Nie jesteś zalogowany. Proszę się zalogować lub zarejestrować.
eko.one.pl → Oprogramowanie / Software → Wireguard konfiguracja klienta na OpenWRT - post rozpaczy :)
Strony Poprzednia 1 2
Zaloguj się lub zarejestruj by napisać odpowiedź
W plikach tymczasowychj est gdzieś zapisane nic wyzeruje konfigurację
Nie ma czegoś takiego 
w strukturach kernela jest.
na 17 lat u tego samego dostawcy mam drugi raz taki przypadek.
Jak wan odłączę router działa stabilnie.
jak tylko wepnę wtyczkę do WAN jest ciągły restart routera.
nic zeruję ustawienia
Wiedziałem, że w którymś kościele dzwoni
(może źle opisałem sytuację)
- disconnect modem/WAN (to stop looping)
- ssh to router
- rm -rf /usr/data/bwmon
- reboot
https://eko.one.pl/forum/viewtopic.php?id=17068
No to nie routing tylko uszkodzone dane od bwmon, na dodatek to gargoyle i nic wspólnego z tematem wątku nie ma...
No wiem, ale na szybko szukałem
I że nie w temacie - sorki
Wracając do tematu wireguard.
Na serwerze dodałem adresację podsieci klienta (peer-a - 192.168.3.0/24)
[Interface]
ListenPort = 55055
PrivateKey = klucz
[Peer]
PublicKey = klucz
AllowedIPs = 10.9.0.4/32, 192.168.3.0/24
Endpoint = 5.172.250.001:5578
PersistentKeepalive = 25
W związku z tym, że peer łączy się tylko do serwera jego konfiguracja wygląda tak
root@OpenWrt:~# wg showconf wg0
[Interface]
ListenPort = 34573
PrivateKey = klucz
[Peer]
PublicKey = klucz
AllowedIPs = 0.0.0.0/0
Endpoint = 46.186.30.100:55055
PersistentKeepalive = 25
Po restarcie interfejsów sieciowych na serwerze głównym ping do podsieci peer-a działa tylko przez moment, zaś ping na klasę adresową wg działa bez problemu.
Zapomniałem jeszcze o czymś ?
root@Piratees:~# /etc/init.d/network restart
root@Piratees:~# ping 192.168.3.217
PING 192.168.3.217 (192.168.3.217): 56 data bytes
64 bytes from 192.168.3.217: seq=0 ttl=254 time=175.127 ms
64 bytes from 192.168.3.217: seq=1 ttl=254 time=194.759 ms
64 bytes from 192.168.3.217: seq=2 ttl=254 time=54.333 ms
64 bytes from 192.168.3.217: seq=3 ttl=254 time=69.207 ms
64 bytes from 192.168.3.217: seq=4 ttl=254 time=93.956 ms
64 bytes from 192.168.3.217: seq=5 ttl=254 time=50.859 ms
64 bytes from 192.168.3.217: seq=6 ttl=254 time=51.663 ms
64 bytes from 192.168.3.217: seq=7 ttl=254 time=91.708 ms
64 bytes from 192.168.3.217: seq=8 ttl=254 time=91.513 ms
64 bytes from 192.168.3.217: seq=9 ttl=254 time=70.330 ms
64 bytes from 192.168.3.217: seq=10 ttl=254 time=90.088 ms
64 bytes from 192.168.3.217: seq=11 ttl=254 time=89.753 ms
64 bytes from 192.168.3.217: seq=12 ttl=254 time=50.601 ms
64 bytes from 192.168.3.217: seq=13 ttl=254 time=89.359 ms
64 bytes from 192.168.3.217: seq=14 ttl=254 time=89.415 ms
64 bytes from 192.168.3.217: seq=15 ttl=254 time=57.075 ms
64 bytes from 192.168.3.217: seq=16 ttl=254 time=77.916 ms
64 bytes from 192.168.3.217: seq=17 ttl=254 time=96.435 ms
64 bytes from 192.168.3.217: seq=18 ttl=254 time=89.390 ms
64 bytes from 192.168.3.217: seq=19 ttl=254 time=68.153 ms
64 bytes from 192.168.3.217: seq=20 ttl=254 time=87.718 ms
