Can't access Transmission web server over WireGuard

I have WireGuard installed and working on my router; the connection comes up and traffic is being properly tunneled. I can access LAN devices via SSH on the 192.168.0.1/24 subnet; however, I cannot access my Transmission web server at 192.168.0.232:9091 while connected to WireGuard from a remote location. The web server works just fine at this same address for devices connected to the LAN. Any help would be appreciated, thanks! Also, any comments on improving network security would be great, too.

Router info:

root@OpenWrt:~# ubus call system board
{
        "kernel": "5.15.137",
        "hostname": "OpenWrt",
        "system": "ARMv7 Processor rev 5 (v7l)",
        "model": "Linksys WHW03 V2 (Velop)",
        "board_name": "linksys,whw03v2",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.2",
                "revision": "r23630-842932a63d",
                "target": "ipq40xx/generic",
                "description": "OpenWrt 23.05.2 r23630-842932a63d"
        }
}

Network (note: this dump includes the wg0 private_key and the wgclient preshared_key; keys that have been posted publicly should be regenerated on both ends):

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd40:783a:898d::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.0.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '1.1.1.1'
        list dns '8.8.8.8'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option peerdns '0'
        list dns '1.1.1.1'
        list dns '8.8.8.8'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config wireguard_wg0
        option description 'Chase Pixel6'
        option public_key '7X2Ecg4pWyAhrSamlRl930Pwd7CY1/a8IX93LQBJn1c='
        option route_allowed_ips '1'
        list allowed_ips '192.168.9.10/32'

config interface 'wg0'
        option proto 'wireguard'
        option listen_port '51820'
        option private_key 'MARBXVg/Y9OBORv0haaWjbfSMulLI3TrrFjpKXxzwFs='
        list addresses '192.168.9.1/24'
        list addresses 'fdf1:7610:d152:3a9c::1/64'

config wireguard_wg0 'wgclient'
        option public_key 'CxhArkGhzAol/octP9wqcJQ+aTG4QkghtFpqIOTynx0='
        option preshared_key 's6XappBkiBO2x/H+SIEElOnL5CCzN2VGGZADaa3hxRU='
        list allowed_ips '192.168.9.0/24'
        list allowed_ips 'fdf1:7610:d152:3a9c::1/64'

config wireguard_wg0
        option description 'personal-laptop'
        option public_key '0462iOiXnx9FDQ4ekuWvlImGguCOQ4DOUPHHGe7hggc='
        list allowed_ips '192.168.9.11/32'
        option route_allowed_ips '1'

Firewall:

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        list network 'lan'
        list network 'wg0'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone 'wan'
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding 'lan_wan'
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option family 'ipv4'
        option target 'ACCEPT'
        list icmp_type 'echo-request'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule 'wg'
        option name 'Allow-WireGuard'
        option src 'wan'
        option dest_port '51820'
        option target 'ACCEPT'
        list proto 'tcp'
        list proto 'udp'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'wireguard'
        option src 'wan'
        option src_dport '51820'

config zone
        option name 'wireguard'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list network 'wg0'

config forwarding
        option src 'lan'
        option dest 'wireguard'

config forwarding
        option src 'wireguard'
        option dest 'lan'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'plex'
        option src 'wan'
        option src_dport '2244'
        option dest_port '2244'

DHCP:

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        list server '1.1.1.1'
        list server '8.8.8.8'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        option start '100'
        option limit '150'
        option leasetime '12h'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

Edited to remove wireless config dump

Is the Transmission web server configured to accept connections from remote hosts?

It should be: the same Transmission Docker container, with no config changes, running on the same machine worked with remote clients on a previous non-OpenWrt router. The previous router had port 9091 open to the WAN for the web server, so using <WAN-IP>:9091 I could connect from anywhere. To eliminate that security risk I want to use it only over the LAN, using WireGuard to tunnel to the router from anywhere and connecting with <LAN-IP>:9091 as if I were a LAN device. UFW on the server had ports 80, 443, 445, 137, 138 and 139 open, but UFW is now disabled as I am using the current router as my firewall. Regardless, LAN connections should still work fine, and they currently do without any additional traffic rules on the current router, but not for a remote connection over WireGuard. What's interesting is that if I open port 9091 to the WAN on the current router as I had on the old one, and add traffic rules for the UFW ports above, I still cannot connect to the Transmission web server using my WAN IP like I could previously. So I am convinced the issue lies somewhere in my OpenWrt config. Here is some information about the Docker containers running Transmission and gluetun, which tunnels the Transmission client through a consumer VPN service:

