4G router wireguard client connected but no internet

Hi, I am using tp-link MR6400 4G LTE router, recently installed Openwrt 21.02.3 r16554-1d4dea6d4f

facing following problems (probably interlinked)

  1. Client (TP-link MR6400 4G router) connects to wireguard server, but the internet doesn't work post connection

  2. Can't access any client subnet from wireguard server, only client router IP remains accessible

  3. Connection drops frequently, to keep it open i have to use ping from server to client

output of /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'vpn'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'Broadband'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config rule 'wg'
        option name 'Allow-WireGuard'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Allow-Wireguard2'
        option src 'wan'
        option dest '*'
        option target 'ACCEPT'

output of /etc/config/network

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdc7:50ae:8372::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'
        option peerdns '0'
        list dns '8.8.8.8'
        list dns '8.8.4.4'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'
        list dns '8.8.8.8'
        list dns '8.8.4.4'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '3 6t'

config interface 'Broadband'
        option proto 'qmi'
        option device '/dev/cdc-wdm0'
        option apn 'www'
        option auth 'chap'
        option dhcp '0'
        option autoconnect '1'
        option pdptype 'ipv4v6'
        option default_profile '1'
        option dualstack_profile '2'

config interface 'vpn'
        option proto 'wireguard'
        option private_key '<removed for security reasons> '
        option peerdns '0'
        list dns '8.8.8.8'
        list dns '8.8.4.4'
        option listen_port '51820'
        list addresses '192.168.1.0/24'
        list addresses '192.168.0.0/24'
        list addresses '192.168.9.3/32'
        list addresses 'fdf1:e8a1:8d3f:9::3/128'

config wireguard_vpn 'wgserver'
        option endpoint_host '<removed for security reasons> '
        option endpoint_port '51820'
        option persistent_keepalive '25'
        option description 'homerouter'
        option route_allowed_ips '1'
        option public_key '<removed for security reasons> '
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'

Request everyone to help me solve this problem, after reading entire google i gave-up on my quest and raised this issue :slight_smile:

Try putting the vpn network into the wan zone (or put it in a new zone with masquerading enabled)

Also remove the following from the vpn interface definition. DNS doesn’t do anything in this case, and you shouldn’t specify a listen port on the”client” peer.

These probably should not be here, either, since it seems that 192.168.9.3/32 is the address of this peer on the tunnel.

Appreciate your quick response, i lost connection to client for now, will make this these changes as soon as the connection start working.

Might sound weird but client ( 4G router) sitting at another site.

Ok, all changes applied, unfortunately the connection lost again post applying changes, will post updated outputs asap.

Applied all Changes, Internet is working now, from Client Server subnet is accessible, but Server can't access client subnet or router
below is latest output of /etc/config/network;

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd24:b3d8:e5ec::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option proto 'qmi'
        option device '/dev/cdc-wdm0'
        option apn 'www'
        option auth 'chap'
        option pdptype 'ipv4v6'
        option default_profile '1'
        option dualstack_profile '2'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '3 6t'

config interface 'vpn'
        option proto 'wireguard'
        option private_key '<private key>'
        option listen_port '51820'
        list addresses 'fdf1:e8a1:8d3f:9::3/128'
        list addresses '192.168.9.3/32'

config wireguard_vpn
        option description 'homeserver'
        option public_key <public key>
        option route_allowed_ips '1'
        option endpoint_host <endpoint>
        option endpoint_port '51820'
        option persistent_keepalive '25'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'

   Output of /etc/config/firewallconfig defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'vpn'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        option masq '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config zone
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vpn'
        option mtu_fix '1'
        option masq '1'

config rule
        option name 'Allow-wireguard'
        list proto 'udp'
        option src 'wan'
        option target 'ACCEPT'
        option dest_port '51820'

You have the vpn network located in two zones: lan and vpn.

The vpn network should only be in a single zone.

It appears that this peer is the one that initiates the connection to the other, so you should remove the listen port from the interface definitoin:

Now, can you be more specific about the goal here in terms of the 'server' reaching the 'client' -- give examples of the ping/connection tests you've run and what you expect to happen (from hostA IP > Host B IP, etc.).

1 Like

Putting the VPN tunnel in the wan zone is best for when using a commercial VPN service where the only VPN traffic will be outgoing Internet usage. By default, the wan zone blocks incoming connections.

If you own or control the VPN server and want two-way connections, set up a separate VPN zone or place the VPN in the LAN zone. The VPN server configuration will need a route to your LAN. In Wireguard this is done by adding the LAN subnet to allowed_ips in the client section of the server configuration.

2 Likes

I have one static public IP at home with fixed broadband connection, this connection is configured on TP-link Archer C7 V5 (Openwrt version 22.03.0) acting as Wireguard server

Another router TP-Link TL-MR6400 v5 (OpenWrt 21.02.3) running on my farmhouse about 30 miles away from home in middle of nowhere (reason i choose SIM router) ... this act as wireguard client

I tried getting static Public IP for farmhouse SIM router to connect directly like my home router, but unfortunately there are no options,

Goal is to access local network at farmhouse to manage CCTV Camera's & IoT products

what works -

  1. Connection works between 2 routers using wireguard works,
  2. Internet works in both locations
  3. Wireguard client can ping / connect to device connected to server

doesn't work

  1. Wireguard server (Home), can't ping or access any devices/IP at Wireguard Client (farmhouse)

Sharing updated client configuration based on suggestion received from @psherman & @mk24 ,

**root@farmhouse:~# cat /etc/config/network**

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd24:b3d8:e5ec::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option proto 'qmi'
        option device '/dev/cdc-wdm0'
        option apn 'www'
        option auth 'chap'
        option pdptype 'ipv4v6'
        option default_profile '1'
        option dualstack_profile '2'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '3 6t'

config interface 'vpn'
        option proto 'wireguard'
        list addresses '192.168.9.3/24'
        list addresses 'fdf1:e8a1:8d3f:9::3/64'
        option private_key '<>'

config wireguard_vpn 'wgserver'
        option endpoint_host '<>'
        option endpoint_port '51820'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option description 'homeserver'
        option public_key '<>'
        option preshared_key '<>'

**root@farmhouse:~# cat /etc/config/firewall**

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'vpn'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

Let me know in case any additional outputs required to assess the problem
BR, MS

In your case, you should move the wireguard network into the lan firewall zone.

Then, on your other router, set a static route for 192.168.1.0/24 via 192.168.9.3.

Note that your farmhouse network is using 192.168.1.0/24, so your main location must be using something different for its lan. If they are both using the same subnet, be sure to change one of them to a different subnet.

2 Likes

Also it sounds like this use case should not redirect all Internet use at the farmhouse through home, since that will double the ping time from the farmhouse to Internet sites and load down the home 4G connection.

So you'd change allowed_ips at the farmhouse to be just the home LAN and the home's IP on the tunnel. Meanwhile of course at home the allowed_ips would be the farmhouse's IP on the tunnel and the farmhouse LAN. As @psherman said, all the LANs and the tunnel must be all of different subnet ranges for example

  • farmhouse LAN 192.168.1.0/24
  • home LAN 192.168.2.0/24
  • tunnel 192.168.9.0/24

With this scheme I would make the home tunnel 192.168.9.2 and the farmhouse 192.168.9.1 to make it easier to remember the association with the sites' respective LANs. But this is not necessary for it to work.

2 Likes

question added against your advise;

In your case, you should move the wireguard network into the lan firewall zone. - is this change for farmhouse router ?

Then, on your other router, set a static route for 192.168.1.0/24 via 192.168.9.3. - is this for Home router ? on home router my IPs is 192.168.0.1

Ok, i have made the changes,
situation now

what works -

  1. Connection works between 2 routers using wireguard works,
  2. Internet works in both locations
  3. Wireguard client can only ping / connect to 192.168.9.1 (home server tunnel IP)

doesn't work

  1. Wireguard server (Home) can't ping or access any devices/IP at Wireguard Client (farmhouse)
  2. Wireguard client cannot connect server subnet

this time sharing both Server & client configurations for better perceptive;

Client (farmhouse) cat /etc/config/network

root@farmhouse:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fda8:8838:553c::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option proto 'qmi'
        option device '/dev/cdc-wdm0'
        option apn 'www'
        option auth 'chap'
        option pdptype 'ipv4v6'
        option default_profile '1'
        option dualstack_profile '2'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '3 6t'

config interface 'vpn'
        option proto 'wireguard'
        option private_key 'privatekey'
        list addresses '192.168.9.3/24'
        list addresses 'fdf1:e8a1:8d3f:9::3/64'

config wireguard_vpn 'wgserver'
        option public_key 'publickey'
        option preshared_key 'presharedkey'
        option endpoint_host 'endpoint'
        option endpoint_port '51820'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        list allowed_ips '192.168.0.1/24'
        list allowed_ips '192.168.9.0/24'

Client (farmhouse) cat /etc/config/firewall

root@farmhouse:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'vpn'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

home (server) cat /etc/config/network

root@home:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fda8:d312:a0d8::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.0.1'

config device
        option name 'eth0.2'
        option macaddr '60:32:b1:b7:43:fc'

config interface 'wan'
        option device 'eth0.2'
        option proto 'pppoe'
        option username 'userid'
        option password 'userpass'
        option ipv6 'auto'
        option peerdns '0'
        list dns '8.8.8.8'
        list dns '8.8.4.4'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'
        option reqprefix 'auto'
        option reqaddress 'try'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 0t'

config interface 'vpn'
        option proto 'wireguard'
        option listen_port '51820'
        list addresses '192.168.9.1/24'
        list addresses 'fdf1:e8a1:8d3f:9::1/64'
        option private_key 'privatekey'

config wireguard_vpn 'wgclient'
        option description 'FarmHouseRouter'
        option route_allowed_ips '1'
        option public_key 'publickey'
        option private_key 'privatekey'
        option preshared_key 'presharedkey'
        list allowed_ips '192.168.9.3/32'
        list allowed_ips 'fdf1:e8a1:8d3f:9::3/128'
        list allowed_ips '192.168.1.0/24'

config wireguard_vpn
        option description 'Mohit’s Iphone'
        option public_key 'publickey'
        list allowed_ips '192.168.9.2/32'
        list allowed_ips 'fdf1:e8a1:8d3f:9::2/128'

config route
        option interface 'vpn'
        option target '192.168.1.0/24'
        option gateway '192.168.9.3'
        option type 'local'

home (server) cat /etc/config/firewall

root@home:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'vpn'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule 'wg'
        option name 'Allow-WireGuard'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

Try moving the interface and type from the route...

