        option gateway '172.16.0.2'

config route
        option interface 'lan'
        option target '10.0.10.0/24'
        option gateway '172.16.0.2'

config interface 'wanb'
        option proto 'dhcp'
        option device 'lan4'
        option metric '2'

config interface 'wanb6'
        option device 'lan4'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'

config interface 'MyHouseVPN'
        option proto 'wireguard'
        option private_key '[REDACTED]'
        option listen_port '[REDACTED]'
        list addresses '10.100.0.1/24'

config wireguard_MyHouseVPN
        option description 'ParentsVPN'
        option public_key '[REDACTED]'
        option route_allowed_ips '1'
        option endpoint_host '[REDACTED]'
        option endpoint_port '[REDACTED]'
        list allowed_ips '10.100.0.0/24'
        list allowed_ips '10.1.0.0/24'

root@KREEZE-FW:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
        option band '2g'
        option cell_density '0'
        option htmode 'HT40'
        option channel 'auto'
        option disabled '1'

config wifi-device 'radio1'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option band '5g'
        option cell_density '0'
        option channel 'auto'
        option htmode 'VHT80'
        option disabled '1'

config wifi-iface 'wifinet0'
        option device 'radio1'
        option mode 'ap'
        option ssid '[REDACTED]'
        option encryption 'psk2'
        option key '[REDACTED]'
        option network 'lan'
        option disabled '1'

config wifi-iface 'wifinet1'
        option device 'radio0'
        option mode 'ap'
        option ssid '[REDACTED]'
        option encryption 'psk2'
        option key '[REDACTED]'
        option network 'lan'
        option disabled '1'

config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        option ssid '[REDACTED]'
        option encryption 'psk2'
        option key '[REDACTED]'
        option network 'lan'
        option disabled '1'

config wifi-iface 'wifinet3'
        option device 'radio1'
        option mode 'ap'
        option ssid '[REDACTED]'
        option encryption 'psk2'
        option key '[REDACTED]'
        option network 'lan'
        option disabled '1'

root@KREEZE-FW:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'REJECT'
        option flow_offloading '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'HomeVPN'
        list network 'MyHouseVPN'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'wanb'
        list network 'wanb6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option family 'ipv4'
        list icmp_type 'echo-request'
        option target 'DROP'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'DROP'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'Firewall'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'HomeVPN'
        list proto 'udp'
        option src 'wan'
        option src_dport '[REDACTED]'
        option dest_port '[REDACTED]'
        option dest_ip '10.0.100.1'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'MyHouseVPN'
        list proto 'udp'
        option src 'wan'
        option src_dport '[REDACTED]'
        option dest_ip '10.100.0.1/32'
        option dest_port '[REDACTED]'

root@KREEZE-FW:~# ip ro
default via [My House Public IP Gateway] dev wan proto static src [My House Public IP] metric 1
10.0.0.0/24 via 172.16.0.2 dev br-lan proto static
10.0.1.0/24 via 172.16.0.2 dev br-lan proto static
10.0.2.0/24 via 172.16.0.2 dev br-lan proto static
10.0.10.0/24 via 172.16.0.2 dev br-lan proto static
10.0.100.0/24 dev HomeVPN proto kernel scope link src 10.0.100.1
10.0.100.2 dev HomeVPN proto static scope link
10.0.255.0/24 via 172.16.0.2 dev br-lan proto static
10.1.0.0/24 dev MyHouseVPN proto static scope link
10.100.0.0/24 dev MyHouseVPN proto static scope link
[My House Public IP Subnet] dev wan proto static scope link metric 1
[Parents House Public IP] via [My House Public IP Gateway] dev wan proto static metric 1
172.16.0.0/24 dev br-lan proto kernel scope link src 172.16.0.1
root@KREEZE-FW:~# wg show
interface: HomeVPN
  public key: [REDACTED]
  private key: (hidden)
  listening port: [REDACTED]

peer: [REDACTED]
  preshared key: (hidden)
  endpoint: [My Phone Public IP]
  allowed ips: 10.0.100.2/32
  latest handshake: 21 hours, 13 minutes, 45 seconds ago
  transfer: 4.43 MiB received, 18.59 MiB sent

interface: MyHouseVPN
  public key: [REDACTED]
  private key: (hidden)
  listening port: [REDACTED]

peer: [REDACTED]
  endpoint: [My Parent's Public IP]
  allowed ips: 10.100.0.0/24, 10.1.0.0/24
  latest handshake: 1 minute, 20 seconds ago
  transfer: 1.80 GiB received, 3.24 GiB sent