CONTAINER ID   IMAGE                              COMMAND                 CREATED       STATUS                PORTS                                                                                                                                                                             NAMES
72b7d990da5a   lscr.io/linuxserver/transmission   "/init"                 8 weeks ago   Up 5 days                                                                                                                                                                                               transmission
69ce9dd53e0b   qmcgaw/gluetun                     "/gluetun-entrypoint"   8 weeks ago   Up 5 days (healthy)   8000/tcp, 8388/tcp, 0.0.0.0:9091->9091/tcp, :::9091->9091/tcp, 8888/tcp, 8388/udp, 0.0.0.0:51413->51413/tcp, :::51413->51413/tcp, 0.0.0.0:51413->51413/udp, :::51413->51413/udp   vpn_torrent_client_gluetun_1

Also the Transmission config (note: with rpc-bind-address 0.0.0.0 and rpc-whitelist-enabled false, the RPC listens on every interface and the username/password is the only access control; the rpc-password field shown here is a stored credential and should be changed if this dump is public):

root@69ce9dd53e0b:/# cat config/settings.json
{
    "alt-speed-down": 50,
    "alt-speed-enabled": false,
    "alt-speed-time-begin": 540,
    "alt-speed-time-day": 127,
    "alt-speed-time-enabled": false,
    "alt-speed-time-end": 1020,
    "alt-speed-up": 50,
    "announce-ip": "",
    "announce-ip-enabled": false,
    "anti-brute-force-enabled": false,
    "anti-brute-force-threshold": 100,
    "bind-address-ipv4": "0.0.0.0",
    "bind-address-ipv6": "::",
    "blocklist-enabled": false,
    "blocklist-url": "http://www.example.com/blocklist",
    "cache-size-mb": 4,
    "default-trackers": "",
    "dht-enabled": true,
    "download-dir": "/downloads/complete",
    "download-queue-enabled": true,
    "download-queue-size": 5,
    "encryption": 1,
    "idle-seeding-limit": 30,
    "idle-seeding-limit-enabled": false,
    "incomplete-dir": "/downloads/incomplete",
    "incomplete-dir-enabled": true,
    "lpd-enabled": false,
    "message-level": 2,
    "peer-congestion-algorithm": "",
    "peer-id-ttl-hours": 6,
    "peer-limit-global": 200,
    "peer-limit-per-torrent": 50,
    "peer-port": 51413,
    "peer-port-random-high": 65535,
    "peer-port-random-low": 49152,
    "peer-port-random-on-start": false,
    "peer-socket-tos": "le",
    "pex-enabled": true,
    "port-forwarding-enabled": true,
    "preallocation": 1,
    "prefetch-enabled": true,
    "queue-stalled-enabled": true,
    "queue-stalled-minutes": 30,
    "ratio-limit": 2,
    "ratio-limit-enabled": false,
    "rename-partial-files": true,
    "rpc-authentication-required": true,
    "rpc-bind-address": "0.0.0.0",
    "rpc-enabled": true,
    "rpc-host-whitelist": "",
    "rpc-host-whitelist-enabled": false,
    "rpc-password": "{d1fd4f670a187c5be06f4a0fee1aa66e7faddf52hXTi0FZ3",
    "rpc-port": 9091,
    "rpc-socket-mode": "0750",
    "rpc-url": "/transmission/",
    "rpc-username": "chase",
    "rpc-whitelist": "",
    "rpc-whitelist-enabled": false,
    "scrape-paused-torrents-enabled": true,
    "script-torrent-added-enabled": false,
    "script-torrent-added-filename": "",
    "script-torrent-done-enabled": false,
    "script-torrent-done-filename": "",
    "script-torrent-done-seeding-enabled": false,
    "script-torrent-done-seeding-filename": "",
    "seed-queue-enabled": false,
    "seed-queue-size": 10,
    "speed-limit-down": 100,
    "speed-limit-down-enabled": false,
    "speed-limit-up": 100,
    "speed-limit-up-enabled": false,
    "start-added-torrents": true,
    "tcp-enabled": true,
    "torrent-added-verify-mode": "fast",
    "trash-original-torrent-files": false,
    "umask": "002",
    "upload-slots-per-torrent": 14,
    "utp-enabled": false,
    "watch-dir": "/watch",
    "watch-dir-enabled": true
}

Network wg0 is listed in both the lan and the wireguard firewall zones. That will probably prevent the firewall from forwarding properly; a network can only be in one zone.

Run tcpdump on the server to see if any http requests come in to port 9091.


Removed wg0 from lan firewall zone, config is now:

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone 'wan'
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding 'lan_wan'
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option family 'ipv4'
        option target 'ACCEPT'
        list icmp_type 'echo-request'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule 'wg'
        option name 'Allow-WireGuard'
        option src 'wan'
        option dest_port '51820'
        option target 'ACCEPT'
        list proto 'tcp'
        list proto 'udp'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'wireguard'
        option src 'wan'
        option src_dport '51820'

config zone
        option name 'wireguard'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list network 'wg0'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option src 'wan'
        option src_dport '32400'
        option dest_port '32400'

config forwarding
        option src 'lan'
        option dest 'wireguard'

config forwarding
        option src 'wireguard'
        option dest 'lan'

tcpdump shows packets exchanged with the remote WireGuard client (192.168.0.130) on both the Transmission port 9091 and the Plex port 32400 (Plex is now also mysteriously not accessible from outside the LAN, so I must have broken something):

22:54:23.231170 IP 192.168.0.130.56719 > user-fileserver.9091: Flags [P.], seq 1017277330:1017278361, ack 2831843526, win 8206, length 1031
22:54:23.232032 IP user-fileserver.9091 > 192.168.0.130.56719: Flags [P.], seq 1:474, ack 1031, win 9787, length 473
22:54:23.272778 IP 192.168.0.130.56719 > user-fileserver.9091: Flags [.], ack 474, win 8212, length 0
22:54:28.246134 IP 192.168.0.130.56719 > user-fileserver.9091: Flags [P.], seq 1031:2062, ack 474, win 8212, length 1031
22:54:28.246742 IP user-fileserver.9091 > 192.168.0.130.56719: Flags [P.], seq 474:947, ack 2062, win 9803, length 473
22:54:28.299198 IP 192.168.0.130.56719 > user-fileserver.9091: Flags [.], ack 947, win 8210, length 0
22:54:33.251730 IP 192.168.0.130.56719 > user-fileserver.9091: Flags [P.], seq 2062:3093, ack 947, win 8210, length 1031
22:54:33.252492 IP user-fileserver.9091 > 192.168.0.130.56719: Flags [P.], seq 947:1420, ack 3093, win 9820, length 473
22:54:33.305397 IP 192.168.0.130.56719 > user-fileserver.9091: Flags [.], ack 1420, win 8208, length 0
22:54:38.261827 IP 192.168.0.130.56719 > user-fileserver.9091: Flags [P.], seq 3093:4124, ack 1420, win 8208, length 1031
22:54:38.262653 IP user-fileserver.9091 > 192.168.0.130.56719: Flags [P.], seq 1420:1893, ack 4124, win 9836, length 473
22:54:38.315345 IP 192.168.0.130.56719 > user-fileserver.9091: Flags [.], ack 1893, win 8206, length 0
22:54:43.266764 IP 192.168.0.130.56719 > user-fileserver.9091: Flags [P.], seq 4124:5155, ack 1893, win 8206, length 1031
22:54:43.267569 IP user-fileserver.9091 > 192.168.0.130.56719: Flags [P.], seq 1893:2366, ack 5155, win 9852, length 473
22:54:43.312249 IP 192.168.0.130.56719 > user-fileserver.9091: Flags [.], ack 2366, win 8212, length 0