64 bytes from 192.168.3.217: seq=21 ttl=254 time=248.826 ms
64 bytes from 192.168.3.217: seq=22 ttl=254 time=90.198 ms
64 bytes from 192.168.3.217: seq=23 ttl=254 time=69.943 ms
64 bytes from 192.168.3.217: seq=24 ttl=254 time=87.767 ms
64 bytes from 192.168.3.217: seq=25 ttl=254 time=87.309 ms
64 bytes from 192.168.3.217: seq=26 ttl=254 time=86.164 ms
64 bytes from 192.168.3.217: seq=27 ttl=254 time=94.509 ms
64 bytes from 192.168.3.217: seq=28 ttl=254 time=86.796 ms
64 bytes from 192.168.3.217: seq=29 ttl=254 time=129.218 ms
64 bytes from 192.168.3.217: seq=30 ttl=254 time=89.339 ms
64 bytes from 192.168.3.217: seq=31 ttl=254 time=119.847 ms
64 bytes from 192.168.3.217: seq=32 ttl=254 time=97.988 ms
64 bytes from 192.168.3.217: seq=33 ttl=254 time=80.397 ms
64 bytes from 192.168.3.217: seq=34 ttl=254 time=79.956 ms
64 bytes from 192.168.3.217: seq=35 ttl=254 time=79.482 ms
64 bytes from 192.168.3.217: seq=36 ttl=254 time=87.300 ms
64 bytes from 192.168.3.217: seq=37 ttl=254 time=88.488 ms
64 bytes from 192.168.3.217: seq=38 ttl=254 time=81.034 ms
64 bytes from 192.168.3.217: seq=39 ttl=254 time=78.578 ms
64 bytes from 192.168.3.217: seq=40 ttl=254 time=79.381 ms
64 bytes from 192.168.3.217: seq=41 ttl=254 time=78.114 ms
64 bytes from 192.168.3.217: seq=42 ttl=254 time=57.966 ms
64 bytes from 192.168.3.217: seq=43 ttl=254 time=78.856 ms
64 bytes from 192.168.3.217: seq=44 ttl=254 time=77.496 ms
64 bytes from 192.168.3.217: seq=45 ttl=254 time=85.323 ms
64 bytes from 192.168.3.217: seq=46 ttl=254 time=77.108 ms
64 bytes from 192.168.3.217: seq=47 ttl=254 time=78.174 ms
64 bytes from 192.168.3.217: seq=48 ttl=254 time=77.308 ms
64 bytes from 192.168.3.217: seq=49 ttl=254 time=84.479 ms
64 bytes from 192.168.3.217: seq=50 ttl=254 time=76.683 ms
64 bytes from 192.168.3.217: seq=51 ttl=254 time=84.142 ms
64 bytes from 192.168.3.217: seq=52 ttl=254 time=77.002 ms
64 bytes from 192.168.3.217: seq=53 ttl=254 time=76.907 ms
64 bytes from 192.168.3.217: seq=54 ttl=254 time=95.574 ms
64 bytes from 192.168.3.217: seq=55 ttl=254 time=83.388 ms
64 bytes from 192.168.3.217: seq=56 ttl=254 time=84.208 ms
64 bytes from 192.168.3.217: seq=57 ttl=254 time=55.265 ms
64 bytes from 192.168.3.217: seq=58 ttl=254 time=70.541 ms
64 bytes from 192.168.3.217: seq=59 ttl=254 time=71.397 ms
64 bytes from 192.168.3.217: seq=60 ttl=254 time=78.124 ms
64 bytes from 192.168.3.217: seq=61 ttl=254 time=70.071 ms
64 bytes from 192.168.3.217: seq=62 ttl=254 time=77.876 ms
64 bytes from 192.168.3.217: seq=63 ttl=254 time=69.799 ms
64 bytes from 192.168.3.217: seq=64 ttl=254 time=69.477 ms
64 bytes from 192.168.3.217: seq=65 ttl=254 time=69.228 ms
64 bytes from 192.168.3.217: seq=66 ttl=254 time=69.111 ms
64 bytes from 192.168.3.217: seq=67 ttl=254 time=68.810 ms
^C
--- 192.168.3.217 ping statistics ---
85 packets transmitted, 68 packets received, 20% packet loss
round-trip min/avg/max = 50.601/85.504/248.826 ms
Przecież ci działa? Co to znaczy "tylko przez moment"?
