Access internal hosts from Wireguard VPN

I have the following setup:

I configured a Wireguard connection between the Wireguard server and an OpenWRT router acting as a client. Internal machines can use the Internet only via the VPN connection. On the Wireguard server I created a route for 192.168.2.0/24 via the client's Wireguard IP address.

I need to connect from an external laptop running a VPN client to a test web server at 192.168.2.111, as you can see on the diagram.

But for some reason I can only ping 192.168.2.1 when I'm connected. Any idea how I can configure this access?

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall

Here is the output of the commands:

login as: root


BusyBox v1.36.1 (2025-02-03 23:09:37 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 24.10.0, r28427-6df0e3d02a
 -----------------------------------------------------
=== WARNING! =====================================
There is no root password defined on this device!
Use the "passwd" command to set up a new password
in order to prevent unauthorized SSH logins.
--------------------------------------------------
root@OpenWrt:~# ubus call system board
{
        "kernel": "6.6.73",
        "hostname": "OpenWrt",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "D-Link DIR-2660 A1",
        "board_name": "dlink,dir-2660-a1",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.0",
                "revision": "r28427-6df0e3d02a",
                "target": "ramips/mt7621",
                "description": "OpenWrt 24.10.0 r28427-6df0e3d02a",
                "builddate": "1738624177"
        }
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdc9:f61d:a72f::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option peerdns '0'
        list dns '8.8.8.8'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'WG0'
        option proto 'wireguard'
        option private_key '6On9111111111TeAEC1111111KiuNCsUhi0c='
        list addresses '10.111.111.111/24'
        list dns '8.8.8.8'
        list dns '8.8.4.4'

config wireguard_WG0
        option description 'Imported peer configuration'
        option public_key '4J1111111111111111111111Q111111111'
        option preshared_key 'O3tyk111111111111111111111z61111111'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::0/0'
        option endpoint_host '154.111.11.111'
        option endpoint_port '51820'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'WG0'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

root@OpenWrt:~#

Is the wireguard tunnel fully trusted? If so, remove WG0 from the wan firewall zone and instead put it in the lan firewall zone.

On the other side, you'll need to make sure that there is an appropriate route for 192.168.2.0/24 via the wireguard tunnel.

I made the change to remove WG0 from the wan firewall zone and put it in the lan firewall zone instead.

When I try to access 192.168.2.111 via web browser I get:

Your Internet access is blocked

Firewall or antivirus software may have blocked the connection.

Try:

ERR_NETWORK_ACCESS_DENIED

you'll need to make sure that there is an appropriate route for 192.168.2.0/24 via the wireguard tunnel.

How can I configure this in OpenWRT?

By the way, I found one possible bug:
When I put several keywords into the peer form's description field, the client does not connect to the remote Wireguard host for some reason.

Let's see the config of the other device (the "wireguard server").

ubus call system board
cat /etc/config/network
cat /etc/config/firewall

Please provide specifics so that it can be replicated.

I will provide the Wireguard server configs tomorrow when I have access.

This: putting several keywords into this input field.

Disregard. I can't reproduce the issue.

On wireguard server I use Ubuntu + Wireguard server. Here is the configuration:

root@436:~# cat /etc/iptables/rules.v4
# Generated by iptables-save v1.8.10 (nf_tables) on Fri Jun 20 12:46:22 2025
*filter
:INPUT ACCEPT [8785:625532]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 51820 -j ACCEPT
-A INPUT -p udp -m udp --dport 51820 -j ACCEPT
COMMIT
# Completed on Fri Jun 20 12:46:22 2025
# Generated by iptables-save v1.8.10 (nf_tables) on Fri Jun 20 12:46:22 2025
*nat
:PREROUTING ACCEPT [13:832]
:INPUT ACCEPT [13:832]
:OUTPUT ACCEPT [6:420]
:POSTROUTING ACCEPT [6:420]
-A POSTROUTING -s 10.203.246.0/24 -o eth0 -m comment --comment wireguard-nat-rule -j MASQUERADE
-A POSTROUTING -s 10.203.246.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Jun 20 12:46:22 2025


root@436:/etc# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet <PUBLIC_IP>  netmask 255.255.255.128  broadcast <PUBLIC_IP>
        inet6 fe80::be24:11ff:fead:8c3e  prefixlen 64  scopeid 0x20<link>
        ether bc:24:11:ad:8c:3e  txqueuelen 1000  (Ethernet)
        RX packets 10712293  bytes 2791732984 (2.7 GB)
        RX errors 0  dropped 3709  overruns 0  frame 0
        TX packets 2794195  bytes 2375371369 (2.3 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 1515  bytes 169216 (169.2 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1515  bytes 169216 (169.2 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1420
        inet 10.203.246.1  netmask 255.255.255.0  destination 10.203.246.1
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 235309  bytes 68735740 (68.7 MB)
        RX errors 337  dropped 0  overruns 0  frame 337
        TX packets 597502  bytes 662700168 (662.7 MB)
        TX errors 52  dropped 1526 overruns 0  carrier 0  collisions 0

root@436:/etc# ip route
default via 154.43.62.1 dev eth0 proto static
10.203.246.0/24 dev wg0 proto kernel scope link src 10.203.246.1
<PUBLIC_IP> dev eth0 proto kernel scope link src <PUBLIC_IP>
192.168.2.0/24 dev wg0 scope link
192.168.100.0/24 dev wg0 scope link
root@436:/etc#

The Description is reserved as an option which does not do anything other than be saved for human reference. I'm not sure what Luci does but since in the underlying files all option values are surrounded by single quotes, putting any single quote marks (e.g. don't) in the Description may break the configuration.

@psherman Based on the provided commands output can you recommend some solution, please?

In theory, there would be two ways to do this, although I haven't done this on an Ubuntu WG config. You theoretically only need one of these methods, but there could be some firewall related stuff that has to happen, too. The following would be on the Ubuntu side (again, just try one or the other):

  1. Add 192.168.2.0/24 to the allowed_ips list in the peer that is 10.111.111.111 (or, if this is a redacted address, add this to the peer that corresponds to the OpenWrt device).
  2. Add a route of 192.168.2.0/24 via 10.111.111.111 to the main routing table of your Ubuntu box (again, if that is a made up address, modify accordingly).

Then reboot the system or restart the WG interface/service on the Ubuntu machine.
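As an added example (not from the thread or from any participant), a small Python check of the cryptokey-routing side of method 1: WireGuard only hands a packet to a peer whose AllowedIPs covers the destination, so this resolves which peer, if any, on the Ubuntu server would receive traffic for 192.168.2.111 before and after the OpenWrt peer's AllowedIPs is extended. The wg0.conf is constructed; the key strings are placeholders and the laptop peer is invented.

```python
import ipaddress
# Added example, not from the thread. Constructed wg0.conf for the Ubuntu server
# (assumes wg-quick; keys are placeholders). 10.111.111.111 is the OpenWrt router's
# tunnel address from its /etc/config/network; the laptop peer is invented.
SERVER_CONF = """\
[Interface]
Address = 10.203.246.1/24
[Peer]
PublicKey = <OPENWRT_PUBLIC_KEY_PLACEHOLDER>
AllowedIPs = 10.111.111.111/32
[Peer]
PublicKey = <LAPTOP_PUBLIC_KEY_PLACEHOLDER>
AllowedIPs = 10.203.246.10/32
"""

def parse_peers(conf_text):
    """Return {public_key: [ip_network, ...]} for every [Peer] section."""
    peers, cur = {}, None
    for line in conf_text.splitlines():
        key, _, value = (s.strip() for s in line.partition("="))
        if line.strip().startswith("["):
            cur = None
        elif key == "PublicKey":
            cur = peers.setdefault(value, [])
        elif key == "AllowedIPs" and cur is not None:
            cur += [ipaddress.ip_network(c.strip(), strict=False) for c in value.split(",")]
    return peers

def peer_for(conf_text, dest):
    """Cryptokey routing: longest-prefix match of dest over all peers' AllowedIPs.
    None means wg0 drops the packet even if '192.168.2.0/24 dev wg0' is routed."""
    addr, best = ipaddress.ip_address(dest), None
    for pubkey, nets in parse_peers(conf_text).items():
        for net in nets:
            if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (pubkey, net)
    return best[0] if best else None

def add_allowed_ip(conf_text, public_key, cidr):
    """Method 1 from the thread: append cidr to AllowedIPs of the matching peer."""
    out, in_target = [], False
    for raw in conf_text.splitlines():
        key, _, value = (s.strip() for s in raw.partition("="))
        if key == "PublicKey":
            in_target = value == public_key
        elif in_target and key == "AllowedIPs":
            raw = raw.rstrip() + ", " + cidr
        out.append(raw)
    return "\n".join(out) + "\n"
```

AllowedIPs is also the ingress filter: a decrypted packet whose source address lies outside the sending peer's AllowedIPs is dropped, so the same entry limits which peer may speak for 192.168.2.0/24 inside the tunnel.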