Wireguard setup + firewall rules via CLI?

With a /32 mask nothing can be routed through the tunnel. You need a smaller value; a /24 is simple and will be perfect.
At the time I didn’t have the IP address map, so I suggested that 10.10.10.2/24 might be correct.

I don’t know either where 10.10.10.2/24 comes from. Just keep the 192.168.11.0/24 network.

The setting is there; WireGuard is the same everywhere, but the value is 0, which is correct for a server.

No. The purpose is different: contrary to the WAN, the wg interface is an internal network one.

Easy. A LAN network for the FB (192.168.178.0/24), another LAN network for the RUTX (192.168.179.0/24, for example), and yet another one to connect the two using the wg protocol. 192.168.11.0/24 is perfectly fine there; a 10.x.y.0/24 or 172.[16…31].x.0/24 will work equally well.
With the correct Allowed IPs at both ends of the tunnel any device at one side will be able to reach any device at the other side.


Regarding the tunnel:

Or rather 10.10.10.0/24?

I understand and now have:

  • RUT: 192.168.11.0/24
  • FB: 192.168.178.0/24
  • WG tunnel: 10.10.10.0/24

10.10.10.2/24 means IP address 10.10.10.2 and netmask 255.255.255.0.
10.10.10.0/24 is just a shortcut to designate a network; it is not an IP address.


Well, I knew that, but I did not know that a tunnel address is really just one IP (at least that is what I now understand from your post, but maybe I misunderstand you).

I assume that the tunnel (address) setting must be an IP range, e.g.:

  • RUT network: 192.168.11.0/24 (e.g. 192.168.11.1 for the RUT itself)
  • FB network: 192.168.178.0/24 (e.g. 192.168.178.1 for the FritzBox itself)
  • WireGuard tunnel network: 10.10.10.0/24
  • RUT: 10.10.10.1
  • FritzBox: 10.10.10.2

A few thoughts about changes that I might need to consider to achieve the following:

  • Devices on the RUTX11 network (phones, laptops, IoT devices) should be able to access devices on the FritzBox network (at home) via the WireGuard tunnel.
  • Devices on the RUTX11 network should also be able to communicate with each other without going through the WireGuard tunnel—this would keep local traffic on the RUTX11 network rather than routing it through my home network. This makes communication between devices on the same local network faster and doesn’t overload the tunnel.
  • When connected to FritzBox Wi-Fi at home, the RUTX11 should be able to act as a bridge, allowing me to access both the home network (FritzBox) and any devices connected to the RUTX11 (my mobile devices, laptops, etc.), without traffic routing back to the home network unnecessarily.

If I have understood it correctly, this means that I have to set Allowed IPs as follows:

  • RUT (network 192.168.11.0/24):
[Peer]
PublicKey = <FritzBox_Public_Key>
AllowedIPs = 192.168.178.0/24     # Only route home network traffic to FritzBox
  • FritzBox (network 192.168.178.0/24):
[Peer]
PublicKey = <RUTX11_Public_Key>
AllowedIPs = 192.168.11.0/24     # Allow access to RUT network from FritzBox

Furthermore, I assume that WG allows devices to communicate with each other within the same network without tunneling, as the aforementioned AllowedIPs settings do not route local traffic through the tunnel. If this is correct, I do not need to set up anything else to achieve this, right?

This is correct and will be enough. Albeit not necessary, you might want to add 10.10.10.2/32 to the Allowed IPs list on the FB and 10.10.10.1/24 to the Allowed IPs list of the RUTX11. This way the tunnel interfaces will be directly reachable without having to supply additional routes.

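To make the Allowed IPs reasoning above concrete, here is an added Python example (not code from the thread, AVM or Teltonika) that simulates WireGuard's cryptokey routing for the two routers discussed: outbound, a destination is handed to the peer whose AllowedIPs holds the longest matching prefix; inbound, a decrypted packet is only accepted if its source address lies inside that peer's AllowedIPs. The addresses are the thread's (FB is .1, RUTX11 is .2 on the wg subnet); the sample hosts 192.168.11.50 / 192.168.11.60 / 192.168.178.20 and the two FritzBox peer variants (with and without 10.10.10.2/32) are constructed for the demonstration. It models cryptokey routing only, not the firewall zones on either router.

```python
"""Simulate WireGuard cryptokey routing for the RUTX11 <-> FritzBox tunnel (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def net(s: str) -> ipaddress.IPv4Network:
    # strict=False so 10.10.10.1/24 is read the way wg reads it: as 10.10.10.0/24
    return ipaddress.ip_network(s, strict=False)


@dataclass
class Peer:
    name: str
    allowed_ips: List[ipaddress.IPv4Network]


@dataclass
class Endpoint:
    name: str
    peers: List[Peer]


def select_peer(ep: Endpoint, dst: ipaddress.IPv4Address) -> Optional[Peer]:
    """Outbound: the peer whose AllowedIPs contains dst with the longest prefix."""
    best: Optional[tuple] = None
    for peer in ep.peers:
        for n in peer.allowed_ips:
            if dst in n and (best is None or n.prefixlen > best[1].prefixlen):
                best = (peer, n)
    return best[0] if best else None


def accepts_inbound(ep: Endpoint, peer_name: str, src: ipaddress.IPv4Address) -> bool:
    """Inbound: after decryption WireGuard drops the packet unless src is in the sender's AllowedIPs."""
    peer = next(p for p in ep.peers if p.name == peer_name)
    return any(src in n for n in peer.allowed_ips)


def trace(a: Endpoint, b: Endpoint, src: str, dst: str) -> str:
    """Follow one packet from src (at or behind A) to dst (at or behind B), and the reply back."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    out = select_peer(a, d)
    if out is None or out.name != b.name:
        return f"not tunnelled by {a.name} (no AllowedIPs match for {d})"
    if not accepts_inbound(b, a.name, s):
        return f"dropped by {b.name}: source {s} not in its AllowedIPs for {a.name}"
    back = select_peer(b, s)
    if back is None or back.name != a.name:
        return f"no return route on {b.name} for {s}"
    if not accepts_inbound(a, b.name, d):
        return f"reply dropped by {a.name}: source {d} not in its AllowedIPs for {b.name}"
    return "ok"


# Constructed from the thread's addressing: FB is 10.10.10.1, RUTX11 is 10.10.10.2.
RUT = Endpoint("RUT", [Peer("FB", [net("192.168.178.0/24"), net("10.10.10.0/24")])])
FB_MINIMAL = Endpoint("FB", [Peer("RUT", [net("192.168.11.0/24")])])                     # LAN only
FB_FULL = Endpoint("FB", [Peer("RUT", [net("192.168.11.0/24"), net("10.10.10.2/32")])])  # + tunnel /32


def demo() -> dict:
    """Outcome of the four cases the thread cares about."""
    return {
        # LAN-to-LAN works even with the minimal FB peer entry
        "lan_to_lan": trace(RUT, FB_MINIMAL, "192.168.11.50", "192.168.178.20"),
        # local traffic never enters the tunnel: no AllowedIPs entry covers the own LAN
        "lan_local": trace(RUT, FB_MINIMAL, "192.168.11.50", "192.168.11.60"),
        # reaching the FB tunnel address from the RUT fails without 10.10.10.2/32 on the FB ...
        "tunnel_addr_minimal": trace(RUT, FB_MINIMAL, "10.10.10.2", "10.10.10.1"),
        # ... and works once it is there
        "tunnel_addr_full": trace(RUT, FB_FULL, "10.10.10.2", "10.10.10.1"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:22} {result}")
```

The third case is the one the 10.10.10.2/32 entry fixes: the RUT does send the packet, but the FB silently drops it on arrival because 10.10.10.2 is not an allowed source for that peer, so nothing shows up in the FB's counters apart from a received handshake.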

Hmm, no: set the FB to 10.10.10.1 and the RUT to 10.10.10.2; this will be easier to maintain over the long term. If you add another router, it will be 10.10.10.3, and so on.


The possibilities for changes on the Fritzbox side are very limited, i.e. I cannot add/change Allowed IPs there. Should I nevertheless add 10.10.10.1/24 on the RUT’s WG peer side? Like so, under the RUT WG peer settings?

And below is what I now have on the RUT WG interface setting (after also consulting ChatGPT):

There is not really a Tunnel addresses setting, except on the QR settings tab, but I understood that I can ignore that one (it still reads 192.168.11.2/32), because it is only used to create a QR code. Or did I get that wrong?

ChatGPT summarised this for me as follows after I asked it about the impossibility of setting up Tunnel addresses on the Fritzbox side (well, on the RUT side, it seems to be that QR settings tab):

What Does This Mean for the Tunnel Setup?

  1. FritzBox’s Tunnel IP Range: The FritzBox is using 192.168.178.1/24 for its own local WireGuard address, which is fine for your home network. However, this doesn’t define the actual tunnel network range, as that’s implicitly defined by the peers.
  • The Tunnel network itself is defined on the RUTX11 side with its own address (10.10.10.0/24), and that’s what the FritzBox will route traffic through when it’s directed to the RUTX11’s network (192.168.11.0/24).
  2. No Direct Tunnel Address on FritzBox: From the FritzBox settings you’ve shown, it does not look like the FritzBox is explicitly using a tunnel address (e.g., 10.10.10.1/24) for the VPN itself. Instead, it’s routing to the RUTX11 network (192.168.11.0/24) via the WireGuard tunnel. So, you don’t need to manually set up the tunnel IP range on the FritzBox, as it will route traffic based on the Peer’s AllowedIPs.

Conclusion:

  • FritzBox has the WireGuard interface set to 192.168.178.1/24 (which is the local address for the WireGuard connection).
  • The RUTX11’s tunnel network (10.10.10.0/24) is implicitly set on the RUTX11 side and doesn’t need to be manually configured in FritzBox unless you’re routing additional traffic through that specific range.
  • The FritzBox Peer settings with AllowedIPs = 192.168.11.0/24 mean that it will send traffic destined for the RUTX11 network through the WireGuard tunnel, which is already correctly set up.

To sum it up, here is my updated /etc/config/network WG-related part:

config interface 'Home'
        option listen_port '51820'
        option proto 'wireguard'
        option private_key '-----='
        list dns '1.1.1.1'
        option mtu '1280'
        option metric '3'
        option disabled '0'
        list addresses '192.168.11.0/24'
        list addresses '10.10.10.0/24'

config wireguard_Home 'FB7590AX'
        option force_tunlink '0'
        option tunlink 'any'
        option endpoint_port '-----'
        option description 'Fritzbox 7590 AX ISDN'
        option preshared_key '-----='
        option public_key '-----='
        option persistent_keepalive '25'
        option endpoint_host '-----.myfritz.net'
        option route_allowed_ips '1'
        list allowed_ips '192.168.178.0/24'
        list allowed_ips '10.10.10.0/24'
        list allowed_ips '10.10.10.1/24'

I understand that the list addresses '192.168.11.0/24' is the local RUT network and the list addresses '10.10.10.0/24' is the WG tunnel network. And the list allowed_ips '192.168.178.0/24', list allowed_ips '10.10.10.0/24', and list allowed_ips '10.10.10.1/24' mean that these 3 networks (IP ranges) can be routed through the tunnel.

Should be ok like this, I hope, though I wonder a bit how a 10.10.10.0/24 can be routed through itself; at least it appears in both places (list addresses and list allowed_ips). :thinking:

In the end, I want that all devices on one network can reach all devices on the other network and vice versa. With this setting (if it is correct), I hopefully will be able to later add some restrictions (not on the Fritzbox side, though, which is really limited - except for creating further WG peers, of course).

PS:

Well, I cannot change this, as it seems, or can I?

??? Are you sure?

You can safely ignore everything QR-code related on the RUTX side.

There is no obvious reason why you could not change the tunnel address on the FB side.

No. ChatGPT has hallucinations; forget about it.
Keep 10.10.10.0/24 for the wg subnetwork.
So on the FB set the wg interface address to 10.10.10.1/24, and Allowed IPs to 192.168.11.0/24 + 10.10.10.2/32

On the RUTX:
set the address to 10.10.10.2/24, set Allowed IPs to 192.168.178.0/24 + 10.10.10.0/24
delete the option listen_port line

Result:

config interface 'Home'
        option proto 'wireguard'
        option private_key '-----='
        list dns '1.1.1.1'
        option mtu '1280'
        option metric '3'
        option disabled '0'
        list addresses '10.10.10.2/24'

config wireguard_Home 'FB7590AX'
        option force_tunlink '0'
        option tunlink 'any'
        option endpoint_port '-----'
        option description 'Fritzbox 7590 AX ISDN'
        option preshared_key '-----='
        option public_key '-----='
        option persistent_keepalive '25'
        option endpoint_host '-----.myfritz.net'
        option route_allowed_ips '1'
        list allowed_ips '10.10.10.0/24'
        list allowed_ips '192.168.178.0/24'
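The two RUTX11 configs in this thread differ in exactly the ways a small linter can catch. Here is an added Python example (not from the thread, RutOS or OpenWrt) that parses a UCI fragment like the one posted and flags: an interface address that is a network rather than a host (10.10.10.0/24), the LAN prefix used as a tunnel address, an allowed_ips entry with host bits set or already covered by another entry (10.10.10.1/24 next to 10.10.10.0/24), an allowed_ips entry overlapping the router's own LAN, and a listen_port on the side that dials an endpoint. The LAN prefix 192.168.11.0/24 is passed in as an assumption; the two sample configs are copies of the thread's configs with keys and endpoint blanked as in the posts.

```python
"""Lint the WireGuard section of an OpenWrt/RutOS /etc/config/network fragment (added example)."""
import ipaddress
import re
from typing import List

_UCI_LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?\s*$")


def parse_uci(text: str) -> List[dict]:
    """Minimal UCI parser: returns [{type, name, options{}, lists{}}] in file order."""
    sections: List[dict] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = _UCI_LINE.match(raw)
        if not m:
            raise ValueError(f"unparsable UCI line: {raw!r}")
        kind, key, value = m.group(1), m.group(2), m.group(3) or ""
        if kind == "config":
            sections.append({"type": key, "name": value, "options": {}, "lists": {}})
        elif kind == "option":
            sections[-1]["options"][key] = value
        else:
            sections[-1]["lists"].setdefault(key, []).append(value)
    return sections


def lint_wireguard(text: str, lan_prefix: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing to complain about."""
    lan = ipaddress.ip_network(lan_prefix)
    findings: List[str] = []
    sections = parse_uci(text)
    for iface in [s for s in sections if s["options"].get("proto") == "wireguard"]:
        name = iface["name"]
        for addr in iface["lists"].get("addresses", []):
            a = ipaddress.ip_interface(addr)
            if a.network.prefixlen < a.max_prefixlen and a.ip == a.network.network_address:
                findings.append(f"{name}: address '{addr}' is a network, not a host; "
                                f"use e.g. {a.network.network_address + 1}/{a.network.prefixlen}")
            if a.ip in lan:
                findings.append(f"{name}: address '{addr}' lies in the LAN {lan}; the tunnel needs its own subnet")
        peers = [s for s in sections if s["type"] == f"wireguard_{name}"]
        if "listen_port" in iface["options"] and any("endpoint_host" in p["options"] for p in peers):
            findings.append(f"{name}: listen_port is not needed on the side that dials the endpoint (info)")
        for peer in peers:
            raw_list = peer["lists"].get("allowed_ips", [])
            nets = [ipaddress.ip_network(x, strict=False) for x in raw_list]
            seen: set = set()
            for raw, n in zip(raw_list, nets):
                if ipaddress.ip_interface(raw).ip != n.network_address:
                    findings.append(f"{peer['name']}: allowed_ips '{raw}' has host bits set; wg treats it as {n}")
                covered = [o for o in nets if o != n and n.subnet_of(o)]
                if n in seen or covered:
                    findings.append(f"{peer['name']}: allowed_ips '{raw}' is redundant, "
                                    f"already covered by {covered[0] if covered else n}")
                if n.overlaps(lan):
                    findings.append(f"{peer['name']}: allowed_ips '{raw}' overlaps the LAN {lan}; "
                                    f"local traffic would be pushed into the tunnel")
                seen.add(n)
    return findings


# Constructed copies of the two configs posted in the thread (keys/endpoint blanked as there).
BAD_CONFIG = """
config interface 'Home'
        option listen_port '51820'
        option proto 'wireguard'
        option private_key '-----='
        option mtu '1280'
        list addresses '192.168.11.0/24'
        list addresses '10.10.10.0/24'

config wireguard_Home 'FB7590AX'
        option endpoint_host '-----.myfritz.net'
        option endpoint_port '-----'
        option public_key '-----='
        option route_allowed_ips '1'
        list allowed_ips '192.168.178.0/24'
        list allowed_ips '10.10.10.0/24'
        list allowed_ips '10.10.10.1/24'
"""

GOOD_CONFIG = """
config interface 'Home'
        option proto 'wireguard'
        option private_key '-----='
        option mtu '1280'
        list addresses '10.10.10.2/24'

config wireguard_Home 'FB7590AX'
        option endpoint_host '-----.myfritz.net'
        option endpoint_port '-----'
        option public_key '-----='
        option route_allowed_ips '1'
        list allowed_ips '10.10.10.0/24'
        list allowed_ips '192.168.178.0/24'
"""

if __name__ == "__main__":
    for label, cfg in (("before", BAD_CONFIG), ("after", GOOD_CONFIG)):
        print(label, lint_wireguard(cfg, "192.168.11.0/24") or ["clean"])
```

Run it against a copy of `/etc/config/network` taken from the router (`cat /etc/config/network` over SSH) rather than the WebUI export; the overlap check in particular is what would have bitten the "keep local traffic local" requirement if the LAN prefix had been added to allowed_ips.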

Well, almost all fields on the FB side are read-only. It is possible to import a wg_config.conf file, but I have never tried it. Maybe I should.


Sorry, I do not understand where I should set it up as you suggested. I thought you meant to set it up in a different order, i.e. 1st FB, 2nd RUT, with those corresponding addresses, but where?

The settings that I have shown have nothing to do with ChatGPT, so I am lost. :thinking:

Didn’t you write before:

So I added the 10.10.10.1/24 to the RUT:

But I cannot add 10.10.10.2/32 to the Fritzbox.

Why is list addresses '10.10.10.0/24' under Home missing in your result?

Sorry, I have to go now; I’ll reply in detail later.
The idea is to have a .1 address for the server and .2, .3 and so on for different clients, so using minimal Allowed IPs addresses the FB will be able to reach the RUTX => a /32 address, here 10.10.10.2/32.
For the RUTX (and other clients if present) the issue is different: if you want to have a uniform network it must be able to reach all devices, so the Allowed IPs field is set to 10.10.10.0/24. The 10.10.10.1/24 in your original config is redundant.


Ok, I will see that I revert it to this on the RUT side:

config interface 'Home'
        option proto 'wireguard'
        option private_key '-----='
        list dns '1.1.1.1'
        option mtu '1280'
        option metric '3'
        option disabled '0'
        list addresses '10.10.10.2/24'

config wireguard_Home 'FB7590AX'
        option force_tunlink '0'
        option tunlink 'any'
        option endpoint_port '-----'
        option description 'Fritzbox 7590 AX ISDN'
        option preshared_key '-----='
        option public_key '-----='
        option persistent_keepalive '25'
        option endpoint_host '-----.myfritz.net'
        option route_allowed_ips '1'
        list allowed_ips '10.10.10.0/24'
        list allowed_ips '192.168.178.0/24'

PS:
Maybe I shall try to import a wg_config.conf file into the Fritzbox, but I do not know what its content must look like.

In case other Fritzbox users want to see the WireGuard kernel device, i.e. the relevant settings incl. Allowed IPs, this is how I found out:

Enter this URL into your browser:
https://<fritz.box.ip>/#/wizard/support

If you are not yet authenticated to your Fritzbox WebGUI, do it, and then click in the navigation menu on “Help and Info”, scroll all way down, and then click on “FRITZ!Box Support”:

Then click on “Save Support Information” (leave the default selection as shown) and wait for the output to be generated:

It might take a while, before you can download it, and it is large (about 5 MB in my case). You can open it with your favourite text editor.

Search for WireGuard kernel device.

Private key and preshared key are already (hidden) in the output, but I have also anonymized the public key, listening port, and endpoint:

WireGuard kernel device
----------
interface: wg0
  public key: -------------------------------------------=
  private key: (hidden)
  listening port: -----

peer: -------------------------------------------=
  preshared key: (hidden)
  allowed ips: 192.168.11.0/24
  latest handshake: 22 seconds ago

(just showing the relevant peer)

The interesting information (for me) is the allowed ips, because I was not sure how it is set up on the Fritzbox. Now I have the confirmation that Allowed IPs corresponds to the Remote network shown in the Fritzbox WebGUI for the peer. For experts maybe not surprising…

I still do not know what the ‘wg_config.conf’ file (or whatever it is named) needs to look like, when I want to import it to my Fritzbox, ideally with the current settings, but only with the corrected values as indicated by @flebourse in this thread.

I try to correctly recap:

Result for Fritzbox: (wg_config.conf or whatever named file to be imported to the Fritzbox)

[Interface]
PublicKey = <fritzbox_public_key>
Address = 10.10.10.2/32
DNS = 10.10.10.2

[Peer]
PublicKey = <rutx11_public_key>
PresharedKey = <preshared_key>
Endpoint = ----------------.myfritz.net:-----
AllowedIPs = 192.168.11.0/24

I am sorry, but this is really all confusing to me. When I scan the QR code on the RUTX side (WG peer FB7590AX), then I see in a drop-down menu for Peer allowed IPs: 0.0.0.0/0 and 192.168.11.0/24 (ignoring IPv6). The exported file contains:

[Interface]
PrivateKey = -----=
Address = 10.10.10.2/32
DNS = 10.10.10.2

[Peer]
PublicKey = 
AllowedIPs = 0.0.0.0/0,::/0
PersistentKeepalive = 25
PresharedKey = -----=

This does not seem to be correct to be imported into the Fritzbox. :worried:


Result for RUTX:

config interface 'Home'
        option proto 'wireguard'
        option private_key '-----='
        list dns '1.1.1.1'
        option mtu '1280'
        option metric '3'
        option disabled '0'
        list addresses '10.10.10.2/24'

config wireguard_Home 'FB7590AX'
        option force_tunlink '0'
        option tunlink 'any'
        option endpoint_port '-----'
        option description 'Fritzbox 7590 AX ISDN'
        option preshared_key '-----='
        option public_key '-----='
        option persistent_keepalive '25'
        option endpoint_host '-----.myfritz.net'
        option route_allowed_ips '1'
        list allowed_ips '10.10.10.0/24'
        list allowed_ips '192.168.178.0/24'

Sorry that I am so slow in understanding (if at all). :face_with_open_eyes_and_hand_over_mouth:

Change it to:

[Interface]
PrivateKey = <FB private key>
ListenPort = 51820
Address = 10.10.10.1/24
MTU = 1280

[Peer]
PublicKey = <rutx11_public_key>
PresharedKey = <preshared_key>
AllowedIPs = 192.168.11.0/24, 10.10.10.2/32
PersistentKeepalive = 0

This will constitute a valid wg_config.conf file.

Don’t scan the QR code there; it isn’t relevant, the RUTX is the initiator.

This looks correct.


Thank you so much @flebourse :heart:

I started all over again, i.e. removed all VPN connections from my Fritzbox, as AVM says that if you want to use a router-to-router WG network, you must not have any other WG (or even VPN in general?) connections set up before. Of course, you may add further WG connections on the Fritzbox later, e.g. for single devices.

Then I scanned the QR code on the RUTX11 peer settings tab to get some basis for a wg_config.conf file with fresh keys (private, public, preshared). Before importing it into the Fritzbox, I edited the file as @flebourse kindly indicated:

[Interface]
PrivateKey = <FB private key>
ListenPort = 51820
Address = 10.10.10.1/24
MTU = 1280

[Peer]
PublicKey = <rutx11_public_key>
PresharedKey = <preshared_key>
AllowedIPs = 192.168.11.0/24, 10.10.10.2/32
PersistentKeepalive = 0

After import, I got a working WG connection between my Fritzbox 7590 AX and my RUTX11:

And here is what it looks like on the RUTX11’s side:

I set DNS servers to 127.0.0.1, because I will run AdGuard on the RUT and can add further failover DNS servers in the AdGuard settings, e.g. 9.9.9.9 (Quad9), 1.1.1.1 (Cloudflare), 8.8.8.8 (Google). For the case that AdGuard crashes, it might even be better to add these directly below the 127.0.0.1 as failover instead:



I will run some tests now to see whether all devices can see each other across the tunnel etc.

What still confuses me a lot are these keys and how they need to be exchanged between the 2 routers. :upside_down_face:

If somebody sees a glitch, please let me know! :wink:

A description of the wireguard protocol can be found here, and the technical whitepaper gives the full details.

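On the keys that caused the confusion above: each router holds one private key that never leaves it and publishes the matching public key; the preshared key is the same 32 random bytes on both sides. Below is an added Python example (not code from the thread, AVM or Teltonika) that does what `wg genkey`, `wg pubkey` and `wg genpsk` do, renders which key lands in which of the two files from this thread, and checks that both routers derive the same X25519 secret from the other's public key, which is one of the Diffie-Hellman results in WireGuard's handshake. The pure-Python X25519 is for illustration only (not constant-time) and is checked against the RFC 7748 test vector; use `wg genkey` on a real router. Addresses are the thread's; the endpoint host is a placeholder and the endpoint port is assumed to match the FB's ListenPort.

```python
"""WireGuard key material for a router-to-router tunnel (added example, not the thread's code)."""
import base64
import os
from typing import Dict

_P = 2**255 - 19
_A24 = 121665
_BASEPOINT = (9).to_bytes(32, "little")


def _clamp(k: bytes) -> int:
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder; illustration only, not constant-time."""
    k = _clamp(scalar)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % _P, (x2 - z2) % _P
        aa, bb = a * a % _P, b * b % _P
        e = (aa - bb) % _P
        c, d = (x3 + z3) % _P, (x3 - z3) % _P
        da, cb = d * a % _P, c * b % _P
        x3, z3 = pow(da + cb, 2, _P), x1 * pow(da - cb, 2, _P) % _P
        x2, z2 = aa * bb % _P, e * (aa + _A24 * e) % _P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, _P - 2, _P) % _P).to_bytes(32, "little")


def wg_genkey() -> bytes:
    """Like `wg genkey`: 32 random bytes, clamped so the scalar is a valid Curve25519 key."""
    b = bytearray(os.urandom(32))
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return bytes(b)


def wg_pubkey(private: bytes) -> bytes:
    """Like `wg pubkey`: public = X25519(private, basepoint 9)."""
    return x25519(private, _BASEPOINT)


def wg_genpsk() -> bytes:
    """Like `wg genpsk`: plain random bytes, copied verbatim to both peers."""
    return os.urandom(32)


def b64(b: bytes) -> str:
    return base64.b64encode(b).decode()


def static_dh(my_priv: bytes, their_pub: bytes) -> bytes:
    """The static-static DH both ends compute during the handshake; the results must agree."""
    return x25519(my_priv, their_pub)


def render_configs(fb_priv: bytes, rut_priv: bytes, psk: bytes) -> Dict[str, str]:
    """Show which key belongs in which file. Each private key stays on its own router."""
    fb_pub, rut_pub = wg_pubkey(fb_priv), wg_pubkey(rut_priv)
    fritzbox = (  # wg_config.conf to import on the FB
        "[Interface]\n"
        f"PrivateKey = {b64(fb_priv)}\n"
        "ListenPort = 51820\nAddress = 10.10.10.1/24\nMTU = 1280\n\n"
        "[Peer]\n"
        f"PublicKey = {b64(rut_pub)}\n"          # the RUTX11's public key
        f"PresharedKey = {b64(psk)}\n"
        "AllowedIPs = 192.168.11.0/24, 10.10.10.2/32\nPersistentKeepalive = 0\n"
    )
    rutx11 = (  # /etc/config/network fragment on the RUTX11
        "config interface 'Home'\n"
        "\toption proto 'wireguard'\n"
        f"\toption private_key '{b64(rut_priv)}'\n"
        "\toption mtu '1280'\n\tlist addresses '10.10.10.2/24'\n\n"
        "config wireguard_Home 'FB7590AX'\n"
        f"\toption public_key '{b64(fb_pub)}'\n"     # the FritzBox's public key
        f"\toption preshared_key '{b64(psk)}'\n"
        "\toption endpoint_host '<fritzbox-myfritz-host>'\n"  # placeholder, not from the thread
        "\toption endpoint_port '51820'\n"                    # assumed: matches the FB ListenPort
        "\toption persistent_keepalive '25'\n\toption route_allowed_ips '1'\n"
        "\tlist allowed_ips '10.10.10.0/24'\n\tlist allowed_ips '192.168.178.0/24'\n"
    )
    return {"fritzbox": fritzbox, "rutx11": rutx11}


if __name__ == "__main__":
    fb, rut, psk = wg_genkey(), wg_genkey(), wg_genpsk()
    assert static_dh(fb, wg_pubkey(rut)) == static_dh(rut, wg_pubkey(fb))
    for name, text in render_configs(fb, rut, psk).items():
        print(f"--- {name}\n{text}")
```

The practical exchange is therefore: generate the pair on each router (or, as done above, let the RUTX11 generate everything and carry the FB's private key over in the imported file), put A's public key into B's peer entry and vice versa, and the same PresharedKey into both; the only secret that should ever travel between the two routers is the one you deliberately put into the wg_config.conf file.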
