Hello guys. I am trying to setup a s2s vpn connection between my Slate AX wireguard server at the office and RPi4 OpenWrt client at home but after a week a lot of unsuccessful attempts, I was hoping somebody here could help me.
My office Slate AX router (192.168.0.10 WAN and 192.168.1.1 LAN) is behind the ISP modem (which i have access to and the LAN ip is 192.168.0.1). I have started WG server and enabled Lan Access which makes it possible to access all the LAN devices from WG client(from home using RPi4 as client).
However, if i want to access home lan devices from my office, it is not working. The RPi4 is behind my ISP modem too, which i also have access to and i have a third device(a router) where i connect all my home devices whether wifi/cable.
The ISP home modem has a LAN ip 192.168.10.1.
The RPi4 has a LAN ip 192.168.20.1 and the last node (router) has a LAN ip 192.168.3.1.
So i have made sure there are no conflicts when it comes to IPs and tried all the config I could find on the internet regarding my situation but I could not make it work. I have noticed that accessing luci on my Slate Ax shows Unsupported protocol type at the WGSERVER interface.
I will post my config for both devices.
Thank you in advance for any help you might give to me.
Slate AX (Wireguard server at the office):
cat /etc/config/wireguard_server
config servers 'main_server'
option address_v4 '10.0.0.1/24'
option port '51820'
option fwmark '0x80000'
option ipv6_enable '0'
option masq '1'
option private_key 'xxxx='
option public_key 'xxxx='
option access 'ACCEPT'
config peers 'peer_1736'
option name 'home'
option peer_id '1736'
option presharedkey_enable '0'
option dns '64.6.xx.xx'
option allowed_ips '0.0.0.0/0,::/0'
option mtu '1420'
option persistent_keepalive '25'
option public_key 'dxxx='
option private_key 'xxxx='
option client_ip '10.0.0.2/24'
option deprecated '0'
cat /etc/config/firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
list network 'wwan'
option output 'ACCEPT'
option forward 'REJECT'
option mtu_fix '1'
option input 'DROP'
option masq '1'
config forwarding
option src 'lan'
option dest 'wan'
option enabled '1'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled 'false'
config include
option path '/etc/firewall.user'
config include 'nat6'
option path '/etc/firewall.nat6'
option reload '1'
config rule 'process_mark'
option name 'process_mark'
option dest '*'
option proto 'all'
option extra '-m owner --gid-owner 65533'
option target 'MARK'
option set_xmark '0x80000/0x80000'
config rule 'wan_in_conn_mark'
option name 'wan_in_conn_mark'
option src 'wan'
option dest '*'
option set_xmark '0x80000/0x80000'
option target 'MARK'
option extra '-m mark --mark 0x0/0x3f00 -j CONNMARK --set-xmark 0x80000/0x80000'
option enabled '0'
config rule 'lan_in_conn_mark_restore'
option name 'lan_in_conn_mark_restore'
option src 'lan'
option dest '*'
option set_xmark '0x80000/0x80000'
option target 'MARK'
option extra '-m connmark --mark 0x80000/0x80000 -j CONNMARK --restore-mark'
option enabled '0'
config rule 'out_conn_mark_restore'
option name 'out_conn_mark_restore'
option dest '*'
option set_xmark '0x80000/0x80000'
option target 'MARK'
option extra '-m connmark --mark 0x80000/0x80000 -j CONNMARK --restore-mark'
option enabled '0'
config include 'swap_wan_in_conn_mark'
option type 'script'
option reload '1'
option enabled '0'
option path '/etc/firewall.swap_wan_in_conn_mark.sh'
config rule 'block_dns'
option name 'block_dns'
option src '*'
option device 'br-+'
option dest_port '53'
option target 'REJECT'
option enabled '0'
config include 'gls2s'
option type 'script'
option path '/var/etc/gls2s.include'
option reload '1'
config include 'glblock'
option type 'script'
option path '/usr/bin/gl_block.sh'
option reload '1'
config zone
option name 'guest'
option network 'guest'
option forward 'REJECT'
option output 'ACCEPT'
option input 'REJECT'
config forwarding
option src 'guest'
option dest 'wan'
option enabled '1'
config rule
option name 'Allow-DHCP'
option src 'guest'
option target 'ACCEPT'
option proto 'udp'
option dest_port '67-68'
config rule
option name 'Allow-DNS'
option src 'guest'
option target 'ACCEPT'
option proto 'tcp udp'
option dest_port '53'
config include 'vpn_server_policy'
option type 'script'
option path '/etc/firewall.vpn_server_policy.sh'
option reload '1'
option enabled '1'
config rule 'sambasharewan'
option src 'wan'
option dest_port '137 138 139 445'
option dest_proto 'tcpudp'
