Access to router ports through VPN from another VPN on VPS

Please see the images. The first image is my network map, and the second screenshot shows the firewall settings of the OpenWRT router.

Short description: Any 10.7.0.xx and 10.8.0.xx clients can access any 10.8.0.xx and 10.7.0.xx clients

Clients on 10.7.0.xx can access the router (10.7.0.51).

For 10.8.0.xx clients, the router does not respond to requests.
Question: how do I make the router (10.7.0.51) respond to the 10.8.0.xx clients?

Long description: Mobile phones with the OpenVPN client app have access to mobile phones with the WireGuard client app. That's why, I think, the VPS has correct configs.
But OpenVPN clients do not have access to the WireGuard client on the OpenWRT router.
IP 10.7.0.51 responds only to 10.7.0.xx requests, but does not respond to requests from 10.8.0.xx clients.

You probably need to add some routes. You might need to push a route to the OpenVPN clients for 10.7.0.0/24 via the tunnel. Make sure that you are allowing forwarding between the networks on the VPS. Then add a route on the OpenWrt router for 10.8.0.0/24 via 10.7.0.1.

Or... you could just move everything to Wireguard :slight_smile:

10.7.0.0/24 clients have full access to 10.8.0.0/24 clients.
10.8.0.0/24 clients have full access to 10.7.0.0/24 clients.
That's why all clients (except the router) and the VPS have correct configs.

Only the router does not respond to 10.8.0.0/24 clients, but the router does respond to 10.7.0.0/24 clients.

Does the OpenWrt router have a route back to 10.8.0.0/24? If not, it may not know where to respond to those requests.

Most likely it doesn't.

On the previous router, with exactly the same version of OpenWRT, I managed to solve this problem when I was in the WireGuard access list (I have an extension installed so that traffic is routed through the WAN by default, and certain IPs are routed through the VPN). But now it doesn't help. I disabled the extension.
Added to the WireGuard peers:

Added to the WireGuard zone settings:

Rebooted the router, but it didn't help.

How do I set up the route back?

Let’s see your complete config.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

Can you elaborate on this? Did you uninstall it? Disable it by a config option? Or something else?

I disabled it.

A very strange thing is happening with WireGuard. If I specify peers 128.0.0.0/1 and 0.0.0.0/1, then WireGuard starts working as the default gateway. I unchecked "default gateway" in the WireGuard interface settings and gave it a metric number higher than the WAN metric number. But with these peer settings, WireGuard continues to work as the default gateway. At the same time, I have the access to the router I need from the 10.8.0.0/24 clients, but I do not need WireGuard as the default gateway.

Now I will fix the settings after some experiments and do what you suggested.

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.1.1'
        option metric '10'
        option delegate '0'

config interface 'wan'
        option device 'eth0.2'
        option proto 'pppoe'
        option username 'wan'
        option password 'pass'
        option ipv6 '0'
        option peerdns '0'
        list dns '8.8.8.8'
        list dns '8.8.4.4'
        list dns '1.1.1.1'
        option delegate '0'
        option metric '10'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 6t'

config interface 'VPS'
        option proto 'wireguard'
        option private_key 'keyyyyyyyyyyyyyyyyyyyyyyyyyyyy'
        list addresses '10.7.0.51/24'
        option peerdns '0'
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        option delegate '0'
        option metric '51'
        option defaultroute '0'
        option nohostroute '1'

config wireguard_VPS
        option description 'router.conf'
        option public_key 'keyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy'
        option preshared_key 'keyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy'
        option persistent_keepalive '25'
        option endpoint_host '181.156.99.54'
        option endpoint_port '25111'
        option route_allowed_ips '1'
        list allowed_ips '0.0.0.0/0'

config route
        option target '10.8.0.0/24'
        option gateway '10.7.0.1'
        option interface 'VPS'

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option output 'ACCEPT'
        option family 'ipv4'
        list network 'lan'
        option input 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        option family 'ipv4'
        option input 'DROP'
        option forward 'DROP'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option proto 'icmp'
        option family 'ipv4'
        option target 'ACCEPT'
        list icmp_type 'echo-request'
        option src 'wan'

config rule
        option name 'Allow-IGMP'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'
        option src 'wan'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
        option family 'ipv4'

config zone
        option output 'ACCEPT'
        option mtu_fix '1'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option family 'ipv4'
        list network 'VPS'
        option masq '1'
        option name 'wireguard'

config forwarding
        option src 'lan'
        option dest 'wireguard'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'RDP'
        option dest_ip '192.168.1.122'
        list proto 'tcp'
        list proto 'udp'
        option src_dport '3389'
        option dest_port '3389'
        option src 'wireguard'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'NAS'
        option dest_ip '192.168.1.115'
        list proto 'tcp'
        list proto 'udp'
        option src_dport '445'
        option dest_port '445'
        option src 'wireguard'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'RDP NAS'
        option src_dport '3390'
        option dest_ip '192.168.1.115'
        option dest_port '3389'
        option src 'wireguard'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'qbittorent'
        option src_dport '8080'
        option dest_ip '192.168.1.115'
        option dest_port '8080'
        option src 'wireguard'

config forwarding
        option dest 'lan'
        option src 'wireguard'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'home_assistant'
        option src_dport '8123'
        option dest_ip '192.168.1.110'
        option dest_port '8123'
        option src 'wireguard'

config forwarding
        option src 'lan'
        option dest 'wan'
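Both routing questions in this thread (whether the OpenWrt router has a route back to 10.8.0.0/24 so it knows where to send replies, and why peer allowed IPs of 0.0.0.0/1 plus 128.0.0.0/1 turn WireGuard into the default gateway no matter what metric the interface has) come down to the kernel's longest-prefix-match rule: the most specific matching prefix wins first, and metric only breaks ties between prefixes of equal length, so a /1 always beats the /0 default route. The script below is an added example, not something posted in the thread and not part of OpenWrt; it implements that lookup over `ip route show`-style text so the effect can be checked offline. The three route tables, the WAN gateway 203.0.113.1 and the interface name pppoe-wan are constructed sample data modelled on the configs above.

```shell
#!/bin/sh
# Added example: longest-prefix-match lookup over "ip route show"-style output.
# Not from the thread or OpenWrt; sample tables below are constructed.

# Router table as posted before the return route existed (constructed sample).
ROUTES_BEFORE='default via 203.0.113.1 dev pppoe-wan metric 10
10.7.0.0/24 dev VPS scope link metric 51
192.168.1.0/24 dev br-lan scope link metric 10'

# Same table after the "config route" for 10.8.0.0/24 via 10.7.0.1 is applied.
ROUTES_AFTER="$ROUTES_BEFORE
10.8.0.0/24 via 10.7.0.1 dev VPS metric 51"

# Table produced by allowed_ips 0.0.0.0/1 + 128.0.0.0/1 with route_allowed_ips '1'.
ROUTES_HALVES='default via 203.0.113.1 dev pppoe-wan metric 10
0.0.0.0/1 dev VPS metric 51
128.0.0.0/1 dev VPS metric 51
10.7.0.0/24 dev VPS scope link metric 51'

# lookup TABLE DEST: print "<prefix> dev <iface> [via <gw>]" for the most specific
# route matching DEST, or "no route". Metric is ignored on purpose: the kernel only
# consults it among routes with the same prefix length.
lookup() {
  printf '%s\n' "$1" | awk -v dst="$2" '
    function ip2n(s,  p) { split(s, p, "[.]"); return ((p[1]*256+p[2])*256+p[3])*256+p[4] }
    # true when address a lies inside net/len (len 0 matches everything)
    function in_prefix(net, len, a) {
      if (len == 0) return 1
      return int(a / 2^(32-len)) == int(net / 2^(32-len))
    }
    BEGIN { best = -1; d = ip2n(dst) }
    {
      if ($1 == "default") { net = 0; len = 0 }
      else { split($1, c, "/"); net = ip2n(c[1]); len = (c[2] == "") ? 32 : c[2] + 0 }
      dev = ""; via = ""
      for (i = 2; i <= NF; i++) { if ($i == "dev") dev = $(i+1); if ($i == "via") via = $(i+1) }
      if (in_prefix(net, len, d) && len > best) {
        best = len
        out = $1 " dev " dev ((via != "") ? " via " via : "")
      }
    }
    END { print (best < 0) ? "no route" : out }'
}

# reply_via TABLE DEST IFACE: succeed when replies to DEST would leave through IFACE.
# A reply to a 10.8.0.x client that resolves to pppoe-wan instead of VPS is the
# "router does not respond" symptom: it gets NATed out the WAN and never arrives.
reply_via() {
  case "$(lookup "$1" "$2")" in
    *" dev $3 "*|*" dev $3") return 0 ;;
    *) return 1 ;;
  esac
}

# Usage on a live router: lookup "$(ip route show)" 10.8.0.7
```

On the router itself the same check is `ip route get 10.8.0.7`; the script only reproduces the decision so the two cases can be compared side by side: with ROUTES_BEFORE a reply to 10.8.0.7 follows the WAN default route, with ROUTES_AFTER it goes to 10.7.0.1 on VPS, and with ROUTES_HALVES every destination matches one of the two /1 prefixes before the default route is ever considered, which is why lowering the interface metric or unticking "default gateway" has no effect on them.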