I can only connect through my WireGuard server when hooked up to LAN and not when connected only with WWAN0 (LTE).
I have a WireGuard conf working when connected to LAN (with another DHCP server):
config interface 'logger_wg'
option proto 'wireguard'
option private_key 'XXX'
list addresses '10.8.0.3/24'
config wireguard_logger_wg 'wgserver'
option public_key 'XXX'
option endpoint_host 'XXX'
option endpoint_port '51820'
option route_allowed_ips '1'
option persistent_keepalive '25'
list allowed_ips '10.8.0.0/24'
I also have WWAN0 working and connecting to the internet (I can ping internet hosts), but I cannot reach my other WireGuard peer.
wwan0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:100.X.X.X P-t-P:100.X.X.X Mask:255.255.255.248
inet6 addr: fe80::b326:25e6:5dd3:8d70/64 Scope:Link
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:4102 errors:0 dropped:0 overruns:0 frame:0
TX packets:3643 errors:0 dropped:0 overruns:0 carrier:0
logger_wg Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.3 P-t-P:10.8.0.3 Mask:255.255.255.0
UP POINTOPOINT RUNNING NOARP MTU:1420 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:234 errors:1 dropped:265 overruns:0 carrier:0
root@iron:~# ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1): 56 data bytes
^C
--- 10.8.0.1 ping statistics ---
16 packets transmitted, 0 packets received, 100% packet loss
root@iron:~# ping -I logger_wg 10.8.0.1
PING 10.8.0.1 (10.8.0.1): 56 data bytes
^C
--- 10.8.0.1 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
I don't want all traffic to go through the WireGuard connection.
How can I route traffic so that traffic destined for the 10.8.0.0/24 network goes through when connected only through the WWAN link?
What type of connection does your “server” have to the internet? Is it also LTE? Or is it cable/dsl/fiber?
The peer I want to reach is a Vultr VPS; I suppose fiber.
Do you have normal connectivity on the “client” system when the wg tunnel is not running?
The WG connection works fine when I connect a LAN-cable from my home network to the LTE device. Then I can ping 10.8.0.1 and reach services on the VPS.
To me it seems like a routing issue where WWAN0 cannot reach that 10.8.0.0/24, but I'm uncertain how to set it up either. I could also be completely wrong.
I can still reach the internet as well when WWAN0 and the WG tunnel are up; for example, pinging 1.1.1.1 works fine.
Let’s look at your config files
Please copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
cat /etc/config/network
cat /etc/config/firewall
root@openwrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd54:d957:b85e::/48'
config interface 'wan'
option device 'eth1'
option proto 'dhcp'
config interface 'wan6'
option device 'eth1'
option proto 'dhcpv6'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0.1'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.1.214'
option metric '100'
option gateway '192.168.1.1'
list dns '9.9.9.9'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '2 3 4 0t'
config interface 'logger_wg'
option proto 'wireguard'
option private_key 'XXXX'
list addresses '10.8.0.3/24'
config wireguard_logger_wg 'wgserver'
option public_key 'XXX'
option endpoint_host 'XXX'
option endpoint_port '51820'
option route_allowed_ips '1'
option persistent_keepalive '25'
list allowed_ips '10.8.0.0/24'
config interface 'wwan0'
option proto 'qmi'
option device '/dev/cdc-wdm0'
option ifname 'wwan0'
option auth 'none'
option pdptype 'ipv4v6'
config device
option name 'logger_wg'
root@openwrt:~# cat /etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option synflood_protect '1'
option forward 'DROP'
config zone 'lan'
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
config zone 'wan'
option name 'wan'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6 logger_wg wwan0'
option input 'DROP'
option forward 'DROP'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config include
option path '/etc/firewall.user'
config rule
option target 'ACCEPT'
option name 'wg'
option family 'ipv4'
list src_ip '10.8.0.1'
option dest_port '9100'
option src 'wan'
EDIT: Also adding this after googling a bit more:
root@openwrt:~# ip route
default via 100.86.X.X dev wwan0
VPS.IP.X.X via 192.168.1.1 dev br-lan metric 100
100.86.X.X/29 dev wwan0 scope link src 100.86.X.X
192.168.1.0/24 dev br-lan scope link metric 100
Thanks for looking into this!
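As an added example (not part of the thread, and not OpenWrt's own tooling), the following POSIX shell snippet parses a pasted `ip route` table and reports the two things worth checking from the output above: whether the host route to the WireGuard endpoint uses a different device than the default route (the `VPS.IP.X.X via 192.168.1.1 dev br-lan` line is exactly such a pinned route, so handshake packets leave via the LAN cable even when the default route is the LTE link), and whether the `allowed_ips` prefix 10.8.0.0/24 actually has a route via `logger_wg`. The sample tables are constructed: 203.0.113.10 stands in for the redacted VPS address, 100.86.0.x for the redacted LTE addresses, and the "fixed" table is an assumed healthy state, not output from the thread.

```shell
#!/bin/sh
# Added diagnostic for the routing symptom in this thread (not from the original
# post). It parses a pasted `ip route` table and reports whether the WireGuard
# endpoint is pinned to a different device than the default route, and whether
# the allowed_ips prefix is actually routed into the tunnel.

# Constructed sample modelled on the thread's `ip route` output. 203.0.113.10
# stands in for the redacted VPS address, 100.86.0.x for the LTE addresses.
SAMPLE_ROUTES='default via 100.86.0.1 dev wwan0
203.0.113.10 via 192.168.1.1 dev br-lan metric 100
100.86.0.0/29 dev wwan0 scope link src 100.86.0.2
192.168.1.0/24 dev br-lan scope link metric 100'

# Constructed table for a healthy state (an assumption, not output from the
# thread): the endpoint leaves via the LTE default route and 10.8.0.0/24 goes
# into the tunnel.
FIXED_ROUTES='default via 100.86.0.1 dev wwan0
10.8.0.0/24 dev logger_wg scope link
100.86.0.0/29 dev wwan0 scope link src 100.86.0.2
192.168.1.0/24 dev br-lan scope link
203.0.113.10 via 100.86.0.1 dev wwan0'

# Device of the route whose destination field equals $2 ("default", a host
# address or a prefix). Prints nothing when no such route exists.
route_dev() {
    printf '%s\n' "$1" | awk -v dst="$2" '
        $1 == dst { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Device used by a host route for IP $2, accepting both "a.b.c.d" and "a.b.c.d/32".
host_route_dev() {
    dev=$(route_dev "$1" "$2")
    if [ -z "$dev" ]; then dev=$(route_dev "$1" "$2/32"); fi
    printf '%s\n' "$dev"
}

# "ok" when the endpoint has no pinned route, or its pinned route uses the same
# device as the default route; otherwise "mismatch:<dev>". A mismatch means the
# handshake packets leave via an interface that may be unplugged.
check_endpoint() {
    d=$(route_dev "$1" default)
    h=$(host_route_dev "$1" "$2")
    if [ -z "$h" ] || [ "$h" = "$d" ]; then
        echo ok
    else
        echo "mismatch:$h"
    fi
}

# "ok" when prefix $2 is routed via device $3 (route_allowed_ips did its job),
# "missing" when no route exists, "wrong:<dev>" when it points elsewhere.
check_allowed() {
    dev=$(route_dev "$1" "$2")
    if [ -z "$dev" ]; then
        echo missing
    elif [ "$dev" = "$3" ]; then
        echo ok
    else
        echo "wrong:$dev"
    fi
}

# On the router itself: check_endpoint "$(ip route)" <endpoint-ip>
check_endpoint "$SAMPLE_ROUTES" 203.0.113.10
check_allowed "$SAMPLE_ROUTES" 10.8.0.0/24 logger_wg
```

On the live router, feed it `"$(ip route)"` and the real endpoint address instead of the constructed tables; a `mismatch:br-lan` result with the LAN cable unplugged is the situation described in this post, and a `missing` result for 10.8.0.0/24 means the tunnel interface came up but nothing is being sent into it.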
Try removing the gateway from the LAN interface.
This should not be necessary. Remove this rule.
Remove gateway from the LAN interface definition.
Took some while to test this for me.
When I remove the gateway, the WireGuard interface won't start anymore, so I added the gateway back and the wg interface pops right up again.
Seems you found what's wrong; I'm still unsure how I would fix it.
Is there a reason you are connecting LAN-LAN between this and the upstream router? If your ultimate goal is to be able to use the LTE WAN, the best option is to connect the upstream network as a WAN connection, not LAN. Then you can remove the LAN's gateway address and it should work properly.
Thanks for sticking around still!
The idea of using LAN-LAN is only for configuration reasons; I have no other idea of how I would do it otherwise.
The final idea would be:
Use eth-wan if available (be a dhcp client)
Use LTE WAN if ETH-WAN not available
Being able to reach a WireGuard peer on any connection type
Make your Ethernet connection a WAN connection and then connect your computer to this device's LAN for local administration.