USG as wireguard server, Client has no internet connection #100

Open
sunnysk opened this issue Sep 8, 2021 · 9 comments

sunnysk commented Sep 8, 2021

I followed the README usage steps one by one and successfully installed WireGuard on the USG. Then I can use an Android phone to connect to WireGuard, and I can also use the Android phone to visit my NAS server. At this moment my Android phone can't connect to the internet; it only has the LAN connection. I'm not familiar with the router OS, so can anyone help me solve this problem? Thanks a lot.

@sunnysk sunnysk changed the title USG USG as wireguard server has no internet connection Sep 8, 2021
@sunnysk sunnysk changed the title USG as wireguard server has no internet connection USG as wireguard server, Client has no internet connection Sep 8, 2021
dc361 commented Sep 12, 2021

Perhaps someone with USG experience can jump in as I do not have one of the units to test - but - I see that the USG example shows peers connecting only to the network 'inside' the USG and not the internet. Perhaps you would need to add 0.0.0.0/0 to the allowed IPs for your android peer.

sunnysk commented Sep 16, 2021

> Perhaps someone with USG experience can jump in as I do not have one of the units to test - but - I see that the USG example shows peers connecting only to the network 'inside' the USG and not the internet. Perhaps you would need to add 0.0.0.0/0 to the allowed IPs for your android peer.

I was using 0.0.0.0/0 for the Android peer. It still can't visit the internet; it only has the LAN connection.

andreheuer commented

Hi all,
I have the same issue. I can access all local networks (i.e. also VLANs) even though the networks are isolated, but I cannot access any internet (WAN) address/IP. It seems that some routing is missing, but I have no clue where to add it.
Can someone support please?

peacey (Collaborator) commented Nov 17, 2021

I don't have a USG, but this seems like a symptom of not having proper masquerade (SNAT) rules setup for your WAN interface. Either that or there is a firewall rule blocking packets from travelling from WireGuard to WAN.

To really figure out what's happening, I would do a tcpdump on the USG: sudo tcpdump -ni any host 1.1.1.1 then run ping 1.1.1.1 on the WireGuard client. See how the packets travel and if it is being SNATed on the WAN. For a control test, you can do the same tcpdump, but ping from a USG LAN client instead to see what it should look like when it works.

andreheuer commented

Thank you for this hint. It is almost what I expected. The ping is sent out, but no response is received.
This is how it looks from my WireGuard client:

15:57:55.241875 IP 10.0.80.2 > 1.0.0.1: ICMP echo request, id 13479, seq 0, length 64
15:57:55.242096 IP 10.0.80.2 > 1.0.0.1: ICMP echo request, id 13479, seq 0, length 64
15:57:56.247051 IP 10.0.80.2 > 1.0.0.1: ICMP echo request, id 13479, seq 1, length 64
15:57:56.247224 IP 10.0.80.2 > 1.0.0.1: ICMP echo request, id 13479, seq 1, length 64
15:57:57.250794 IP 10.0.80.2 > 1.0.0.1: ICMP echo request, id 13479, seq 2, length 64
15:57:57.250976 IP 10.0.80.2 > 1.0.0.1: ICMP echo request, id 13479, seq 2, length 64

And this is how it looks from a normal client with working internet access:

15:56:41.138409 IP 10.0.10.7 > 1.0.0.1: ICMP echo request, id 2, seq 1, length 64
15:56:41.138662 IP 10.0.10.7 > 1.0.0.1: ICMP echo request, id 2, seq 1, length 64
15:56:41.151375 IP 1.0.0.1 > 10.0.10.7: ICMP echo reply, id 2, seq 1, length 64
15:56:41.151622 IP 1.0.0.1 > 10.0.10.7: ICMP echo reply, id 2, seq 1, length 64
15:56:42.138916 IP 10.0.10.7 > 1.0.0.1: ICMP echo request, id 2, seq 2, length 64
15:56:42.139158 IP 10.0.10.7 > 1.0.0.1: ICMP echo request, id 2, seq 2, length 64
15:56:42.151357 IP 1.0.0.1 > 10.0.10.7: ICMP echo reply, id 2, seq 2, length 64
15:56:42.151553 IP 1.0.0.1 > 10.0.10.7: ICMP echo reply, id 2, seq 2, length 64

However, I cannot tell whether it is a NAT issue or firewall rules blocking the ping reply. Do you have more insights? Your support is really appreciated, thank you!
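The check peacey describes, applied to captures like the two above, as an added example that is not part of the thread and not code from the project: it parses `tcpdump -ni any` ICMP lines, groups them by echo id, and reports whether the client's source address was rewritten on the WAN side (with `-i any` a forwarded packet shows up once per interface, so a masqueraded request appears twice with two different sources) and whether any reply came back. The first two captures are the thread's own lines; the third is constructed, with 203.0.113.5 as an assumed WAN address, to show what a working masquerade looks like.

```python
import re
from dataclasses import dataclass, field

# Added example (not code from the thread or from the project): the diagnosis peacey
# suggests, done over `tcpdump -ni any` output. 203.0.113.5 is an assumed WAN address.

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+), length \d+$"
)


@dataclass
class Flow:
    client: str  # source of the first request seen for this echo id
    request_sources: set = field(default_factory=set)
    request_seqs: set = field(default_factory=set)
    reply_seqs: set = field(default_factory=set)

    @property
    def snat_seen(self) -> bool:
        # Two different sources for the same echo id means the WAN copy was rewritten.
        return len(self.request_sources) > 1


def parse(capture: str) -> dict[int, Flow]:
    """Group ICMP echo lines by echo id; lines that are not ICMP echo are skipped."""
    flows: dict[int, Flow] = {}
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        echo_id, seq = int(m["id"]), int(m["seq"])
        if m["kind"] == "request":
            flow = flows.setdefault(echo_id, Flow(client=m["src"]))
            flow.request_sources.add(m["src"])
            flow.request_seqs.add(seq)
        elif echo_id in flows:
            flows[echo_id].reply_seqs.add(seq)
    return flows


def diagnose(flow: Flow) -> str:
    if flow.reply_seqs:
        return "ok"
    if flow.snat_seen:
        # Source was rewritten on the way out, so the upstream can route the reply
        # back; if nothing returns, suspect a firewall rule or the upstream itself.
        return "snat-no-reply"
    # Request left with its private source and nothing came back: no masquerade on
    # the WAN interface and no route for the client's subnet on the next router.
    return "no-snat-no-reply"


def report(capture: str) -> dict[str, str]:
    return {flow.client: diagnose(flow) for flow in parse(capture).values()}


# WireGuard client, from the thread: the request is seen twice (wg0 and eth0) with
# the same private source, and no reply ever appears.
CAPTURE_VPN = """\
15:57:55.241875 IP 10.0.80.2 > 1.0.0.1: ICMP echo request, id 13479, seq 0, length 64
15:57:55.242096 IP 10.0.80.2 > 1.0.0.1: ICMP echo request, id 13479, seq 0, length 64
15:57:56.247051 IP 10.0.80.2 > 1.0.0.1: ICMP echo request, id 13479, seq 1, length 64
15:57:56.247224 IP 10.0.80.2 > 1.0.0.1: ICMP echo request, id 13479, seq 1, length 64
"""

# LAN client, from the thread: no rewrite either, but replies come back.
CAPTURE_LAN = """\
15:56:41.138409 IP 10.0.10.7 > 1.0.0.1: ICMP echo request, id 2, seq 1, length 64
15:56:41.138662 IP 10.0.10.7 > 1.0.0.1: ICMP echo request, id 2, seq 1, length 64
15:56:41.151375 IP 1.0.0.1 > 10.0.10.7: ICMP echo reply, id 2, seq 1, length 64
15:56:41.151622 IP 1.0.0.1 > 10.0.10.7: ICMP echo reply, id 2, seq 1, length 64
"""

# Constructed: a working masquerade on the WAN interface. The eth0 copy carries the
# WAN address and the reply is un-NATed back to the client. Assumes masquerade keeps
# the echo id (it only rewrites the id on collisions).
CAPTURE_MASQ = """\
16:02:10.100000 IP 10.0.80.2 > 1.0.0.1: ICMP echo request, id 777, seq 0, length 64
16:02:10.100200 IP 203.0.113.5 > 1.0.0.1: ICMP echo request, id 777, seq 0, length 64
16:02:10.113000 IP 1.0.0.1 > 203.0.113.5: ICMP echo reply, id 777, seq 0, length 64
16:02:10.113200 IP 1.0.0.1 > 10.0.80.2: ICMP echo reply, id 777, seq 0, length 64
"""

if __name__ == "__main__":
    for name, cap in (("vpn", CAPTURE_VPN), ("lan", CAPTURE_LAN), ("masq", CAPTURE_MASQ)):
        print(name, report(cap))
```

Run it against `sudo tcpdump -ni any icmp` output saved to a file; the control capture from a LAN client should come out `ok`, and a VPN client that reports `no-snat-no-reply` has no return path at all, so the fix is either a masquerade rule on the WAN interface or a route for the VPN subnet on the next router upstream.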

peacey (Collaborator) commented Nov 20, 2021

Hi @andreheuer,

Surprisingly, I don't see the NAT in the output in either case. Did you do a tcpdump on "any" interface or just on your LAN interface? Can you do a tcpdump on your WAN interface and try again? You are doing the tcpdump directly on the USG in SSH, not the clients right? Also, is 10.10.10.0/24 your WAN subnet or LAN subnet?

Also, is there a way to export all your firewall rules and show them? This way we can inspect them to see if they're blocking forwarding packets or not doing masquerade. I think you can export your whole config by running mca-ctrl -t dump-cfg. Copy all of it and paste it in a text file and upload it here.

andreheuer commented Nov 20, 2021

Hi @peacey,

you pointed me directly to my issue. It seemed to be a layer 8 problem ;-) I have a kind of double NAT, as behind the USG there is another router. As I had created a new network for the WireGuard users, I almost forgot to add a static route to this first router. Now I have added the static route and internet routing works like a charm!

Thank you!
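A longest-prefix routing model of the double-NAT layout described in this comment, as an added example that is not andreheuer's configuration or code from the project: the USG's WAN interface sits on a transit network behind a "first router" that owns the internet uplink, so that router is where every reply from the internet arrives and has to be routed back. The subnets 10.0.80.0/24 (wg0) and 10.0.10.0/24 (LAN) are the ones from the thread; the transit network 192.168.1.0/24 with the USG at 192.168.1.2 and the router names are assumptions.

```python
import ipaddress

# Added example (not andreheuer's config or the project's code). Models the return
# path for replies in the double-NAT topology from the comment above. The transit
# net 192.168.1.0/24 and the USG's WAN address 192.168.1.2 are assumptions.


class Router:
    def __init__(self, name: str, routes):
        # routes: (prefix, next hop) pairs; the next hop is another router's name,
        # "local" for a directly attached network, or "isp" for the uplink.
        self.name = name
        self.table = [(ipaddress.ip_network(prefix), nh) for prefix, nh in routes]

    def lookup(self, dst: str):
        """Longest-prefix match; None when no entry covers dst."""
        addr = ipaddress.ip_address(dst)
        matches = [entry for entry in self.table if addr in entry[0]]
        if not matches:
            return None
        return max(matches, key=lambda entry: entry[0].prefixlen)[1]


def reply_path(routers: dict, start: str, dst: str) -> list:
    """Hops a reply addressed to dst takes, starting at router `start`."""
    path, hop = [start], start
    while True:
        nh = routers[hop].lookup(dst)
        if nh is None:
            return path + ["no-route"]
        if nh == "local":
            return path + ["delivered"]
        path.append(nh)
        if nh not in routers:
            # "isp": an RFC 1918 destination handed to the uplink is dropped there,
            # which is exactly why the VPN client saw requests go out and nothing return.
            return path
        hop = nh


def topology(vpn_route_on_first_router: bool) -> dict:
    usg = Router("usg", [
        ("10.0.10.0/24", "local"),      # LAN
        ("10.0.80.0/24", "local"),      # wg0
        ("192.168.1.0/24", "local"),    # eth0 transit net (assumed)
        ("0.0.0.0/0", "first-router"),
    ])
    first_routes = [
        ("10.0.10.0/24", "usg"),        # the LAN route that was already in place
        ("192.168.1.0/24", "local"),
        ("0.0.0.0/0", "isp"),
    ]
    if vpn_route_on_first_router:
        first_routes.append(("10.0.80.0/24", "usg"))  # the static route that fixed it
    return {"usg": usg, "first-router": Router("first-router", first_routes)}


if __name__ == "__main__":
    before, after = topology(False), topology(True)
    print("LAN client reply   :", reply_path(before, "first-router", "10.0.10.7"))
    print("VPN client, before :", reply_path(before, "first-router", "10.0.80.2"))
    print("VPN client, after  :", reply_path(after, "first-router", "10.0.80.2"))
    # With a masquerade rule on eth0 instead, the reply is addressed to the USG's
    # WAN address, which the first router delivers on the transit net; the USG then
    # maps it back to 10.0.80.2 from its NAT table, so no upstream route is needed.
    print("masqueraded reply  :", reply_path(before, "first-router", "192.168.1.2"))
```

The two fixes are alternatives: a static route for the VPN subnet on the upstream router keeps the VPN client's real address visible upstream (which the LAN subnet already relied on here), while masquerading on the WAN interface hides it behind the USG and works without touching the other router. Whichever is chosen, the firewall rules applied to wg0 still decide whether forwarded traffic is allowed out at all.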

sunnysk commented Nov 22, 2021

@andreheuer could you show me your solution config, please? Thank you!

andreheuer commented

@sunnysk it is almost the standard config for WireGuard. I have moved the firewall rules into the UI, so they are not in the config JSON:

{
    "service": {
        "nat": {
            "rule": {
                "5999": {
                    "exclude": "''",
                    "outbound-interface": "eth0",
                    "type": "masquerade"
                }
            }
        }
    },
    "interfaces": {
        "wireguard": {
            "wg0": {
                "description": "Wireguard VPN",
                "address": [
                    "10.0.80.1/24"
                ],
                "firewall": {
                    "in": {
                        "name": "LAN_IN"
                    },
                    "local": {
                        "name": "LAN_LOCAL"
                    },
                    "out": {
                        "name": "LAN_OUT"
                    }
                },
                "listen-port": "62133",
                "mtu": "1500",
                "peer": [
                    {
                        "XXXXXXX": {
                            "allowed-ips": [
                                "10.0.80.2/32"
                            ],
                            "persistent-keepalive": 25
                        }
                    },
                    {
                        "XXXXXXX": {
                            "allowed-ips": [
                                "10.0.80.3/32"
                            ],
                            "persistent-keepalive": 25
                        }
                    }
                ],
                "private-key": "XXXXXXXX",
                "route-allowed-ips": "true"
            }
        }
    }
}