I czemu na serwerze masz w peerze wpisany endpoint? To ten openwrt łączy się do serwera, prawda? Czemu masz jeszcze w drugą stronę?
tak działa tylko przez moment.
w peerze mam tak - tak mi pokazywało poprzez wydanie komendy wg show wg0
Kopiując config - na serwerze jest tak:
config wireguard_wg0
option public_key 'klucz'
option route_allowed_ips '1'
list allowed_ips '10.9.0.4/32'
list allowed_ips '192.168.3.0/24'
option persistent_keepalive '25'
option description 'ZTE286R'
Na kliencie jest tak:
config interface 'wg0'
option proto 'wireguard'
option private_key 'klucz'
list addresses '10.9.0.4/32'
Nie mogę się dostać do klasy adresowej 192.168.3.0/24 peer-a z adresacji serwera.
Od peer-a do serwera widzę wszystkie IP
Pokaż ponownie całe konfigi a nie wycinki. Komplet:
uci show network
uci show firewall
Zarówno z serwera jak i klienta.
serwer
root@Piratees:/# uci show network
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd2f:f89b:a423::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0.1'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='172.20.1.245'
network.lan.dns='172.20.1.245'
network.wan=interface
network.wan.ifname='eth0.2'
network.wan.proto='dhcp'
network.wan.ipv6='0'
network.wan_eth0_2_dev=device
network.wan_eth0_2_dev.name='eth0.2'
network.wan_eth0_2_dev.macaddr='d8:07:b6:b6:81:d3'
network.wan6=interface
network.wan6.ifname='eth0.2'
network.wan6.proto='dhcpv6'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='2 3 4 5 0t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='1 0t'
network.wg0=interface
network.wg0.proto='wireguard'
network.wg0.private_key='klucz'
network.wg0.listen_port='55055'
network.wg0.addresses='10.9.0.1/24'
network.@wireguard_wg0[0]=wireguard_wg0
network.@wireguard_wg0[0].public_key='klucz'
network.@wireguard_wg0[0].route_allowed_ips='1'
network.@wireguard_wg0[0].allowed_ips='10.9.0.2/32'
network.@wireguard_wg0[0].persistent_keepalive='25'
network.@wireguard_wg0[0].description='android'
network.@wireguard_wg0[1]=wireguard_wg0
network.@wireguard_wg0[1].public_key='klucz'
network.@wireguard_wg0[1].route_allowed_ips='1'
network.@wireguard_wg0[1].allowed_ips='10.9.0.3/32'
network.@wireguard_wg0[1].persistent_keepalive='25'
network.@wireguard_wg0[1].description='Leo-PL'
network.@wireguard_wg0[2]=wireguard_wg0
network.@wireguard_wg0[2].public_key='klucz'
network.@wireguard_wg0[2].route_allowed_ips='1'
network.@wireguard_wg0[2].allowed_ips='10.9.0.4/32' '192.168.3.0/24'
network.@wireguard_wg0[2].persistent_keepalive='25'
network.@wireguard_wg0[2].description='ZTE286R'
root@Piratees:/# uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].enforce_dhcp_assignments='1'
firewall.@defaults[0].force_router_dns='1'
firewall.@defaults[0].flow_offloading='1'
firewall.@defaults[0].flow_offloading_hw='1'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@include[0].reload='1'
firewall.@include[1]=include
firewall.@include[1].type='script'
firewall.@include[1].path='/usr/lib/gargoyle_firewall_util/gargoyle_additions.firewall'
firewall.@include[1].family='IPv4'
firewall.@include[1].reload='1'
firewall.ra_443_4443=remote_accept
firewall.ra_443_4443.local_port='443'
firewall.ra_443_4443.remote_port='4443'
firewall.ra_443_4443.proto='tcp'
firewall.ra_443_4443.zone='wan'
firewall.ra_22_22=remote_accept
firewall.ra_22_22.local_port='22'
firewall.ra_22_22.remote_port='22'
firewall.ra_22_22.proto='tcp'
firewall.ra_22_22.zone='wan'
firewall.openvpn_include_file=include
firewall.openvpn_include_file.path='/etc/openvpn.firewall'
firewall.openvpn_include_file.reload='1'
firewall.vpn_zone=zone
firewall.vpn_zone.name='vpn'
firewall.vpn_zone.device='tun0'
firewall.vpn_zone.input='ACCEPT'
firewall.vpn_zone.output='ACCEPT'
firewall.vpn_zone.forward='ACCEPT'
firewall.vpn_zone.mtu_fix='1'
firewall.vpn_zone.masq='1'
firewall.vpn_lan_forwarding=forwarding
firewall.vpn_lan_forwarding.src='lan'
firewall.vpn_lan_forwarding.dest='vpn'
firewall.lan_vpn_forwarding=forwarding
firewall.lan_vpn_forwarding.src='vpn'
firewall.lan_vpn_forwarding.dest='lan'
firewall.ra_openvpn=remote_accept
firewall.ra_openvpn.zone='wan'
firewall.ra_openvpn.local_port='1194'
firewall.ra_openvpn.remote_port='1194'
firewall.ra_openvpn.proto='tcp'
firewall.vpn_wan_forwarding=forwarding
firewall.vpn_wan_forwarding.src='vpn'
firewall.vpn_wan_forwarding.dest='wan'
firewall.redirect_enabled_number_0=redirect
firewall.redirect_enabled_number_0.name='home'
firewall.redirect_enabled_number_0.src='wan'
firewall.redirect_enabled_number_0.dest='lan'
firewall.redirect_enabled_number_0.proto='tcp'
firewall.redirect_enabled_number_0.src_dport='8080'
firewall.redirect_enabled_number_0.dest_ip='172.20.1.100'
firewall.redirect_enabled_number_0.dest_port='8080'
firewall.redirect_enabled_number_1=redirect
firewall.redirect_enabled_number_1.name='home'
firewall.redirect_enabled_number_1.src='wan'
firewall.redirect_enabled_number_1.dest='lan'
firewall.redirect_enabled_number_1.proto='udp'
firewall.redirect_enabled_number_1.src_dport='8080'
firewall.redirect_enabled_number_1.dest_ip='172.20.1.100'
firewall.redirect_enabled_number_1.dest_port='8080'
firewall.redirect_enabled_number_2=redirect
firewall.redirect_enabled_number_2.name='apache'
firewall.redirect_enabled_number_2.src='wan'
firewall.redirect_enabled_number_2.dest='lan'
firewall.redirect_enabled_number_2.proto='tcp'
firewall.redirect_enabled_number_2.src_dport='80'
firewall.redirect_enabled_number_2.dest_ip='172.20.1.100'
firewall.redirect_enabled_number_2.dest_port='80'
firewall.redirect_enabled_number_3=redirect
firewall.redirect_enabled_number_3.name='apache'
firewall.redirect_enabled_number_3.src='wan'
firewall.redirect_enabled_number_3.dest='lan'
firewall.redirect_enabled_number_3.proto='udp'
firewall.redirect_enabled_number_3.src_dport='80'
firewall.redirect_enabled_number_3.dest_ip='172.20.1.100'
firewall.redirect_enabled_number_3.dest_port='80'
firewall.redirect_enabled_number_4=redirect
firewall.redirect_enabled_number_4.name='monit'
firewall.redirect_enabled_number_4.src='wan'
firewall.redirect_enabled_number_4.dest='lan'
firewall.redirect_enabled_number_4.proto='tcp'
firewall.redirect_enabled_number_4.src_dport='2812'
firewall.redirect_enabled_number_4.dest_ip='172.20.1.100'
firewall.redirect_enabled_number_4.dest_port='2812'
firewall.redirect_enabled_number_5=redirect
firewall.redirect_enabled_number_5.name='monit'
firewall.redirect_enabled_number_5.src='wan'
firewall.redirect_enabled_number_5.dest='lan'
firewall.redirect_enabled_number_5.proto='udp'
firewall.redirect_enabled_number_5.src_dport='2812'
