WireGuard VPN configuration not working

Thank you for your patience. Now server and client are again exchanging keep-alive packets which is a good sign (I guess).

My next test is to try to ping the server, but no dice. I can ping the client but not the server.

What would be the next step?

PING 10.8.1.1 (10.8.1.1) 56(84) bytes of data.
From 192.168.0.1 icmp_seq=1 Destination Host Unreachable

PING 10.8.1.2 (10.8.1.2) 56(84) bytes of data.
64 bytes from 10.8.1.2: icmp_seq=1 ttl=64 time=0.488 ms

To access a LAN on the other side of WireGuard, the LAN's IP must be in allowed_ips on this side.

Also the firewall needs to allow forwarding between the zone with the wg tunnel, and the lan zone, if the tunnel is not already in the lan zone.

Let's review both sides again: network and firewall configs.
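An added check for the two points above, written for this thread and not taken from OpenWrt or the posters: it reads UCI text from stdin and reports WireGuard peer sections that lack `list allowed_ips`, and whether a `config forwarding` exists between two zones. The function names and the sample configs are constructed here, mirroring the configs posted in the thread.

```shell
#!/bin/sh
# Checks for the two points above: every "config wireguard_<iface>" peer
# section must carry "list allowed_ips", and the firewall must forward
# between the lan zone and the tunnel zone. Reads UCI text from stdin
# ("uci export network", "uci export firewall", or a pasted config).

# Print one line per WireGuard peer section: ok or MISSING allowed_ips.
check_peers() {
    awk '
        function flush() { if (peer != "") print peer ": " (ips ? "ok" : "MISSING allowed_ips") }
        /^config / { flush(); peer = ($2 ~ /^wireguard_/) ? $2 : ""; ips = 0 }
        peer != "" && $1 == "list" && $2 == "allowed_ips" { ips = 1 }
        END { flush() }'
}
# Exit 0 when a "config forwarding" with src=$1 and dest=$2 exists on stdin.
has_forwarding() {
    awk -v q="'" -v ws="$1" -v wd="$2" '
        function hit() { return (fwd && src == ws && dst == wd) }
        /^config / { if (hit()) found = 1; fwd = ($2 == "forwarding"); src = dst = "" }
        fwd && $2 == "src"  { gsub(q, "", $3); src = $3 }
        fwd && $2 == "dest" { gsub(q, "", $3); dst = $3 }
        END { if (hit()) found = 1; exit (found ? 0 : 1) }'
}
# Constructed samples mirroring the thread: the peer as first posted (no
# allowed_ips), the peer after the accepted fix, and one zone forwarding.
sample_peer_missing() { cat <<'EOF'
config interface 'WG_VPN'
	option proto 'wireguard'
	list addresses '10.8.1.2/24'

config wireguard_WG_VPN
	option description 'VPNserver'
	option route_allowed_ips '1'
EOF
}
sample_peer_fixed() { sample_peer_missing; printf "\tlist allowed_ips '0.0.0.0/0'\n"; }
sample_firewall() { cat <<'EOF'
config zone
	option name 'WG_VPN'
	list network 'WG_VPN'

config forwarding
	option src 'lan'
	option dest 'WG_VPN'
EOF
}
sample_peer_missing | check_peers
sample_peer_fixed | check_peers
sample_firewall | has_forwarding lan WG_VPN && echo "lan -> WG_VPN forwarding present"
sample_firewall | has_forwarding WG_VPN lan || echo "WG_VPN -> lan forwarding absent"
```

On a router, pipe `uci export network | check_peers` and `uci export firewall | has_forwarding lan WG_VPN` to run the same checks against the live configuration.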

OK, client:


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '.....::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'
	option ipv6 '0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.0.1'
	option delegate '0'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '0'
	option enable_vlan4k '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0 5t'

config interface 'wwan'
	option proto 'dhcp'

config interface 'WG_VPN'
	option proto 'wireguard'
	option private_key '....='
	list addresses '10.8.1.2/24'

config wireguard_WG_VPN
	option endpoint_host '....'
	option endpoint_port '5p9'
	option description 'VPNserver'
	option public_key '...='
	option private_key 'S...='
	option persistent_keepalive '25'
	option route_allowed_ips '1'

config device
	option name 'WG_VPN'
	option ipv6 '0'

config device
	option name 'wlan0'
	option ipv6 '0'

config device
	option name 'eth0.2'
	option type '8021q'
	option ifname 'eth0'
	option vid '2'
	option ipv6 '0'

config device
	option name 'eth0'
	option ipv6 '0'

= = = = = = = = = = = = = = = = = =


config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list device 'br-lan'
	option family 'ipv4'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'
	option input 'REJECT'
	option forward 'REJECT'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'REJECT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option family 'ipv6'
	list src_ip '....::/10'
	option target 'REJECT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	option limit '1000/sec'
	option family 'ipv6'
	list icmp_type 'bad-header'
	list icmp_type 'destination-unreachable'
	list icmp_type 'echo-reply'
	list icmp_type 'echo-request'
	list icmp_type 'neighbour-advertisement'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'packet-too-big'
	list icmp_type 'router-advertisement'
	list icmp_type 'router-solicitation'
	list icmp_type 'time-exceeded'
	list icmp_type 'unknown-header-type'
	option target 'REJECT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	option limit '1000/sec'
	option family 'ipv6'
	list icmp_type 'bad-header'
	list icmp_type 'destination-unreachable'
	list icmp_type 'echo-reply'
	list icmp_type 'echo-request'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'unknown-header-type'
	option target 'REJECT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option family 'ipv4'

config zone
	option name 'WG_VPN'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	list network 'WG_VPN'

config forwarding
	option src 'lan'
	option dest 'WG_VPN'

config forwarding
	option src 'WG_VPN'
	option dest 'wan'

config forwarding
	option src 'WG_VPN'
	option dest 'lan'

Client side:

Please change this to a non-overlapping subnet. This is necessary. It could be 192.168.213.1 for example.

Delete these:

Delete the device line below:

Thanks. I am aware of the overlapping subnet issue but that will have to wait because it would require making changes that I cannot do right now due to other computers at both ends. I will have to find the right moment for that and probably I will have to change the client side, which is local to me. I want to make absolutely sure everything else is working right before I do that.

Maybe I can think of something like firing up an extra computer with a different subnet just for testing but I am trying to keep it simple as even keeping simple is too complicated for me.

I have made the other changes but still cannot ping 10.8.1.1.

This is what the client looks like now:


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '...::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'
	option ipv6 '0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.0.1'
	option delegate '0'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '0'
	option enable_vlan4k '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0 5t'

config interface 'wwan'
	option proto 'dhcp'

config interface 'WG_VPN'
	option proto 'wireguard'
	option private_key '...='
	list addresses '10.8.1.2/24'

config wireguard_WG_VPN
	option endpoint_host '....'
	option endpoint_port '5p9'
	option description 'VPNserver'
	option public_key '...='
	option private_key '...='
	option persistent_keepalive '25'
	option route_allowed_ips '1'

config device
	option name 'eth0'
	option ipv6 '0'

= = = = = = = = = = = = = = = = =


config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	option family 'ipv4'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'
	option input 'REJECT'
	option forward 'REJECT'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'REJECT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option family 'ipv6'
	list src_ip '...::/10'
	option target 'REJECT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	option limit '1000/sec'
	option family 'ipv6'
	list icmp_type 'bad-header'
	list icmp_type 'destination-unreachable'
	list icmp_type 'echo-reply'
	list icmp_type 'echo-request'
	list icmp_type 'neighbour-advertisement'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'packet-too-big'
	list icmp_type 'router-advertisement'
	list icmp_type 'router-solicitation'
	list icmp_type 'time-exceeded'
	list icmp_type 'unknown-header-type'
	option target 'REJECT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	option limit '1000/sec'
	option family 'ipv6'
	list icmp_type 'bad-header'
	list icmp_type 'destination-unreachable'
	list icmp_type 'echo-reply'
	list icmp_type 'echo-request'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'unknown-header-type'
	option target 'REJECT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option family 'ipv4'

config zone
	option name 'WG_VPN'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	list network 'WG_VPN'

config forwarding
	option src 'lan'
	option dest 'WG_VPN'

config forwarding
	option src 'WG_VPN'
	option dest 'wan'

config forwarding
	option src 'WG_VPN'
	option dest 'lan'

= = = = = = = = = = = = = = = = =

It looks like you are missing
list allowed_ips '0.0.0.0/0'

In

YES!!!! Thank You! That finally did the trick! I can see with Traceroute that my traffic goes out to the Internet at the other end of the tunnel. So it is working. It has taken me over a month to get here! Thank you all for your help and patience!

I guess the first thing will be to back up all configs so I can always recover to this point if anything goes wrong.

Now, I want to be able to enable and disable the tunnel with the click of a button or script. I tried simply disabling the WG_VPN interface but then I have no internet access at all.

How can I do it so that I can enable the VPN or disable it and have traffic go out the usual non-vpn route?

BTW, the router takes something like 2.5 minutes to reboot which I do not understand. It doesn't take my main computer that long.

Edit: it is taking longer now. In the log I see this error which is probably what is slowing the router down. The log is flooded with this:

daemon.err odhcpd[1390]: Failed to send to ff02::1%lan@br-lan (Network unreachable)

It looks IPv6 related. What can I do about this?

On power-up LuCI also gives the error "XHR request timed out", which might be related.

The log is flooded with this error and I cannot find a solution on the internet. Any ideas? Should I start another thread?

[timestamp] daemon.err odhcpd[1389]: Failed to send to ff02::1%lan@br-lan (Network unreachable)

I found this thread but do not quite understand it.

I'm honestly not sure how helpful a thread from eight years ago is supposed to be anyway.

Well, I found something which seems to work. I'll have to wait and see if I broke anything else in the process.

https://oldwiki.archive.openwrt.org/doc/techref/odhcpd#many.syslog.messages.of.the.format.dhcpv6.solicit.ia_na.from

If IPv6 DHCP is not being used at all, odhcpd can have DHCPv6 disabled to avoid these messages.

  # get the current setting for dhcpv6 in /etc/config/dhcp
  uci get dhcp.lan.dhcpv6

The default value is "server".

  server

Disable dhcpv6 and commit the change.

  uci set dhcp.lan.dhcpv6=disabled
  uci commit

Confirm the new value is "disabled".

  uci get dhcp.lan.dhcpv6