Accessing LAN devices through WireGuard Tunnel

I'm using a VPS as a WireGuard server with the following script: https://github.com/Nyr/wireguard-install

My OpenWrt router is acting as a WireGuard client with IP: 10.7.0.2. I also have a phone connected via 4G through the WireGuard app IP: 10.7.0.3. I can ping my phone from any device on my LAN using that IP but not the other way round. My LAN devices use 192.168.1.x and if I try to ping any device on the LAN from the phone or from the server I get no response back.

I went through a lot of similar posts looking for the answer and have made some modifications to the server.

I added 192.168.1.0/24 to the allowed IPs list on the server config. That automatically created the following ip route on the server: 192.168.1.0/24 dev wg0 scope link

I tried changing the static route to 192.168.1.0/24 via 10.7.0.2 as recommended on another post but it made no difference.

I also have net.ipv4.ip_forward = 1 set on the server.

Server Config:

# Do not alter the commented lines
# They are used by wireguard-install
# ENDPOINT [Redacted]

[Interface]
Address = 10.7.0.1/24, fddd:2c4:2c4:2c4::1/64
PrivateKey = [Redacted]
ListenPort = 51820

# BEGIN_PEER openwrt
[Peer]
PublicKey = [Redacted]
PresharedKey = [Redacted]
AllowedIPs = 10.7.0.2/32, fddd:2c4:2c4:2c4::2/128, 192.168.1.0/24
# END_PEER openwrt
# BEGIN_PEER android
[Peer]
PublicKey = [Redacted]
PresharedKey = [Redacted]
AllowedIPs = 10.7.0.3/32, fddd:2c4:2c4:2c4::3/128
# END_PEER android

OpenWrt Client Config:

[Interface]
Address = 10.7.0.2/24, fddd:2c4:2c4:2c4::2/64
DNS = [Redacted]

[Peer]
PublicKey = [Redacted]
PresharedKey = [Redacted]
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = [Redacted]:51820
PersistentKeepalive = 25

Phone Config:

[Interface]
Address = 10.7.0.3/24, fddd:2c4:2c4:2c4::3/64
DNS = [Redacted]
PrivateKey = [Redacted]

[Peer]
PublicKey = [Redacted]
PresharedKey = [Redacted]
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = [Redacted]:51820
PersistentKeepalive = 25

OpenWrt Network:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd4e:5e2d:ba03::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0t 4 3 2'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 1t'
        option vid '911'

config interface 'WAN'
        option device 'eth0.911'
        option proto 'pppoe'
        option username '[Redacted]'
        option password '[Redacted]'
        option ipv6 'auto'

config interface 'vpn'
        option proto 'wireguard'
        option private_key '[Redacted]'
        list addresses '10.7.0.2/24'
        list addresses 'fddd:2c4:2c4:2c4::2/64'
        option peerdns '0'
        list dns '[Redacted]'

config wireguard_vpn
        option description 'openwrt.conf'
        option public_key '[Redacted]'
        option preshared_key '[Redacted]'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option persistent_keepalive '25'
        option endpoint_host '[Redacted]'
        option endpoint_port '51820'

OpenWrt Firewall:

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'WAN'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'vpn'
        option output 'ACCEPT'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option mtu_fix '1'
        list network 'vpn'
        option masq '1'

config forwarding
        option src 'lan'
        option dest 'vpn'

config forwarding
        option src 'vpn'
        option dest 'lan'

The likely cause is the masquerading. You need to turn this off (or bypass it) in order to allow the inbound traffic to reach devices behind the router.

Can you reach the router itself from your phone?

Thanks for responding.

On the phone I get a ping back from the router on 10.7.0.2. But not for 192.168.1.1.

I have disabled masquerading but the issue persists.

Is this set on the VPS?

I think it reset when I rebooted the server. I have set it now and it's causing some strange behaviour.

So after I changed it I rebooted the WireGuard service and was getting something back when pinging 192.168.1.1.

PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
From 10.7.0.1 icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Destination address required

But after about a minute it stopped responding.

Let's see the status of wg show.

OK, it looks like the reason it stopped responding is that it resets the route back to 192.168.1.0/24 dev wg0 scope link when the service is restarted.

I'm looking for a way to make the route persistent.

wg show on server:

interface: wg0
  public key: [Redacted]
  private key: (hidden)
  listening port: 51820

peer: [Redacted]
  preshared key: (hidden)
  endpoint: [Redacted]
  allowed ips: 10.7.0.2/32, fddd:2c4:2c4:2c4::2/128, 192.168.1.0/24
  latest handshake: 47 seconds ago
  transfer: 872 B received, 41.55 KiB sent

peer: [Redacted]
  preshared key: (hidden)
  endpoint: [Redacted]
  allowed ips: 10.7.0.3/32, fddd:2c4:2c4:2c4::3/128
  latest handshake: 51 seconds ago
  transfer: 74.46 KiB received, 40.87 KiB sent

So the handshakes are working properly. It is most likely just a routes issue.

It would appear so.

My custom routes are being overwritten when the WireGuard service is rebooted, and I need to reboot the service, otherwise the custom routes don't take effect.

So it works for a minute or so then gets blocked again.

If you can set metrics on the routes, wg may not delete them.

Tried a lower metric but it still gets wiped.

So far the only way to get it to stick on a reboot was to remove the allowed IP of 192.168.1.0/24 in the server config and add the route using PostUp and PostDown like so:

[Interface]
Address = 10.7.0.1/24, fddd:2c4:2c4:2c4::1/64
PrivateKey = [Redacted]
ListenPort = 51820
PostUp = ip route add 192.168.1.0/24 via 10.7.0.2
PostDown = ip route del 192.168.1.0/24 via 10.7.0.2

# BEGIN_PEER openwrt
[Peer]
PublicKey = [Redacted]
PresharedKey = [Redacted]
AllowedIPs = 10.7.0.2/32, fddd:2c4:2c4:2c4::2/128
# END_PEER openwrt

Now when I ping a device behind the router from the server or phone I get:

PING 192.168.1.114 (192.168.1.114) 56(84) bytes of data.
From 10.7.0.1 icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Destination address required
From 10.7.0.1 icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Destination address required
From 10.7.0.1 icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Destination address required

I've also tried accessing services hosted on the computer but still cannot establish a connection.

Do I need to setup a similar static route on the router?
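Added example (not part of the thread or of WireGuard itself): a small Python model of WireGuard's cryptokey routing, built from the two server peer tables posted above. It shows why the kernel route alone is not enough: wg0 picks the peer by longest-prefix match over AllowedIPs, and a destination no peer covers fails with EDESTADDRREQ, the "Destination address required" seen in the ping output; the same table also filters inbound packets by source. The errno and function names are this simulation's, not WireGuard's.

```python
"""Model of WireGuard cryptokey routing for the VPS in this thread.

The kernel route ("192.168.1.0/24 dev wg0" or "via 10.7.0.2") only sends a
packet into wg0; wg0 then needs a peer whose AllowedIPs contains the
destination. The same table is an ingress filter: a decrypted packet is
dropped unless its source address maps back to the peer that sent it.
"""
import errno
import ipaddress

def parse_allowed_ips(peers):
    """peers: {peer name: AllowedIPs string as written in wg0.conf}."""
    return {name: [ipaddress.ip_network(c.strip()) for c in spec.split(",")]
            for name, spec in peers.items()}

def select_peer(table, address):
    """Longest-prefix match of an address over every peer's AllowedIPs."""
    addr = ipaddress.ip_address(address)
    best, best_len = None, -1
    for name, nets in table.items():
        for net in nets:
            if net.version == addr.version and addr in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best

def send(table, dst):
    """Egress: return the peer the packet is encrypted to, or fail as the kernel does."""
    peer = select_peer(table, dst)
    if peer is None:  # simulated errno; the real check happens inside the wg driver
        raise OSError(errno.EDESTADDRREQ, "Destination address required")
    return peer

def accept_ingress(table, peer, src):
    """Ingress: keep a decrypted packet only if its source belongs to the sending peer."""
    return select_peer(table, src) == peer

# Peer tables copied from the two server configs posted in the thread.
ORIGINAL = parse_allowed_ips({
    "openwrt": "10.7.0.2/32, fddd:2c4:2c4:2c4::2/128, 192.168.1.0/24",
    "android": "10.7.0.3/32, fddd:2c4:2c4:2c4::3/128",
})
POSTUP_ONLY = parse_allowed_ips({  # 192.168.1.0/24 removed, PostUp route added instead
    "openwrt": "10.7.0.2/32, fddd:2c4:2c4:2c4::2/128",
    "android": "10.7.0.3/32, fddd:2c4:2c4:2c4::3/128",
})

if __name__ == "__main__":
    for label, table in (("original", ORIGINAL), ("PostUp only", POSTUP_ONLY)):
        try:
            print(label, "-> 192.168.1.114 encrypted to peer", send(table, "192.168.1.114"))
        except OSError as e:
            print(label, "->", e.strerror)
        print(label, "-> reply from 192.168.1.1 via openwrt accepted:",
              accept_ingress(table, "openwrt", "192.168.1.1"))
```

Keeping 192.168.1.0/24 in the openwrt peer's AllowedIPs is what makes both the forwarding and the return path possible; a route alone is never consulted by wg0 for peer selection.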

Let's see the openwrt network and firewall configs (latest).

Network:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd4e:5e2d:ba03::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0t 4 3 2'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 1t'
        option vid '911'

config interface 'WAN'
        option device 'eth0.911'
        option proto 'pppoe'
        option username '[Redacted]'
        option password '[Redacted]'
        option ipv6 'auto'

config interface 'vpn'
        option proto 'wireguard'
        option private_key '[Redacted]'
        list addresses '10.7.0.2/24'
        list addresses 'fddd:2c4:2c4:2c4::2/64'
        option peerdns '0'
        list dns '[Redacted]'

config wireguard_vpn
        option description 'openwrt.conf'
        option public_key '[Redacted]'
        option preshared_key '[Redacted]'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option persistent_keepalive '25'
        option endpoint_host '[Redacted]'
        option endpoint_port '51820'

Firewall:

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'WAN'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        option masq '1'

config zone
        option name 'vpn'
        option output 'ACCEPT'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        list network 'vpn'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'vpn'

config forwarding
        option src 'vpn'
        option dest 'lan'

Turn off masquerading on the lan zone. The only zone that needs masq is the wan.

Issue persists.

Seems to be more of a server issue as I've completely disabled the WireGuard interface on the router and I'm still getting the same response when I try to ping the router via 192.168.1.1.

PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
From 10.7.0.1 icmp_seq=1 Destination Host Unreachable

So it's like the server just doesn't know what to do with the request.

I also tried changing the server config back to what I had originally, in case the issue was masq on the LAN interface, but no change there either.

There's also an option in the peer settings for OpenWrt called "Route Allowed IPs". If I enable that checkbox with the current config on the server of 192.168.1.0/24 via 10.7.0.2, I get no internet connection. So I currently have that checkbox unchecked so I can connect directly via WAN for internet but still access VPN clients.

Well it seems as if I've hit a dead end.

I have one last thing to try though. I found this post that matches my issue: https://gist.github.com/insdavm/b1034635ab23b8839bf957aa406b5e39

It suggests adding the following iptables rules:

# iptables -A FORWARD -i wg0-client -j ACCEPT
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

I'm not familiar with iptables, or with nftables, which I believe 22.03 uses.

Since I'm using OpenWrt and not an Ubuntu server as in their example, I'm not sure how to translate these iptables rules to OpenWrt's firewall settings.

Can anyone help me with the correct config for OpenWrt firewall?

If you don't have "route allowed IPs" enabled, you must manually set the routes you want, otherwise the interface doesn't do anything at all.

Is the WireGuard interface actually handshaking on the OpenWrt side:

wg show

With "Route Allowed IPs" enabled in the peer setting:

I get a handshake, but I have no internet connection and cannot ping any VPN IP (10.7.0.1 or 10.7.0.3). Unless, of course, I enable masq on the VPN zone, in which case I regain internet and can ping 10.7.0.1 and 10.7.0.3. I can even SSH into the server via 10.7.0.1, which I cannot do with masq disabled.

Ok... so that indicates that the problem is the route on the VPS side. Everything on OpenWrt is correct, as far as I can tell.

OpenVPN works provided I add a push route 192.168.1.0 255.255.255.0 on the router's client config and

iroute 192.168.1.0 255.255.255.0

on the server config.

I wanted to switch to WireGuard as bandwidth is poor on OpenVPN with my router.

I didn't need to add any static routes or iptables rules with the OpenVPN setup. I'm just looking for some equivalent setup for WireGuard that will get me to the same point.