firewall.redirect_enabled_number_5.dest_ip='172.20.1.100'
firewall.redirect_enabled_number_5.dest_port='2812'
firewall.redirect_enabled_number_6=redirect
firewall.redirect_enabled_number_6.name='home'
firewall.redirect_enabled_number_6.src='wan'
firewall.redirect_enabled_number_6.dest='lan'
firewall.redirect_enabled_number_6.proto='tcp'
firewall.redirect_enabled_number_6.src_dport='443'
firewall.redirect_enabled_number_6.dest_ip='172.20.1.100'
firewall.redirect_enabled_number_6.dest_port='443'
firewall.redirect_enabled_number_7=redirect
firewall.redirect_enabled_number_7.name='home'
firewall.redirect_enabled_number_7.src='wan'
firewall.redirect_enabled_number_7.dest='lan'
firewall.redirect_enabled_number_7.proto='udp'
firewall.redirect_enabled_number_7.src_dport='443'
firewall.redirect_enabled_number_7.dest_ip='172.20.1.100'
firewall.redirect_enabled_number_7.dest_port='443'
firewall.redirect_enabled_number_8=redirect
firewall.redirect_enabled_number_8.name='xbox'
firewall.redirect_enabled_number_8.src='wan'
firewall.redirect_enabled_number_8.dest='lan'
firewall.redirect_enabled_number_8.proto='tcp'
firewall.redirect_enabled_number_8.src_dport='3074'
firewall.redirect_enabled_number_8.dest_ip='172.20.1.158'
firewall.redirect_enabled_number_8.dest_port='3074'
firewall.redirect_enabled_number_9=redirect
firewall.redirect_enabled_number_9.name='xbox'
firewall.redirect_enabled_number_9.src='wan'
firewall.redirect_enabled_number_9.dest='lan'
firewall.redirect_enabled_number_9.proto='udp'
firewall.redirect_enabled_number_9.src_dport='3074'
firewall.redirect_enabled_number_9.dest_ip='172.20.1.158'
firewall.redirect_enabled_number_9.dest_port='3074'
firewall.redirect_enabled_number_10=redirect
firewall.redirect_enabled_number_10.name='rodek'
firewall.redirect_enabled_number_10.src='wan'
firewall.redirect_enabled_number_10.dest='lan'
firewall.redirect_enabled_number_10.proto='tcp'
firewall.redirect_enabled_number_10.src_dport='8081'
firewall.redirect_enabled_number_10.dest_ip='192.168.1.1'
firewall.redirect_enabled_number_10.dest_port='8080'
firewall.redirect_enabled_number_11=redirect
firewall.redirect_enabled_number_11.name='rodek'
firewall.redirect_enabled_number_11.src='wan'
firewall.redirect_enabled_number_11.dest='lan'
firewall.redirect_enabled_number_11.proto='udp'
firewall.redirect_enabled_number_11.src_dport='8081'
firewall.redirect_enabled_number_11.dest_ip='192.168.1.1'
firewall.redirect_enabled_number_11.dest_port='8080'
firewall.redirect_enabled_number_12=redirect
firewall.redirect_enabled_number_12.name='ipcam'
firewall.redirect_enabled_number_12.src='wan'
firewall.redirect_enabled_number_12.dest='lan'
firewall.redirect_enabled_number_12.proto='tcp'
firewall.redirect_enabled_number_12.src_dport='9999'
firewall.redirect_enabled_number_12.dest_ip='172.20.1.114'
firewall.redirect_enabled_number_12.dest_port='80'
firewall.redirect_enabled_number_13=redirect
firewall.redirect_enabled_number_13.name='ipcam'
firewall.redirect_enabled_number_13.src='wan'
firewall.redirect_enabled_number_13.dest='lan'
firewall.redirect_enabled_number_13.proto='udp'
firewall.redirect_enabled_number_13.src_dport='9999'
firewall.redirect_enabled_number_13.dest_ip='172.20.1.114'
firewall.redirect_enabled_number_13.dest_port='80'
firewall.redirect_enabled_number_14=redirect
