bepis
January 27, 2021, 2:33pm
Hello,
I'm having some problems setting up WireGuard on my home router (which will act as main peer - server): peers cannot talk to other peers unless the other peer is the router itself.
I followed the instructions here to set up WG on OpenWrt.
Example settings on peers:
[Interface]
Address = 192.168.9.10/32
PrivateKey = ...
[Peer]
PublicKey = ...
AllowedIPs = 0.0.0.0/0
... endpoint host - port...
sysctl ipv4 forwarding is enabled on the router.
Port 51820 is forwarded and peers on the internet can join VPN.
Since peers can talk to router just fine, I figured I must've missed (misconfigured) firewall rules.
Is there any firewall rule for forwarding that must be explicitly set on OpenWrt so that WG peers can send traffic?
Post the output:
uci show firewall; wg show
bepis
January 27, 2021, 2:50pm
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].synflood_protect='1'
firewall.lan=zone
firewall.lan.name='lan'
firewall.lan.input='ACCEPT'
firewall.lan.output='ACCEPT'
firewall.lan.network='wireguard-vpn lan wireguard'
firewall.lan.forward='REJECT'
firewall.wan=zone
firewall.wan.name='wan'
firewall.wan.input='REJECT'
firewall.wan.output='ACCEPT'
firewall.wan.forward='REJECT'
firewall.wan.masq='1'
firewall.wan.mtu_fix='1'
firewall.wan.network='wan'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@zone[2]=zone
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].name='guest'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].network='guest'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='wan'
firewall.@forwarding[1].src='guest'
firewall.@rule[9]=rule
firewall.@rule[9].name='Allow-Guest-DNS'
firewall.@rule[9].target='ACCEPT'
firewall.@rule[9].dest_port='53'
firewall.@rule[9].src='guest'
firewall.@rule[10]=rule
firewall.@rule[10].dest_port='67-68'
firewall.@rule[10].src='guest'
firewall.@rule[10].name='Allow-Guest-DHCP'
firewall.@rule[10].target='ACCEPT'
firewall.@rule[10].proto='udp'
firewall.@redirect[1]=redirect
firewall.@redirect[1].dest_port='51820'
firewall.@redirect[1].src='wan'
firewall.@redirect[1].name='Router-Wireguard'
firewall.@redirect[1].src_dport='51820'
firewall.@redirect[1].target='DNAT'
firewall.@redirect[1].proto='udp'
firewall.@redirect[1].dest='lan'
firewall.@redirect[1].dest_ip='192.168.0.1'
firewall.wg=rule
firewall.wg.name='Allow-WireGuard'
firewall.wg.src='wan'
firewall.wg.dest_port='51820'
firewall.wg.proto='udp'
firewall.wg.target='ACCEPT'
firewall.@rule[13]=rule
firewall.@rule[13].dest_port='51820'
firewall.@rule[13].src='guest'
firewall.@rule[13].name='Allow-WireGuard-Guest'
firewall.@rule[13].target='ACCEPT'
firewall.@rule[13].proto='udp'
interface: wireguard
public key:
private key: (hidden)
listening port: 51820
peer:
preshared key: (hidden)
endpoint: :62312
allowed ips: 192.168.9.2/32
latest handshake: 12 seconds ago
transfer: 2.06 MiB received, 8.93 MiB sent
persistent keepalive: every 25 seconds
peer:
allowed ips: 192.168.9.3/32
persistent keepalive: every 25 seconds
uci set firewall.lan.forward="ACCEPT"
uci commit firewall
/etc/init.d/firewall restart
The second peer has no handshake.
Make sure you are using a unique key pair for each peer.
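An added check, not from the thread or from OpenWrt, that parses a constructed excerpt of `uci show firewall` output (modelled on the zone and network names posted above) and reports the intra-zone forward policy of whichever zone contains the WireGuard network; the sample values are assumed, not taken from a real router.

```shell
#!/bin/sh
# Constructed excerpt of `uci show firewall` output: the wireguard network
# sits in the lan zone, whose forward policy is REJECT (as in the thread).
sample_uci() {
cat <<'EOF'
firewall.lan=zone
firewall.lan.name='lan'
firewall.lan.network='wireguard-vpn lan wireguard'
firewall.lan.forward='REJECT'
firewall.wan=zone
firewall.wan.name='wan'
firewall.wan.forward='REJECT'
firewall.wan.network='wan'
EOF
}

# zone_forward_policy UCI_TEXT NETWORK
# Prints the forward policy of the zone whose network list contains NETWORK
# ("nozone" if no zone lists it, "unset" if the zone has no forward option).
zone_forward_policy() {
  printf '%s\n' "$1" | awk -F'=' -v net="$2" -v q="'" '
    { gsub(q, "", $2) }                       # strip quotes around values
    $1 ~ /\.network$/ {
      n = split($2, nets, " ")
      for (i = 1; i <= n; i++)
        if (nets[i] == net) { s = $1; sub(/\.network$/, "", s); zone = s }
    }
    $1 ~ /\.forward$/ { s = $1; sub(/\.forward$/, "", s); fwd[s] = $2 }
    END {
      if (zone == "") { print "nozone"; exit }
      r = (zone in fwd) ? fwd[zone] : "unset"
      print r
    }'
}

# wg_peers_can_forward UCI_TEXT NETWORK: succeeds only when traffic between
# peers of NETWORK (in and out of the same zone) would be forwarded.
wg_peers_can_forward() {
  [ "$(zone_forward_policy "$1" "$2")" = "ACCEPT" ]
}

# The fix from the thread, applied to the sample text instead of via `uci set`.
fixed_uci() {
  sample_uci | sed "s/^firewall.lan.forward='REJECT'/firewall.lan.forward='ACCEPT'/"
}

if wg_peers_can_forward "$(sample_uci)" wireguard; then
  echo "zone holding wireguard already forwards"
else
  echo "zone holding wireguard has forward=$(zone_forward_policy "$(sample_uci)" wireguard)"
fi
```

Setting the zone to ACCEPT also lets LAN hosts and WireGuard peers reach each other, since both networks share the lan zone, so confirm that is intended before committing.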
bepis
January 27, 2021, 3:58pm
Yes, they do have unique keys and are working; I had just restarted the interface.
Thanks, setting the lan forwarding rule does help somewhat: peers on the lan network can now ping the peer on the internet, but not vice versa. Do you know why?
If the LAN PC is using Windows, allow ICMP/ping from outside the local subnet in the Windows firewall.
bepis
January 27, 2021, 6:13pm
Everything's working now, thank you.
system
Closed
February 6, 2021, 6:14pm
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.