Hello:
I have installed Wireguard from entware in a S905X3 TV-box as server (CE 19.4 inside).
Config (wg0.conf of the server) like this:
[Interface]
Address = 10.1.1.1
ListenPort = 51820
PrivateKey = BLABLABLA
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
And I have installed also Wireguard fron entware as client in other S905X3 TV-box (CE 19.4 inside).
Config (wg0.conf of the client) like this:
[Interface]
Address = 10.1.1.31
PrivateKey = BLABLABLA
ListenPort = 51820
[Peer]
PublicKey = BLABLABLA
Endpoint = blablabla.duckdns.org:51820
AllowedIPs = 10.1.1.0/24
By the way, wireguard from entware resolve domains with NO problem at all.
My “blablabla.duckdns.org” is “translated” to 80.90.100.110 or the correspondent IP. If the public IP of the server changes, rebooting the client it resolves the new IP for the domain.
OK.
wg-quick up wg0
in server, OK
wg-quick up wg0
in client, OK
Perfect! Connected! We are happy!
Another Wireguard (WG) clients in Windows, Android or Fire TV, also connected to the server. Great!
The “problem” is that when I use:
AllowedIPs = 10.1.1.0/24
the traffic ONLY goes to the WG server when there is in the WG subnet. I use the WG server (10.1.1.1) as a tvheadend server. All clients connected to the server, no problem at all.
But when I try to make ALL traffic from client to pass through server:
AllowedIPs = 0.0.0.0/0
in all the clients, in Android and Windows clients it works great, and ALL the traffic from clients goes to 10.1.1.1 and use the public IP of the server to exit to internet.
Before working I made:
echo “net.ipv4.ip_forward = 1” >/storage/.config/sysctl.d/ip_forward.conf
on the server. If not, it did not work.
The problem is that when I use:
AllowedIPs = 0.0.0.0/0
on CoreELEC clients…
CoreELEC:~ # wg-quick up wg0
/opt/bin/bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
Warning: `/storage/.opt/etc/wireguard/wg0.conf’ is world accessible
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /proc/self/fd/63
[#] ip -4 address add 10.1.1.31 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n
iptables-restore v1.8.7 (legacy): iptables-restore: unable to initialize table ‘raw’
Error occurred at line: 1
Try `iptables-restore -h’ or ‘iptables-restore --help’ for more information.
[#] ip -4 rule delete table 51820
[#] ip -4 rule delete table main suppress_prefixlength 0
[#] ip link delete dev wg0
I tried to change:
Endpoint = blablabla.duckdns.org:51820
for
Endpoint = 80.90.100.110:51820
80.90.100.110 is an example of public IP for the domain
and it’s not the problem.
So:
1) Android and Windows WG clients work OK
2) CE WG client works OK ONLY when:
AllowedIPs = 10.1.1.0/24
If
AllowedIPs = 0.0.0.0/0
NOT.
It seems that there is NO problem on the server side. What could be the problem on the client CE WG side?
Any ideas to pass all client CE traffic though CE WG server (like in Windows or Android)?
Thanks in advance and kind regards