firewall.redirect_enabled_number_14.name='mqtt'
firewall.redirect_enabled_number_14.src='wan'
firewall.redirect_enabled_number_14.dest='lan'
firewall.redirect_enabled_number_14.proto='tcp'
firewall.redirect_enabled_number_14.src_dport='1883'
firewall.redirect_enabled_number_14.dest_ip='172.20.1.122'
firewall.redirect_enabled_number_14.dest_port='1883'
firewall.redirect_enabled_number_15=redirect
firewall.redirect_enabled_number_15.name='mqtt'
firewall.redirect_enabled_number_15.src='wan'
firewall.redirect_enabled_number_15.dest='lan'
firewall.redirect_enabled_number_15.proto='udp'
firewall.redirect_enabled_number_15.src_dport='1883'
firewall.redirect_enabled_number_15.dest_ip='172.20.1.122'
firewall.redirect_enabled_number_15.dest_port='1883'
firewall.@rule[9]=rule
firewall.@rule[9].src='wan'
firewall.@rule[9].target='ACCEPT'
firewall.@rule[9].proto='udp'
firewall.@rule[9].dest_port='55055'
firewall.@rule[9].name='wireguard'
firewall.@zone[3]=zone
firewall.@zone[3].name='wg'
firewall.@zone[3].input='ACCEPT'
firewall.@zone[3].forward='ACCEPT'
firewall.@zone[3].output='ACCEPT'
firewall.@zone[3].masq='1'
firewall.@zone[3].network='wg0'
firewall.@forwarding[4]=forwarding
firewall.@forwarding[4].src='wg'
firewall.@forwarding[4].dest='wan'
firewall.@forwarding[5]=forwarding
firewall.@forwarding[5].src='wan'
firewall.@forwarding[5].dest='wg'
firewall.@forwarding[6]=forwarding
firewall.@forwarding[6].src='wg'
firewall.@forwarding[6].dest='lan'
firewall.@forwarding[7]=forwarding
firewall.@forwarding[7].src='lan'
firewall.@forwarding[7].dest='wg'
klient
root@OpenWrt:~# uci show network
network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.vpn=interface
network.vpn.device='tun0'
network.vpn.proto='udp'
network.globals=globals
network.globals.ula_prefix='fd2f:9386:1c3a::/48'
network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].ports='eth0.1'
network.lan=interface
network.lan.device='br-lan'
network.lan.proto='static'
network.lan.ip6assign='60'
network.lan.netmask='255.255.255.0'
network.lan.ipaddr='192.168.3.1'
network.lan.dns='8.8.8.8'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='1 2 3 5 0t'
network.wan=interface
network.wan.delay='15'
network.wan.proto='ncm'
network.wan.device='/dev/ttyACM0'
network.wan.ifname='usb1'
network.wan.apn='darmowy'
network.wan.dns='8.8.8.8'
network.wg0=interface
network.wg0.proto='wireguard'
network.wg0.private_key='klucz'
network.wg0.addresses='10.9.0.4/32'
network.@wireguard_wg0[0]=wireguard_wg0
network.@wireguard_wg0[0].public_key='klucz'
network.@wireguard_wg0[0].route_allowed_ips='1'
network.@wireguard_wg0[0].allowed_ips='0.0.0.0/0'
network.@wireguard_wg0[0].endpoint_host='piratee.no-ip.pl'
network.@wireguard_wg0[0].endpoint_port='55055'
network.@wireguard_wg0[0].persistent_keepalive='25'
network.@wireguard_wg0[0].description='ZTE286R'
root@OpenWrt:~# uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@rule[9]=rule
firewall.@rule[9].name='Support-UDP-Traceroute'
firewall.@rule[9].src='wan'
firewall.@rule[9].dest_port='33434:33689'
firewall.@rule[9].proto='udp'
firewall.@rule[9].family='ipv4'
firewall.@rule[9].target='REJECT'
firewall.@rule[9].enabled='false'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@zone[2]=zone
firewall.@zone[2].name='vpn'
firewall.@zone[2].input='ACCEPT'