option target 'DROP'
config rule 'sambasharelan'
option src 'lan'
option dest_port '137 138 139 445'
option dest_proto 'tcpudp'
option target 'ACCEPT'
config rule 'glnas_ser'
option src 'wan'
option dest_port '6000-6002'
option dest_proto 'tcp'
option target 'DROP'
config rule 'webdav_wan'
option src 'wan'
option dest_port '6008'
option dest_proto 'tcp'
option target 'DROP'
config forwarding 'wgserver2wgclient'
option src 'wgserver'
option dest 'wgclient'
option enabled '1'
config forwarding 'wgserver2ovpnclient'
option src 'wgserver'
option dest 'ovpnclient'
option enabled '1'
config rule 'wgserver_allow'
option name 'wgserver_allow'
option target 'ACCEPT'
option src 'wan'
option proto 'udp tcp'
option family 'ipv4'
option dest_port '51820'
option enabled '1'
config zone 'wgserver'
option name 'wgserver'
option output 'ACCEPT'
option mtu_fix '1'
option network 'wgserver'
option masq '1'
option masq6 '1'
option input 'ACCEPT'
option enabled '1'
config forwarding 'wgserver2wan'
option src 'wgserver'
option dest 'wan'
option enabled '1'
config forwarding 'lan2wgserver'
option src 'lan'
option dest 'wgserver'
option enabled '1'
config forwarding 'wgserver2lan'
option src 'wgserver'
option dest 'lan'
option enabled '1'
config zone 'wgclient'
option masq '1'
option masq6 '1'
cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'xx:xx:xx::/48'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth1'
list ports 'eth2'
config device
option name 'eth1'
option macaddr 'xx:xx:xx:xx:xx:xx'
config device
option name 'eth2'
option macaddr 'xx:xx:xx:xx:xx:xx'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option isolate '0'
option ipaddr '192.168.1.1'
config device
option name 'eth0'
option macaddr 'xx:xx:xx:xx:xx:xx'
config interface 'wan'
option device 'eth0'
option force_link '0'
option ipv6 '0'
option proto 'static'
option ipaddr '192.168.0.10'
option gateway '192.168.0.1'
option netmask '255.255.255.0'
option peerdns '0'
option dns '8.8.8.8'
option metric '10'
config interface 'wan6'
option proto 'dhcpv6'
option disabled '1'
option device '@wan'
config switch
option name 'switch0'
option reset '0'
option enable_vlan '0'
config interface 'tethering6'
option proto 'dhcpv6'
option disabled '1'
option device '@tethering'
config interface 'wwan6'
option proto 'dhcpv6'
option disabled '1'
option device '@wwan'
config interface 'guest'
option force_link '1'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.9.1'
option netmask '255.255.255.0'
option ip6assign '60'
option multicast_querier '1'
option igmp_snooping '0'
option isolate '0'
option bridge_empty '1'
option disabled '1'
config interface 'wwan'
option proto 'dhcp'
config rule 'policy_bypass_vpn'
option mark '0x60000/0x60000'
option lookup '53'
option priority '53'
config rule 'policy_via_vpn'
option mark '0x80000/0x80000'
option lookup '52'
option priority '52'
config rule 'policy_dns'
option mark '0x100000/0x100000'
option lookup '51'
option priority '51'
config interface 'wgserver'
option proto 'wgserver'
option config 'main_server'
option disabled '0'
Any config at home on my OpeWrt RPi4 client:
cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'xx:xx:xx::/48'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.20.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'WAN'
option proto 'dhcp'
option device 'eth1'
option peerdns '0'
list dns '64.6.xx.xx'
option metric '20'
config interface 'wg0'
option proto 'wireguard'
option private_key 'xx='
list dns '64.6.xx.xx'
option metric '10'
list addresses '10.0.0.2/24'
config wireguard_wg0
option description 'Imported peer configuration'
option public_key 'xx='
option persistent_keepalive '25'
option endpoint_host 'xx.glddns.com'
option endpoint_port '51820'
list allowed_ips '0.0.0.0/0'
list allowed_ips '::/0'
list allowed_ips '192.168.3.0/24'
option route_allowed_ips '1'
cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option flow_offloading '1'
option flow_offloading_hw '1'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
list network 'WAN'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'vpn'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'wg0'
option masq '1'
config forwarding
option src 'lan'
option dest 'vpn'
config forwarding
option src 'vpn'
option dest 'wan'
config include 'pbr'
option fw4_compatible '1'
option type 'script'
option path '/usr/share/pbr/pbr.firewall.include'
if there are other details you might need, please let me know.
Thank you again.