1

Topic: wireguard ->openvpn

I have a problem configuring the connection. OpenWrt runs in a VM on a server. It has two interfaces added, lan and wan. On wan I want outgoing traffic to go through NordVPN (that already works), and I'd like to connect to lan via WireGuard; I've done that too, it connects and pings the WireGuard server address, but it doesn't get out to the internet. Please give me some pointers on what I'm doing wrong. (I know NordVPN itself offers WireGuard, but I want to do it this way because I'll be using other VPNs too.)

network:

config interface 'loopback'
    option device 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'xxx'

config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'eth0'

config interface 'lan'
    option device 'br-lan'
    option proto 'dhcp'

config interface 'wan'
    option proto 'dhcp'
    option device 'eth1'
    option peerdns '0'
    list dns '103.86.96.100'
    list dns '103.86.99.100'

config interface 'wg0'
    option proto 'wireguard'
    option private_key 'xxx'
    option listen_port 'xxx'
    list addresses '10.9.0.1/24'

config wireguard_wg0
    option description 'debian'
    list allowed_ips '10.9.0.4/32'
    option route_allowed_ips '1'
    option persistent_keepalive '25'
    option public_key 'xxx'

firewall:

config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    list network 'wan'
    list network 'wan6'
    list network 'WAN'

config forwarding
    option src 'lan'
    option dest 'wan'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-IPSec-ESP'
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option name 'Allow-ISAKMP'
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

config zone
    option name 'vpnfirewall'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    list network 'nordvpntun'

config forwarding
    option src 'lan'
    option dest 'vpnfirewall'

config rule
    option src 'wan'
    option target 'ACCEPT'
    option proto 'udp'
    option dest_port 'xxx'
    option name 'wireguard'

config zone
    option name 'wg'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    option output 'ACCEPT'
    option masq '1'
    option network 'wg0'

config forwarding
    option src 'wg'
    option dest 'wan'

config forwarding
    option src 'wan'
    option dest 'wg'

config forwarding
    option src 'wg'
    option dest 'lan'

config forwarding
    option src 'lan'
    option dest 'wg'

2

Re: wireguard ->openvpn

On the client, AllowedIPs to 0.0.0.0

Have a router you don't need, broken or not? I'll gladly take it off your hands.

3 (edited by KevinG 2022-09-27 11:58:07)

Re: wireguard ->openvpn

client config

cat /etc/wireguard/wg0.conf 
[Interface]
PrivateKey = xxx
Address = 10.9.0.4/32

[Peer]
PublicKey = xxx
AllowedIPs = 0.0.0.0/0
Endpoint = 192.168.1.149:xxx

from the client

ping 10.9.0.1
PING 10.9.0.1 (10.9.0.1) 56(84) bytes of data.
64 bytes from 10.9.0.1: icmp_seq=1 ttl=64 time=0.853 ms
64 bytes from 10.9.0.1: icmp_seq=2 ttl=64 time=0.731 ms
^C
--- 10.9.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.731/0.792/0.853/0.061 ms


ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
From 10.9.0.1 icmp_seq=1 Destination Port Unreachable
From 10.9.0.1 icmp_seq=2 Destination Port Unreachable

It connects to OpenWrt normally, but doesn't go any further. And the VPN connection works correctly.

4

Re: wireguard ->openvpn

Also allow between wg <> vpnfirewall, or whatever it's called.


5

Re: wireguard ->openvpn

Doesn't work, hmm

config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    list network 'wan'
    list network 'wan6'
    list network 'WAN'

config forwarding
    option src 'lan'
    option dest 'wan'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-IPSec-ESP'
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option name 'Allow-ISAKMP'
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

config zone
    option name 'vpnfirewall'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    list network 'nordvpntun'

config forwarding
    option src 'lan'
    option dest 'vpnfirewall'

config rule
    option src 'wan'
    option target 'ACCEPT'
    option proto 'udp'
    option dest_port '55055'
    option name 'wireguard'

config zone
    option name 'wg'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    option output 'ACCEPT'
    option masq '1'
    option network 'wg0'

config forwarding
    option src 'wg'
    option dest 'wan'

config forwarding
    option src 'wg'
    option dest 'lan'

config forwarding
    option src 'lan'
    option dest 'wg'

config forwarding
    option src 'wg'
    option dest 'vpnfirewall'

config forwarding
    option src 'vpnfirewall'
    option dest 'wg'

6

Re: wireguard ->openvpn

Show the output of

route -n


7

Re: wireguard ->openvpn

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.1        128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth1
10.8.0.0        0.0.0.0         255.255.0.0     U     0      0        0 tun0
10.9.0.0        0.0.0.0         255.255.255.0   U     0      0        0 wg0
10.9.0.4        0.0.0.0         255.255.255.255 UH    0      0        0 wg0
128.0.0.0       10.8.0.1        128.0.0.0       UG    0      0        0 tun0
xxxxx  192.168.1.1     255.255.255.255 UGH   0      0        0 br-lan
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
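Why the client sees "Destination Port Unreachable" coming from 10.9.0.1 itself, and why the wg <> vpnfirewall forwarding suggested in reply 4 matters: an added example, not code from any poster or from OpenWrt, that parses a trimmed copy of the first post's zones and forwardings, picks the egress interface for 1.1.1.1 from the /1 routes in the table above, and applies fw3/fw4 zone semantics (traffic between two zones with no forwarding section hits the REJECT policy, which answers with an ICMP port-unreachable). The config and route lines are constructed subsets, and the example assumes tun0 belongs to the nordvpntun network, which the thread never shows.

```python
import ipaddress
# Constructed subset of the firewall config from the first post (zones and forwardings only).
FIREWALL = """
config zone
    option name 'wan'
    list network 'wan'
config zone
    option name 'vpnfirewall'
    list network 'nordvpntun'
config zone
    option name 'wg'
    option network 'wg0'
config forwarding
    option src 'wg'
    option dest 'wan'
"""
# Constructed subset of the 'route -n' output from post 7: (Destination, Genmask, Iface).
ROUTES = [("0.0.0.0", "128.0.0.0", "tun0"), ("0.0.0.0", "0.0.0.0", "eth1"),
          ("128.0.0.0", "128.0.0.0", "tun0"), ("10.9.0.0", "255.255.255.0", "wg0")]
# Assumption: tun0 is the interface of the 'nordvpntun' network (the thread never shows this).
IFACE_TO_NETWORK = {"tun0": "nordvpntun", "eth1": "wan", "wg0": "wg0"}

def parse_uci(text):
    """Parse UCI sections into (type, {key: [values]}); 'option' and 'list' both become lists."""
    sections = []
    for line in filter(str.strip, text.splitlines()):
        words = line.split(None, 2)
        if words[0] == "config":
            sections.append((words[1], {}))
        elif words[0] in ("option", "list"):
            sections[-1][1].setdefault(words[1], []).append(words[2].strip("'"))
    return sections

def egress_iface(dst):
    """Longest-prefix match: the two /1 routes via tun0 beat the /0 default via eth1."""
    nets = [(ipaddress.ip_network(f"{d}/{m}"), i) for d, m, i in ROUTES]
    return max((n.prefixlen, i) for n, i in nets if ipaddress.ip_address(dst) in n)[1]

def zone_of(sections, network):
    return next(o["name"][0] for t, o in sections if t == "zone" and network in o["network"])

def forward_allowed(sections, src, dst):
    """fw3/fw4 semantics: traffic between two different zones needs an explicit forwarding section."""
    return any(t == "forwarding" and o["src"][0] == src and o["dest"][0] == dst for t, o in sections)

def diagnose(config_text, src_network, dst_ip):
    sections = parse_uci(config_text)
    src_zone = zone_of(sections, src_network)
    dst_zone = zone_of(sections, IFACE_TO_NETWORK[egress_iface(dst_ip)])
    return src_zone, dst_zone, forward_allowed(sections, src_zone, dst_zone)
```

With the first post's config, diagnose(FIREWALL, "wg0", "1.1.1.1") returns ('wg', 'vpnfirewall', False), which is the REJECT the client reports as ICMP port-unreachable; appending a forwarding from wg to vpnfirewall flips it to True, while wg0 to 10.9.0.1 never crosses zones, which is why that ping works.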

8 (edited by KevinG 2022-09-27 15:44:33)

Re: wireguard ->openvpn

On my phone I added a client following the guide and it connects, but it doesn't even ping 10.9.0.1.

root@OpenWrt:~# wg
interface: wg0
  public key: xxx
  private key: (hidden)
  listening port: 55055

peer: xxx
  endpoint: 192.168.1.158:43461
  allowed ips: 10.9.0.4/32
  latest handshake: 1 minute, 4 seconds ago
  transfer: 4.64 KiB received, 5.07 KiB sent
  persistent keepalive: every 25 seconds

peer: xxx
  endpoint: 5.173.132.39:42268
  allowed ips: 10.9.0.3/32
  transfer: 22.98 KiB received, 18.91 KiB sent
  persistent keepalive: every 25 seconds

The second peer is the Android one; I can see it can't get a handshake.