firewall.@zone[2].forward='ACCEPT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].masq='1'
firewall.@zone[2].network='vpn'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='vpn'
firewall.@forwarding[1].dest='areo'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].src='lan'
firewall.@forwarding[2].dest='vpn'
firewall.@forwarding[3]=forwarding
firewall.@forwarding[3].src='vpn'
firewall.@forwarding[3].dest='lan'
firewall.@rule[10]=rule
firewall.@rule[10].src='wan'
firewall.@rule[10].target='ACCEPT'
firewall.@rule[10].proto='udp'
firewall.@rule[10].dest_port='55055'
firewall.@rule[10].name='wireguard'
firewall.@zone[3]=zone
firewall.@zone[3].name='wg'
firewall.@zone[3].input='ACCEPT'
firewall.@zone[3].forward='ACCEPT'
firewall.@zone[3].output='ACCEPT'
firewall.@zone[3].masq='1'
firewall.@zone[3].network='wg0'
firewall.@forwarding[4]=forwarding
firewall.@forwarding[4].src='wg'
firewall.@forwarding[4].dest='wan'
firewall.@forwarding[5]=forwarding
firewall.@forwarding[5].src='wan'
firewall.@forwarding[5].dest='wg'
firewall.@forwarding[6]=forwarding
firewall.@forwarding[6].src='wg'
firewall.@forwarding[6].dest='lan'
firewall.@forwarding[7]=forwarding
firewall.@forwarding[7].src='lan'
firewall.@forwarding[7].dest='wg'
Pokaz jeszcze wynik na serwerze:
route -n
ping 192.168.3.1
root@Piratees:/# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 46.186.0.1 0.0.0.0 UG 0 0 0 eth0.2
10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
10.9.0.0 0.0.0.0 255.255.255.0 U 0 0 0 wg0
10.9.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 wg0
10.9.0.3 0.0.0.0 255.255.255.255 UH 0 0 0 wg0
10.9.0.4 0.0.0.0 255.255.255.255 UH 0 0 0 wg0
10.10.1.0 10.8.0.5 255.255.255.0 UG 0 0 0 tun0
46.186.0.0 0.0.0.0 255.255.248.0 U 0 0 0 eth0.2
172.20.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan
192.168.1.0 10.8.0.4 255.255.255.0 UG 0 0 0 tun0
192.168.2.0 10.8.0.6 255.255.255.0 UG 0 0 0 tun0
192.168.3.0 10.8.0.7 255.255.255.0 UG 0 0 0 tun0
root@Piratees:/# ping 192.168.3.1
PING 192.168.3.1 (192.168.3.1): 56 data bytes
Edit:
a to nie miesza z openvpn (klient wyłączony ale routing został)
192.168.3.0 10.8.0.7 255.255.255.0 UG 0 0 0 tun0
Ej, no właśnie, ty masz routing przez openvpn robiony a nie wireguarda...
bo chciałbym docelowo może przejść z openvpn na wireguard-a
i zostawiłem konfigurację na serwerze openvpn i klienta wyłączyłem.
(nie usunąłem routingu w pliku konfiguracyjnym openvpn)
Zaraz zobaczę czy to tego wina.
Edit:
Wyłączyłem ręcznie usługę i jest dalej to samo
root@Piratees:/etc/openvpn# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default host-46-186-0-1 0.0.0.0 UG 0 0 0 eth0.2
10.9.0.0 * 255.255.255.0 U 0 0 0 wg0
10.9.0.2 * 255.255.255.255 UH 0 0 0 wg0
10.9.0.3 * 255.255.255.255 UH 0 0 0 wg0
10.9.0.4 * 255.255.255.255 UH 0 0 0 wg0
46.186.0.0 * 255.255.248.0 U 0 0 0 eth0.2
172.20.1.0 * 255.255.255.0 U 0 0 0 br-lan
root@Piratees:/etc/openvpn# ping 192.168.3.1
PING 192.168.3.1 (192.168.3.1): 56 data bytes
Zrestartuj wireguarda, bo widzisz że w tablicach routingu tego nie masz. One się tworzą podczas startu tylko.
Wyłączyłem usługę openvpn i zrestartowałem interfejsy sieciowe.
Ping zaczął działać.
Ale o dziwo jak z crona podniósł się openvpn pingi działają dalej.
Ale nic, trzeba się po prostu zdecydować openvpn czy wireguard.
