Correct calculation of WireGuard client IP?

I have a Brume 2. On my WireGuard server configuration, I have my IPv4 Address set to 10.0.0.233/29. DHCP operates in 10.0.0.100 to 10.0.0.199. Below that, I use for manual assignments.

When I add a profile, the Client IP calculates as 10.0.0.2/29.

If this is the IP that will be assigned to my “iPhone”, as the client, is this Client IP calculation appropriate? I was expecting a calculation of 10.0.0.234. I say expecting, but it’s more like, hoping, because I hope I’m right about what this number means. For context, I only, today, looked up what this /# means after the IP address (TIL about CIDR Notation).

Adding to the/my confusion, the Virtual IP that my iPhone is assigned doesn’t (appear to) match: 10.0.0.2/32

Is that screenshot of Reddit of r/openwrt or r/networking or the like? If so please reset your Brume 2 back to the stock settings & discard any configuration changes/files instead of keeping them when you then upgrade the firmware to the latest stable version (GL GUI → System → Upgrade).

The GL GUI handles much of the ‘heavy lifting’ behind the scenes in OpenWrt (the underlying OS) already. You’re looking to reset to a clean slate.

Once WG is up & running as expected then worry about SMB.

I have not performed any of the ipv4 commands. To avoid further confusion, I have removed that section from my original post.

I am in the process of resetting (hold for 10 seconds) the Brume 2, multiple times over the past few days, in aim of my desired setup.

I have been able to see up/down data from my connected client in the VPN dashboard and the WireGuard app in my iPhone. I have had inconsistent and unrepeatable results with accessing any resources on my network through the WireGuard VPN. All of these resources are available when I’m on the LAN.

This situation has led me looking for things that don’t seem right to my extremely newbie eyes. I noticed that the Virtual IP seems off, thus this post.

So, back to the question about WG - the calculated IP address - the Virtual IP that my “iPhone” is assigned doesn’t (appear to) be correct. Is it?: 10.0.0.2/32

That’s a valid subnet (/32) for one IP address. It seems fine. Here’s what a WG conf looks like for Proton VPN’s free level VPN service:

[Interface]
# Bouncing = 0
# NAT-PMP (Port Forwarding) = off
# VPN Accelerator = on
PrivateKey = [redacted]=
Address = 10.2.0.2/32
DNS = 10.2.0.1

[Peer]
# US-FREE#311051
PublicKey = [redacted]=
AllowedIPs = 0.0.0.0/0
Endpoint = 146.70.147.98:51820

The ‘#’ are just comments; they wouldn’t do anything as far as we’re concerned (they’re Proton VPN specific for their paid tier). This is an example of the conf file that your iPhone WG app would use or if you were to ‘drag & drop’ the file into GL GUI → VPN → WireGuard Client → Add Configuration → Upload File.

The [Peer]'s Endpoint would be the VPN ‘server’ IP the Client app/device connects to. :51820 is the standard UDP port for WG.

When you set up the VPN WG Server on the GL device I would just accept whatever the defaults are. Skip the ‘See More’ option. The resulting conf file to import into your iPhone WG should be just fine. If not, we have a bug to file w/ the devs.

Yeah; it’s why I think it better to work on just establishing the WG link first before going in & compounding matters. One step at a time, as it were.

It’s the last part of the IP address that seems wrong.

On the WG server, I’ve set the ipv4 value to 10.0.0.233/29

.233/29 - what I want from this is for the WG server to only assign IP addresses from .234 and above (.235, .236, etc. )

But, my one and only configuration has an IP of 10.0.0.2.

That’s not what I wanted (and, it also happens to be a reserved IP address for another machine. )

How can my WG server, with an ipv4 value of 10.0.0.233/29, create a profile with an address of 10.0.0.2/32?

Wait… are you trying to put the DHCP subnet and the VPN WG Server on the same LAN segment? That’s not going to work if you are. Quick & dirty:

  • Set your LAN to the default 192.168.8.0/24. That’ll give you 255 (256 minus the router’s) IPs to assign behind the router.
  • Set your VPN WG Server to whatever the defaults are.
  • Connect up the conf & test a WG client (eg: iPhone) communicates to the Web
  • VPN WG Server is going to have a wholly different IP range & subnet for the VPN than your LAN
  • GL GUI has other options for allowing inter-LAN resources to communicate to WG Clients via the WG Server

LAN Network Defaults

GL GUI → Network → LAN:

  • Router IP Address: 192.168.8.1
  • Maximum Number of User: 150
  • Start IP Address: 192.168.8.100
  • End IP Address: 192.168.249
  • DHCP Gateway: Optional # ie: no value

(Assumes firmware 4.2.1-release4)

Thanks. Starting over this time yielded the results I was after.

My lan still exists at 10.0.0.x; Brume 2 = 10.0.0.1

WG’s tunnel address is 10.0.8.1/24 (so as not to conflict with the default Open VPN server (which I am not using at the moment)) and I have both masquerading and Allow Remote Access LAN enabled. I took the defaults for the client config.

With my iPhone disconnected from wifi, I connected to the VPN and could get to the Brume 2 admin page at 10.0.0.1. Not only that, but I could actually get to my SMB server, on my Mac, using my Mac’s IP address of 10.0.0.2.

This is really good, and exactly the use case for my Brume 2 (which I kinda enjoy, having had tinkered with OpenWRT back in 2005/6).

I have another question about DNS, but I’ll ask that in a separate thread. Thanks again.

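Added example, not part of any post in the thread: a Python check of the addressing discussed above, showing which network 10.0.0.233/29 actually names and whether a WireGuard tunnel subnet collides with the LAN plan. The /24 LAN prefix length and the 10.0.8.2/32 client address are assumptions; the other addresses are the ones quoted in the thread.

```python
import ipaddress

def describe_interface(addr_cidr):
    """Return (network, first_host, last_host) for an address such as 10.0.0.233/29."""
    iface = ipaddress.ip_interface(addr_cidr)
    hosts = list(iface.network.hosts())
    return iface.network, hosts[0], hosts[-1]

def client_in_tunnel(client_cidr, server_cidr):
    """True if the client's Address lies inside the server's tunnel subnet."""
    client = ipaddress.ip_interface(client_cidr).ip
    return client in ipaddress.ip_interface(server_cidr).network

def tunnel_conflicts(tunnel_cidr, lan_cidr, dhcp_start, dhcp_end, reserved):
    """List the ways a WireGuard tunnel subnet collides with the LAN addressing plan."""
    tunnel = ipaddress.ip_interface(tunnel_cidr).network
    lan = ipaddress.ip_network(lan_cidr)
    problems = []
    if tunnel.overlaps(lan):
        problems.append(f"tunnel {tunnel} overlaps LAN {lan}")
    # The DHCP pool as the minimal set of CIDR blocks covering start..end
    pool = ipaddress.summarize_address_range(
        ipaddress.ip_address(dhcp_start), ipaddress.ip_address(dhcp_end))
    if any(tunnel.overlaps(block) for block in pool):
        problems.append(f"tunnel {tunnel} overlaps DHCP pool {dhcp_start}-{dhcp_end}")
    for name, ip in reserved.items():
        if ipaddress.ip_address(ip) in tunnel:
            problems.append(f"tunnel {tunnel} contains reserved address {ip} ({name})")
    return problems

# Addressing plan from the thread; the /24 LAN prefix length is an assumption.
LAN = "10.0.0.0/24"
DHCP = ("10.0.0.100", "10.0.0.199")
RESERVED = {"Mac": "10.0.0.2", "Brume 2": "10.0.0.1"}

if __name__ == "__main__":
    net, first, last = describe_interface("10.0.0.233/29")
    print(f"10.0.0.233/29 is in {net}, usable hosts {first} to {last}")
    print("10.0.0.2/32 inside that tunnel:", client_in_tunnel("10.0.0.2/32", "10.0.0.233/29"))
    for tunnel in ("10.0.0.233/29", "10.0.8.1/24"):
        print(tunnel, "->", tunnel_conflicts(tunnel, LAN, *DHCP, RESERVED) or "no conflicts")
```

The /29 suffix defines an 8-address block (10.0.0.232 to 10.0.0.239), not a starting point for assignment, and that block sits inside the LAN; the 10.0.8.1/24 tunnel used in the final working setup does not.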