1 Like

Have removed it, unfortunately, still same situation :frowning:

Have removed the lines, still same status :frowning:

This is the 'client' side > Peer > allowed IPs, and it should be 192.168.0.0/24

Try that and see if that fixes things.

1 Like

Thanks a ton @psherman @mk24, my end goals are achieved, both routers now connected through wireguard, all subnets are accessible (bi-directional), and internet is working :slightly_smiling_face:

please like you keeping this community alive and healthy.

@psherman @mk24

something happened (i didn't do anything), but wireguard server can't access the client router anymore,

what works -

  1. Connection between 2 routers using wireguard works,
  2. Internet works in both locations
  3. Wireguard client can access all Tunnel IP (192.168.9.1) and Lan (192.168.0.1/24) allocated in server
  4. Server can only access Tunnel IP in client (192.168.9.3)

doesn't work

  1. Server can't access Lan in client (192.168.1.1/24)
  2. another Peer2/client2 (Iphone) which also connected to server (Home), can't access Peer 1 (farmhouse) lan

Client (farmhouse) cat /etc/config/network

root@farmhouse:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fda8:8838:553c::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option proto 'qmi'
        option device '/dev/cdc-wdm0'
        option apn 'www'
        option auth 'chap'
        option pdptype 'ipv4v6'
        option default_profile '1'
        option dualstack_profile '2'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '3 6t'

config interface 'vpn'
        option proto 'wireguard'
        option private_key 'privatekey'
        list addresses '192.168.9.3/24'
        list addresses 'fdf1:e8a1:8d3f:9::3/64'

config wireguard_vpn 'wgserver'
        option public_key 'publickey'
        option preshared_key 'presharedkey'
        option endpoint_host 'endpoint'
        option endpoint_port '51820'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        list allowed_ips '192.168.9.1/32'
        list allowed_ips 'fdf1:e8a1:8d3f:9::1/128'
        list allowed_ips '192.168.0.0/24'

config route
        option interface 'vpn'
        option target '192.168.1.0'
        option netmask '255.255.255.0'
        option gateway '192.168.9.3'

Client (farmhouse) cat /etc/config/firewall

root@farmhouse:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'vpn'
        option masq '1'
        option mtu_fix '1'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config rule
        option name 'Allow-WireGuard'
        list proto 'udp'
        option src 'wan'
        option target 'ACCEPT'

home (server) cat /etc/config/network

root@home:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fda8:d312:a0d8::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.0.1'

config device
        option name 'eth0.2'
        option macaddr '60:32:b1:b7:43:fc'

config interface 'wan'
        option device 'eth0.2'
        option proto 'pppoe'
        option username 'userid'
        option password 'userpass'
        option ipv6 'auto'
        option peerdns '0'
        list dns '8.8.8.8'
        list dns '8.8.4.4'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'
        option reqprefix 'auto'
        option reqaddress 'try'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 0t'

config interface 'vpn'
        option proto 'wireguard'
        option listen_port '51820'
        option private_key 'privatekey'
        list addresses '192.168.9.1/24'
        list addresses 'fdf1:e8a1:8d3f:9::1/64'

config wireguard_vpn 'wgclient'
        option description 'FarmHouseRouter'
        option route_allowed_ips '1'
        option public_key 'publickey'
        option private_key 'privatekey'
        option preshared_key 'presharedkey'
        list allowed_ips '192.168.9.3/32'
        list allowed_ips 'fdf1:e8a1:8d3f:9::3/128'
        list allowed_ips '192.168.1.0/24'

config wireguard_vpn
        option description 'Mohit’s Iphone'
        option public_key 'public key'
        list allowed_ips '192.168.9.2/32'
        list allowed_ips 'fdf1:e8a1:8d3f:9::2/128'
        list allowed_ips '192.168.1.0/24'
        option route_allowed_ips '1'

config route
        option target '192.168.1.0/24'
        option gateway '192.168.9.3'

home (server) cat /etc/config/firewall

root@home:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'vpn'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule 'wg'
        option name 'Allow-WireGuard'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

please help.

This route doesn't belong on the farmhosue router since the farmhouse network is directly connected (192.168.1.0/24)

I think your issue is that you have masquerading enabled here. This should not be enabled for LAN.

Put the VPN in a separate zone and then allow lan > vpn and vpn > lan forwarding.

The following rule is not necessary, remove it.