Cannot access local server over internet when wireguard connected

Hi,
I have a webserver running my local machine (192.168.0.8) and I can access the web application using port 443. I forwarded the 443 port on openwrt to access the service from internet.

I also installed and configured wireguard vpn on my Openwrt router according to this guideline.

The problem is, when I activate the wiregurad interface on my router to access internet, I can visit all websites except the web Applicaiton running on my local machine (192.168.0.8) where I opened 443 port.

My network config is below

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fd0f:ece9:42da::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.0.1'

config interface 'wan'
        option proto 'dhcp'
        option device 'wan'
        option macaddr '00:00:00:00:00:00'

config interface 'wan6'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option device 'wan'
        option auto '0'

config device
        option name 'eth0'
        option mtu '1500'
        option macaddr '00:00:00:00:00:00'

config device
        option name 'wan'
        option macaddr '00:00:00:00:00:00'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'private-key-xyz'
        list addresses '10.22.209.4/24'
        list addresses 'fd11:5ee:bad:c0de::4/64'
        option peerdns '0'
        list dns '8.8.8.8'
        list dns '8.8.4.4'

config wireguard_wg0
        option description 'Imported peer configuration'
        option public_key 'public-keyxyz'
        option preshared_key 'presharedkey-xyz'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::0/0'
        option endpoint_host 'public-ip-wg'
        option endpoint_port '51820'
        option route_allowed_ips '1'

My firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'HTTPS'
        option src 'wan'
        option src_dport '443'
        option dest_ip '192.168.0.8'
        option dest_port '443'

config redirect				#I also configured wireguard on my local server for accessing remotely
        option dest 'lan'
        option target 'DNAT'
        option name 'VPN'
        option src 'wan'
        option src_dport '51820'
        option dest_ip '192.168.0.128'
        option dest_port '51820'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'wg0'
        option masq '1'

config forwarding
        option src 'lan'
        option dest 'vpn'

I will appreciate your suggestion.

What is the remote peer configuration?

Is this acting as the 'server' or the 'client'? From the looks of it, it appears to be functioning as the 'client' (in that it initiates the connection to the remote peer) but I just want to be sure.

Can you also post the remote peer's config, please.

Yes. this is acting as a client.

below is the peer configuration

[Interface]
PrivateKey = my-private-key
Address = 10.22.209.4/24,fd11:5ee:bad:c0de::4/64
DNS = 8.8.8.8, 8.8.4.4

[Peer]
PublicKey = my-public-key
PresharedKey = my-preshared-key
Endpoint = xxx.xxx.xxx.xxx:51820
AllowedIPs = 0.0.0.0/0, ::0/0

I'm a bit confused here... both sides appear to be operating as the 'client' in this set of configs.

Typically the endpoint is only specified for the one operating as the 'client', but that is shown in both sides. This also impacts how the IPs are structured -- just focusing on the IPv4 side: both sides appear to have the same interface IP (10.22.209.4/24), and the same allowed IPs (0.0.0.0/0).

Are you actually getting a proper handshake? What is the output of wg show?


Usually, the 'server' will have a structure more like this:

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'private-key-xyz'
        list addresses '10.22.209.1/24'
        option listen_port '51820'

config wireguard_wg0
        option description 'Imported peer configuration'
        option public_key 'public-keyxyz'
        option preshared_key 'presharedkey-xyz'
        list allowed_ips '10.22.209.2/32'
        option route_allowed_ips '1'

and the 'client' side would look like this:

[Interface]
PrivateKey = my-private-key
Address = 10.22.209.2/32
DNS = 8.8.8.8, 8.8.4.4

[Peer]
PublicKey = public-key
PresharedKey = preshared-key
Endpoint = xxx.xxx.xxx.xxx:51820
AllowedIPs = 0.0.0.0/0
1 Like

Ah

Apology. I misunderstood the server side configuration and actually provided the client side configuration.

At the server side, I installed pivpn on a remote vps.

I am not sure how to get the configuration out from the server.
Could you please tell if you know.

Pivpn automatically configures the server side settings.

Ok. So you have 2 ‘client’ peers and 1 ‘server’ peer with the vps, correct?

Your two ‘clients’ appear to be using the same ip. This will not work. Each ‘client’ peer must have its own ip and keys.

Sorry if I make you confused.

I have only one peer which is
10.22.209.4/24

I configured that peer on my openwrt router to act that as wireguard client so that all my local devices are connected through the remote vpn server.

I think it is related with firewall. Because my local machine where the webserver is hosted has ip 192.168.0.8 and I opened port 443.

But when I connect to wireguard my router gets 10.22.209.4 ip which is different netmask.

Maybe something is happening here. I am not expert in openwrt firewall so cannot understand what is the problem actually.

I'm still very confused about your configuration -- I see that you have a Wireguard 'server' at 192.168.0.128 -- is that involved in anything here?

Can you draw a diagram of your connections (where are you trying to connect from -- is it the VPS itself, or is some other peer that is connected to the VPS)? If you have some additional remote peer, does it have allowed IPs of 0.0.0.0/0?

Does your VPS have a static route installed so that it knows how to reach 192.168.0.0/24?

You can try adding this:

config forwarding
        option src 'vpn'
        option dest 'lan'

You may need to disable masquerading on the vpn firewall zone. This will break everything if the VPS doesn't have a static route for the 192.168.0.0/24 network.

Kindly see if it helps

also tried this

config forwarding
        option src 'vpn'
        option dest 'lan'

but does not work.

Ok. I misunderstood the issue.

If I now understand it correctly, the problem is that when wireguard is activated, the web server becomes inaccessible from the standard public ip.

The solution to this issue is policy based routing.

2 Likes

Thank you.
I will try this.

thank you for saving me

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.