(myślałem, że mogą dwie usługi pracować równolegle)
root@Piratees:/etc/openvpn# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default host-46-186-0-1 0.0.0.0 UG 0 0 0 eth0.2
10.8.0.0 * 255.255.255.0 U 0 0 0 tun0
10.9.0.0 * 255.255.255.0 U 0 0 0 wg0
10.9.0.2 * 255.255.255.255 UH 0 0 0 wg0
10.9.0.3 * 255.255.255.255 UH 0 0 0 wg0
10.9.0.4 * 255.255.255.255 UH 0 0 0 wg0
10.10.1.0 10.8.0.5 255.255.255.0 UG 0 0 0 tun0
46.186.0.0 * 255.255.248.0 U 0 0 0 eth0.2
172.20.1.0 * 255.255.255.0 U 0 0 0 br-lan
192.168.1.0 10.8.0.4 255.255.255.0 UG 0 0 0 tun0
192.168.2.0 10.8.0.6 255.255.255.0 UG 0 0 0 tun0
192.168.3.0 * 255.255.255.0 U 0 0 0 wg0
root@Piratees:/etc/openvpn# ping 192.168.3.217
PING 192.168.3.217 (192.168.3.217): 56 data bytes
64 bytes from 192.168.3.217: seq=7 ttl=254 time=84.287 ms
64 bytes from 192.168.3.217: seq=8 ttl=254 time=85.481 ms
64 bytes from 192.168.3.217: seq=9 ttl=254 time=64.033 ms
64 bytes from 192.168.3.217: seq=10 ttl=254 time=63.787 ms
64 bytes from 192.168.3.217: seq=11 ttl=254 time=64.534 ms
64 bytes from 192.168.3.217: seq=12 ttl=254 time=73.503 ms
64 bytes from 192.168.3.217: seq=13 ttl=254 time=63.277 ms
64 bytes from 192.168.3.217: seq=14 ttl=254 time=63.018 ms
64 bytes from 192.168.3.217: seq=15 ttl=254 time=62.778 ms
64 bytes from 192.168.3.217: seq=16 ttl=254 time=256.593 ms
64 bytes from 192.168.3.217: seq=17 ttl=254 time=70.503 ms
64 bytes from 192.168.3.217: seq=18 ttl=254 time=59.113 ms
64 bytes from 192.168.3.217: seq=19 ttl=254 time=346.608 ms
64 bytes from 192.168.3.217: seq=20 ttl=254 time=77.338 ms
64 bytes from 192.168.3.217: seq=21 ttl=254 time=109.927 ms
64 bytes from 192.168.3.217: seq=22 ttl=254 time=58.721 ms
64 bytes from 192.168.3.217: seq=23 ttl=254 time=64.760 ms
64 bytes from 192.168.3.217: seq=24 ttl=254 time=64.302 ms
64 bytes from 192.168.3.217: seq=25 ttl=254 time=64.010 ms
64 bytes from 192.168.3.217: seq=26 ttl=254 time=72.890 ms
64 bytes from 192.168.3.217: seq=27 ttl=254 time=63.629 ms
64 bytes from 192.168.3.217: seq=28 ttl=254 time=56.502 ms
64 bytes from 192.168.3.217: seq=29 ttl=254 time=56.250 ms
64 bytes from 192.168.3.217: seq=30 ttl=254 time=55.983 ms
64 bytes from 192.168.3.217: seq=31 ttl=254 time=55.885 ms
^C
--- 192.168.3.217 ping statistics ---
83 packets transmitted, 83 packets received, 0% packet loss
round-trip min/avg/max = 43.553/116.465/1645.256 ms
Bo masz już routing i openvpn przy poniesieniu nie może zrobić takiej trasy. Jak uruchomisz odwrotnie to znów będzie problem.
Wywal te trasy z openvpn po prostu.
Dziękuję za pomoc
Pomyślę i zdecyduję czy wireguard czy openvpn.
Wątek może nie idealnie dopasowany ale zapytam tutaj.
Zaktualizowałem openwrt z 19.07 na 21.02 na routerze robiącym za głupi AP wpiętym za routerem brzegowym bez openwrt.
Odtworzyłem sobie konfigurację wireguard i nawet działa. Wi-fi w tej chwili jeszcze nie skonfigurowane na R6220.
Oczywiście odtworzyłem nie z backup-u z wersji 19.07 tylko "z palca" sobie wyklinałem.
Problemem jest brak połączenia wi-fi z routera brzegowego bez openwrt na niektórych telefonach komórkowych.
Po odpięciu R6220 wszystko działa. O co chodzi?
Jak to mówią co mam piernik do wiatraka? Przy wcześniejszej konfiguracji wszystko działało?
Na AP nie wyłączyłeś serwera dhcp i rozgłasza się w sieci dając hostom innego gatewaya niż powinien.
Tak, wątek nie jest idealny do tego pytania.
Oczywiście jak zawsze odpowiedź w punkt. Dziękuję za przypomnienie.
Postaram się poprawić i na drugi raz pisać we właściwym temacie. Przepraszam i proszę o wyrozumiałość.
Strony Poprzednia 1 2
Zaloguj się lub zarejestruj by napisać odpowiedź
eko.one.pl → Oprogramowanie / Software → Wireguard konfiguracja klienta na OpenWRT - post rozpaczy :)
Forum oparte o PunBB, wspierane przez Informer Technologies, Inc