Always-on Wireguard blocking connection to Internet from LAN

Hi All,

I am running OpenWRT on EX5601-T0. Everything seems to be working as I want it apart from Wireguard. I'd like it to be set up on my family's phones so they can access Home Assistant and a few other services as well as use it as a VPN on public networks to add a security layer. The problem I have is that when Wireguard is on and they connect to LAN, they lose all access to the internet, I can't figure out why. For usability I just would like to leave it on at all times. The wireguard connects to my OpenWRT via static IP. The situation is such:

Wireguard 'on' on mobile data -> Can access home and route to Internet

Wireguard 'on' on LAN -> Nothing works, no local services on my Raspberry Pi, no Internet

I have wan added to Wireguard zone, which I believe works OK considering I can still access internet going through the tunnel 1st when on mobile data. I assume the issue is that the public IP is somehow not accessible when connecting through LAN, but I’m sure there must be a solution for it. Any help / ideas would be highly appreciated.

Sounds like a misconfiguration. Let's get the config details:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
wg show
ifstatus wan | grep address

For the last command, only post the first two octets (in bold: aaa.bbb.ccc.ddd).

We also need to see the config from one of your remote peers (i.e. a phone).

It is a LOT of text of similar values to get through to redact, hope I haven’t missed anything :joy:

When on WiFi, I just can't get a handshake. Reading through the output I noticed that my Allowed IPs on Peer was only 10.5.1.2/32, so I also tried adding 192.168.101.5/24 and 192.168.101.0/24 to allow connection from my LAN, but it didn't help and actually adding it to there completely breaks my regular LAN (Obi-WLAN-Kenobi)

Here it goes

ubus call system board:

root@HeavensGate:~# ubus call system board
{
        "kernel": "6.6.104",
        "hostname": "HeavensGate",
        "system": "ARMv8 Processor rev 4",
        "model": "Zyxel EX5601-T0 ubootmod",
        "board_name": "zyxel,ex5601-t0-ubootmod",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.3",
                "revision": "r28872-daca7c049b",
                "target": "mediatek/filogic",
                "description": "OpenWrt 24.10.3 r28872-daca7c049b",
                "builddate": "1758316778"
        }
}

cat /etc/config/network

It's HeavensGate_wg that I'd like to have permanently on. I have some LAN devices that go through NordVPN_UK and NordVPN_ES based on PBR routing, so they can be ignored (although may have some questions about DNS leaks later :thinking: ), but are there to provide a full(er) picture of my setup.

root@HeavensGate:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'IPv6::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        option bridge_empty '1'

config interface 'wan'
        option device 'eth1'
        option proto 'pppoe'
        option username 'vodafone.co.uk'
        option password 'vodafone_password'
        option ipv6 'auto'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'lan1:t'
        list ports 'lan2:t'
        list ports 'lan3'

config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'lan1:t'
        list ports 'lan2:t'
        list ports 'lan4'

config bridge-vlan
        option device 'br-lan'
        option vlan '30'
        list ports 'lan1:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '40'
        list ports 'lan4'

config interface 'Obi_WLAN_Kenobi'
        option proto 'static'
        option device 'br-lan.10'
        option ipaddr '192.168.101.1'
        option netmask '255.255.255.0'
        option type 'bridge'

config interface 'DeathStarIOT'
        option proto 'static'
        option device 'br-lan.20'
        option ipaddr '192.168.102.1'
        option netmask '255.255.255.0'
        option type 'bridge'

config interface 'LAN_Solo'
        option proto 'static'
        option device 'br-lan.30'
        option ipaddr '192.168.103.1'
        option netmask '255.255.255.0'

config interface 'backhaul'
        option proto 'none'
        option device 'br-lan'

config interface 'HeavensGate_wg'
        option proto 'wireguard'
        option private_key 'HeavensGate_wg_private_key'
        option listen_port '50280'
        list addresses '10.5.1.1/32'
        option defaultroute '0'

config wireguard_HeavensGate_wg
        option description 'My_phone'
        option public_key 'HeavensGate_wg_public_key'
        option route_allowed_ips '1'
        option endpoint_port '42383'
        option persistent_keepalive '25'
        list allowed_ips '10.5.1.2/32'

config interface 'NordVPN_UK'
        option proto 'wireguard'
        option private_key 'Nord_private_key'
        list dns '103.86.96.100'
        list dns '103.86.99.100'
        option defaultroute '0'
        list addresses '10.5.0.10/16'

config wireguard_NordVPN_UK
        option description 'uk1694'
        option public_key 'Nord_publik_key'
        list allowed_ips '0.0.0.0/0'
        option endpoint_host '152.89.207.12'
        option endpoint_port '51820'
        option persistent_keepalive '25'

config interface 'NordVPN_ES'
        option proto 'wireguard'
        option private_key 'Nord_private_key'
        option defaultroute '0'
        list addresses '10.5.0.10/16'

config wireguard_NordVPN_ES
        option description 'es238'
        option public_key 'Nord_publik_key'
        list allowed_ips '0.0.0.0/0'
        option endpoint_host '185.214.97.136'
        option endpoint_port '51820'
        option persistent_keepalive '25'

config wireguard_NordVPN_ES
        option disabled '1'
        option description 'es249'
        option public_key 'Nord_publik_key'
        list allowed_ips '0.0.0.0/0'
        option endpoint_host '185.250.39.5'
        option endpoint_port '51820'
        option persistent_keepalive '25' 

cat /etc/config/firewall

root@HeavensGate:~# cat /etc/config/firewall


config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'


config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'
        option enabled '0'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option family 'ipv4'
        option target 'ACCEPT'
        list icmp_type 'echo-request'
        option src_ip '84.8.145.103'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config zone
        option name 'Obi_zone'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'Obi_WLAN_Kenobi'

config zone
        option name 'IOT_zone'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option network 'DeathStarIOT'

config forwarding
        option src 'Obi_zone'
        option dest 'IOT_zone'


config rule
        option name 'Allow_DNS_from_VLANS'
        list proto 'udp'
        option src '*'
        option dest_port '53 67 68'
        option target 'ACCEPT'

config zone
        option name 'LAN_Solo_zo'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'LAN_Solo'

config forwarding
        option src 'LAN_Solo_zo'
        option dest 'wan'

config rule
        option src 'wan'
        option name 'Allow_woreguard'
        list proto 'udp'
        option dest_port '50280'
        option target 'ACCEPT'

config zone
        option name 'HeavensWall'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'HeavensGate_wg'
        option masq '1'

config forwarding
        option src 'HeavensWall'
        option dest 'Obi_zone'

config forwarding
        option src 'HeavensWall'
        option dest 'wan'

config forwarding
        option src 'Obi_zone'
        option dest 'wan'

config zone
        option name 'NordVPN'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        list network 'NordVPN_ES'
        list network 'NordVPN_UK'

config forwarding
        option src 'Obi_zone'
        option dest 'NordVPN'

wg show

root@HeavensGate:~# wg show
interface: HeavensGate_wg
  public key: public_key
  private key: (hidden)
  listening port: 50280

peer: My_phone_peer
  endpoint: 192.168.101.5:42383
  allowed ips: 10.5.1.2/32
  latest handshake: 8 hours, 56 minutes, 29 seconds ago
  transfer: 40.61 MiB received, 144.61 MiB sent
  persistent keepalive: every 25 seconds



interface: NordVPN_ES
  public key: public_key
  private key: (hidden)
  listening port: 40476

peer: server1_ES_ID
  endpoint: 185.214.97.136:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 27 seconds ago
  transfer: 152.43 KiB received, 720.12 KiB sent
  persistent keepalive: every 25 seconds

interface: NordVPN_UK
  public key: public_key
  private key: (hidden)
  listening port: 50177

peer: server1_UK_ID
  endpoint: 152.89.207.12:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 2 minutes, 4 seconds ago
  transfer: 147.52 KiB received, 545.31 KiB sent
  persistent keepalive: every 25 seconds

ifstatus wan | grep address

root@HeavensGate:~# ifstatus wan | grep address
                "addresses",
        "ipv4-address": [
                        "address": "51.9.x.x",
                        "ptpaddress": "84.65.x.x"
        "ipv6-address": [
                        "address": "fe80::6820:x:x:x",
                "ipv4-address": [
                "ipv6-address": [

Mobile config - using Wireguard App

Interface:
Name: HeavensGateVPN
Public key: public_key
Addresses: 10.5.1.2/32
DNS servers: 192.168.101.1
Listen port: 42383
Applications: 1 excluded (Android Auto)

Peer:
Public key: public_key
Allowed IPs: 0.0.0.0/0
Endpoint: 51.9.x.x:50280
Persistent keepalive: every 25 seconds

You've got a few issues that need to be addressed, but aren't necessarily at the core of your issue.

Starting with the network config:

In the above section, you have both VLAN 20 and VLAN 40 assigned as untagged to port lan4. This is not valid -- only one VLAN may be untagged on a port. In addition, I recommend explicitly specifying that with :u* on the port.

It looks like VLAN40 is not used, so you can just delete that bridge-vlan.

Next, remove the bridge line from both of these network interfaces:

Remove the defaultroute line below, and more importantly, change the address. The NordVPN address conflicts with the subnet you've chosen for your inbound VPN, so you need to change it to something else and it should be /24. So, how about 10.20.1.1/24:

Remove the endpoint port, and update the address to 10.20.1.2/32 (to match the new subnet from above):

Remove masquerading from this zone:

On the remote peer, update the address to 10.20.1.2/24 and remove the listen port:

Now that these things should be resolved, the final thing you need to do is configure Policy Based Routing to allow the WG 'server' to route the tunnel out the standard wan, while the rest of the networks use the NordVPN tunnel.

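A small lint for the three config mistakes called out in the post above, added here as an example and not code from the thread or from OpenWrt: it parses a constructed excerpt of the posted /etc/config/network and flags a port untagged on more than one bridge-vlan, an `option type 'bridge'` inside an interface stanza, and overlapping subnets (the 10.5.1.1/32 vs 10.5.0.10/16 conflict).

```python
import ipaddress, shlex
from collections import defaultdict

# Constructed excerpt of the /etc/config/network posted above, trimmed to the lines the checks use.
SAMPLE = """\
config bridge-vlan
        option vlan '20'
        list ports 'lan4'
config bridge-vlan
        option vlan '40'
        list ports 'lan4'
config interface 'Obi_WLAN_Kenobi'
        option type 'bridge'
config interface 'HeavensGate_wg'
        list addresses '10.5.1.1/32'
config interface 'NordVPN_UK'
        list addresses '10.5.0.10/16'
"""

def parse_uci(text):
    """Parse UCI text into (section_type, name, {key: [values]}) tuples."""
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line)                      # shlex handles the quoted values
        if tok[:1] == ["config"]:
            sections.append((tok[1], tok[2] if len(tok) > 2 else None, defaultdict(list)))
        elif tok[:1] in (["option"], ["list"]) and sections:
            sections[-1][2][tok[1]].append(tok[2])
    return sections

def lint(text):
    """Return one finding per mistake: duplicate untagged VLAN, stray bridge type, subnet overlap."""
    findings, untagged, nets = [], defaultdict(list), []
    for typ, name, opts in parse_uci(text):
        if typ == "bridge-vlan":
            for port in (p for p in opts["ports"] if not p.endswith(":t")):  # 'lan4', 'lan4:u*' untagged
                untagged[port.split(":")[0]].append(opts["vlan"][0])
        elif typ == "interface":
            if opts["type"] == ["bridge"]:
                findings.append(f"{name}: 'option type bridge' does not belong in an interface")
            for addr in opts["addresses"]:
                nets.append((name, ipaddress.ip_interface(addr).network))
    for port, vlans in untagged.items():
        if len(vlans) > 1:
            findings.append(f"{port}: untagged on VLANs {', '.join(vlans)}; only one is allowed")
    for i, (a, na) in enumerate(nets):               # every pair of addressed interfaces
        for b, nb in nets[i + 1:]:
            if na.overlaps(nb):
                findings.append(f"{a} ({na}) overlaps {b} ({nb})")
    return findings
```

Running `lint(SAMPLE)` on the excerpt reports all three problems; after applying the changes above (VLAN 40 deleted, bridge line removed, 10.20.1.1/24) it returns an empty list.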

psherman, you're a star!

Thanks for reviewing my config. It does work now. Just for my own learning, can you pinpoint what was causing it to drop when on LAN, and why? Or is it just the case of getting the config correct and then it just has to work ... no questions asked?

Going away on business tomorrow, but will try getting it done next week. Tried to find some answers, but couldn't, so I think I'll open a new thread. The issue is that when I enable a rule to send a device through VPN, I get DNS leaks. I can put in a DNS policy that sorts out the leak for the particular device, but then I don't get the local DNS records resolved as the request goes directly to Nord's DNS. So ideally I'd like the router to handle the DNS for both, but then send the PBR based devices to Nord's DNS and general traffic to my ISP's DNS. I did some reading and as I understood it can't be done with dnsmasq and would need to get unbound up and running. But I believe it deserves its own thread.

I mentioned the fact that you had two VLANs that were untagged on port lan4. That would theoretically not have mattered given that VLAN 40 seemed to be unused, but still could have caused some issues.

The bridge line I referenced doesn't belong in the network interface stanza (there is a bug that will cause it to show up after certain operations in LuCI)... the bridge line will actually break the network interface in certain situations.

A big issue was the overlap of your NordVPN and inbound VPN subnets. Every subnet on a router must be unique and non-overlapping -- if not, it will break routing because of the ambiguity.

I mean, yes.... lol. I don't know which of the specific problems I pointed out was the actual root cause that broke your config.... it might have been one thing, might have been several, might have been the actual combination. I just know that they were problems and that when everything is properly defined and configured, it will work.

If you're really curious, you could undo the changes one at a time and find out what breaks the system. That experiment could be done by only changing a single variable from the working config (and reverting it for the next variable), or a progressive one where you build up the different variables in combination. But, that would be purely academic and I wouldn't really recommend it unless you have the time and interest in really digging into each of those specific callouts.


Yeah, the bottom line is, all needs to be good. I probably won't revert the changes 1 by 1.

Thanks again psherman :slightly_smiling_face:

