I have configured a WireGuard server on my OpenWrt router using "/root/auto_wg_username-id.sh", from this page. The IP address of my OpenWrt router when accessed from the LAN and not the VPN client is 192.168.1.1. The VPN client DNS address is 10.0.5.1. The WireGuard VPN client connects successfully, and when I type in 192.168.1.1 to access the LuCI interface, it works, and I can access LuCI just fine. However, I also have an SSH server running on my LAN located at 192.168.1.2. I can SSH into this server when connected directly to my LAN; however, I cannot SSH to this server when connected via the WireGuard VPN as a client. I suspect this has something to do with the VPN client not sharing the same DNS as the LAN. But I am not certain. What I want to do is (securely) force my WireGuard VPN client to use the same DNS as my LAN, or at least be able to access other systems on my LAN via SSH, when connecting as a WireGuard client. I cannot seem to figure out how to do this and could use some help and advice.
What OS(s) do the host(s) use on your 192.168.1.0/24 network (that you are having trouble reaching)? If they are Windows based systems, you probably need to adjust the firewall on those hosts -- by default, Windows will block any connection attempts initiated from a different subnet.
My host OSes on the LAN (192.168.1.0/24) are Ubuntu Server 20.04. I can SSH into it easily if I connect directly to my router, which the Ubuntu server is also connected to. I'm SSH'ing from macOS.
Also, on a side note (which I didn't document in my ORIGINAL POST), I DID change my router's LAN address from 192.168.1.1 to a different address and subnet like 192.168.2.1. I'm not sure if I have to change something in the firewall as well after changing the router's LAN IP address. Could that be an issue?
I don't have any host-level firewall rules that could restrict inter-VLAN connections. At least I don't think I do. All of my firewall rules are untouched from defaults aside from anything the WireGuard auto-installation script installed. On my LAN network all peers are open as well.
I tried both of the above listed options to no avail.
Here is my wg config for my Mac peer:
By host-level firewall rules, I mean the Windows firewall (or whatever OS you are running). Windows will block connections from a different subnet unless you change the firewall settings on the PC itself.
It looks like you're not actually getting a handshake.
EDIT: to elaborate, if you're getting a valid handshake, you will see something like this:
public key: <REDACTED>
private key: (hidden)
listening port: 8444
preshared key: (hidden)
allowed ips: 10.0.21.2/32
latest handshake: 12 seconds ago
transfer: 10.88 KiB received, 34.80 MiB sent
persistent keepalive: every 25 seconds
WireGuard can appear to be connected even if there is no handshake. But if there is no handshake, it isn't actually able to transfer any data. And that would account for the fact that you cannot reach your devices on the LAN from the remote WG peer.
Some things to check:
1) Do you have a public IPv4 address? (If in doubt, post the first two octets, in bold, of your WAN IP as seen on your OpenWrt device: aaa.bbb.ccc.ddd.)
2) Does the address from above match what you see when you google "what's my IP"?
3) Are your keys exchanged properly?
3a) Try removing the preshared key to reduce the number of variables (you can add it in later).
3b) The interfaces each need their own private key (not to be exchanged).
3c) The public keys must be exchanged between the two peers that will directly connect to each other.
If your keys might be messed up, you can try to fix them, but sometimes it's easier to simply generate new keys.
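Checking the handshake state is the first diagnostic the reply above recommends, and it is easy to misread: a peer can be listed by `wg show` with no "latest handshake" line at all, which means no data has ever flowed. The script below is an added example (not from the original thread and not part of the auto_wg script) that classifies each peer in `wg show` output as OK, STALE or NO_HANDSHAKE. The sample output, the peer key placeholders and the 180-second staleness threshold are constructed assumptions for the example; on a real router you would pipe `wg show` into the function instead.

```shell
#!/bin/sh
# Added example: classify WireGuard peers from `wg show` output by handshake state.

# Constructed sample `wg show` output (placeholders, not real keys). Peer A has a
# fresh handshake; peer B has sent packets but never completed a handshake.
SAMPLE_WG_SHOW='interface: wg0
  public key: SERVERPUBKEYPLACEHOLDER
  private key: (hidden)
  listening port: 8444

peer: PEERAPUBKEYPLACEHOLDER
  preshared key: (hidden)
  endpoint: 203.0.113.10:51820
  allowed ips: 10.0.21.2/32
  latest handshake: 12 seconds ago
  transfer: 10.88 KiB received, 34.80 MiB sent
  persistent keepalive: every 25 seconds

peer: PEERBPUBKEYPLACEHOLDER
  preshared key: (hidden)
  allowed ips: 10.0.21.3/32
  transfer: 0 B received, 1.21 KiB sent
  persistent keepalive: every 25 seconds'

# Reads `wg show` text on stdin and prints one line per peer:
#   <peer-public-key> <OK|STALE|NO_HANDSHAKE> <handshake-age-seconds>
# Age is -1 when the peer has no "latest handshake" line.
# STALE_AFTER (default 180 s) is an assumed threshold: WireGuard rekeys about
# every two minutes, so a much older handshake means traffic is not flowing.
wg_handshake_report() {
  awk -v stale_after="${STALE_AFTER:-180}" '
    function flush() {
      if (peer == "") return
      if (age < 0)                state = "NO_HANDSHAKE"
      else if (age > stale_after) state = "STALE"
      else                        state = "OK"
      printf "%s %s %d\n", peer, state, age
    }
    /^peer: / { flush(); peer = $2; age = -1; next }
    /latest handshake:/ {
      # Sum every "<n> <unit>" pair, e.g. "1 hour, 2 minutes, 3 seconds ago".
      age = 0
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^[0-9]+$/) {
          n = $i; u = $(i + 1)
          if (u ~ /^second/)      age += n
          else if (u ~ /^minute/) age += n * 60
          else if (u ~ /^hour/)   age += n * 3600
          else if (u ~ /^day/)    age += n * 86400
        }
      }
      next
    }
    END { flush() }
  '
}

# Run against the constructed sample; on a router use:  wg show | wg_handshake_report
printf '%s\n' "$SAMPLE_WG_SHOW" | wg_handshake_report
```

A peer reported as NO_HANDSHAKE with a non-zero "sent" counter is the pattern the reply describes: the local side keeps transmitting initiation packets, but nothing ever comes back, which points at the endpoint, port forwarding or key exchange rather than at DNS or LAN firewall rules.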