summaryrefslogtreecommitdiff
path: root/_posts/2023-07-02-shoot-foot-wireguard.md
blob: 41fda9ae79eb5473523c35039e23f441a0981b2a (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
---
layout: post
title: Shooting yourself into the foot with Wireguard
date: 2023-07-02 20:11 +0200
lang: en
categories: tech
description: "The pitfalls of WireGuard, what can go wrong. A personal experience report."
---

Sunday afternoon. I'm sitting somewhere outside away from home.
Suddenly I remember I forgot to switch my roomba on. Ugh.
But no worries, I got a Wireguard connection set up, so I can
connect to home and switch it on from there.

Hm. Unfortunately I can't connect to my home router (OpenWRT). Did the dynamic DNS address fail
to update again? Now that I think about it, I can't remember I actually I ever
tested the connection. I tested the connection once when my OpenWRT router was still
running in a VM. Maybe I forgot to set up some things?

{% linked_image
  url="https://pics.uvokchee.de/upload/2023/07/02/20230702201107-0ecdfc52.png"
  img="https://pics.uvokchee.de/i.php?/upload/2023/07/02/20230702201107-0ecdfc52-sm.png"
  alt="A diagram showing the network components of my Wireguard setup."
%}

But hey, no worries, I'll simply connect to my VPS, and let the Wireguard
routing do its job. Just move the `AllowedIP=0.0.0.0/24`
setting from the OpenWRT endpoint to the VPS endpoint
on the smartphone.

I can ping my VPS' Wireguard address, but unfortunately,
pings to my OpenWRT "do nothing".
ping doesn't show any output, simply seems stuck. Weird.

Well, okay, I after I finished enjoying the outsides, I went home
to try to figure out what went wrong.

Well, lets see, what are the AllowedIPs...

{% linked_image
  url="https://pics.uvokchee.de/upload/2023/07/02/20230702201107-5df12e17.png"
  img="https://pics.uvokchee.de/i.php?/upload/2023/07/02/20230702201107-5df12e17-sm.png"
  alt="Same diagram as before. Added: AllowedIPs."
%}

Hm. Seems good enough.
The smartphone pings to the VPS get answered all right. The AllowedIPs match there.
On the VPS via SSH, I can..... not ping my OpenWRT router. Hm.

Ugh, oh yeah! NAT. Let's edit the Wireguard config on OpenWRT to send `KeepAlive`
packages. Also, I noticed I didn't set a firewall `INPUT` rule in OpenWRT to
allow packages from the upstream router to the Wireguard port. Let's fix that.
(That makes the `KeepAlive` unnecessary technically. *However*, I want to avoid
possible dynamic DNS problems as well. So let my OpenWRT just regularly send a keep-alive).

So let's test again...
ping from Smartphone to VPS work. ping from VPS to OpenWRT work.

ping from Smartphone to OpenWRT... Still stuck. The heck?

Okay, let's see the configs again. Very carefully.

{% linked_image
  url="https://pics.uvokchee.de/upload/2023/07/02/20230702201107-597a7b3d.png"
  img="https://pics.uvokchee.de/i.php?/upload/2023/07/02/20230702201107-597a7b3d-sm.png"
  alt="Same diagram. Added on OpenWRT, AllowedIP setting for Smartphone."
%}

Well, oops. I still had the smartphone set up as a possible client on OpenWRT.
Apparently, the ping from my smartphone went through my VPS to OpenWRT just fine
It was just... when trying to send the ping reply, OpenWRT / Wireguard found the `AllowedIP`
setting for the smartphone and probably tried to send the reply directly.
Which isn't possible, since the smartphone naturally has no endpoint address set.
(And no, there was no routing entry for the smartphone itself).

So, to test if this is the problem, I removed the `AllowedIP` setting from the
smartphone on the OpenWRT config. And... the ping works.

I can't keep it like that, though. So... I added back the `AllowedIP`
setting to the smartphone, and instead modified the config
on Wireguard for Android. Let everything Wireguard-internal
route via OpenWRT.
(Reminder: longest prefix wins. `/24` is longer than `/0`).

{% linked_image
  url="https://pics.uvokchee.de/upload/2023/07/02/20230702203947-9169ae4a.png"
  img="https://pics.uvokchee.de/i.php?/upload/2023/07/02/20230702203947-9169ae4a-sm.png"
  alt="Same diagram, fixed AllowedIPs on smartphone."
%}

Et voilá! ping still works.

Only... I still couldn't start my roomba. No wonder, OpenWRT was configured not to allow
any `FORWARD`ing from the Wireguard zone.
(Masquerading on the Wireguard zone was already enabled by the way.)
So, after adding the zone with my roomba
to the list the Wireguard zone is allowed to forward to, I could reach my roomba as well.

All is good... Until the next time something breaks.