I have the following setup:
I configured Wireguard connation between Wireguard server and OpenWRT router as a client. Internal machines can use Internet only via the VPN connection. I created routing in wireguard server 192.168.2.0/24 via ip addr of client IP of wireguard
I need to connect from external laptop to test web server 192.168.2.111 via Laptop with VPN client as you can see on the diagram.
But for some reason I can only ping 192.168.2.1 when I'm connected. Any idea how I can configure this access?
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
frollic:
cat /etc/config/firewall
Here is the output of the commands:
login as: root
BusyBox v1.36.1 (2025-02-03 23:09:37 UTC) built-in shell (ash)
_______ ________ __
| |.-----.-----.-----.| | | |.----.| |_
| - || _ | -__| || | | || _|| _|
|_______|| __|_____|__|__||________||__| |____|
|__| W I R E L E S S F R E E D O M
-----------------------------------------------------
OpenWrt 24.10.0, r28427-6df0e3d02a
-----------------------------------------------------
=== WARNING! =====================================
There is no root password defined on this device!
Use the "passwd" command to set up a new password
in order to prevent unauthorized SSH logins.
--------------------------------------------------
root@OpenWrt:~# ubus call system board
{
"kernel": "6.6.73",
"hostname": "OpenWrt",
"system": "MediaTek MT7621 ver:1 eco:3",
"model": "D-Link DIR-2660 A1",
"board_name": "dlink,dir-2660-a1",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "24.10.0",
"revision": "r28427-6df0e3d02a",
"target": "ramips/mt7621",
"description": "OpenWrt 24.10.0 r28427-6df0e3d02a",
"builddate": "1738624177"
}
}
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdc9:f61d:a72f::/48'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option device 'wan'
option proto 'dhcp'
option peerdns '0'
list dns '8.8.8.8'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
config interface 'WG0'
option proto 'wireguard'
option private_key '6On9111111111TeAEC1111111KiuNCsUhi0c='
list addresses '10.111.111.111/24'
list dns '8.8.8.8'
list dns '8.8.4.4'
config wireguard_WG0
option description 'Imported peer configuration'
option public_key '4J1111111111111111111111Q111111111'
option preshared_key 'O3tyk111111111111111111111z61111111'
list allowed_ips '0.0.0.0/0'
list allowed_ips '::0/0'
option endpoint_host '154.111.11.111'
option endpoint_port '51820'
option route_allowed_ips '1'
option persistent_keepalive '25'
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
list network 'WG0'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
root@OpenWrt:~#
Is the wireguard tunnel fully trusted? If so, remove WG0 from the wan firewall zone and instead put it in the lan firewall zone.
On the other side, you'll need to make sure that there is an appropriate route for 192.168.2.0/24 via the wireguard tunnel.
I made the change for remove WG0 from the wan firewall zone and instead put it in the lan firewall zone.
When I try to access 192.168.2.111 via web browser I get:
Firewall or antivirus software may have blocked the connection.
Try:
ERR_NETWORK_ACCESS_DENIED
you'll need to make sure that there is an appropriate route for 192.168.2.0/24 via the wireguard tunnel.
How I can configure this in OpenWRT
By the way I found one possible bug:
Let's see the config of the other device (the "wireguard server").
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
Please provide specifics so that it can be replicated.
I will provide the Wireguard server configs tomorrow when I have access.
This to put several keywords into this input field.
Disregard. I can't reproduce the issue.
psherman:
wireguard server
On wireguard server I use Ubuntu + Wireguard server. Here is the configuration:
root@436:~# cat /etc/iptables/rules.v4
# Generated by iptables-save v1.8.10 (nf_tables) on Fri Jun 20 12:46:22 2025
*filter
:INPUT ACCEPT [8785:625532]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 51820 -j ACCEPT
-A INPUT -p udp -m udp --dport 51820 -j ACCEPT
COMMIT
# Completed on Fri Jun 20 12:46:22 2025
# Generated by iptables-save v1.8.10 (nf_tables) on Fri Jun 20 12:46:22 2025
*nat
:PREROUTING ACCEPT [13:832]
:INPUT ACCEPT [13:832]
:OUTPUT ACCEPT [6:420]
:POSTROUTING ACCEPT [6:420]
-A POSTROUTING -s 10.203.246.0/24 -o eth0 -m comment --comment wireguard-nat-rule -j MASQUERADE
-A POSTROUTING -s 10.203.246.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Jun 20 12:46:22 2025|
root@436:/etc# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet <PUBLIC_IP> netmask 255.255.255.128 broadcast <PUBLIC_IP>
inet6 fe80::be24:11ff:fead:8c3e prefixlen 64 scopeid 0x20<link>
ether bc:24:11:ad:8c:3e txqueuelen 1000 (Ethernet)
RX packets 10712293 bytes 2791732984 (2.7 GB)
RX errors 0 dropped 3709 overruns 0 frame 0
TX packets 2794195 bytes 2375371369 (2.3 GB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 1515 bytes 169216 (169.2 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1515 bytes 169216 (169.2 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP> mtu 1420
inet 10.203.246.1 netmask 255.255.255.0 destination 10.203.246.1
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 1000 (UNSPEC)
RX packets 235309 bytes 68735740 (68.7 MB)
RX errors 337 dropped 0 overruns 0 frame 337
TX packets 597502 bytes 662700168 (662.7 MB)
TX errors 52 dropped 1526 overruns 0 carrier 0 collisions 0
root@436:/etc# ip route
default via 154.43.62.1 dev eth0 proto static
10.203.246.0/24 dev wg0 proto kernel scope link src 10.203.246.1
<PUBLIC_IP> dev eth0 proto kernel scope link src <PUBLIC_IP>
192.168.2.0/24 dev wg0 scope link
192.168.100.0/24 dev wg0 scope link
root@436:/etc#
mk24
June 26, 2025, 2:32pm
10
The Description is reserved as an option which does not do anything other than be saved for human reference. I'm not sure what Luci does but since in the underlying files all option values are surrounded by single quotes, putting any single quote marks (e.g. don't) in the Description may break the configuration.
@psherman Based on the provided commands output can you recommend some solution, please?
In theory, there would be two ways to do this, although I haven't done this on a Ubuntu WG config. You theoretically only need one of these methods, but there could be some firewall related stuff that has to happen, too. The following would be on the Ubnutu side (again, just try one or the other)
Add 192.168.2.0/24 to the allowed_ips list in the peer that is 10.111.111.111 (or if this is a redacted address, add this to the peer that corresponds to the OpenWrt device.
Add a route of 192.168.2.0/24 via 10.111.111.111 to the main routing table of your ubnutu box. (again, if that is a made up address, modify accordingly).
Then reboot the system or restart the WG interface/service on the Ubuntu machine.
