I have configured a WireGuard server on my OpenWrt router using "/root/auto_wg_username-id.sh", from this page. The IP address of my OpenWrt router, when accessed from the LAN and not from the VPN client, is 192.168.1.1. The VPN client DNS address is 10.0.5.1. The WireGuard VPN client connects successfully, and when I type in 192.168.1.1 to access the LuCI interface, it works, and I can access LuCI just fine. However, I also have an SSH server running on my LAN located at 192.168.1.2. I can SSH into this server when connected directly to my LAN; however, I cannot SSH to this server when connected via the WireGuard VPN as a client. I suspect this has something to do with the VPN client not sharing the same DNS as the LAN, but I am not certain. What I want to do is (securely) force my WireGuard VPN client to use the same DNS as my LAN, or at least be able to access other systems on my LAN via SSH when connecting as a WireGuard client. I cannot seem to figure out how to do this and could use some help and advice.
Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
What OS(s) do the host(s) use on your 192.168.1.0/24 network (that you are having trouble reaching)? If they are Windows based systems, you probably need to adjust the firewall on those hosts -- by default, Windows will block any connection attempts initiated from a different subnet.
My host OSes on the LAN (192.168.1.0/24) are Ubuntu Server 20.04. I can SSH into it easily if I connect directly to my router, to which the Ubuntu server is also connected. I'm SSH'ing from macOS.
Also, on a side note (which I didn't document in my ORIGINAL POST), I DID change my router's LAN address from 192.168.1.1 to a different address and subnet, like 192.168.2.1. I'm not sure if I have to change something in the firewall as well after changing the router's LAN IP address. Could that be an issue?
Do you have any host-level firewall rules that could restrict inter-VLAN connections?
You could try the following options (either/or, not both):
Option 1: Change the networks in your lan zone to be defined as "list network" lines.
config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list device 'tun+'
list network 'lan'
list network 'wg_lan'
-- or --
Option 2: Remove wg_lan from the lan zone, then create a new zone for it and allow forwarding.
config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list device 'tun+'
list network 'lan'
config zone 'wg'
option name 'wg'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'wg_lan'
config forwarding
option src 'wg'
option dest 'lan'
I don't have any host-level firewall rules that could restrict inter-VLAN connections. At least I don't think I do. All of my firewall rules are untouched from defaults, aside from anything the WireGuard auto-installation script installed. On my LAN network all peers are open as well.
I tried both of the above listed options to no avail.
Here is my wg config for my Mac peer:
I also tried changing the DNS to 192.168.2.1 in this configuration. 192.168.2.1 is the DNS and IP address of my router. I successfully connected, but did not see other local hosts on the LAN.
By host-level firewall rules, I mean the Windows firewall (or whatever OS you are running). Windows will block connections from a different subnet unless you change the firewall settings on the PC itself.
It looks like you're not actually getting a handshake.
EDIT: to elaborate, if you're getting a valid handshake, you will see something like this:
interface: wireguard
public key: <REDACTED>
private key: (hidden)
listening port: 8444
peer: <REDACTED>
preshared key: (hidden)
endpoint: <REDACTED>
allowed ips: 10.0.21.2/32
latest handshake: 12 seconds ago
transfer: 10.88 KiB received, 34.80 MiB sent
persistent keepalive: every 25 seconds
WireGuard can appear to be connected even if there is no handshake. But if there is no handshake, it isn't actually able to transfer any data, and that would account for the fact that you cannot reach your devices on the LAN from the remote WG peer.
Some things to check:
1) Do you have a public IPv4 address? (If in doubt, post the first two octets, in bold, of your WAN IP as seen on your OpenWrt device: aaa.bbb.ccc.ddd.)
2) Does the address from above match what you see when you google "what's my IP"?
3) Are your keys exchanged properly?
3a) Try removing the preshared key to reduce the number of variables (you can add it in later).
3b) The interfaces each need their own private key (not to be exchanged).
3c) The public keys must be exchanged between the two peers that will directly connect to each other.
If your keys might be messed up, you can try to fix them, but sometimes it's easier to simply generate new keys.
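The point above is that a WireGuard tunnel can look "up" while no peer has ever completed a handshake, so a LAN-reachability problem is worth checking at the handshake level before touching firewall zones or DNS. The following is an added example, not code from this thread, from OpenWrt or from the WireGuard project: a POSIX shell function that parses the human-readable `wg show` output and classifies every peer as OK, STALE or NONE (never handshaked). The sample dump, the peer key names and the endpoint are constructed placeholders in the same layout as the output quoted above.

```shell
#!/bin/sh
# Added example: flag WireGuard peers that have no fresh handshake.
# Usage on the router:   wg show wg_lan | check_handshakes 180
# Exit status is 1 when at least one peer is STALE or NONE, so the
# function can be used from a cron job or a monitoring check.

# Constructed sample in the layout of `wg show` (placeholders, not real keys).
# Peer A handshaked 12 s ago; peer B has sent packets but never got a reply.
SAMPLE_WG_SHOW='interface: wg_lan
  public key: SERVER_PUBKEY_PLACEHOLDER
  private key: (hidden)
  listening port: 8444

peer: PEER_A_PUBKEY_PLACEHOLDER
  preshared key: (hidden)
  endpoint: 203.0.113.10:51820
  allowed ips: 10.0.21.2/32
  latest handshake: 12 seconds ago
  transfer: 10.88 KiB received, 34.80 MiB sent
  persistent keepalive: every 25 seconds

peer: PEER_B_PUBKEY_PLACEHOLDER
  allowed ips: 10.0.21.3/32
  transfer: 0 B received, 2.12 KiB sent
  persistent keepalive: every 25 seconds'

# check_handshakes [max_age_seconds]  (reads `wg show` text on stdin)
check_handshakes() {
    max_age="${1:-180}"
    awk -v max="$max_age" '
    # Emit the verdict for the peer block that just ended.
    function flush() {
        if (peer == "") return
        if (!seen)          { print "NONE  " peer " (no handshake ever completed)"; bad++ }
        else if (age > max) { print "STALE " peer " (" age "s ago)"; bad++ }
        else                  print "OK    " peer " (" age "s ago)"
    }
    /^peer: / { flush(); peer = $2; seen = 0; age = 0 }
    /^ *latest handshake: / {
        seen = 1; age = 0
        # Convert "1 hour, 2 minutes, 3 seconds ago" into seconds by walking
        # the "<number> <unit>" pairs; a bare "Now" leaves age at 0.
        sub(/^ *latest handshake: */, "")
        n = split($0, w, /[ ,]+/)
        for (i = 1; i + 1 <= n; i += 2) {
            if      (w[i+1] ~ /^day/)    age += w[i] * 86400
            else if (w[i+1] ~ /^hour/)   age += w[i] * 3600
            else if (w[i+1] ~ /^minute/) age += w[i] * 60
            else if (w[i+1] ~ /^second/) age += w[i]
        }
    }
    END { flush(); exit (bad > 0) }
    '
}

# Stand-alone demo on the constructed sample (peer B makes it return 1).
printf '%s\n' "$SAMPLE_WG_SHOW" | check_handshakes 120 \
    || echo "at least one peer has no usable handshake"
```

A peer reported as NONE is the symptom described in the reply: the client sends traffic (non-zero "sent" counter) but nothing ever comes back, which points at endpoint, port forwarding or key problems rather than at LAN firewall zones or DNS. The threshold should be set above the peer's keepalive interval (25 s here) so that an idle but healthy peer is not reported as STALE.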
Oh wow. Sorry. I didn't realize you wanted me to post this while connected via WireGuard. Please note that I also just learned I am able to SSH into my OpenWrt router when using WireGuard, but not my other LAN devices (my Ubuntu server). I am still able to SSH into my Ubuntu server when connected directly to my router. Pinging my local Ubuntu server fails when connected to WireGuard as well, but not when directly plugged into my local OpenWrt router.
Here is the command output when I am connected via WireGuard.
EDIT:
It just occurred to me that I probably should have mentioned this in my initial post.
I am running my router behind a router. The first router is my ISP's router. The second router is my OpenWrt router. The first router is using port forwarding to forward its WireGuard port to the OpenWrt router. I didn't think this was relevant since I am successfully connecting to OpenWrt with WireGuard. Just to check things, when I go to https://www.dnsleaktest.com/ and do a DNS leak test, it shows DNS addresses from my ISP router, and correctly shows that my DNS is not leaking. I just figured this is extra information that might somehow be relevant beyond my knowledge.
Lastly, the only thing I can think of is that somehow my VPN DNS requests are not querying, or not being properly forwarded to, the local OpenWrt DNS. Somehow, I can't get it out of my head that this is a local DNS issue. I figured the WireGuard script would have this working right out of the box, but I guess my local server is not seeing my VPN client on the same network as my local connection to the router. If this is true, then the solution would have to somehow be a way to get my VPN client to link itself to the local router's LAN, not 192.168.9.1.
I'm at a loss, so I'm just shooting out ideas. Your help is much appreciated!
This could be very relevant. Is anything else connected to your ISP router? Or is everything behind the OpenWrt router? What is the subnet of your ISP router? How is the OpenVPN router connected to the ISP router (ISP router LAN > OpenWrt WAN, or LAN > LAN)?
So the ISP router is actually on 192.168.1.1, not the OpenWrt router. The OpenWrt router is on 192.168.2.1. I obfuscated the original addresses because I didn't think it mattered. Nothing else is connected to my ISP router. Everything is behind the wrt router. The OpenVPN router is connected to the ISP router like so... WAN > ISP ROUTER > ISP LAN > OpenWrt LAN > LAN devices. However, I still don't think having a dual-router setup is relevant if port forwarding is working. I tested this theory by plugging in a Pepwave Surf SOHO router and turning on its OpenVPN server. When testing, I made sure the SOHO device was in the exact same setup as the wrt router; in other words, it was connected from the ISP router's LAN to its WAN, and then all local devices were connected to the SOHO LAN. After testing this, OpenVPN works perfectly on the SOHO with access to all of my LAN devices. To double-check things, I flashed another wrt router with OpenWrt and installed OpenVPN with the setup script listed in the OpenWrt OpenVPN setup section. Once again, I cannot access my local devices on the OpenVPN OpenWrt router using OpenVPN, even though it is using the same IP as my SOHO was. So essentially, I am having the same issue on both my wrt routers, one using WireGuard and the other using OpenVPN. Neither seems to be able to connect to the local devices when being tunneled. However, my SOHO can under the same configuration.
Ok, so let's see the latest configuration. Don't obfuscate the internal addresses (it's not necessary). Redact keys, public IPs, passwords, etc.
Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have: