Wireguard and multiple AllowedIPs

Hi
I have WireGuard blocked, so I use ShadowSocks in UDP tunnel mode for it. I installed it from the OpenWRT packages.

That is, the endpoint looks something like this:
Endpoint = 127.0.0.1:12000 (ss-tunnel local client address)

And for this configuration to work, it is necessary to specify the AllowedIPs correctly in the configuration (the whole Internet 0.0.0.0/0 except the IP address of the VPN server). There are special calculators for this, because WG does not have a DisallowedIPs parameter.

But I cannot add this configuration through the management interface; there is an error (see screenshot).

What can be the reason or what should I do?

PS GL-AXT1800 with 4.1.0
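As an added illustration of what such an "AllowedIPs calculator" does (this is example code written for this page, not something posted in the thread or shipped by GL.iNet): WireGuard has no DisallowedIPs, so "everything except X" has to be expressed as the list of prefixes that cover 0.0.0.0/0 with X cut out. The script below computes that list with Python's standard `ipaddress` module, renders it as a single AllowedIPs line, and splits such a line back into items. The server address 203.0.113.10 is a made-up placeholder from the TEST-NET-3 documentation range; in a setup like the one described, the address to exclude is the host the outer transport actually sends packets to (here the ShadowSocks server), otherwise the tunnel's own traffic gets routed back into the tunnel.

```python
import ipaddress

# Added example, not code from the thread. The server address used below
# (203.0.113.10, TEST-NET-3) is a placeholder, not anything from the original post.


def allowed_ips_excluding(covered, excluded):
    """Return the sorted, collapsed list of prefixes that cover `covered`
    with every prefix in `excluded` carved out.

    This is exactly the set an AllowedIPs line needs, because WireGuard
    has no DisallowedIPs parameter. All prefixes must be the same IP version.
    """
    remaining = [ipaddress.ip_network(covered)]
    for ex in excluded:
        ex_net = ipaddress.ip_network(ex)  # strict: "10.0.1.5/24" is rejected
        kept = []
        for net in remaining:
            if ex_net.subnet_of(net):
                # address_exclude splits `net` into the sibling prefixes that
                # surround ex_net; when ex_net == net it yields nothing.
                kept.extend(net.address_exclude(ex_net))
            elif net.subnet_of(ex_net):
                continue  # net lies entirely inside the excluded prefix: drop it
            else:
                kept.append(net)  # disjoint from the exclusion: keep as is
        remaining = kept
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]


def is_covered(prefixes, address):
    """True if `address` would be routed into the tunnel by this AllowedIPs list."""
    addr = ipaddress.ip_address(address)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def allowed_ips_line(prefixes):
    """Render the list in the single-line form used in wg-quick config files."""
    return "AllowedIPs = " + ", ".join(prefixes)


def split_allowed_ips_line(line):
    """Split an AllowedIPs line back into individual items, the way a GUI that
    stores one prefix per entry would."""
    _, _, value = line.partition("=")
    return [item.strip() for item in value.split(",") if item.strip()]


if __name__ == "__main__":
    # The thread's own example: 10.0.0.0/8 with 10.0.1.0/24 carved out
    # reproduces the 16-entry list from the posted configuration.
    print(allowed_ips_line(allowed_ips_excluding("10.0.0.0/8", ["10.0.1.0/24"])))

    # Whole Internet minus the placeholder server: 32 prefixes, one per bit.
    full = allowed_ips_excluding("0.0.0.0/0", ["203.0.113.10/32"])
    print(len(full), "prefixes; server still covered:", is_covered(full, "203.0.113.10"))
```

Excluding a single /32 from 0.0.0.0/0 always yields 32 prefixes (one sibling at each prefix length), which is why these lists get long and why a GUI that stores one entry per prefix needs to cope with dozens of items. Run `is_covered` against the outer server's address before deploying a generated list; if it returns True, the list is wrong and the tunnel will loop on itself.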

Can you share more configuration details?

What exactly are you interested in? This is what the full configuration looks like, and I can't add it through the router's interface; I get an error like the one in the screenshot above.

[Interface]
Address = 10.201.196.11/24
DNS = 1.1.1.1
PrivateKey = KEY
MTU = 1280

[Peer]
PublicKey = KEY
PresharedKey = KEY
AllowedIPs = 10.0.0.0/24, 10.0.2.0/23, 10.0.4.0/22, 10.0.8.0/21, 10.0.16.0/20, 10.0.32.0/19, 10.0.64.0/18, 10.0.128.0/17, 10.1.0.0/16, 10.2.0.0/15, 10.4.0.0/14, 10.8.0.0/13, 10.16.0.0/12, 10.32.0.0/11, 10.64.0.0/10, 10.128.0.0/9
Endpoint = 127.0.0.1:12345
PersistentKeepalive = 25

This is a valid configuration and it works in the WG client on a PC. This configuration also works with a single AllowedIPs entry.

Alternatively, I can add a route to the VPN server manually in the console, but this is inconvenient because the default gateway of the ISP may be different each time.

Maybe there are options on how I can otherwise make Wireguard work through ShadowSocks?

If you want routing to take effect, you first need to switch the proxy mode to Auto Detect.
I tried your configuration in version 4.2.0 firmware and it works as normal.

Also, I’m curious, why is your endpoint 127.0.0.1? This might cause some exceptions, and I’m not sure if you can connect correctly.

Yes, I switched to that mode. So you imported the configuration without errors? Where can I get this firmware version for my model?

This is the endpoint of the local ShadowSocks ss-tunnel daemon in UDP mode. It tunnels WG traffic to my WG server. This is necessary because my ISP blocks the WG protocol, so I have to pass its traffic through ShadowSocks. This works fine; the only problem is that for some reason I can't get the WG configuration imported, which would automatically assign all the routes necessary for this to work.

Also, thank you for your replies

I casually changed the public key and then added the configuration without encountering an error; I used the 4.2 firmware.

Unfortunately, it didn't help. In 4.2 I have the same error :( However, I am glad to see support for ZeroTier in 4.2, but for some reason it has no "Allow default override" option yet, so it cannot be used as a replacement for WireGuard.

Sorry for my broken English.
I think this problem was caused by item overflow.

AllowedIPs = 10.0.0.0/24, 10.0.2.0/23, 10.0.4.0/22, 10.0.8.0/21, 10.0.16.0/20, 10.0.32.0/19, 10.0.64.0/18, 10.0.128.0/17, 10.1.0.0/16, 10.2.0.0/15, 10.4.0.0/14, 10.8.0.0/13, 10.16.0.0/12, 10.32.0.0/11, 10.64.0.0/10, 10.128.0.0/9

This description was parsed into the following items, and the gl.inet GUI may crash when interpreting them in item mode:

AllowedIPs = 10.0.0.0/24
AllowedIPs = 10.0.2.0/23
AllowedIPs = 10.0.4.0/22
AllowedIPs = 10.0.8.0/21
AllowedIPs = …

Thanks for the feedback, will check and fix it.
