Hi all,
I'm a recent convert to openwrt and my set up is as follows:
On my windows laptop with Wireguard client, I can connect to luci (192.168.1.1) and the internet, however I cannot connect to my printer's web server (nor ping its IP). When I tracert 192.168.1.66, it stops at 192.168.9.1 (the wireguard interface wg0).
I initially followed the Wireguard server instructions, and then have been following different bits of advice from forum threads which has got me to this point. Currently, I'm out of ideas and not sure what more to do.
I'd be grateful if someone could let me know what is the next step to solving this. I've done screenshots of various config, but let me know if there is something else you need.
Many thanks!
etc/config/firewall
config rule 'wg'
option name 'Allow-WireGuard'
option src 'wan'
option dest_port '51820'
option proto 'udp'
option target 'ACCEPT'
We need to see the complete files (please follow the directions below, images are not as easy to work with).
Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
cat /etc/config/network
cat /etc/config/firewall
Also please include the wg configuration from your windows laptop.
You don't appear to have any IPv6 stuff happening in your config, so remove the IPv6 from the WG interface as it is not useful.
For each of your WG remote peers ('clients'), give them a unique /32 address in the 192.168.9.0/24 network, and remote the 192.168.1.1/24 addresses.
and so on for the other peers.
On the remote peer (client side), make sure that the address of the interface matches that of the wg peer definition in the router's config. 1921.68.9.3/32 is fine as long as it is consistent with the peer's config in the router.
For the allowed IPs in the remote peer (laptop), you can just use 0.0.0.0/0 instead of breaking them up (should the same effect, but it is just cleaner). This is what you will do if you want all traffic to pass through the tunnel. If you're aiming to only force the traffic for the LAN (i.e. remote access/admin of that network), just set this to 192.168.1.0/24 and 192.168.9.0/24
Ok, many thanks. So I have removed the IPv6 from wg0 and updated addresses as suggested.
Changes in /etc/config/network
config interface 'wg0'
option proto 'wireguard'
option private_key '<REDACTED>'
option listen_port '51820'
list addresses '192.168.9.1/24'
config wireguard_wg0 'wgclient'
option description 'A21s'
option route_allowed_ips '1'
option public_key '<REDACTED>'
list allowed_ips '192.168.1.1/24'
list allowed_ips '192.168.9.2/32'
config wireguard_wg0
option description 'legion'
option route_allowed_ips '1'
option public_key '<REDACTED>'
list allowed_ips '192.168.1.1/24'
list allowed_ips '192.168.9.3/32'
However, I'm still seeing the same behaviour... I can access 192.168.1.1 and the internet, however, I can't access the printer web server or ping it. Doesn't get further than 192.168.9.1
Is it default behaviour that devices on the 192.168.9.0 network should be able to connect to 192.168.1.0, or is it something that I may have missed? Any other settings I can share that could help?
Try restarting the router, just in case something hasn't applied properly.
If that doesn't work, set your wg0 interface in another firewall zone -- create a vpn zone, for example, with input = accept, output = accept, forward = drop. Then allow forwarding from the vpn zone to the lan zone.
So, I've added the new firewall zone, and seeing the same behaviour, however, I'm not 100% sure if I need to change some of the other settings. I created it using luci and kept the defaults, just changing the accept, accept, drop and then adding the wan and lan to forward destination.
Is there anything else I should be changing?
config zone
option name 'wg'
option input 'ACCEPT'
option output 'ACCEPT'
list network 'wg0'
option forward 'DROP'
config forwarding
option src 'wg'
option dest 'lan'
config forwarding
option src 'wg'
option dest 'wan'
Do you have another device on the LAN that you can try pinging and/or connecting to? It is possible that the printer is not accepting connections from outside the subnet that is uses for its connection. (while you're at it, it would be a good idea to make sure you can connect to the device from another host on the same network -- just a quick sanity check to make sure it is still functioning properly).
So I can ping one of the Tenda MW5Gs (mesh access point, in bridge mode). Also can ping the TV. So, it must be the printer. (As an aside, I had to get their IPs from the devices themselves, as they don't appear in the DNS / DHCP page in luci. Is that normal?)
I can ping the printer from within the same 192.168.1.x LAN yes.
I did have a look earlier if there was an option for accepting connections from outside the network, but nothing jumped out immediately. I'll look again. There's no other way around it presumably?
PS. Thank you so much for your help. It's so nice to go through it all with someone! I've got so much to learn.
Yes, sounds like the printer is the issue. How is it setup on the network -- does it use a static IP or a DHCP supplied address?
The DHCP leases are stored in RAM. When you rebooted the router earlier, that would have cleared the lease information. It will repopulate as the leases come up for renewal.
Can you show screenshots of the printer's network configuration as well as any security settings and/or any other config options that might be relevant.
Definitely looking promising as I've just spotted "Restricted server list" which appears to do what we need. I've added 192.168.9.0/24 but no luck so far. Will try a few more options and restart the printer physically just in case. There's quite a few options I don't understand yet, but have tracked down the manual.
Up to now I've set the static IP on the printer itself rather than DHCP. But I'm not sure why enable Auto IP is enabled. (Presumably it ignores that, as it takes the static I've set)
In the dropdown below the restricted sever list, what else is there in the list?
Can you find the location where you have set the IP manually (if different than this page) and provide screenshots? If it is on this page, uncheck auto IP and let's see what the network configuration options look like (screenshot).
We're in business! Great call!
You were bang on the money about the static IP page.
Weirdly, it was just an unassuming hyperlink "set static IP address". However, when I clicked it, I had IP, mask, and gateway inputs. And the gateway was wrong! It was set to my previous BT 192.168.1.254 router address.
