WireGuard/wireguard-vyatta-ubnt

Probably operator error - Please help. Cannot get Wireguard to work.

Opened this issue · 17 comments

Hi,
Please can I have some help. I don't know entirely what I'm doing wrong.

Context:
ISP router is 192.168.1.1 -> ERX is on DHCP with a reservation and port forwarding 12345 to 12345, and gets the IP address 192.168.1.3. The ISP router provides a DDNS service too, which is proven correct: when I ping that DNS name, the IP address it resolves to matches the IP address reported by whatismyipaddress.org.

Home LAN is on 192.168.100.0/24 and the ERX ip address is 192.168.100.254.
I have a pi hole on 192.168.100.220 with conditional forwarding to 192.168.100.254 for 192.168.100.0/24

Trying to test for connectivity using a proven SMB connection with Kodi on an Android phone. Tested with wifi and then using cellular to prove WireGuard. The only configuration applied to this is address 10.250.250.2/32, peer public key as per wgpublic.key, and the phone's public key is . The endpoint is the ISP router DDNS address, port 12345. Allowed IPs is 192.168.100.0/24 as I want all other cellular traffic to not go through wg.
Phone reports tx figures, but no rx figures when I attempt to connect via Kodi.

ERX installation instructions that I executed:

--start --
curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20211208-1/e50-v2-v1.0.20211208-v1.0.20210914.deb
sudo dpkg -i e50-v2-v1.0.20211208-v1.0.20210914.deb

wg genkey | tee /config/auth/wgprivate.key | wg pubkey > wgpublic.key

configure

set interfaces wireguard wg0 address 10.250.250.1/24
set interfaces wireguard wg0 listen-port 12345
set interfaces wireguard wg0 route-allowed-ips true
set interfaces wireguard wg0 private-key /config/auth/wgprivate.key

set firewall name WAN_LOCAL rule 20 action accept
set firewall name WAN_LOCAL rule 20 protocol udp
set firewall name WAN_LOCAL rule 20 description 'WireGuard'
set firewall name WAN_LOCAL rule 20 destination port 12345
commit
save
exit

configure
set interfaces wireguard wg0 peer
set interfaces wireguard wg0 peer allowed-ips 10.250.250.2/32
commit
save
exit

configure
set interfaces wireguard wg0 peer
set interfaces wireguard wg0 peer allowed-ips 10.250.250.3/32
commit
save
exit
--end--

I thought it was a routing issue but I assumed that route-allowed-ips would route 192.168.0.0/24 to 10.250.250.1

I'm at my wits end. I've tried this 10 times or more on different occasions and always meet with failure.

Any help would be appreciated. Happy to drop some coffee money through if you can help me get it working.

Cheers
Simon

dc361 commented

Just a guess .. My firewall rule on my ER is slightly different ..

set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description 'Accept Wireguard VPN server connections'
set firewall name WAN_LOCAL rule 30 destination port 52820
set firewall name WAN_LOCAL rule 30 log disable
set firewall name WAN_LOCAL rule 30 protocol udp
set firewall name WAN_LOCAL rule 30 source address 0.0.0.0/0
set firewall name WAN_LOCAL rule 30 state established enable
set firewall name WAN_LOCAL rule 30 state new enable
set firewall name WAN_LOCAL rule 30 state related enable

I don't think the related statement is required but the new and established are.

Your config on the ER looks fine to me. I can only think of three things

  1. On your android you set the address to 10.250.250.2/32 - I would set this to match the subnet of the server, e.g. 10.250.250.2/24 or at least 10.250.250.2/30. Otherwise I don't think it will be able to reach the server at 10.250.250.1
  2. Is it necessary to include the server in Allowed IPs on the client? I don't know the answer myself. You can try adding 10.250.250.0/24 to Allowed IPs on the client but it may not be necessary.
  3. Port forwarding is not working on the ISP router. Can you check on the ER-X if it's getting a connection from your phone? Run "sudo wg" and it should show the "latest handshake" for your android phone. If it doesn't show one, then I would suspect port forwarding is not working or maybe the keys are not set up correctly.

You also mentioned a pihole but I'm not sure how it's relevant. Are you wanting your phone to use the pihole for DNS while the tunnel is up? I would try connecting to your Kodi server by using its IP address first to eliminate this as a source of the problem.
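The "latest handshake" check suggested above is the one reliable signal WireGuard gives you about whether packets are arriving and the keys match. The following script is an added example (not from this thread or the wireguard-vyatta-ubnt project) that triages peers from the tab-separated output of `wg show <iface> dump`: line 1 is the interface (private-key, public-key, listen-port, fwmark), each later line is one peer (public-key, preshared-key, endpoint, allowed-ips, latest-handshake as a Unix timestamp or 0 if never, transfer-rx, transfer-tx, persistent-keepalive). The sample dump, its placeholder keys and the 180-second staleness threshold are constructed assumptions.

```python
"""Triage WireGuard peers from `wg show <iface> dump` output.

Added example (not from the issue thread or the wireguard-vyatta-ubnt
project). Relies on the documented tab-separated `wg show <iface> dump`
format. latest-handshake is a Unix timestamp, 0 if the peer has never
completed a handshake. SAMPLE_DUMP below is constructed; the keys are
placeholders, not real keys.
"""
import subprocess
import time
from dataclasses import dataclass
from typing import Optional

# WireGuard rekeys roughly every two minutes while traffic flows; a handshake
# older than this means the peer is idle or its packets no longer arrive.
HANDSHAKE_STALE_SECONDS = 180  # assumption, not a WireGuard constant

# Constructed sample: interface line plus two peers. Peer 1 handshaked 40s
# before NOW; peer 2 has never handshaked and has no counters, which is what
# the router shows when UDP never reaches wg0 or the keys do not match.
NOW = 1_700_000_000
SAMPLE_DUMP = (
    "PRIVATE_KEY_PLACEHOLDER=\tSERVER_PUB_PLACEHOLDER=\t12345\toff\n"
    "PHONE_PUB_PLACEHOLDER=\t(none)\t203.0.113.7:11860\t10.250.250.2/32\t"
    f"{NOW - 40}\t18432\t25600\toff\n"
    "LAPTOP_PUB_PLACEHOLDER=\t(none)\t(none)\t10.250.250.3/32\t0\t0\t0\toff\n"
)


@dataclass
class Peer:
    public_key: str
    endpoint: str
    allowed_ips: str
    latest_handshake: int  # Unix time, 0 = never
    rx_bytes: int
    tx_bytes: int


def parse_wg_dump(dump: str) -> list:
    """Parse `wg show <iface> dump` text into Peer records; the interface line is skipped."""
    lines = [ln for ln in dump.splitlines() if ln.strip()]
    peers = []
    for line in lines[1:]:
        f = line.split("\t")
        if len(f) < 8:
            raise ValueError(f"unexpected wg dump line: {line!r}")
        peers.append(Peer(f[0], f[2], f[3], int(f[4]), int(f[5]), int(f[6])))
    return peers


def diagnose(peer: Peer, now: Optional[int] = None) -> str:
    """Classify one peer: no handshake at all points at port forwarding, the
    WAN_LOCAL rule or the keys; a recent handshake means the tunnel is up."""
    now = int(time.time()) if now is None else now
    if peer.latest_handshake == 0:
        return "no handshake ever: check port forward, WAN_LOCAL rule, and keys"
    age = now - peer.latest_handshake
    if age > HANDSHAKE_STALE_SECONDS:
        return f"stale: last handshake {age}s ago"
    return f"ok: last handshake {age}s ago, rx={peer.rx_bytes} tx={peer.tx_bytes}"


def triage(dump: str, now: Optional[int] = None) -> dict:
    """Map each peer's public key to its diagnosis."""
    return {p.public_key: diagnose(p, now) for p in parse_wg_dump(dump)}


def triage_live(iface: str = "wg0") -> dict:
    """Run `wg show <iface> dump` on this host (needs root) and triage it."""
    out = subprocess.run(["wg", "show", iface, "dump"], check=True,
                         capture_output=True, text=True).stdout
    return triage(out)


if __name__ == "__main__":
    for key, verdict in triage(SAMPLE_DUMP, NOW).items():
        print(f"{key[:12]}...  {verdict}")
```

On the ER-X, `sudo python3 wgtriage.py` with `triage_live()` in place of the sample gives the same verdict per peer. Note that WireGuard silently discards packets whose handshake does not verify, so a peer that never handshakes cannot be distinguished from one whose packets never arrive by looking at `wg` alone; that is where the firewall log comes in.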

Thank you all for your help, you've given me some things to think about. Will report back asap.

Still no joy :-( . Is it easy to test port forwarding to WireGuard, as I thought it wasn't chatty? i.e. as it's UDP, it won't respond unless you initiate an open connection correctly?

I've found it, more by luck than judgement: I turned on logging for the firewall rule and saw the packets being dropped on the ERX. I did all I could on the WireGuard rule but nothing would allow it......

Until I changed the default WAN_LOCAL rule 10 to allow NEW connections.

I believe, due to the fact that the rule is higher than the WireGuard rule, it drops new connections before it even gets to the WireGuard rule.

Am I doing something really bad by allowing this?

name WAN_LOCAL {
    default-action drop
    description "WAN to router"
    enable-default-log
    rule 10 {
        action accept
        description "Allow established/related"
        log disable
        state {
            established enable
            invalid disable
            new enable
            related enable
        }
    }

I can't imagine that this should be the fix, as otherwise it would have affected anyone who was instantiating a connection externally and would have been noticed a long time ago ? Unless all the connections normally get established outbound which would negate the need for the firewall rule anyway. What have I done wrong ?

dc361 commented

Adding new enable to your rule 10 is definitely bad as it allows any probe from the internet to interact with your router. The proper place for the "new enable" is in the wireguard port rule 20. When the new connection on the proper port is forwarded to the wireguard software the handshake with appropriate keys will determine if any data gets through.

Yeah you should probably put your rule 10 back the way it was. Although you are double-firewalled right now with the ISP router in front of your edgerouter, so it's not like any random internet user can try to SSH into the edgerouter at the moment. I guess if you're confident in the ISP router's firewall you could leave things the way you have them, just be aware that this basically disables the WAN_LOCAL firewall.

It is tough to test port forwarding with Wireguard, as you mentioned it isn't chatty and uses UDP. But since opening up rule 10 fixes your issue, I think port forwarding on your ISP router must be working fine.

You said "I turned on logging for the firewall rule and saw the packets being dropped on the ERX". I noticed in your config snippet, you have enable-default-log which logs the default action, but you have logging disabled for rule 10. This means the drops you were seeing in the log were the result of the default rule and not rule 10. So rule 10 isn't dropping them, and rule 20 isn't accepting them either, which is why they're hitting the default rule. You could try "set firewall name WAN_LOCAL rule 20 state new enable" as dc361 mentioned. It won't hurt but I don't think it will solve the problem. I never specify a state on firewall rules like this and my understanding is the edgerouter applies the rule to all states if you don't specify one.

Could you post one of those log events? Remove your IP address from it before you post. That might help to figure out what's happening. Here's a sample of one of mine for a successful connection

[WAN_LOCAL-110-A]IN=eth1.3000 OUT= MAC=[REMOVED] SRC=[PHONE IP] DST=[ROUTER WAN IP] LEN=176 TOS=0x00 PREC=0x00 TTL=120 ID=47689 PROTO=UDP SPT=11860 DPT=51820 LEN=156

Jan 17 18:36:13 ubnt kernel: [WAN_LOCAL-default-D]IN=eth1 OUT= MAC=xx:xx:xx:etc SRC=192.168.1.1 DST=192.168.1.3 LEN=176 TOS=0x00 PREC=0x00 TTL=63 ID=35371 DF PROTO=UDP SPT=59823 DPT=12345 LEN=156
Jan 17 18:36:09 ubnt kernel: [WAN_LOCAL-default-D]IN=eth1 OUT= MAC=xx:xx:xx:etc SRC=192.168.1.1 DST=192.168.1.3 LEN=176 TOS=0x00 PREC=0x00 TTL=63 ID=34989 DF PROTO=UDP SPT=59823 DPT=12345 LEN=156

I know in theory all packets will be dumped unless they match a rule, and if they match the rule then they'll be passed on, but it only works when I do it on rule 10. Everything is the same on rule 20 apart from the protocol specifically being set to udp, but it doesn't work.
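The log prefix `[WAN_LOCAL-default-D]` versus `[WAN_LOCAL-110-A]` is what settles the question raised above: EdgeOS tags each logged packet with `[<ruleset>-<rule>-<action>]`, where rule is a number or `default` and the action letter is A for accept or D for drop, followed by the usual iptables KEY=VALUE fields. The script below is an added example (not from this thread or the wireguard-vyatta-ubnt project) that attributes log lines to the rule that produced them and reports whether the WireGuard port is actually being matched by the intended rule. The sample lines are constructed after the ones posted above, with placeholder addresses; the `explain()` helper and its wording are mine.

```python
"""Attribute EdgeOS firewall log lines to the rule that produced them.

Added example, not from the issue thread. Parses the kernel log prefix
`[<ruleset>-<rule>-<action>]` (rule is a number or `default`; action A =
accept, D = drop) and the iptables-style KEY=VALUE fields after it.
SAMPLE_LOG is constructed after the lines posted in the thread.
"""
import re
from collections import Counter
from typing import Optional

PREFIX_RE = re.compile(
    r"\[(?P<ruleset>[A-Za-z0-9_]+)-(?P<rule>\d+|default)-(?P<action>[A-Z])\]")
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
ACTIONS = {"A": "accept", "D": "drop"}  # other letters are reported as-is

# Constructed sample: two WireGuard packets hitting the default drop, one
# unrelated SSH probe, and one WireGuard packet accepted by rule 20.
SAMPLE_LOG = """\
Jan 17 18:36:09 ubnt kernel: [WAN_LOCAL-default-D]IN=eth1 OUT= MAC=xx:xx:xx:etc SRC=192.168.1.1 DST=192.168.1.3 LEN=176 TOS=0x00 PREC=0x00 TTL=63 ID=34989 DF PROTO=UDP SPT=59823 DPT=12345 LEN=156
Jan 17 18:36:13 ubnt kernel: [WAN_LOCAL-default-D]IN=eth1 OUT= MAC=xx:xx:xx:etc SRC=192.168.1.1 DST=192.168.1.3 LEN=176 TOS=0x00 PREC=0x00 TTL=63 ID=35371 DF PROTO=UDP SPT=59823 DPT=12345 LEN=156
Jan 17 18:36:20 ubnt kernel: [WAN_LOCAL-default-D]IN=eth1 OUT= MAC=xx:xx:xx:etc SRC=198.51.100.9 DST=192.168.1.3 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 17 18:40:01 ubnt kernel: [WAN_LOCAL-20-A]IN=eth1 OUT= MAC=xx:xx:xx:etc SRC=192.168.1.1 DST=192.168.1.3 LEN=176 TOS=0x00 PREC=0x00 TTL=63 ID=40001 DF PROTO=UDP SPT=59823 DPT=12345 LEN=156
"""


def parse_line(line: str) -> Optional[dict]:
    """Return ruleset/rule/action plus proto, src, dst, dpt for a firewall log line, else None."""
    m = PREFIX_RE.search(line)
    if not m:
        return None  # not a firewall log line
    rec = m.groupdict()
    rec["action"] = ACTIONS.get(rec["action"], rec["action"])
    fields = dict(FIELD_RE.findall(line[m.end():]))  # later duplicates (LEN) win, harmless here
    rec["proto"] = fields.get("PROTO")
    rec["src"] = fields.get("SRC")
    rec["dst"] = fields.get("DST")
    rec["dpt"] = int(fields["DPT"]) if fields.get("DPT", "").isdigit() else None
    return rec


def rule_counts(log: str, dport: Optional[int] = None,
                proto: Optional[str] = None) -> Counter:
    """Count lines per (ruleset, rule, action), optionally filtered by destination port and protocol."""
    counts = Counter()
    for line in log.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if dport is not None and rec["dpt"] != dport:
            continue
        if proto is not None and rec["proto"] != proto:
            continue
        counts[(rec["ruleset"], rec["rule"], rec["action"])] += 1
    return counts


def explain(log: str, ruleset: str, expected_rule: str, dport: int,
            proto: str = "UDP") -> str:
    """Say whether proto/dport is accepted by expected_rule or is falling through
    to some other rule (the default action, in the thread's case)."""
    counts = rule_counts(log, dport, proto)
    hits = {(r, a): n for (rs, r, a), n in counts.items() if rs == ruleset}
    if not hits:
        return f"no {proto}/{dport} packets logged in {ruleset}: nothing reached the router"
    accepted = hits.get((expected_rule, "accept"), 0)
    others = {k: n for k, n in hits.items() if k != (expected_rule, "accept")}
    if others:
        desc = ", ".join(f"rule {r} {a} x{n}" for (r, a), n in sorted(others.items()))
        return (f"{proto}/{dport} is NOT consistently matched by rule {expected_rule} "
                f"(accepted x{accepted}); also hit: {desc}")
    return f"{proto}/{dport} accepted by rule {expected_rule} x{accepted}"


if __name__ == "__main__":
    for key, n in sorted(rule_counts(SAMPLE_LOG).items()):
        print(f"{key}: {n}")
    print(explain(SAMPLE_LOG, "WAN_LOCAL", "20", 12345))
```

Feed it `show log | match WAN_LOCAL` output (or `/var/log/messages`) and a `default-D` count on UDP/12345 means the accept rule is simply not matching, so the thing to inspect is that rule's text, not rule 10. The posted lines also show SRC=192.168.1.1, i.e. the ISP router rewrites the source of forwarded packets to its own LAN address, so a WAN_LOCAL rule that filtered on the phone's public source address would never match either.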

dc361 commented

Did you check the stats for your firewall rule to see if the packets are getting through the correct firewall rule? Also check the rule closely again please to make sure there isn't a funny character or space where it shouldn't be found.

Okay, it seems to be working now. I completely deleted the rule and created it again. I know it seems odd, but sometimes it just seems flaky when doing it through the web page and/or SSH. Modifying it didn't work and the exported configuration looks exactly the same, but now it's working. Thanks all.

I don't know if GitHub does DMs, but if you pass on your PayPal email addresses I'll drop each of you $5 for the attempt at assistance. Cheers

dc361 commented

Congratulations! No need to send along the $5, as I was glad to help.

Yeah I'm just glad you got it working. I was really scratching my head when I saw your firewall rule there.

If you want to send money to someone, you could send it here https://www.wireguard.com/donations/ . None of us would be here without Jason and company.

dc361 commented

Hi, just to let you know I did donate to Jason as soon as I got it working. It really is a powerful piece of simple software which is perfect for my needs. Thanks :-)