tusc / wireguard-kmod

WireGuard for UDM series routers
https://www.wireguard.com/

Wireguard tunnel is up but nothing reachable #58

Closed shepart closed 2 years ago

shepart commented 2 years ago

Hi,

I did everything as described in the instructions: https://github.com/tusc/wireguard-kmod. I can connect to the wireguard server and the tunnel is up and running correctly.

My problem is, I can't reach anything.

I'm surprised that I see the client's public IP in the logs instead of the client's WG interface IP:

Mar 30 09:13:04 ubnt user.warn kernel: [ 4247.003212] IN=eth8 OUT= MAC=78:45:58:e4:33:81:06:b5:5d:1f:7d:fe:08:00 SRC=202.61.x.x DST=91.65.x.x LEN=176 TOS=0x00 PREC=0x00 TTL=53 ID=26432 PROTO=UDP SPT=32940 DPT=51825 LEN=156

My environment:

UDM-PRO 1.11.4
Corporate network: 192.168.20.0/24

wg server config

[Interface]
Address = 192.168.20.10/24
ListenPort = 51825
PrivateKey = 4B2dbxxxxxxxxxxxxxxxxxxxxxxxxxxmyLxyVHs=
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o br0 -j MASQUERADE
[Peer]
PublicKey =  HnUZ5K8xxxxxxxxxxxxxxxxxxxxxxxlJTQqtn4=
AllowedIPs = 192.168.20.11/32

wg client config

[Interface]
Address = 192.168.20.11/32
PrivateKey = MPx7f4GxxxxxxxxxxxxxxxxxxxxxxxxxxvrPbno=

[Peer]
PublicKey = lhZCxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx18=
Endpoint = x.x.x.x:51825
AllowedIPs = 192.168.20.0/24
PersistentKeepalive = 25

Firewall rules as described in the instructions.

Do you have any ideas?

peacey commented 2 years ago

Hi @shepart,

I see a couple problems with your configuration.

First, the wireguard subnet should not be the same as any UDMP network. It should be a completely unique subnet not overlapping any UDMP network subnets. If it's the same as another UDMP subnet, the router will have the same subnet route attached to the wireguard tunnel and the UDMP network interface, and it will cause issues with routing being confused where to go.

Second, you shouldn't be adding any masquerade rules on the UDMP for br0. That will definitely screw up your LAN. You should remove the PostUp/PostDown entries from your wireguard server config and restart the UDMP for a fresh start. The UDMP is the wireguard server, correct?

Third, once you fix the subnet and masquerade, you should run wg and see if you are getting a handshake. If you are getting a handshake, try to ping the wireguard client from the UDMP.

Finally, your log entry that you showed is for your WAN interface eth8, so of course it's going to show the WAN IP. When you send a packet on the wireguard tunnel, wireguard encrypts the packet and sends the encrypted packet on the WAN interface to the peer's WAN IP. You are seeing the encrypted packet in your log. If you want to see the WG IP packets (as in the unencrypted packets), you should look at packets on the wireguard tunnel interface, wg0.

shepart commented 2 years ago

@peacey 🥇 you are my hero. Now it works! How can I donate to you?

Putting the UDMP network and WG network together was the problem. My masquerade rules were desperation :)

Yes the UDMP is my wireguard server.

One more question: how can I look at the packets on the wireguard tunnel interface, wg0, on the UDMP?

peacey commented 2 years ago

No problem! You should ask @tusc how to donate. He is the owner of the project.

To look at packets on wg0, use tcpdump in SSH on UDMP:

tcpdump -i wg0

shepart commented 2 years ago

Thanks @tusc, please send me some donation information.

shepart commented 2 years ago

@peacey

I am confused now. First I used this manual: https://github.com/boostchicken-dev/udm-utilities/wiki/Run-a-Wireguard-VPN-server-on-UDM-Pro

Look at Step 1 there. You told me the "wireguard subnet should not be the same as any UDMP network" and I understand that, but I do not understand how I can now access a VLAN on the UDMP from the VPN client.

I cannot select the wireguard network in the UDMP firewall setup drop-down menu. If I allow any/any in "LAN IN" it makes no difference.

peacey commented 2 years ago

@shepart, that tutorial is telling you to create a non-DHCP network. So there is no subnet attached to it. They do that there to help with firewall rules if you want to be more strict, but none of that is necessary. You only really need the WAN LOCAL firewall rule for your wireguard port.

Your configuration should work fine without any of that additional setup. However, if you want to access a UDMP LAN subnet from wireguard, you need to add the UDMP LAN subnet to AllowedIPs on the client wireguard config. So you'll need to add both the wireguard subnet and UDMP subnet to the AllowedIPs. For example, assuming 10.0.33.0/23 is the wireguard subnet you're using, and 192.168.20.0/24 is the UDMP LAN subnet, then the client wireguard config should have:

AllowedIPs = 10.0.33.0/24,192.168.20.0/24
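
As an added example (not from this thread or the wireguard-kmod project), here is a small Python checker for the three points peacey makes above: a WireGuard subnet that overlaps a UDMP LAN subnet, MASQUERADE in PostUp/PostDown on the router side, and a client AllowedIPs that does not cover a LAN subnet it is meant to reach. The LAN list and both configs are constructed sample values, and the function names are my own.

```python
# Added example, not from the thread: flags the misconfigurations peacey describes
# (WG subnet overlapping a UDMP LAN subnet, MASQUERADE in PostUp/PostDown) and the
# LAN subnets a client cannot reach because its AllowedIPs does not cover them.
# Sample configs below are constructed; key material is left out on purpose.
import ipaddress

LAN_SUBNETS = ["192.168.20.0/24", "192.168.110.0/24"]   # constructed UDMP LANs
BAD_SERVER = """[Interface]
Address = 192.168.20.10/24
PostUp = iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE
[Peer]
AllowedIPs = 192.168.20.11/32
"""
CLIENT = """[Interface]
Address = 10.0.33.2/32
[Peer]
AllowedIPs = 10.0.33.0/24,192.168.20.0/24
"""

def parse_wg(text):
    """Minimal wg-quick parser: {'Interface': {...}, 'Peer': [{...}, ...]}."""
    cfg, cur = {"Interface": {}, "Peer": []}, None
    for line in text.splitlines():
        line = line.split("#")[0].strip()          # drop comments and whitespace
        if line.startswith("[Peer]"):
            cur = {}
            cfg["Peer"].append(cur)
        elif line.startswith("[Interface]"):
            cur = cfg["Interface"]
        elif "=" in line and cur is not None:
            key, _, value = line.partition("=")
            cur[key.strip()] = value.strip()
    return cfg

def check_server(text, lan_subnets):
    """Problems in the router-side config: subnet overlap and masquerade hooks."""
    iface = parse_wg(text)["Interface"]
    wg_net = ipaddress.ip_interface(iface["Address"]).network
    issues = [f"wg subnet {wg_net} overlaps LAN {lan}" for lan in lan_subnets
              if wg_net.overlaps(ipaddress.ip_network(lan))]
    issues += [f"{hook} contains MASQUERADE (not needed on the UDMP)"
               for hook in ("PostUp", "PostDown") if "MASQUERADE" in iface.get(hook, "")]
    return issues

def unreachable_lans(text, lan_subnets):
    """LAN subnets no AllowedIPs entry of the client covers (never routed into wg0)."""
    allowed = [ipaddress.ip_network(a.strip()) for peer in parse_wg(text)["Peer"]
               for a in peer.get("AllowedIPs", "").split(",") if a.strip()]
    return [lan for lan in lan_subnets
            if not any(ipaddress.ip_network(lan).subnet_of(a) for a in allowed)]
```

Running `check_server(BAD_SERVER, LAN_SUBNETS)` reproduces both problems from the first post, and `unreachable_lans(CLIENT, LAN_SUBNETS)` shows that the second VLAN still needs to be listed in AllowedIPs before the client can reach it.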

shepart commented 2 years ago

@peacey It means everybody can get access everywhere if he knows the right networks, and I can do nothing to prevent this? My plan is to allow access for different wg clients via multiple wg interfaces (e.g. wg0, wg1) to different VLANs. I will decide the allowed networks, not the user :)

Or am I thinking too complicated?

peacey commented 2 years ago

If you want more security like blocking access to other networks, you should add firewall rules on the UDMP to block that access.

But I recommend getting it working without any extra firewall rules first for your sanity, then add the blocking firewall rules and test again to see if it's still working.

shepart commented 2 years ago

@peacey Ok, if I have more questions I will report.

big thanks

shepart commented 2 years ago

@peacey sorry, I need help. I have access to any VLAN/subnet which is defined on the UDM after connecting wireguard with all allowed IPs/subnets. How can I block access to subnet 192.168.110.0/24 from my wireguard client 192.168.100.11 via the UDMP firewall and not the WG client configuration?

I created a test rule with:

[screenshot of the 2nd test rule not captured]

access to client 192.168.110.50 in subnet 192.168.110.0/24 is not possible but to the gateway of the subnet 192.168.110.1.

What did I do wrong?

shepart commented 2 years ago

For the firewall rules, which type do I need for the wireguard clients on the UDMP? LAN local? Because the wg clients are "internal" in the UDMP, or which type is the right one?

shepart commented 2 years ago

OK, I figured out that the UDMP UI doesn't know the wg interface(s), so I cannot create rules for the wireguard interface/networks, correct?

peacey commented 2 years ago

Hi @shepart,

Sorry for my late reply. Firewall rules won't work as-is because, as you found out, the UDMP doesn't consider wg0 part of its firewall groups (LOCAL/IN/OUT).

You will have to manually add the wireguard interface to their firewall groups in SSH first, then you can use Unifi Network to add rules in the GUI like you would any other network.

See this post on how to add the wireguard interface to the firewall groups.

shepart commented 2 years ago

perfect, THANKS!!!