Access LAN of OpenWrt router from external VPS via WireGuard

Hi!

I have the following network configuration:
image

I want to have access to the OpenWrt RPi4 LAN from my WG network, 10.0.10.0/24, especially from the WG server at 10.0.10.1. I have tried a lot of things and configurations and still don't have this access.

The handshake between the OpenWrt router and the WG server works: I see exchanged bytes on both sides when I type wg show.
I have set up a separate zone for wg, set zone forwarding and LAN masquerading, still no success.

From the OpenWrt router I can't ping 10.0.10.1 or 10.0.10.4, but I can ping 192.168.1.130.
From the WG server I can ping 10.0.10.4, but I can't ping 10.0.10.3 or 192.168.1.130.

I have also tried with a Windows 11 PC (routing enabled) connected to the LTE router: I installed WireGuard on it and was able to reach other devices in its LAN from the WG server, so the WG server itself works properly.

What am I missing? This configuration is not rocket science, but it still does not work... Thanks for helping me :slight_smile:

Here is my OpenWrt router config.
cat /etc/config/network:

# /etc/config/network as posted (key material redacted by the poster).
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd64:f678:5434::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

# LAN side: 192.168.1.0/24 on br-lan; this is the network that should become
# reachable from the tunnel.
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

# WAN side is a DHCP client on eth1 (192.168.0.0/24 behind the LTE router,
# per the "ip route" output further down).
config interface 'wan'
        option proto 'dhcp'
        option device 'eth1'

config interface 'wg0'
        option proto 'wireguard'
        option private_key '***'
        # NOTE(review): a /32 here gives wg0 no on-link route for the rest of
        # 10.0.10.0/24, and the router's routing table below indeed has no
        # 10.0.10.0/24 entry. The replies propose '10.0.10.3/24' here, or
        # route_allowed_ips '1' on the peer section, to install that route.
        list addresses '10.0.10.3/32'

# The VPS peer. allowed_ips is the cryptokey-routing filter (which sources /
# destinations this peer may carry); on its own it does not add a kernel
# route -- that needs route_allowed_ips '1' or a /24 interface address.
config wireguard_wg0
        option public_key '***'
        list allowed_ips '10.0.10.0/24'
        option endpoint_host '51.xxx.xxx.xxx'
        option endpoint_port '51820'
        option persistent_keepalive '23'

cat /etc/config/firewall:

# /etc/config/firewall as posted. The stock OpenWrt rules are kept; the
# poster's additions are the 'wg' zone and the two lan<->wg forwardings at
# the end.

# Global policy: nothing enters or crosses the router unless a zone or rule
# explicitly allows it.
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# NOTE(review): masq on the LAN zone presumably SNATs traffic leaving toward
# LAN hosts to the router's LAN address, so a LAN client sees 192.168.1.1
# instead of the 10.0.10.x originator. That sidesteps per-client firewalls
# (see the reply below) at the cost of losing the real source address in the
# clients' own logs. log '1' turns on logging of rejected/dropped traffic for
# this zone.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option log '1'
        list network 'lan'

# Stock WAN zone: nothing in, nothing through, NAT out.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

# Stock OpenWrt WAN-side exceptions (DHCP renew, ping, IGMP, DHCPv6, MLD,
# ICMPv6, IPsec) -- unchanged from the defaults.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'wan'

# Tunnel zone added by the poster.
# NOTE(review): input 'ACCEPT' exposes every service the router listens on
# (SSH, LuCI, DNS, ...) to every tunnel peer. Fine if the VPS side is fully
# trusted; otherwise prefer REJECT here plus explicit rules for the services
# the tunnel actually needs. No masq on this zone, so LAN hosts would see
# 10.0.10.x sources if the LAN zone's masq were turned off.
config zone
        option name 'wg'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'wg0'

# Forwarding in both directions between the LAN and the tunnel. There is no
# wg -> wan forwarding here; the first reply suggests adding it.
config forwarding
        option src 'lan'
        option dest 'wg'

config forwarding
        option src 'wg'
        option dest 'lan'

OpenWrt Router ip route:

default via 192.168.0.1 dev eth1  src 192.168.0.135 
51.xxx.xxx.xxx via 192.168.0.1 dev eth1 
192.168.0.0/24 dev eth1 scope link  src 192.168.0.135 
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1

WG Server ip route:

default via 51.xxx.xxx.xxx dev ens3 proto dhcp src 51.xxx.xxx.xxx metric 100 
10.0.10.0/24 dev wg0 proto kernel scope link src 10.0.10.1 
51.xxx.xxx.xxx dev ens3 proto dhcp scope link src 51.xxx.xxx.xxx metric 100 
192.168.1.0/24 dev wg0 scope link 
213.xxx.xxx.xxx via 51.xxx.xxx.xxx dev ens3 proto dhcp src 51.xxx.xxx.xxx metric 100

For starters allow wg0 to wan:

But since you basically want a site-to-site setup, it is easier to add the wg0 network to the LAN zone.

Note that your local LAN clients will also have their own firewall, which could block requests from other subnets (e.g. from 10.0.10.0/24).

I have tried with this forwarding too:

# Second attempt: the same lan<->wg forwardings as in the posted firewall
# config, plus wg -> wan as suggested in the first reply.
config forwarding
        option src 'lan'
        option dest 'wg'

config forwarding
        option src 'wg'
        option dest 'lan'

config forwarding
        option src 'wg'
        option dest 'wan'

Still no access.

Also add option route_allowed_ips '1' to the WG peer

Reboot after changing


You are amazing. It solved my problem completely :slight_smile: Thank you!


The problem started here:

which should be list addresses '10.0.10.3/24' instead.
This will automatically install a /24 route to all the tunnel device IPs via the tunnel. If your use of the tunnel is endpoint to endpoint(s) in that /24 space, route_allowed_ips does not need to be set (though it does not hurt to do it).

At the VPS, allowed_ips must be the /32 for each particular peer — with multiple peers, allowed_ips cannot overlap. Fortunately the OP did set the VPS tunnel IP with a /24, so it does work. At an endpoint which has only one peer, allowed_ips can be more general.

If there are LANs on the other side of the tunnel that need to be reachable, then they do need to be added to the routing table with route_allowed_ips or with configuration outside of Wireguard.


You are absolutely right; I always advocate using a /24 list address.

But in general I think that route_allowed_ips should be enabled by default; many clients (Windows, Android) cannot even disable it.

A lot of questions come from users setting up a WG client to a VPN provider who do not get a default route via the WG interface because they failed to enable Route Allowed IPs.

I know I can make a pull request, and actually I have made a patch, but I am not sure whether it will break things or work as intended.

wg-luci-enable-route-allowed-ips-3.patch

diff --git a/protocols/luci-proto-wireguard/htdocs/luci-static/resources/protocol/wireguard.js b/protocols/luci-proto-wireguard/htdocs/luci-static/resources/protocol/wireguard.js
old mode 100644
new mode 100755
index d05acfb..5cfd5b7
--- a/protocols/luci-proto-wireguard/htdocs/luci-static/resources/protocol/wireguard.js
+++ b/protocols/luci-proto-wireguard/htdocs/luci-static/resources/protocol/wireguard.js
@@ -375,6 +375,7 @@ return network.registerProtocol('wireguard', {
uci.set('network', sid, 'preshared_key', pconf.peer_presharedkey);
uci.set('network', sid, 'allowed_ips', pconf.peer_allowedips);
uci.set('network', sid, 'persistent_keepalive', pconf.peer_persistentkeepalive);

  •   				uci.set('network', sid, 'route_allowed_ips', '1');
    
      				if (pconf.peer_endpoint) {
      					uci.set('network', sid, 'endpoint_host', pconf.peer_endpoint[0]);
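Review bot: The added `uci.set('network', sid, 'route_allowed_ips', '1')` forces the option on for every imported peer regardless of what the imported configuration says, so a peer whose Allowed IPs are `0.0.0.0/0` or `::/0` gets a default route installed through the tunnel as a side effect of the import; the same line is added in the `@@ -408` hunk. If a default rather than a forced value is intended, set it only when the imported data does not already carry the option — whether the import format can carry it is not visible in the hunk — and state the reason in a comment, e.g. `// Route Allowed IPs by default: imported VPN-provider configs are expected to steer the default route through the tunnel.` The file header also changes the mode from 100644 to 100755; a static JS resource does not need to be executable and that mode change should be dropped from the patch. The enclosing function starts and ends outside the hunk.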
    

@@ -408,6 +409,7 @@ return network.registerProtocol('wireguard', {
uci.set('network', sid, 'preshared_key', pconf.peer_presharedkey);
uci.set('network', sid, 'allowed_ips', pconf.peer_allowedips);
uci.set('network', sid, 'persistent_keepalive', pconf.peer_persistentkeepalive);

  •   					uci.set('network', sid, 'route_allowed_ips', '1');
      					break;
      				}
      			}
    

@@ -507,6 +509,19 @@ return network.registerProtocol('wireguard', {
return E('em', _('No peers defined yet.'));
};

  •   ss.handleAdd = function(ev, name) {
    
  •   	var config_name = this.uciconfig || this.map.config,
    
  •   		section_id = this.map.data.add(config_name, this.sectiontype, name),
    
  •   		mapNode = this.getPreviousModalMap(),
    
  •   		prevMap = mapNode ? dom.findClassInstance(mapNode) : this.map;
    
  •   	prevMap.addedSection = section_id;
    
  •   	this.map.data.set(config_name, section_id, 'route_allowed_ips', '1');
    
  •   	return this.renderMoreOptionsModal(section_id);
    
  •   };
    
  •   o = ss.option(form.Flag, 'disabled', _('Peer disabled'), _('Enable / Disable peer. Restart wireguard interface to apply changes.'));
      o.modalonly = true;
      o.optional = true;
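Review bot: The new `handleAdd` re-implements the base section's add path (config lookup, `this.map.data.add`, modal-map bookkeeping) only to write `route_allowed_ips` `'1'` on the fresh section, so any later upstream change to the inherited `handleAdd` would silently diverge here; calling the inherited method would be preferable if the new section id can be recovered from it, though it appears to return the modal render rather than the id, so this may not be straightforward. An alternative that needs no override is declaring the default on the Flag in the `@@ -650` hunk (`o.default = o.enabled; o.rmempty = false;`), but that would also switch the option on for existing peers that never set it, so the override is the safer choice if only new peers should get the default; a short comment saying so would help the next reader, e.g. `// New peers get route_allowed_ips on by default; existing peers are left untouched.` Also `dom.findClassInstance` assumes `dom` is required at the top of this module, which the hunk does not show.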
    

@@ -650,7 +665,7 @@ return network.registerProtocol('wireguard', {
return E('span', { 'style': 'display:inline-flex;flex-wrap:wrap;gap:.125em' }, list);
};

  •   o = ss.option(form.Flag, 'route_allowed_ips', _('Route Allowed IPs'), _('Optional. Create routes for Allowed IPs for this peer.'));
    
  •   o = ss.option(form.Flag, 'route_allowed_ips', _('Route Allowed IPs'), _('Create routes for Allowed IPs for this peer.'));
      o.modalonly = true;
    
      o = ss.option(form.Value, 'endpoint_host', _('Endpoint Host'), _('Optional. Host of peer. Names are resolved prior to bringing up the interface.'));
    

But I am going off topic and glad that this is solved :slight_smile:

That one checkbox had frustrated my Wireguard efforts for a long time. Why is this error so common? Lots of users with Wireguard issues that can be traced directly to that one setting being overlooked. That one line or the one checkbox in Luci.


You are right: I have set the wg0 interface address to the /24 subnet and disabled route_allowed_ips — it also works, and I think it is the better solution. In this case you explicitly say that this interface covers the entire subnet.