22:54:48.756323 IP 192.168.0.130.56719 > user-fileserver.9091: Flags [P.], seq 5155:6186, ack 2366, win 8212, length 1031
22:54:48.757151 IP user-fileserver.9091 > 192.168.0.130.56719: Flags [P.], seq 2366:2839, ack 6186, win 9857, length 473
22:54:48.811759 IP 192.168.0.130.56719 > user-fileserver.9091: Flags [.], ack 2839, win 8210, length 0
22:54:53.763020 IP 192.168.0.130.56719 > user-fileserver.9091: Flags [P.], seq 6186:7217, ack 2839, win 8210, length 1031
22:54:53.763812 IP user-fileserver.9091 > 192.168.0.130.56719: Flags [P.], seq 2839:3312, ack 7217, win 9857, length 473
22:54:53.807441 IP 192.168.0.130.56719 > user-fileserver.9091: Flags [.], ack 3312, win 8208, length 0
22:54:58.764053 IP 192.168.0.130.56719 > user-fileserver.9091: Flags [P.], seq 7217:8248, ack 3312, win 8208, length 1031
22:54:58.764867 IP user-fileserver.9091 > 192.168.0.130.56719: Flags [P.], seq 3312:3785, ack 8248, win 9857, length 473
22:54:58.812807 IP 192.168.0.130.56719 > user-fileserver.9091: Flags [.], ack 3785, win 8206, length 0
22:55:03.779759 IP 192.168.0.130.56719 > user-fileserver.9091: Flags [P.], seq 8248:9279, ack 3785, win 8206, length 1031
22:55:03.780512 IP user-fileserver.9091 > 192.168.0.130.56719: Flags [P.], seq 3785:4258, ack 9279, win 9857, length 473
22:55:03.822035 IP 192.168.0.130.56719 > user-fileserver.9091: Flags [.], ack 4258, win 8212, length 0
22:55:08.792829 IP 192.168.0.130.56719 > user-fileserver.9091: Flags [P.], seq 9279:10310, ack 4258, win 8212, length 1031
22:55:08.793614 IP user-fileserver.9091 > 192.168.0.130.56719: Flags [P.], seq 4258:4731, ack 10310, win 9857, length 473
22:55:08.846783 IP 192.168.0.130.56719 > user-fileserver.9091: Flags [.], ack 4731, win 8210, length 0
22:54:23.276282 IP user-fileserver.32400 > 192.168.0.130.56574: Flags [P.], seq 1121985911:1121985936, ack 1724818406, win 501, length 25
22:54:23.276993 IP 192.168.0.130.56574 > user-fileserver.32400: Flags [P.], seq 1:30, ack 25, win 8211, length 29
22:54:23.277036 IP user-fileserver.32400 > 192.168.0.130.56574: Flags [.], ack 30, win 501, length 0
22:54:31.267387 IP6 user-fileserver.32400 > 2601:8c0:902:1910:341c:ae10:b958:69cb.56562: Flags [P.], seq 1278411863:1278411888, ack 4069156410, win 501, length 25
22:54:31.268049 IP6 2601:8c0:902:1910:341c:ae10:b958:69cb.56562 > user-fileserver.32400: Flags [P.], seq 1:30, ack 25, win 8231, length 29
22:54:31.268126 IP6 user-fileserver.32400 > 2601:8c0:902:1910:341c:ae10:b958:69cb.56562: Flags [.], ack 30, win 501, length 0
22:54:33.277107 IP user-fileserver.32400 > 192.168.0.130.56574: Flags [P.], seq 25:50, ack 30, win 501, length 25
22:54:33.277656 IP 192.168.0.130.56574 > user-fileserver.32400: Flags [P.], seq 30:59, ack 50, win 8211, length 29
22:54:33.277705 IP user-fileserver.32400 > 192.168.0.130.56574: Flags [.], ack 59, win 501, length 0
22:54:41.268051 IP6 user-fileserver.32400 > 2601:8c0:902:1910:341c:ae10:b958:69cb.56562: Flags [P.], seq 25:50, ack 30, win 501, length 25
22:54:41.269240 IP6 2601:8c0:902:1910:341c:ae10:b958:69cb.56562 > user-fileserver.32400: Flags [P.], seq 30:59, ack 50, win 8231, length 29
22:54:41.269318 IP6 user-fileserver.32400 > 2601:8c0:902:1910:341c:ae10:b958:69cb.56562: Flags [.], ack 59, win 501, length 0
22:54:43.277728 IP user-fileserver.32400 > 192.168.0.130.56574: Flags [P.], seq 50:75, ack 59, win 501, length 25
22:54:43.278007 IP 192.168.0.130.56574 > user-fileserver.32400: Flags [P.], seq 59:88, ack 75, win 8211, length 29
22:54:43.278060 IP user-fileserver.32400 > 192.168.0.130.56574: Flags [.], ack 88, win 501, length 0
22:54:51.268607 IP6 user-fileserver.32400 > 2601:8c0:902:1910:341c:ae10:b958:69cb.56562: Flags [P.], seq 50:75, ack 59, win 501, length 25
22:54:51.269405 IP6 2601:8c0:902:1910:341c:ae10:b958:69cb.56562 > user-fileserver.32400: Flags [P.], seq 59:88, ack 75, win 8231, length 29
22:54:51.269485 IP6 user-fileserver.32400 > 2601:8c0:902:1910:341c:ae10:b958:69cb.56562: Flags [.], ack 88, win 501, length 0
22:54:53.278401 IP user-fileserver.32400 > 192.168.0.130.56574: Flags [P.], seq 75:100, ack 88, win 501, length 25
22:54:53.279012 IP 192.168.0.130.56574 > user-fileserver.32400: Flags [P.], seq 88:117, ack 100, win 8211, length 29
22:54:53.279127 IP user-fileserver.32400 > 192.168.0.130.56574: Flags [.], ack 117, win 501, length 0
22:55:01.269568 IP6 user-fileserver.32400 > 2601:8c0:902:1910:341c:ae10:b958:69cb.56562: Flags [P.], seq 75:100, ack 88, win 501, length 25
22:55:01.270185 IP6 2601:8c0:902:1910:341c:ae10:b958:69cb.56562 > user-fileserver.32400: Flags [P.], seq 88:117, ack 100, win 8231, length 29
22:55:01.270262 IP6 user-fileserver.32400 > 2601:8c0:902:1910:341c:ae10:b958:69cb.56562: Flags [.], ack 117, win 501, length 0
22:55:03.279425 IP user-fileserver.32400 > 192.168.0.130.56574: Flags [P.], seq 100:125, ack 117, win 501, length 25
22:55:03.280735 IP 192.168.0.130.56574 > user-fileserver.32400: Flags [P.], seq 117:146, ack 125, win 8211, length 29
22:55:03.280847 IP user-fileserver.32400 > 192.168.0.130.56574: Flags [.], ack 146, win 501, length 0
22:55:11.270546 IP6 user-fileserver.32400 > 2601:8c0:902:1910:341c:ae10:b958:69cb.56562: Flags [P.], seq 100:125, ack 117, win 501, length 25
22:55:11.271330 IP6 2601:8c0:902:1910:341c:ae10:b958:69cb.56562 > user-fileserver.32400: Flags [P.], seq 117:146, ack 125, win 8231, length 29
22:55:11.271412 IP6 user-fileserver.32400 > 2601:8

Still no luck; the connection times out when trying to access either service from the WireGuard client.

The only other thing I see, though probably not related, is that this client's allowed_ips overlap with the other peers'.


Yes, overlapping allowed_ips break WireGuard. Each road-warrior client (phone, laptop, etc.) holds a single, uniquely assigned /32 address in 192.168.9.x and originates all of its connections from it.

Do not masquerade the wireguard interface. That prevents incoming connections (vpn -> lan) from working.

Incoming connections from the road-warrior phone should arrive at the server with the phone's tunnel address, 192.168.9.10, as their source IP.

The phone must NOT be connected to the house Wi-Fi while testing this; it should be tunneling in from the Internet over its independent cellular ISP connection.


I decided to start with a clean slate and re-flashed the router with a fresh image; after following the WireGuard setup instructions again, it now works as expected. All of your observations were correct. A few notes on what was different previously:

  • The overlapping IPs assigned to the WireGuard peers are now resolved

  • No longer port-forwarding WireGuard port 51820; it should be handled only by a firewall rule

  • wg0 is no longer assigned to the LAN firewall zone

Thanks!
