Troubleshooting getting bidirectional wireguard VPN working

AndrewL733
DD-WRT Novice


Joined: 05 May 2021
Posts: 9

PostPosted: Thu May 06, 2021 14:33    Post subject: Troubleshooting getting bidirectional wireguard VPN working
Hi,

I have been trying to get a bidirectional wireguard set up between my home ASUS router running the latest DD-WRT and a gl-inet OpenWRT travel router connected to my LTE phone.

Before trying this setup, I created an Ubuntu 20.04 VM on my home network and ran WG software and I was able to connect to all computers on my home network from the gl-inet router and all computers connected to it. But I was unable to make the reverse work. So I decided to set up the WG "server" on my home router instead.

So, now I have WG on my DD-WRT home router and I can connect from the gl-inet router. But this time the traffic is only flowing in the opposite direction. From any computer on my home network, I can connect to any computer that is connected to the remote gl-inet router. But I cannot connect from the remote computers back to my home network.

I cannot figure out what I'm doing wrong. I have read egc's excellent guides. I must be missing something stupid. I hope somebody can help!

IMPORTANT: the "home router" is actually a second router that is behind the main router at my home. I have a wife and daughter who need to work remotely and I don't want to interrupt them by messing around with the network. So, I have simply forwarded port 51825 from the main router to the second router. I don't know if that is sufficient!

Here is what things look like on the 2nd home router side:

root@DD-WRT:/# wg showconf oet1
[Interface]
ListenPort = 51825
PrivateKey = [my private key]

[Peer]
PublicKey = NX8lrkZzKlYY/5a[etc]
AllowedIPs = 192.168.8.0/24
Endpoint = 172.58.219.209:19473
PersistentKeepalive = 25

By the way, I have tried both setting the LTE Endpoint explicitly, and disabling the LTE Endpoint. At the moment, it is disabled in the DD-WRT Tunnel UI so I'm not sure why it's showing up here. And I realize the LTE IPV4 address is going to change at least daily!

Here is the WG status on the 2nd home router:
root@DD-WRT:/# wg show
interface: oet1
public key: 6efzIrj66Kyrcjnu[etc]
private key: (hidden)
listening port: 51825

peer: NX8lrkZzKlYY/5a[etc]
endpoint: 172.58.219.209:31051
allowed ips: 192.168.8.0/24
latest handshake: 2 minutes, 50 seconds ago
transfer: 564 B received, 732 B sent
persistent keepalive: every 25 seconds

root@DD-WRT:/# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.15.1 0.0.0.0 UG 0 0 0 vlan2
10.0.0.0 * 255.255.255.0 U 0 0 0 oet1
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
172.58.219.209 192.168.15.1 255.255.255.255 UGH 0 0 0 vlan2
192.168.1.0 * 255.255.255.0 U 0 0 0 br0
192.168.8.0 * 255.255.255.0 U 0 0 0 oet1
192.168.15.0 * 255.255.255.0 U 0 0 0 vlan2


On the remote gl-inet router, this is my setup:
root@GL-MT300N-V2:~# wg showconf wg0
[Interface]
ListenPort = 37042
PrivateKey = [My private key]

[Peer]
PublicKey = 6efzIrj66Kyrcjnu[etc]
AllowedIPs = 192.168.1.0/24
Endpoint = [My static home IP address]:51825
PersistentKeepalive = 25


root@GL-MT300N-V2:~# wg
interface: wg0
public key: NX8lrkZzKlYY/5a[etc]
private key: (hidden)
listening port: 37042

peer: 6efzIrj66Kyrcjnu[etc]
endpoint: [My static home IP address]:51825
allowed ips: 192.168.1.0/24
latest handshake: 13 seconds ago
transfer: 7.53 KiB received, 6.86 KiB sent
persistent keepalive: every 25 seconds

root@GL-MT300N-V2:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 172.20.10.1 0.0.0.0 UG 30 0 0 eth1
172.20.10.0 * 255.255.255.240 U 30 0 0 eth1
192.168.1.0 * 255.255.255.0 U 0 0 0 wg0
192.168.8.0 * 255.255.255.0 U 0 0 0 br-lan
[home static IP] 172.20.10.1 255.255.255.255 UGH 0 0 0 eth1
AndrewL733
DD-WRT Novice


Joined: 05 May 2021
Posts: 9

PostPosted: Thu May 06, 2021 15:09    Post subject:
One thing I noticed is that the listening port number I configure on the remote gl-inet end is always different from what's shown in the "peer configuration" on the dd-wrt router side.

Even if I set a "Peer Endpoint" on the dd-wrt side (my current LTE phone's IP address) and also set a listening port, and then use the same listening port in the client configuration on the gl-inet side, the listening port numbers don't match once the connection gets established.

Is this a problem?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12873
Location: Netherlands

PostPosted: Thu May 06, 2021 15:41    Post subject:
On the server side (=your DDWRT router) you do not need to set an endpoint.

Setting it on the client side (the gl-inet) should do. The client contacts the server and advertises its IP address.

As you followed the guide I assume that CVE mitigation and NAT are disabled.
As NAT is disabled and the gl-inet is allowing that router's subnet (192.168.1.0) it should work, and it does if I read your posting correctly.

The other way around the gl-inet is probably NATting the traffic, and although you allow the gl-inet's subnet 192.168.8.0 that does not help if the traffic is NATted, as all traffic then has the IP address of the wg interface.
So on your server you have to allow the IP address of the gl-inet's wg interface (10.0.0.2/32?) and also keep the 192.168.8.0/24.

Also take note that your local LAN clients have their own firewall and will probably not allow traffic from other subnets, so you have to tweak the firewall of the local LAN clients, or NAT traffic out of the router onto the local LAN with:
Code:
iptables -t nat -I POSTROUTING -o br0 -s $(nvram get oet1_ipaddr)/$(nvram get oet1_netmask) -j MASQUERADE


But this only works on the server; you have to adapt the rule for the client or tweak the firewall of the local clients on the wg client's subnet.

Hope this helps

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
AndrewL733
DD-WRT Novice


Joined: 05 May 2021
Posts: 9

PostPosted: Thu May 06, 2021 16:06    Post subject:
Setting "Allowed IPs" in the Peer Configuration on the dd-wrt side to 10.0.0.2/32,192.168.8.0/24 fixed it! Thank you very much.

So, I'm not quite understanding your firewall comment. At present, I have mac laptops on both ends and they can both ping and ssh to each other. In addition, I can reach web servers on both sides from the other side. If you could further explain what sort of firewall problem I might run into, I would appreciate it. Do you mean that on local machines the firewalls may be set to only allow traffic from the local subnet (knowing that all traffic from the Internet will get NAT'ed and will look like it's on the local subnet)? What's the solution?

I am having some trouble now with the connection breaking from time to time. Any issue with reducing the persistent keepalive time?
AndrewL733
DD-WRT Novice


Joined: 05 May 2021
Posts: 9

PostPosted: Thu May 06, 2021 16:22    Post subject:
Okay, so now I have a different problem. As you know, I have two routers at home for my testing -- the main router and the dd-wrt router. The main router has subnet 192.168.15.0/24 and the dd-wrt router running wireguard has 192.168.1.0/24.

From the laptop connected to the gl-inet "wireguard client" I am NOT able to reach web servers on the home 192.168.15.0/24 network.

To fix this, I tried to add 192.168.15.0/24 to the "Allowed IPs" on the gl-inet side, but it doesn't help. Also, when I run the "route" command on the gl-inet router, I'm not seeing any route having been added for 192.168.15.0/24. Should this work?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12873
Location: Netherlands

PostPosted: Thu May 06, 2021 16:31    Post subject:
AndrewL733 wrote:
Setting "Allowed IPs" in the Peer Configuration on the dd-wrt side to 10.0.0.2/32,192.168.8.0/24 fixed it! Thank you very much.


Glad it worked Smile

AndrewL733 wrote:
Do you mean that on local machines the firewalls may be set to only allow traffic from the local subnet (knowing that all traffic from the Internet will get NAT'ed and will look like it's on the local subnet)? What's the solution?


Exactly, some firewalls only allow their specific subnet, others allow all private subnets. Maybe the Macs are doing this and you are fine; otherwise you have to tweak the firewall of said clients.

AndrewL733 wrote:
I am having some trouble now with the connection breaking from time to time. Any issue with reducing the persistent keepalive time?


You can lower it to 10 if you want.

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12873
Location: Netherlands

PostPosted: Thu May 06, 2021 16:47    Post subject:
AndrewL733 wrote:
Okay, so now I have a different problem. As you know, I have two routers at home for my testing -- the main router and the dd-wrt router. The main router has subnet 192.168.15.0/24 and the dd-wrt router running wireguard has 192.168.1.0/24.

From the laptop connected to the gl-inet "wireguard client" I am NOT able to reach web servers on the home 192.168.15.0/24 network.

To fix this, I tried to add 192.168.15.0/24 to the "Allowed IPs" on the gl-inet side, but it doesn't help. Also, when I run the "route" command on the gl-inet router, I'm not seeing any route having been added for 192.168.15.0/24. Should this work?


Indeed, I would assume that adding the 192.168.15.0/24 subnet to the allowed IPs of the gl-inet should route that subnet via the wg interface.
Maybe you have to reboot the router?

Make sure on your server (the DDWRT router) that NAT/Masquerade is enabled so that the traffic from the oet interface is NATted out to the primary router.
On Setup/Networking tab (under Port Setup) the oet1 interface should have Masquerade/NAT enabled

(If the gl-inet router did not have NAT enabled, you would have had to NAT the traffic coming from it manually.)
Code:
iptables -t nat -A POSTROUTING -s 192.168.8.0/24 -o $(get_wanface) -j MASQUERADE

AndrewL733
DD-WRT Novice


Joined: 05 May 2021
Posts: 9

PostPosted: Thu May 06, 2021 19:55    Post subject:
Thank you! You are truly a "guru".

It looks as if there is a bug in the gl-inet code that sets up Wireguard. When I list 2 IP ranges in the "Allowed IPs" box -- for example, 192.168.1.0/24,192.168.15.0/24 -- only the first (192.168.1.0 - 255.255.255.0 -> wg0) gets reflected in the routing table. If I switch the order of the two address ranges, now 192.168.15.0 gets listed in the routing table. But both are never listed.

On the other hand, on the dd-wrt/ASUS router, when I add two ranges to the Allowed IPs (in that case, it was 10.0.0.2/32,192.168.8.0/24) I get a separate line in the routing table for each address range.

Anyway, I was able to work around the problem by setting the Allowed IPs on the gl-inet router to "192.168.0.0/16" which covered both the .1 and .15 subnets.

Andrew
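Two things in the last posts are worth checking mechanically rather than by eye: whether every AllowedIPs entry actually turned into a kernel route, and how much extra address space a catch-all like 192.168.0.0/16 admits compared with the two subnets that were needed. The block below is an added example, not code from this thread or from GL.iNet or DD-WRT; the `route` output is constructed after the gl-inet table posted earlier (with 203.0.113.10 standing in for the home address), and the interface name wg0 comes from that table.

```python
"""Check AllowedIPs against the kernel routing table, and size up a catch-all.

Added example; ROUTE_OUTPUT is constructed to mirror the gl-inet `route`
output in the thread, with 203.0.113.10 in place of the real home address.
"""
import ipaddress
from typing import Dict, List, Set

ROUTE_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         172.20.10.1     0.0.0.0         UG    30     0        0 eth1
172.20.10.0     *               255.255.255.240 U     30     0        0 eth1
192.168.1.0     *               255.255.255.0   U     0      0        0 wg0
192.168.8.0     *               255.255.255.0   U     0      0        0 br-lan
203.0.113.10    172.20.10.1     255.255.255.255 UGH   0      0        0 eth1
"""


def parse_allowed_ips(allowed_ips: str) -> List[ipaddress.IPv4Network]:
    """Split a comma-separated AllowedIPs value into networks (hosts become /32)."""
    return [ipaddress.ip_network(n.strip(), strict=False)
            for n in allowed_ips.split(",") if n.strip()]


def parse_route_table(text: str) -> Dict[str, Set[ipaddress.IPv4Network]]:
    """Map interface name -> set of destination networks from busybox `route` output."""
    routes: Dict[str, Set[ipaddress.IPv4Network]] = {}
    for line in text.splitlines():
        parts = line.split()
        # Skip the title line, the column header and anything malformed.
        if len(parts) < 8 or parts[0] in ("Kernel", "Destination"):
            continue
        dst, mask, iface = parts[0], parts[2], parts[-1]
        if dst == "default":
            dst = "0.0.0.0"
        net = ipaddress.ip_network(f"{dst}/{mask}", strict=False)
        routes.setdefault(iface, set()).add(net)
    return routes


def missing_routes(allowed_ips: str, route_text: str, dev: str = "wg0") -> List[str]:
    """AllowedIPs entries that have no matching route on `dev`."""
    have = parse_route_table(route_text).get(dev, set())
    return [str(n) for n in parse_allowed_ips(allowed_ips) if n not in have]


def covering_supernet(allowed_ips: str) -> ipaddress.IPv4Network:
    """Smallest single prefix that contains every AllowedIPs entry."""
    nets = parse_allowed_ips(allowed_ips)
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()
    return cover


def extra_addresses(allowed_ips: str) -> int:
    """Addresses the covering prefix admits beyond the entries actually listed."""
    nets = parse_allowed_ips(allowed_ips)
    listed = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    return covering_supernet(allowed_ips).num_addresses - listed


if __name__ == "__main__":
    wanted = "192.168.1.0/24,192.168.15.0/24"
    print("missing on wg0:", missing_routes(wanted, ROUTE_OUTPUT))
    print("smallest cover:", covering_supernet(wanted),
          "extra addresses:", extra_addresses(wanted))
```

Run against the posted table, `missing_routes` reports only 192.168.15.0/24, which is the symptom described. The smallest single prefix that covers both 192.168.1.0/24 and 192.168.15.0/24 is 192.168.0.0/20, not /16, and even that admits 3584 addresses beyond the two subnets. That matters because AllowedIPs is also the inbound source filter: every address added is an address the home router may send as through the tunnel, and a range that spans the gl-inet's own LAN would hand the home peer a route into it. If the two-entry problem forces a single range, pick the narrowest one that works.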