Shooting yourself into the foot with Wireguard
Sunday afternoon. I’m sitting somewhere outside away from home. Suddenly I remember I forgot to switch my roomba on. Ugh. But no worries, I got a Wireguard connection set up, so I can connect to home and switch it on from there.
Hm. Unfortunately I can’t connect to my home router (OpenWRT). Did the dynamic DNS address fail to update again? Now that I think about it, I can’t remember whether I actually ever tested the connection. I tested the connection once when my OpenWRT router was still running in a VM. Maybe I forgot to set up some things?
But hey, no worries, I’ll simply connect to my VPS, and let the Wireguard routing do its job. Just move the AllowedIPs=0.0.0.0/24 setting from the OpenWRT endpoint to the VPS endpoint on the smartphone.
I can ping my VPS’ Wireguard address, but unfortunately, pings to my OpenWRT “do nothing”. ping doesn’t show any output, simply seems stuck. Weird.
Well, okay. After I finished enjoying the outdoors, I went home to try to figure out what went wrong.
Well, let’s see, what are the AllowedIPs…
Hm. Seems good enough. The smartphone pings to the VPS get answered all right. The AllowedIPs match there. On the VPS via SSH, I can… not ping my OpenWRT router. Hm.
Ugh, oh yeah! NAT. Let’s edit the Wireguard config on OpenWRT to send KeepAlive packets. Also, I noticed I didn’t set a firewall INPUT rule in OpenWRT to allow packets from the upstream router to the Wireguard port. Let’s fix that. (That makes the KeepAlive technically unnecessary. However, I want to avoid possible dynamic DNS problems as well. So let my OpenWRT just regularly send a keep-alive.)
So let’s test again… ping from smartphone to VPS works. ping from VPS to OpenWRT works. ping from smartphone to OpenWRT… still stuck. The heck?
Okay, let’s see the configs again. Very carefully.
Well, oops. I still had the smartphone set up as a possible client on OpenWRT. Apparently, the ping from my smartphone went through my VPS to OpenWRT just fine. It was just… when trying to send the ping reply, OpenWRT / Wireguard found the AllowedIPs setting for the smartphone and probably tried to send the reply directly. Which isn’t possible, since the smartphone naturally has no endpoint address set. (And no, there was no routing entry for the smartphone itself.)
So, to test if this is the problem, I removed the AllowedIPs setting for the smartphone from the OpenWRT config. And… the ping works.
I can’t keep it like that, though. So… I added the AllowedIPs setting for the smartphone back, and instead modified the config on Wireguard for Android: let everything Wireguard-internal route via OpenWRT. (Reminder: longest prefix wins. /24 is longer than /0.)
Et voilà! ping still works.
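The cryptokey routing behaviour behind this, as an added example that is not from the post: a small Python model of Wireguard’s longest-prefix AllowedIPs lookup, using constructed addresses and hostnames. It shows OpenWRT picking the endpoint-less smartphone peer for the reply (and dropping it) while that peer is configured, the reply going via the VPS once the peer is removed, and on the phone the /24 entry for OpenWRT winning over the VPS’s 0.0.0.0/0.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Peer:
    name: str
    allowed_ips: List[str]          # the peer's AllowedIPs= entries
    endpoint: Optional[str] = None  # None: no Endpoint= set and none learned yet

def select_peer(peers: List[Peer], dst_ip: str) -> Optional[Peer]:
    """Cryptokey routing lookup: the peer whose AllowedIPs entry covers
    dst_ip with the longest prefix gets the packet."""
    ip = ipaddress.ip_address(dst_ip)
    best, best_len = None, -1
    for peer in peers:
        for cidr in peer.allowed_ips:
            net = ipaddress.ip_network(cidr, strict=False)
            if ip in net and net.prefixlen > best_len:
                best, best_len = peer, net.prefixlen
    return best

def route(peers: List[Peer], dst_ip: str) -> Tuple[str, str]:
    """('send', endpoint) or ('drop', reason) for a packet to dst_ip."""
    peer = select_peer(peers, dst_ip)
    if peer is None:
        return ("drop", "no AllowedIPs entry matches")
    if peer.endpoint is None:
        return ("drop", "peer %s has no endpoint" % peer.name)
    return ("send", peer.endpoint)

# Constructed addresses for this example (not from the post).
WG_NET = "10.9.0.0/24"
ROUTER_WG, PHONE_WG = "10.9.0.2", "10.9.0.3"
VPS_EP, ROUTER_EP = "vps.example.org:51820", "home.dyndns.example.org:51820"

def openwrt_peers(phone_as_peer: bool) -> List[Peer]:
    """OpenWRT's peers; the VPS peer is assumed to carry the whole subnet
    so that it can relay packets for the phone."""
    peers = [Peer("vps", [WG_NET], endpoint=VPS_EP)]
    if phone_as_peer:  # roaming client: no Endpoint= configured
        peers.append(Peer("phone", [PHONE_WG + "/32"]))
    return peers

def phone_peers() -> List[Peer]:
    """Android config after the fix: everything via the VPS, except the
    Wireguard-internal /24, which goes straight to OpenWRT."""
    return [Peer("vps", ["0.0.0.0/0"], endpoint=VPS_EP),
            Peer("openwrt", [WG_NET], endpoint=ROUTER_EP)]
```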
Only… I still couldn’t start my roomba. No wonder, OpenWRT was configured not to allow any FORWARDing from the Wireguard zone. (Masquerading on the Wireguard zone was already enabled, by the way.) So, after adding the zone with my roomba to the list of zones the Wireguard zone is allowed to forward to, I could reach my roomba as well.
All is good… Until the next time something breaks.