Wireguard traffic routing

Tell the ISP router to route 10.14.0.0/24 through the WireGuard server; it looks like it's 192.168.10.130. No need for NAT.


The ISP router is pretty dumb and setting static routes is an impossible task. The only reason the landlord wants to keep it is the landline phone.
Anyway, I scratched my head these days and it seems that, after all the help I got from the others, the server works as I needed it to.

Thank you for your suggestion. In the meantime I made some changes (modifying the tunnel to use LAN addresses), and using masquerading on the LAN zone did the trick. 🙂
Now, the entire system works as I wanted to.
After connecting to the WG server, I am able to connect with the rest of the LAN devices and also surf the internet through the ISP router.


I am sharing here the working network and the firewall configuration.
Thank you all very much for your support.

network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd14:2010:ab01::/48'
network.atm=atm-bridge
network.atm.vpi='1'
network.atm.vci='32'
network.atm.encaps='llc'
network.atm.payload='bridged'
network.atm.nameprefix='dsl'
network.atm.unit='root'
network.dsl=dsl
network.dsl.annex='b'
network.dsl.firmware='/lib/firmware/adsl.bin'
network.lan=interface
network.lan.type='bridge'
network.lan.proto='dhcp'
network.lan.ifname='eth0'
network.wan=interface
network.wan.ifname='dsl0'
network.wan.proto='pppoe'
network.wan.username='username'
network.wan.password='password'
network.wan.ipv6='1'
network.wan_dsl0_dev=device
network.wan_dsl0_dev.name='dsl0'
network.wan_dsl0_dev.macaddr='xx:xx:xx:xx:xx:xx'
network.wan6=interface
network.wan6.ifname='@wan'
network.wan6.proto='dhcpv6'
network.wg0=interface
network.wg0.proto='wireguard'
network.wg0.private_key='...'
network.wg0.listen_port='51820'
network.wg0.addresses='192.168.10.131/32'
network.@wireguard_wg0[0]=wireguard_wg0
network.@wireguard_wg0[0].public_key='...'
network.@wireguard_wg0[0].description='Phone'
network.@wireguard_wg0[0].persistent_keepalive='25'
network.@wireguard_wg0[0].allowed_ips='192.168.10.132/32'
network.@wireguard_wg0[0].route_allowed_ips='1'
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='ACCEPT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].device='br-lan' 'eth0' 'radio0.network1' 'radio0.network2'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan wg0'
firewall.@zone[0].masq='1'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@zone[1]=zone
firewall.@zone[1].name='wg_zone'
firewall.@zone[1].input='ACCEPT'
firewall.@zone[1].forward='ACCEPT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].masq='1'
firewall.@zone[1].device='wg0'
firewall.@zone[1].network='wg_zone'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].dest='lan'
firewall.@forwarding[0].src='wg_zone'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='wg_zone'
firewall.@forwarding[1].src='lan'
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].boguspriv='1'
dhcp.@dnsmasq[0].filterwin2k='0'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].nonegcache='0'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.auto'
dhcp.@dnsmasq[0].nonwildcard='1'
dhcp.@dnsmasq[0].localservice='1'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.start='100'
dhcp.lan.limit='150'
dhcp.lan.leasetime='12h'
dhcp.lan.dhcpv6='server'
dhcp.lan.ra='server'
dhcp.lan.ra_management='1'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.odhcpd.loglevel='4'

On the phone, the WG client configuration looks like this:

Address: 192.168.10.132/32
DNS Servers: 192.168.10.1 #ISP router's address

Peer configuration
Allowed IPs: 0.0.0.0/0
Endpoint: my-server:51820
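As an added example (my own script, not the poster's configuration and not an OpenWrt tool), here is a small checker that parses `uci show` style lines like the dump above and reports the zone problems that are easy to miss by eye: a zone that lists a network which is not defined in the network config, a network claimed by two zones, a zone attached to a raw device whose name coincides with a logical interface, and which zones masquerade. The sample inputs are constructed from a trimmed copy of the posted dump; the "fixed" variant assumes the correction of removing wg0 from the lan zone and attaching wg_zone to the wg0 network.

```python
"""Sanity-check OpenWrt UCI `uci show` output for firewall zone mistakes.
Added example written for this thread; it runs offline with constructed input."""
import re

# Constructed sample: a trimmed copy of the posted network + firewall dump.
POSTED = """\
network.loopback=interface
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0'
network.wan=interface
network.wan.ifname='dsl0'
network.wg0=interface
network.wg0.proto='wireguard'
network.@wireguard_wg0[0]=wireguard_wg0
network.@wireguard_wg0[0].allowed_ips='192.168.10.132/32'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].device='br-lan' 'eth0' 'radio0.network1' 'radio0.network2'
firewall.@zone[0].network='lan wg0'
firewall.@zone[0].masq='1'
firewall.@zone[1]=zone
firewall.@zone[1].name='wg_zone'
firewall.@zone[1].masq='1'
firewall.@zone[1].device='wg0'
firewall.@zone[1].network='wg_zone'
"""

# Constructed sample: the same zones with the assumed correction applied
# (wg0 removed from 'lan', wg_zone attached to the wg0 network, not the device).
FIXED = (POSTED.replace("network='lan wg0'", "network='lan'")
               .replace("firewall.@zone[1].device='wg0'\n", "")
               .replace("network='wg_zone'", "network='wg0'"))

# package.section[.option]=value  (section may be a named or @type[n] section)
LINE_RE = re.compile(r"^(?P<pkg>\w+)\.(?P<sec>[^.=]+)(?:\.(?P<opt>\w+))?=(?P<val>.*)$")


def parse_uci(text):
    """Parse `uci show` lines into {package: {section: {option: [values]}}}.
    The section type is stored under the pseudo-option '.type' as a string."""
    cfg = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        pkg, sec, opt, val = m.group("pkg", "sec", "opt", "val")
        section = cfg.setdefault(pkg, {}).setdefault(sec, {})
        if opt is None:
            section[".type"] = val  # e.g. interface, zone, forwarding
        else:
            # uci quotes every item: 'a' for a string, 'a' 'b' for a list
            section[opt] = re.findall(r"'([^']*)'", val) or [val]
    return cfg


def check_zones(cfg):
    """Return human-readable findings about firewall zones, in config order."""
    findings = []
    ifaces = {name for name, sec in cfg.get("network", {}).items()
              if sec.get(".type") == "interface"}
    owner = {}  # network name -> zone that already claims it
    for sec in cfg.get("firewall", {}).values():
        if sec.get(".type") != "zone":
            continue
        zone = sec.get("name", ["<unnamed>"])[0]
        # 'network' is one space-separated string, so split it into names
        for net in " ".join(sec.get("network", [])).split():
            if net not in ifaces:
                findings.append(f"error: zone {zone!r} lists network {net!r}, "
                                f"which is not defined in the network config")
            elif net in owner:
                findings.append(f"error: zone {zone!r} lists network {net!r}, "
                                f"already covered by zone {owner[net]!r}")
            else:
                owner[net] = zone
        # Heuristic: a raw device name that equals a logical interface name
        # usually means the zone should reference the network instead.
        for dev in sec.get("device", []):
            if dev in ifaces:
                findings.append(f"warn: zone {zone!r} matches raw device {dev!r}; "
                                f"attach the {dev!r} network via 'network' instead")
        if sec.get("masq", ["0"])[0] == "1":
            findings.append(f"info: zone {zone!r} has masq=1; traffic leaving "
                            f"through it is source-NATed to the router's address")
    return findings


if __name__ == "__main__":
    for label, dump in (("posted", POSTED), ("fixed", FIXED)):
        print(f"--- {label} ---")
        for line in check_zones(parse_uci(dump)):
            print(line)
```

Run it as-is and the posted dump yields one error (the undefined `wg_zone` network), one warning (`wg0` used as a device) and two masquerade notes; the corrected variant yields only the masquerade notes. On a real router the input would be the output of `uci show network; uci show firewall`.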

In the firewall, your "lan" zone has networks "lan" and "wg0"; I think you should delete "wg0" here. Also, your "wg_zone" has "wg0" as a device (instead of a network) and a non-existent "wg_zone" network.


Indeed, "wg0" is now in the "lan" zone. Yesterday, I tried out a few things, and placing the "wg0" interface in the "lan" zone was one of them. I need to do a bit of cleanup and try it out as suggested.
