Joined: 18 Mar 2014 Posts: 12834 Location: Netherlands
Posted: Wed Apr 01, 2020 10:44 Post subject:
boebeng wrote:
Hi all,
Thank you @egc for your excellent setup guidance and also the scripts (ddwrt-wireguard-client-script.sh)! I've managed to make a site-to-site connection with 2 dd-wrt routers. However I still have a problem that the WG server & its LAN clients can't ping the WG client's LAN.
Here are the conditions:
1. I have a modem (192.168.1.1) with wrt1900ac behind it (192.168.1.2 with subnet 192.168.5.0/24, double NAT) and I've made the necessary port forwarding to make WG work
2. wrt1900ac as the server with WG IP address 10.10.0.1, LAN subnet is 192.168.5.0/24, AC68U as client with WG IP address 10.10.0.5, LAN subnet is 10.19.1.0/24
3. wrt1900ac (10.10.0.1) and AC68U (10.10.0.5) can ping each other.
LAN client of AC68U (10.19.1.0/24) CAN ping wrt1900ac (10.10.0.1) & its LAN client (192.168.5.0/24).
But wrt1900ac (10.10.0.1) and its LAN client (192.168.5.0/24) CAN'T ping AC68U LAN client (10.19.1.0/24).
192.168.5.0/24 CAN ping only AC68U (10.10.0.5) but not its LAN client (10.19.1.0/24)
4. I made a crosscheck, on the WG server/wrt1900ac:
root@WRT1900AC:~# ip route get 10.19.1.1
10.19.1.2 via 192.168.1.1 dev eth1 src 192.168.1.2
on WG client/AC68U
root@RT-AC68U:~# ip route get 192.168.5.1
192.168.5.1 dev oet1 src 10.10.0.5
It seems on the wrt1900ac, the existing iptables rules are routing 10.19.1.0/24 on eth0 to the modem (192.168.1.1), while it should be routed on oet1 to 10.10.0.1.
Question:
1. Does egc's script for the ddwrt client only allow access from WG client to WG server and not vice versa?
2. How to route 10.19.1.0/24 via oet1 to 10.10.0.1?
Thank you in advance!
Does the script only run on the client side?
Has it NAT enabled in the script?
Did you disable the CVE patch on the server side?
Joined: 18 Mar 2014 Posts: 12834 Location: Netherlands
Posted: Wed Apr 01, 2020 11:39 Post subject:
boebeng wrote:
egc wrote:
Does the script only run on the client side?
Has it NAT enabled in the script?
Did you disable the CVE patch on the server side?
The route on the server indeed appears wrong, where does it come from?
Hi,
Yes, script is running only on the client side
Yes, WGNAT enabled on the script
Yes, CVE is disabled on both server and client
I mistyped the IP, it should be
root@WRT1900AC:~# ip route get 10.19.1.1
10.19.1.1 via 192.168.1.1 dev eth1 src 192.168.1.2
Sorry for the confusion!
On the server side you want to route everything for your local clients subnet via the tunnel so try the following: remove the other rule and add the rule below, save in Administration/Save Firewall:
Code:
ip route add 10.19.1.0/24 dev oet1
Assuming oet1 is your tunnel
reboot the router and hope for the best
I've added the new route, but I still can't ping 10.19.1.0/24
Here is some more info after I added the "ip route add 10.19.1.0/24 dev oet1" to the saved firewall & rebooted
Code:
root@WRT1900AC:~# ip route show
default via 192.168.1.1 dev eth1
10.10.0.0/24 dev oet1 scope link src 10.10.0.1
10.19.1.0/24 dev oet1 scope link
127.0.0.0/8 dev lo scope link
192.168.1.0/24 dev eth1 scope link src 192.168.1.2
192.168.5.0/24 dev br0 scope link src 192.168.5.1
Code:
root@WRT1900AC:~# ip route get 10.19.1.1
10.19.1.1 dev oet1 src 10.10.0.1
Code:
root@WRT1900AC:~# ping -c 4 10.19.1.1
PING 10.19.1.1 (10.19.1.1): 56 data bytes
ping: sendto: No error information
Joined: 18 Mar 2014 Posts: 12834 Location: Netherlands
Posted: Wed Apr 01, 2020 14:43 Post subject:
Well perhaps I missed your build number; older builds did not unbridge the oet interface and thus had no firewall rules, so make sure the oet interface is unbridged on Setup/Networking.
Reboot both routers and if you do not have bidirectional access, head over to the troubleshooting section of the guide and dump the necessary information; also show pictures of the WireGuard page from client and server so that I can see your settings.
Hi egc,
wrt1900ac is using r42557 and AC68U is using r42747.
On Setup - Networking, both routers have oet1 unbridged and Masquerade/NAT enabled.
Finally I managed to get it to work by adding 10.19.1.0/24 to the server's Allowed IPs. I guess since this is a peer-to-peer connection, both sides must define which subnet they're intending to access.
So I learned a lot today and thank you very much for taking some time to look onto my problem and giving me some guidance, I'm a happy guy now!
Joined: 18 Mar 2014 Posts: 12834 Location: Netherlands
Posted: Wed Apr 01, 2020 17:54 Post subject:
boebeng wrote:
egc wrote:
Well perhaps I missed your build number; older builds did not unbridge the oet interface and thus had no firewall rules, so make sure the oet interface is unbridged on Setup/Networking.
Reboot both routers and if you do not have bidirectional access, head over to the troubleshooting section of the guide and dump the necessary information; also show pictures of the WireGuard page from client and server so that I can see your settings.
Hi egc,
wrt1900ac is using r42557 and AC68U is using r42747.
On Setup - Networking, both routers have oet1 unbridged and Masquerade/NAT enabled.
Finally I managed to get it to work by adding 10.19.1.0/24 to the server's Allowed IPs. I guess since this is a peer-to-peer connection, both sides must define which subnet they're intending to access.
So I learned a lot today and thank you very much for taking some time to look onto my problem and giving me some guidance, I'm a happy guy now!
Just want to say thank you for this excellent guide. I got WireGuard working on my Netgear R7000 and Android client in no time.
The only thing that is causing me some problems is accessing SMB shares from my phone to my internal file server (Linux Samba). But that is another story and I'll have to check my Windows/SMB settings locally.
Joined: 18 Mar 2014 Posts: 12834 Location: Netherlands
Posted: Thu Apr 02, 2020 9:20 Post subject:
avalx wrote:
Just want to say thank you for this excellent guide. I got WireGuard working on my Netgear R7000 and Android client in no time.
The only thing that is causing me some problems is accessing SMB shares from my phone to my internal file server (Linux Samba). But that is another story and I'll have to check my Windows/SMB settings locally.
Joined: 10 Jul 2012 Posts: 28 Location: Sint Maarten, D.W.I
Posted: Sat Apr 04, 2020 14:05 Post subject:
egc wrote:
Script for setting up a DD-WRT router as a WireGuard client
#=======BEGIN ddwrt-wireguard-client-script.sh=========
SCRIPT="/tmp/ddwrt-wireguard-client-script.sh"
cat << "EOF" > $SCRIPT
#!/bin/sh
(
#DEBUG= # uncomment/comment to enable/disable debug mode
SLEEP=0 # runs continuously executing every [SLEEP] seconds, if SLEEP=0 it runs only once
WGNAT= # uncomment/comment to enable/disable SNAT over the oet interface
WGPEER=0 # do not change
WGDELRT="/tmp/wg-delete-routes"
[ ${DEBUG+x} ] && set -x
#undo what the previous run added (NAT rule, endpoint host route, allowed-IP routes);
#stays silent on the first run, when the delete file does not exist yet
undo_previous() {
  [ -f "$WGDELRT" ] && (while read route; do $route; done < "$WGDELRT") >/dev/null 2>&1
}
while :; do
  #checks if interface is enabled, if not continue
  if [ "$(nvram get oet_tunnels)" -eq 1 ] && [ "$(nvram get oet1_en)" -eq 0 ]; then
    logger "$(basename $0)[$$] No tunnel interface enabled, going to sleep"
    undo_previous
    #WGIF= #this will recreate routes when Disabled/Enabled
  else
    #wait for interface
    SLEEPCT=0
    #this will recreate all routes every time it runs
    WGIF=
    while [ -z "$WGIF" ]; do
      sleep 10
      WGIF="$(wg | awk '/interface/ {gsub("interface:", "", $2); print $2}')"
      SLEEPCT=$((SLEEPCT+10))
      if [ $SLEEPCT -gt 60 ]; then
        logger "$(basename $0)[$$] Could not detect WireGuard interface after $SLEEPCT seconds, going to sleep"
        break
      elif [ -n "$WGIF" ]; then
        undo_previous
        logger "$(basename $0)[$$] it took $SLEEPCT seconds to get the WireGuard interface up, now executing"
        #egc: MASQUERADE over the wireguard interface
        echo "iptables -t nat -D POSTROUTING -o $WGIF -j MASQUERADE" > "$WGDELRT"
        [ ${WGNAT+x} ] && iptables -t nat -I POSTROUTING -o $WGIF -j MASQUERADE
        #egc: provide a way out if set to client and everything is routed via the oet interface
        # use route add -host because the endpoint can be a host name
        echo "route del -host $(nvram get ${WGIF}_rem${WGPEER}) gw $(nvram get wan_gateway) dev $(get_wanface)" >> "$WGDELRT"
        route add -host $(nvram get ${WGIF}_rem${WGPEER}) gw $(nvram get wan_gateway) dev $(get_wanface)
        #egc: add routes based on allowed IP's
        # a bare 0.0.0.0/0 collides with the existing default route ("File exists"); use 0.0.0.0/1,128.0.0.0/1 as in the guide
        for aip in $(nvram get ${WGIF}_aip${WGPEER} | sed "s/,/ /g"); do
          #echo $aip #debug
          echo "ip route del $aip dev $WGIF" >> "$WGDELRT"
          ip route add $aip dev $WGIF
        done
        #end add routes
        ip route flush cache
      fi
    done
  fi
  #stop running if sleep=0
  [ $SLEEP -gt 0 ] && sleep $SLEEP || break
done
) 2>&1 | logger -t $(basename $0)[$$]
EOF
chmod +x $SCRIPT
nohup $SCRIPT > /dev/null 2>&1 &
#=======END ddwrt-wireguard-client-script.sh=========
I followed your instructions and used the script above to set up a WireGuard Client.
There is a handshake.
Code:
root@router:~# wg
interface: oet1
public key: 1dxxxxxxxxxxxxxxxxxxxxxxxxxxxxxJ=
private key: (hidden)
listening port: 51840
peer: FO1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxjzM=
endpoint: 190.2.141.162:51840
allowed ips: 0.0.0.0/0
latest handshake: 1 minute, 12 seconds ago
transfer: 184 B received, 584 B sent
persistent keepalive: every 25 seconds
I got this far with other scripts as well. Then I had no internet connection anymore, maybe because of the routing.
AFAIK the routing table is not set up the right way:
Code:
root@router:~# ip route show
default via 192.168.3.1 dev vlan2
127.0.0.0/8 dev lo scope link
172.16.0.0/24 dev br0 scope link src 172.16.0.1
190.2.141.162 via 192.168.3.1 dev vlan2
192.168.3.0/24 dev vlan2 scope link src 192.168.3.9
I don't have the knowledge to change it; can you assist me with it?
I saw in another thread that you asked for output from /var/log/messages:
Code:
root@router:/tmp# grep -i wireguard /var/log/messages
Apr 4 17:31:20 router user.info root: Enable WireGuard interface oet1 on port 51840
Apr 4 17:31:20 router user.info root: Establish WireGuard tunnel with peer endpoint 190.2.141.162:51840
Apr 4 17:32:12 router user.info root: Enable WireGuard interface oet1 on port 51840
Apr 4 17:32:13 router user.info root: Establish WireGuard tunnel with peer endpoint 190.2.141.162:51840
Apr 4 17:32:14 router user.info root: Enable WireGuard interface oet1 on port 51840
Apr 4 17:32:14 router user.info root: Establish WireGuard tunnel with peer endpoint 190.2.141.162:51840
Apr 4 17:32:24 router user.notice ddwrt-wireguard-client-script.s: /tmp/ddwrt-wireguard-client-script.sh: line 28: can't open /tmp/wg-delete-routes: no such file
Apr 4 17:32:24 router user.notice root: ddwrt-wireguard-client-script.sh[2410] it took 10 seconds to get the Wireguard interface up, now excuting
Apr 4 17:32:24 router user.notice ddwrt-wireguard-client-script.s: ip: RTNETLINK answers: File exists
Apr 4 17:32:25 router user.notice ddwrt-wireguard-client-script.s: ip: RTNETLINK answers: No such process
Apr 4 17:32:25 router user.notice root: ddwrt-wireguard-client-script.sh[2611] it took 10 seconds to get the Wireguard interface up, now excuting
Apr 4 17:32:25 router user.notice ddwrt-wireguard-client-script.s: ip: RTNETLINK answers: File exists
Apr 4 17:47:06 router user.notice ddwrt-wireguard-client-script.s: ip: RTNETLINK answers: No such process
Apr 4 17:47:06 router user.notice root: ddwrt-wireguard-client-script.sh[3079] it took 10 seconds to get the Wireguard interface up, now excuting
Apr 4 17:47:06 router user.notice ddwrt-wireguard-client-script.s: ip: RTNETLINK answers: File exists
To complete it all, I attached a txt-file with more results you asked for in other threads.
I changed my router IP from 192.168.1.0/24 to 172.16.0.0/24 range, and set a static WAN IP (192.168.3.9, gateway 192.168.3.1). The 192.168.3.1 is also a router (not in my place). I added a port forwarding:
Code:
External Port Start 51820
External Port End 51850
Protocol TCP/UDP
Internal Port Start 51820
Internal Port End 51850
Server IP Address or Hostname 192.168.3.9
I hope you can help me getting it to work.
Thank you in advance. _________________ Netgear R6700v3 (from MAR2020) - Firmware: DD-WRT v3.0-r42819 std (03/30/20)
WireGuard provider: TunSafe (www.tunsafe.com)
At tunsafe.com I downloaded a configuration file. In that file there is also a DNS: 1.1.1.1
I don't have to use it anywhere, right?
Joined: 18 Mar 2014 Posts: 12834 Location: Netherlands
Posted: Sat Apr 04, 2020 14:51 Post subject:
OK, there is something really odd: your interface oet1 is configured as a point-to-point setup (netmask 255.255.255.255), therefore there is no route.
Your pictures show something different: they show a netmask of 255.0.0.0, which is the right one and should create a route.
The Allowed IPs are also wrong, they should be
Code:
0.0.0.0/1,128.0.0.0/1
That is detailed in the guide
Change the allowed IP's, Save/Apply and reboot the router then show (after about a minute):
ifconfig
ip route show
wg
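Added example, not from the thread and not part of the egc script: a small Python model of the two lookups behind both problems discussed above. The first is WireGuard's cryptokey routing. A peer's AllowedIPs is consulted for every outgoing packet (no matching peer and wg_xmit() fails the send with ENOKEY instead of a routing error, which is consistent with the `ping: sendto:` failure earlier in the thread) and again for every decrypted incoming packet, whose source must map back to the sending peer. That is why the site-to-site setup only started working once the server's peer entry also listed 10.19.1.0/24. The second is ordinary longest-prefix routing, which the script feeds with one `ip route add $aip dev oet1` per AllowedIPs entry: 0.0.0.0/1 and 128.0.0.0/1 together cover everything yet are more specific than the existing default, so they win without colliding with it, while a bare 0.0.0.0/0 is the same prefix as the default and fails with `RTNETLINK answers: File exists`, the error seen in the log above. Addresses and the routing table are copied from the posts; the server's AllowedIPs before the fix and the client's peer list are assumptions, since the thread does not show them.

```python
"""Cryptokey routing and kernel route lookup, modelled on the thread's
addresses.  Assumptions are marked; nothing here is the egc script."""
import ipaddress


def lpm(entries, addr):
    """Longest-prefix match of addr against a list of (network, value)."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, value in entries:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, value)
    return best


# ---- Part 1: WireGuard cryptokey routing (AllowedIPs) ----------------------

def cryptokey_table(peers):
    """peers maps a peer name to its AllowedIPs string as stored in nvram
    (oet1_aip<N>), e.g. "10.10.0.5/32,10.19.1.0/24"."""
    table = []
    for name, aips in peers.items():
        for cidr in aips.split(","):
            table.append((ipaddress.ip_network(cidr.strip(), strict=False), name))
    return table


def egress_peer(peers, dst):
    """Peer the kernel would encrypt a packet for dst to.  None means no
    AllowedIPs entry matches, and wg_xmit() fails the send with ENOKEY."""
    hit = lpm(cryptokey_table(peers), dst)
    return hit[1] if hit else None


def ingress_accepted(peers, from_peer, src):
    """A decrypted packet from from_peer is delivered only if its source
    address maps back to that same peer; otherwise WireGuard drops it."""
    return egress_peer(peers, src) == from_peer


# Server (wrt1900ac) before the fix: assumed to list only the client's
# tunnel address (the thread does not show the original entry).
SERVER_BEFORE = {"ac68u": "10.10.0.5/32"}
# After the fix reported in the thread: the client's LAN added.
SERVER_AFTER = {"ac68u": "10.10.0.5/32,10.19.1.0/24"}
# Client (AC68U): assumed entry consistent with the thread's symptoms
# (client LAN could already reach 192.168.5.0/24).
CLIENT = {"wrt1900ac": "10.10.0.1/32,192.168.5.0/24"}


# ---- Part 2: kernel routing table (ip route) -------------------------------

def ip_route_add(routes, cidr, nexthop):
    """Mimic `ip route add`: an identical prefix already in the table is
    EEXIST, which iproute2 prints as 'RTNETLINK answers: File exists'."""
    net = ipaddress.ip_network(cidr)
    if any(n == net for n, _ in routes):
        return "RTNETLINK answers: File exists"
    routes.append((net, nexthop))
    return "ok"


def route_lookup(routes, dst):
    """Equivalent of `ip route get dst` on the main table: longest prefix wins."""
    hit = lpm(routes, dst)
    return hit[1] if hit else None


def client_routes(allowed_ips):
    """Build the R6700v3 table from the thread, then add one route per
    AllowedIPs entry the way the script does.  Returns (table, results)."""
    routes = []
    for cidr, nexthop in [
        ("0.0.0.0/0", "via 192.168.3.1 dev vlan2"),          # default
        ("127.0.0.0/8", "dev lo"),
        ("172.16.0.0/24", "dev br0"),                         # LAN
        ("190.2.141.162/32", "via 192.168.3.1 dev vlan2"),    # endpoint host route
        ("192.168.3.0/24", "dev vlan2"),                      # WAN
        ("10.0.0.0/8", "dev oet1"),                           # tunnel address /8
    ]:
        ip_route_add(routes, cidr, nexthop)
    results = [ip_route_add(routes, aip, "dev oet1") for aip in allowed_ips.split(",")]
    return routes, results


if __name__ == "__main__":
    print("server before fix:", egress_peer(SERVER_BEFORE, "10.19.1.1"))
    print("server after fix: ", egress_peer(SERVER_AFTER, "10.19.1.1"))
    routes, res = client_routes("0.0.0.0/0")
    print("0.0.0.0/0:", res, "->", route_lookup(routes, "1.1.1.1"))
    routes, res = client_routes("0.0.0.0/1,128.0.0.0/1")
    print("split:", res, "->", route_lookup(routes, "1.1.1.1"),
          "| endpoint ->", route_lookup(routes, "190.2.141.162"))
```

Run it as a script to see both tables side by side. The endpoint host route that the script adds with `route add -host` is what keeps the encrypted UDP flow on the WAN even after the two /1 routes pull every other destination into the tunnel.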
Joined: 10 Jul 2012 Posts: 28 Location: Sint Maarten, D.W.I
Posted: Sat Apr 04, 2020 15:05 Post subject:
My apologies, I saw the netmask mistake when I made the screenshot, but I had already put the ifconfig in the text. I edited it later, but you were too fast in replying.
After making the adjustments, I have the following results:
Code:
root@router:~# ip route show
0.0.0.0/1 dev oet1 scope link
default via 192.168.3.1 dev vlan2
10.0.0.0/8 dev oet1 scope link src 10.12.199.205
127.0.0.0/8 dev lo scope link
128.0.0.0/1 dev oet1 scope link
172.16.0.0/24 dev br0 scope link src 172.16.0.1
190.2.141.162 via 192.168.3.1 dev vlan2
192.168.3.0/24 dev vlan2 scope link src 192.168.3.9
root@router:~#
root@router:~#
root@router:~# wg
interface: oet1
public key: 3xxxxxxxxxxxxxxxxxxxxxxxxxI=
private key: (hidden)
listening port: 51840
peer: Fxxxxxxxxxxxxxxxxxxxxxxxxxx=
endpoint: 190.2.141.162:51840
allowed ips: 0.0.0.0/1, 128.0.0.0/1
latest handshake: 1 minute, 2 seconds ago
transfer: 13.27 KiB received, 269.23 KiB sent
persistent keepalive: every 25 seconds
There is no WAN internet connection. I had to delete the 'firewall script' to get connected to the world again.
Joined: 10 Jul 2012 Posts: 28 Location: Sint Maarten, D.W.I
Posted: Sat Apr 04, 2020 15:27 Post subject:
Another edit in the post I made was that TunSafe comes up with a DNS (1.1.1.1) that I do not put anywhere in the settings. Should I put it as Peer DNS? _________________ Netgear R6700v3 (from MAR2020) - Firmware: DD-WRT v3.0-r42819 std (03/30/20)