My parents':

root@Parents-FW:~# ubus call system board
{
        "kernel": "5.10.176",
        "hostname": "Parents-FW",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "Netgear R6260",
        "board_name": "netgear,r6260",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.5",
                "revision": "r20134-5f15225c1e",
                "target": "ramips/mt7621",
                "description": "OpenWrt 22.03.5 r20134-5f15225c1e"
        }
}
root@Parents-FW:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fd1a:5b0d:3ae9::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '10.1.0.1'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'HomeVPN'
        option proto 'wireguard'
        option private_key '[REDACTED]'
        option listen_port '[REDACTED]'
        list addresses '10.1.100.1/24'

config wireguard_HomeVPN
        option description 'KREEZE-7T'
        option public_key '[REDACTED]'
        option private_key '[REDACTED]'
        option preshared_key '[REDACTED]'
        list allowed_ips '10.1.100.2/32'
        option route_allowed_ips '1'

config interface 'ParentsVPN'
        option proto 'wireguard'
        option private_key '[REDACTED]'
        option listen_port '[REDACTED]'
        list addresses '10.100.0.2/24'

config wireguard_ParentsVPN
        option description 'MyHouseVPN'
        option public_key '[REDACTED]'
        option route_allowed_ips '1'
        option endpoint_host '[My House Public IP]'
        option endpoint_port '[REDACTED]'
        list allowed_ips '10.100.0.0/24'
        list allowed_ips '172.16.0.0/24'
        list allowed_ips '10.0.0.0/16'

config wireguard_HomeVPN

root@Parents-FW:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid '[REDACTED]'
        option encryption 'psk2'
        option key '[REDACTED]'

config wifi-device 'radio1'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid '[REDACTED]'
        option encryption 'psk2'
        option key '[REDACTED]'

root@Parents-FW:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'HomeVPN'
        list network 'ParentsVPN'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'HomeVPN'
        list proto 'udp'
        option src 'wan'
        option src_dport '[REDACTED]'
        option dest_ip '10.1.0.1'
        option dest_port '[REDACTED]'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'ParentsVPN'
        list proto 'udp'
        option src 'wan'
        option src_dport '[REDACTED]'
        option dest_ip '10.100.0.2'
        option dest_port '[REDACTED]'

root@Parents-FW:~# ip ro
default via [Parents Public IP Gateway] dev wan  src [Parents Public IP]
10.0.0.0/16 dev ParentsVPN scope link
10.1.0.0/24 dev br-lan scope link  src 10.1.0.1
10.1.100.0/24 dev HomeVPN scope link  src 10.1.100.1
10.1.100.2 dev HomeVPN scope link
10.100.0.0/24 dev ParentsVPN scope link
[My House Public IP] via [Parents Public IP Gateway] dev wan
[Parents House Public IP Subnet] dev wan scope link  src [Parents Public IP]
172.16.0.0/24 dev ParentsVPN scope link
root@Parents-FW:~# wg show
interface: HomeVPN
  public key: [REDACTED]
  private key: (hidden)
  listening port: [REDACTED]

peer: [REDACTED]
  preshared key: (hidden)
  endpoint: [My House Public IP]
  allowed ips: 10.1.100.2/32
  latest handshake: 20 hours, 9 minutes, 8 seconds ago
  transfer: 1.99 MiB received, 7.71 MiB sent

interface: ParentsVPN
  public key: [REDACTED]
  private key: (hidden)
  listening port: [REDACTED]

peer: [REDACTED]
  endpoint: [My House Public IP]
  allowed ips: 10.100.0.0/24, 172.16.0.0/24, 10.0.0.0/16
  latest handshake: 56 seconds ago
  transfer: 65.79 KiB received, 437.54 KiB sent

Remove this from your home; you already have the tunnel configured (MyHouseVPN).

Also remove that interface from the firewall.

Remove this from your parents':

Also remove that interface from the firewall.

(You can have multiple tunnels, but with different addresses, ports, etc.)

The routes look OK; on both sides the WG interface is in the lan zone, which is OK.

The rules to open up the WG listen port can be changed into a simple access rule, so delete both redirect rules of the WG interfaces and use the rule below (placed in /etc/config/firewall); just replace 51810 with the listen port of your WG interface:

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51810'
	option proto 'udp'
	option target 'ACCEPT'

This should be done on both sides.

Afterwards, reboot both routers.

I should have mentioned, I have a separate WireGuard tunnel configured on both routers so that I can connect other peers (i.e. my phone) directly to each location when I need to. I made them separate from the site to site tunnel on purpose (think of it as out of band management). They are using different ports/subnets from the site to site (10.0.100.0/24 and 10.1.100.0/24). So, I won't be removing those.
As for deleting the port forwards and making traffic rules instead, I went ahead and did what you suggested and it worked! Didn't even have to reboot. Can you explain the difference between my port forward and the traffic rule? Any security concerns?


There are no security concerns.

I am not 100% sure why the redirect rules are not working; it could be that the firewall classifies the redirected traffic as "invalid".

Edit: I think it is because the destination IP is wrong; that should be the router's LAN IP address.
But, as said, a redirect rule itself is not the correct way.
