Client access to VLAN thru Wireguard VPN

I am trying to access a VLAN on the Wireguard VPN server from the Wireguard client. I can access the VPN Server lan IPs and the VLAN gateway, but I am unable to access the VLAN IPs. Anyone have any ideas? Thanks in advance.

Probably a minor configuration issue. Let's take a look:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
wg show

And we also need to see the remote peer's configuration.

Remote Client Info 

root@JLB-VPN-CLIENT:~# ubus call system board
{
        "kernel": "5.4.211",
        "hostname": "JLB-VPN-CLIENT",
        "system": "ARMv8 Processor rev 4",
        "model": "GL.iNet GL-MT3000",
        "board_name": "glinet,mt3000-snand",
        "release": {
                "distribution": "OpenWrt",
                "version": "21.02-SNAPSHOT",
                "revision": "r15812+908-46b6ee7ffc",
                "target": "mediatek/mt7981",
                "description": "OpenWrt 21.02-SNAPSHOT r15812+908-46b6ee7ffc"
        }
}
root@JLB-VPN-CLIENT:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fda1:4c51:523d::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        option macaddr '(hidden)'

config device
        option name 'eth1'
        option macaddr '(hidden)'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option isolate '0'
        option ipaddr '172.16.30.1'

config device
        option name 'eth0'
        option macaddr '(hidden)'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'
        option force_link '0'
        option ipv6 '0'
        option classlessroute '0'
        option metric '10'

config interface 'wan6'
        option proto 'dhcpv6'
        option device '@wan'
        option disabled '1'

config interface 'guest'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.9.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option multicast_querier '1'
        option igmp_snooping '0'
        option isolate '0'
        option bridge_empty '1'
        option disabled '1'

config rule 'policy_relay_lo_rt_lan'
        option lookup '16800'
        option in 'loopback'
        option priority '1'

config interface 'tethering6'
        option device '@tethering'
        option proto 'dhcpv6'
        option disabled '1'

config interface 'wwan6'
        option device '@wwan'
        option proto 'dhcpv6'
        option disabled '1'

config interface 'wwan'
        option proto 'dhcp'
        option classlessroute '0'
        option metric '20'

config rule 'policy_direct_rt'
        option lookup 'main'
        option suppress_prefixlength '0'
        option priority '1100'

config rule 'policy_default_rt_vpn'
        option mark '0x8000/0xc000'
        option lookup '8000'
        option priority '1101'
        option invert '1'

config rule6 'policy_direct_rt6'
        option lookup 'main'
        option suppress_prefixlength '0'
        option priority '1100'

config rule6 'policy_default_rt_vpn6'
        option mark '0x8000/0xc000'
        option lookup '8000'
        option priority '1101'
        option invert '1'

config rule 'policy_default_rt_vpn_ts'
        option lookup 'main'
        option priority '1099'
        option mark '0x80000/0xc0000'
        option invert '0'

config interface 'tethering'
        option proto 'dhcp'
        option metric '30'
        option ifname 'eth2'

config interface 'modem_1_1_6'
        option ifname '@modem_1_1'
        option proto 'dhcpv6'
        option disabled '1'

config interface 'wgclient'
        option proto 'wgclient'
        option config 'peer_2001'
        option disabled '0'

root@JLB-VPN-CLIENT:~# 
cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'wwan'
        list network 'tethering'
        option input 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'wan'
        option enabled '0'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

config zone
        option name 'guest'
        option network 'guest'
        option forward 'REJECT'
        option output 'ACCEPT'
        option input 'REJECT'

config forwarding
        option src 'guest'
        option dest 'wan'
        option enabled '0'

config rule
        option name 'Allow-DHCP'
        option src 'guest'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '67-68'

config rule
        option name 'Allow-DNS'
        option src 'guest'
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '53'

config include 'nat6'
        option path '/etc/firewall.nat6'
        option reload '1'

config rule 'process_mark'
        option name 'process_mark'
        option dest '*'
        option proto 'all'
        option extra '-m owner --gid-owner 65533'
        option target 'MARK'
        option set_xmark '0x8000/0xc000'

config rule 'process_mark_dns'
        option name 'process_mark_dns'
        option dest '*'
        option proto 'all'
        option extra '-m owner --gid-owner 453'
        option target 'MARK'
        option set_xmark '0x8000/0xc000'

config rule 'process_mark_stubby'
        option name 'process_mark_stubby'
        option dest '*'
        option proto 'all'
        option extra '-m owner --gid-owner 410'
        option target 'MARK'
        option set_xmark '0x8000/0xc000'

config rule 'process_explict_vpn'
        option name 'process_explict_vpn'
        option dest '*'
        option proto 'all'
        option extra '-m owner --gid-owner 20000'
        option target 'MARK'
        option set_xmark '0x20000/0x20000'

config rule 'wan_in_conn_mark'
        option name 'wan_in_conn_mark'
        option src 'wan'
        option dest '*'
        option set_xmark '0x8000/0xc000'
        option target 'MARK'
        option extra '-m mark --mark 0x0/0x3f00 -j CONNMARK --set-xmark 0x8000/0xc000'
        option enabled '1'

config rule 'lan_in_conn_mark_restore'
        option name 'lan_in_conn_mark_restore'
        option src 'lan'
        option dest '*'
        option set_xmark '0x8000/0xc000'
        option target 'MARK'
        option extra '-m connmark --mark 0x8000/0xc000 -j CONNMARK --restore-mark --nfmask 0xc000 --ctmask 0xc000'
        option enabled '1'

config rule 'out_conn_mark_restore'
        option name 'out_conn_mark_restore'
        option dest '*'
        option set_xmark '0x8000/0xc000'
        option target 'MARK'
        option extra '-m connmark --mark 0x8000/0xc000 -j CONNMARK --restore-mark --nfmask 0xc000 --ctmask 0xc000'
        option enabled '1'

config include 'swap_wan_in_conn_mark'
        option type 'script'
        option reload '1'
        option path '/etc/firewall.swap_wan_in_conn_mark.sh'
        option enabled '1'

config include 'vpn_client_deal_leak'
        option type 'script'
        option reload '1'
        option path '/etc/firewall.vpn_client_deal_leak.sh'
        option enabled '1'

config include 'glblock'
        option type 'script'
        option path '/usr/bin/gl_block.sh'
        option reload '1'

config include 'vpn_server_policy'
        option type 'script'
        option path '/etc/firewall.vpn_server_policy.sh'
        option reload '1'
        option enabled '1'

config redirect 'dns_vpn'
        option name 'dns for vpn'
        option src 'lan'
        option src_dport '53'
        option dest 'lan'
        option dest_port '1653'
        option mark '!0x8000/0xc000'
        list proto 'tcp'
        list proto 'udp'
        option enabled '1'

config redirect 'dns_vpn_guest'
        option name 'dns for vpn guest'
        option src 'guest'
        option src_dport '53'
        option dest 'guest'
        option dest_port '1653'
        option mark '!0x8000/0xc000'
        list proto 'tcp'
        list proto 'udp'
        option enabled '1'

config zone 'wgclient'
        option name 'wgclient'
        option forward 'DROP'
        option output 'ACCEPT'
        option mtu_fix '1'
        option network 'wgclient'
        option input 'DROP'
        option masq '1'
        option masq6 '1'
        option enabled '1'

config forwarding 'wgclient2wan'
        option src 'wgclient'
        option dest 'wan'
        option enabled '1'

config forwarding 'lan2wgclient'
        option src 'lan'
        option dest 'wgclient'
        option enabled '1'

config forwarding 'guest2wgclient'
        option src 'guest'
        option dest 'wgclient'
        option enabled '1'

root@JLB-VPN-CLIENT:~# wg show
interface: wgclient
  public key: (hidden)=
  private key: (hidden)
  listening port: 37672
  fwmark: 0x8000

peer: (hidden)=
  endpoint: (hidden):51820
  allowed ips: 0.0.0.0/0, ::/0, 10.20.40.0/24
  latest handshake: 1 minute, 54 seconds ago
  transfer: 21.28 MiB received, 3.20 MiB sent
  persistent keepalive: every 25 seconds

Server Info

root@JLB-VPN-SERVER:~# ubus call system board
{
        "kernel": "5.4.211",
        "hostname": "JLB-VPN-SERVER",
        "system": "ARMv8 Processor rev 4",
        "model": "GL.iNet GL-MT3000",
        "board_name": "glinet,mt3000-snand",
        "release": {
                "distribution": "OpenWrt",
                "version": "21.02-SNAPSHOT",
                "revision": "r15812+908-46b6ee7ffc",
                "target": "mediatek/mt7981",
                "description": "OpenWrt 21.02-SNAPSHOT r15812+908-46b6ee7ffc"
        }
}
root@JLB-VPN-SERVER:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd91:d50f:b9d7::/48'

config device
        option name 'eth1'
        option macaddr '(hidden)'

config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option isolate '0'
        option ipaddr '172.16.20.1'
        option device 'HmVlan-ID.10'

config device
        option name 'eth0'
        option macaddr '(hidden)'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'
        option force_link '0'
        option ipv6 '0'
        option classlessroute '0'
        option metric '10'

config interface 'wan6'
        option proto 'dhcpv6'
        option device '@wan'
        option disabled '1'

config rule 'policy_relay_lo_rt_lan'
        option lookup '16800'
        option in 'loopback'
        option priority '1'

config interface 'tethering6'
        option device '@tethering'
        option proto 'dhcpv6'
        option disabled '1'

config interface 'wwan6'
        option device '@wwan'
        option proto 'dhcpv6'
        option disabled '1'

config interface 'wwan'
        option proto 'dhcp'
        option classlessroute '0'
        option metric '20'

config rule 'policy_direct_rt'
        option lookup 'main'
        option suppress_prefixlength '0'
        option priority '1100'

config rule 'policy_default_rt_vpn'
        option mark '0x8000/0xc000'
        option lookup '8000'
        option priority '1101'
        option invert '1'

config rule6 'policy_direct_rt6'
        option lookup 'main'
        option suppress_prefixlength '0'
        option priority '1100'

config rule6 'policy_default_rt_vpn6'
        option mark '0x8000/0xc000'
        option lookup '8000'
        option priority '1101'
        option invert '1'

config rule 'policy_default_rt_vpn_ts'
        option lookup 'main'
        option priority '1099'
        option mark '0x80000/0xc0000'
        option invert '0'

config device
        option type 'bridge'
        option name 'HmVlan-ID'
        list ports 'eth1'

config bridge-vlan
        option device 'HmVlan-ID'
        option vlan '10'
        list ports 'eth1:t'

config bridge-vlan
        option device 'HmVlan-ID'
        option vlan '40'
        list ports 'eth1:t'

config interface '40_IOT'
        option device 'HmVlan-ID.40'
        option proto 'static'
        option ipaddr '10.20.40.1'
        option netmask '255.255.255.0'

config interface 'wgserver'
        option proto 'wgserver'
        option config 'main_server'
        option disabled '0'

config interface 'wg_s2s'
        option device 'wg1'
        option proto 'none'

root@JLB-VPN-SERVER:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option input 'ACCEPT'
        list network 'wan'
        list network 'wan6'
        list network 'wwan'

config forwarding
        option src 'lan'
        option dest 'wan'
        option enabled '1'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config zone
        option name 'guest'
        option forward 'REJECT'
        option output 'ACCEPT'
        option input 'REJECT'

config forwarding
        option src 'guest'
        option dest 'wan'
        option enabled '1'

config rule
        option name 'Allow-DHCP'
        option src 'guest'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '67-68'

config rule
        option name 'Allow-DNS'
        option src 'guest'
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '53'

config include 'nat6'
        option path '/etc/firewall.nat6'
        option reload '1'

config rule 'process_mark'
        option name 'process_mark'
        option dest '*'
        option proto 'all'
        option extra '-m owner --gid-owner 65533'
        option target 'MARK'
        option set_xmark '0x8000/0xc000'

config rule 'process_mark_dns'
        option name 'process_mark_dns'
        option dest '*'
        option proto 'all'
        option extra '-m owner --gid-owner 453'
        option target 'MARK'
        option set_xmark '0x8000/0xc000'

config rule 'process_mark_stubby'
        option name 'process_mark_stubby'
        option dest '*'
        option proto 'all'
        option extra '-m owner --gid-owner 410'
        option target 'MARK'
        option set_xmark '0x8000/0xc000'

config rule 'process_explict_vpn'
        option name 'process_explict_vpn'
        option dest '*'
        option proto 'all'
        option extra '-m owner --gid-owner 20000'
        option target 'MARK'
        option set_xmark '0x20000/0x20000'

config rule 'wan_in_conn_mark'
        option name 'wan_in_conn_mark'
        option src 'wan'
        option dest '*'
        option set_xmark '0x8000/0xc000'
        option target 'MARK'
        option extra '-m mark --mark 0x0/0x3f00 -j CONNMARK --set-xmark 0x8000/0xc000'
        option enabled '0'

config rule 'lan_in_conn_mark_restore'
        option name 'lan_in_conn_mark_restore'
        option src 'lan'
        option dest '*'
        option set_xmark '0x8000/0xc000'
        option target 'MARK'
        option extra '-m connmark --mark 0x8000/0xc000 -j CONNMARK --restore-mark --nfmask 0xc000 --ctmask 0xc000'
        option enabled '0'

config rule 'out_conn_mark_restore'
        option name 'out_conn_mark_restore'
        option dest '*'
        option set_xmark '0x8000/0xc000'
        option target 'MARK'
        option extra '-m connmark --mark 0x8000/0xc000 -j CONNMARK --restore-mark --nfmask 0xc000 --ctmask 0xc000'
        option enabled '0'

config include 'swap_wan_in_conn_mark'
        option type 'script'
        option reload '1'
        option path '/etc/firewall.swap_wan_in_conn_mark.sh'
        option enabled '0'

config include 'vpn_client_deal_leak'
        option type 'script'
        option reload '1'
        option path '/etc/firewall.vpn_client_deal_leak.sh'
        option enabled '1'

config include 'glblock'
        option type 'script'
        option path '/usr/bin/gl_block.sh'
        option reload '1'

config include 'vpn_server_policy'
        option type 'script'
        option path '/etc/firewall.vpn_server_policy.sh'
        option reload '1'
        option enabled '1'

config zone 'wg_s2s'
        option name 'wg_s2s'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        option network 'wg_s2s'

config forwarding
        option src 'lan'
        option dest '40_IOT_Zn'

config forwarding
        option src '40_IOT_Zn'
        option dest 'wan'

config forwarding 'wgserver2wgclient'
        option src 'wgserver'
        option dest 'wgclient'
        option enabled '0'

config forwarding 'wgserver2ovpnclient'
        option src 'wgserver'
        option dest 'ovpnclient'
        option enabled '0'

config rule 'wgserver_allow'
        option name 'wgserver_allow'
        option target 'ACCEPT'
        option src 'wan'
        option proto 'udp'
        option family 'ipv4'
        option dest_port '51820'
        option enabled '1'

config zone 'wgserver'
        option name 'wgserver'
        option output 'ACCEPT'
        option mtu_fix '1'
        option masq '1'
        option masq6 '1'
        option input 'ACCEPT'
        option forward 'REJECT'
        option enabled '1'
        list network 'wgserver'

config zone
        option name '40_IOT_Zn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network '40_IOT'

config forwarding 'wgserver2wan'
        option src 'wgserver'
        option dest 'wan'
        option enabled '1'

config forwarding 'lan2wgserver'
        option src 'lan'
        option dest 'wgserver'
        option enabled '1'

config rule 'wgserver_allow_dns'
        option name 'wgserver_allow_dns'
        option src 'wgserver'
        option target 'ACCEPT'
        option dest_port '53'
        option enabled '1'

config rule 's2s_rule_udp'
        option name 'Allow S2S UDP'
        option dest_port '51830'
        option proto 'udp'
        option src 'wan'
        option target 'ACCEPT'

config forwarding 'wgserver2lan'
        option src 'wgserver'
        option dest 'lan'
        option enabled '1'

config forwarding 's2s_lan'
        option dest 'lan'
        option src 'wg_s2s'

config forwarding 's2s_wan'
        option dest 'wan'
        option src 'wg_s2s'

config forwarding 'lan_s2s'
        option dest 'wg_s2s'
        option src 'lan'

config forwarding 'wan_s2s'
        option dest 'wg_s2s'
        option src 'wan'

root@JLB-VPN-SERVER:~# wg show
interface: wgserver
  public key: (hidden) =
  private key: (hidden)
  listening port: 51820
  fwmark: 0x8000

peer: (hidden)=
  endpoint: (hidden):31860
  allowed ips: 10.2.27.2/32
  latest handshake: 2 minutes, 27 seconds ago
  transfer: 356 B received, 300 B sent
  persistent keepalive: every 25 seconds

interface: wg1
  public key: (hidden)=
  private key: (hidden)
  listening port: 51830

peer: (hidden)=
  allowed ips: 172.16.30.0/24, 172.30.55.2/32
root@JLB-VPN-SERVER:~#
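
One thing worth checking against the server firewall posted above: it has a zone '40_IOT_Zn' (forward 'REJECT') that lists network '40_IOT', a forwarding lan -> 40_IOT_Zn and a forwarding wgserver -> lan, but no forwarding section from wgserver to 40_IOT_Zn. The script below is an added example (not from this thread and not an OpenWrt tool) that audits exactly that kind of zone-to-zone gap in an OpenWrt /etc/config/firewall using only POSIX sh and awk, so it can run on the router itself. The embedded sample config is constructed from the zone and forwarding names in the posted server config; it is not the full file, and the function and variable names are my own.

```shell
#!/bin/sh
# Added example: audit OpenWrt firewall zone forwardings with POSIX sh + awk.
# Every function reads the UCI firewall config from stdin.

# Constructed sample using the zone/forwarding names from the posted server
# config (lan, wgserver, 40_IOT_Zn). NOT the full /etc/config/firewall.
sample_firewall() {
cat <<'EOF'
config zone
        option name 'lan'
        option forward 'ACCEPT'
        list network 'lan'

config zone 'wgserver'
        option name 'wgserver'
        option forward 'REJECT'
        list network 'wgserver'

config zone
        option name '40_IOT_Zn'
        option forward 'REJECT'
        list network '40_IOT'

config forwarding
        option src 'lan'
        option dest '40_IOT_Zn'

config forwarding 'wgserver2lan'
        option src 'wgserver'
        option dest 'lan'
        option enabled '1'

config forwarding 'wgserver2wgclient'
        option src 'wgserver'
        option dest 'wgclient'
        option enabled '0'
EOF
}

# Print one "src dest enabled" line per 'config forwarding' section.
# A missing 'enabled' option means enabled; UCI false spellings become 0.
list_forwardings() {
    awk '
    function flush() {
        if (insec) {
            if (en == "0" || en == "false" || en == "no" || en == "off") en = "0"
            else en = "1"
            print src, dst, en
        }
        insec = 0; src = ""; dst = ""; en = ""
    }
    /^config / { flush(); if ($2 == "forwarding") insec = 1; next }
    insec && $1 == "option" {
        val = $3; gsub("\047", "", val)      # strip the quotes UCI writes
        if ($2 == "src") src = val
        else if ($2 == "dest") dst = val
        else if ($2 == "enabled") en = val
    }
    END { flush() }'
}

# Exit 0 if an enabled forwarding $1 -> $2 exists in the config on stdin.
has_forwarding() {
    list_forwardings |
        awk -v s="$1" -v d="$2" '$1 == s && $2 == d && $3 == "1" { f = 1 } END { exit !f }'
}

# Print the name of the first zone whose network list contains interface $1.
zone_of_network() {
    awk -v net="$1" '
    function flush() {
        if (insec && hit && !done) { print zname; done = 1 }
        insec = 0; hit = 0; zname = ""
    }
    /^config / { flush(); if ($2 == "zone") insec = 1; next }
    insec && ($1 == "option" || $1 == "list") {
        val = $3; gsub("\047", "", val)
        if ($2 == "name") zname = val
        else if ($2 == "network" && val == net) hit = 1
    }
    END { flush() }'
}

# Audit: can WireGuard zone $1 forward into the zone that holds interface $2?
# On a router: audit_vpn_to_vlan wgserver 40_IOT < /etc/config/firewall
audit_vpn_to_vlan() {
    cfg=$(cat)                              # buffer stdin, it is read twice
    vlan_zone=$(printf '%s\n' "$cfg" | zone_of_network "$2")
    if [ -z "$vlan_zone" ]; then
        echo "ERROR: no zone lists network '$2'"
        return 2
    fi
    if printf '%s\n' "$cfg" | has_forwarding "$1" "$vlan_zone"; then
        echo "OK: enabled forwarding $1 -> $vlan_zone (zone of $2)"
        return 0
    fi
    echo "MISSING: no enabled forwarding $1 -> $vlan_zone (zone of $2)"
    return 1
}

# Demo on the constructed sample: lan is reachable from wgserver, 40_IOT is not.
sample_firewall | audit_vpn_to_vlan wgserver lan
sample_firewall | audit_vpn_to_vlan wgserver 40_IOT
echo "exit status: $?"
```

A MISSING result only says that the firewall has no enabled forwarding from that zone into the VLAN's zone; it does not look at routing or at the peer's allowed IPs, which on the posted client already cover 10.20.40.0/24. Run the function directly against /etc/config/firewall on the server, and read the zone names off the posted config rather than assuming mine.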

The mt-3000 is well supported by official openwrt, but what you are currently using is the gl-inet vendor firmware. For that firmware, you need to reach out to gl-inet’s support channels. But if you install official openwrt, we can help you here.

It appears you are using firmware that is not from the official OpenWrt project.

When using forks/offshoots/vendor-specific builds that are "based on OpenWrt", there may be many differences compared to the official versions (hosted by OpenWrt.org). Some of these customizations may fundamentally change the way that OpenWrt works. You might need help from people with specific/specialized knowledge about the firmware you are using, so it is possible that advice you get here may not be useful.

You may find that the best options are:

  1. Install an official version of OpenWrt, if your device is supported (see https://firmware-selector.openwrt.org).
  2. Ask for help from the maintainer(s) or user community of the specific firmware that you are using.
  3. Provide the source code for the firmware so that users on this forum can understand how your firmware works (OpenWrt forum users are volunteers, so somebody might look at the code if they have time and are interested in your issue).

If you believe that this specific issue is common to generic/official OpenWrt and/or the maintainers of your build have indicated as such, please feel free to clarify.


OK......new to OpenWrt. Moving forward with the OpenWrt release. Thanks!!!!

So by chance do the official version have the GUI?

Yes, openwrt has a nice gui. It is not the same as the gl-inet one, though.


Hmmmm.....haven't determined how to get to the GUI.

Just visit 192.168.1.1 with your browser


If you downloaded SNAPSHOT then there is no GUI (LuCI); better download 24.10-Rc5.

Hi psherman, both devices have been updated to 23.05.5. I am still seeing the same issue. From the CLIENT I can successfully VPN to the SERVER. I can ping the VLAN 40 GW on the SERVER but not any devices, i.e. 10.20.40.35, given that the allowed IPs are 10.20.40.0/24.

VPN CLIENT Info

root@JLB-VPN-CLIENT:~# ubus call system board
{
        "kernel": "5.15.167",
        "hostname": "JLB-VPN-CLIENT",
        "system": "ARMv8 Processor rev 4",
        "model": "GL.iNet GL-MT3000",
        "board_name": "glinet,gl-mt3000",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.5",
                "revision": "r24106-10cc5fcd00",
                "target": "mediatek/filogic",
                "description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
        }
}
root@JLB-VPN-CLIENT:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd00:2861:f03c::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '172.16.30.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0'
        option proto 'dhcpv6'

config interface 'Wg_VPN'
        option proto 'wireguard'
        option private_key '(hidden)'
        list addresses '10.2.27.2/32'
        list dns '172.16.20.1'

config wireguard_Wg_VPN
        option public_key '(hidden)'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        list allowed_ips '10.20.40.0/24'
        option route_allowed_ips '1'
        option endpoint_host 'jlbgt.ddns.net'

config interface 'Tethering_4G'
        option proto 'dhcp'
        option device 'eth2'
        option force_link '1'

root@JLB-VPN-CLIENT:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'Tethering_4G'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'Wire_Wall'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'Wg_VPN'

config forwarding
        option src 'lan'
        option dest 'Wire_Wall'

root@JLB-VPN-CLIENT:~# wg show
interface: Wg_VPN
  public key: (hidden)
  private key: (hidden)
  listening port: 45759

peer: (hidden)
  endpoint: (hidden):51820
  allowed ips: 0.0.0.0/0, ::/0, 10.20.40.0/24
  latest handshake: 1 minute, 30 seconds ago
  transfer: 7.14 MiB received, 2.17 MiB sent

VPN SERVER Info

root@JLB-VPN-SERVER:~# ubus call system board
{
        "kernel": "5.15.167",
        "hostname": "JLB-VPN-SERVER",
        "system": "ARMv8 Processor rev 4",
        "model": "GL.iNet GL-MT3000",
        "board_name": "glinet,gl-mt3000",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.5",
                "revision": "r24106-10cc5fcd00",
                "target": "mediatek/filogic",
                "description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
        }
}
root@JLB-VPN-SERVER:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdbb:bb92:c561::/48'

config device
        option name 'br-lan'
        option type 'bridge'

config interface 'lan'
        option device 'JLB_Vlan.10'
        option proto 'static'
        option ipaddr '172.16.20.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0'
        option proto 'dhcpv6'

config device
        option type 'bridge'
        option name 'JLB_Vlan'
        list ports 'eth1'

config bridge-vlan
        option device 'JLB_Vlan'
        option vlan '10'
        list ports 'eth1:t'

config bridge-vlan
        option device 'JLB_Vlan'
        option vlan '20'
        list ports 'eth1:t'

config bridge-vlan
        option device 'JLB_Vlan'
        option vlan '40'
        list ports 'eth1:t'

config interface '40_IOT'
        option proto 'static'
        option device 'JLB_Vlan.40'
        option ipaddr '10.20.40.1'
        option netmask '255.255.255.0'

config interface 'JLB_VPN_SVR'
        option proto 'wireguard'
        option private_key '(HIDDEN)'
        option listen_port '51820'
        list addresses '10.2.27.1/24'
        list dns '8.8.8.8'

config device
        option name 'JLB_VPN_SVR'

config wireguard_JLB_VPN_SVR
        option description 'John Peer'
        option public_key '(HIDDEN)'
        option private_key '(HIDDEN)'
        list allowed_ips '10.2.27.2/32'
        list allowed_ips '10.20.40.0/24'

root@JLB-VPN-SERVER:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'JLB_VPN_SVR'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name '40_IOT_Zn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network '40_IOT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Home VPN'
        option src 'wan'
        option src_dport '51820'
        option dest_ip '10.2.27.1'
        option dest_port '51820'
        list proto 'tcp'
        list proto 'udp'

config zone
        option name 'WG_Zn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list network 'JLB_VPN_SVR'
        list network 'lan'

config forwarding
        option src 'WG_Zn'
        option dest 'wan'

config forwarding
        option src 'wan'
        option dest 'WG_Zn'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'RDP'
        option family 'ipv4'
        list proto 'tcp'
        option src 'wan'
        option src_dport '3389'
        option dest_ip '172.16.20.1'
        option dest_port '3389'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'SSH'
        option src 'wan'
        option src_dport '22'
        option dest_ip '172.16.20.1'
        option dest_port '22'

root@JLB-VPN-SERVER:~# wg show
interface: JLB_VPN_SVR
  public key: (HIDDEN)
  private key: (hidden)
  listening port: 51820

peer: (HIDDEN)
  endpoint: 107.127.31.114:3433
  allowed ips: 10.2.27.2/32, 10.20.40.0/24
  latest handshake: 36 seconds ago
  transfer: 29.82 MiB received, 272.61 MiB sent

You have the option to do this in 2 different ways:

  1. client side masquerading on the tunnel (current configuration)
  2. symmetric routing.

I recommend that we get things working with option 1. Option 2 is not required but can be useful if you want to avoid the effective double NAT and/or need to be able to reach the remote (client) side from the server side.

Anyway, getting started -- on the client side, change the address to 10.2.27.2/24 (/24 instead of /32). You can also remove the DNS from here as it will not do what you want.

You can remove the allowed IPs of 10.20.40.0/24 from this next section. It's not necessary because 0.0.0.0/0 covers that. Additionally, you should have the endpoint port defined -- I don't see it there (unless you redacted it):

On the server side...
Remove the DNS from here:

Remove the 2nd line of allowed IPs (10.20.40.0/24) as you do not want it here:

In addition, the above should have option route_allowed_ips '1'.
Remove this port forward/redirect and replace it with a simple traffic rule:

Networks can only be included in a single firewall zone. You have two zones defined that contain both the lan and the JLB_VPN_SVR. Delete this:

And delete all of the corresponding forwards:

This port forward looks odd -- should it be pointing to the router itself or a host behind the router?

It is usually considered a bad idea to expose your router's ssh service to the internet. Remove this unless you have a good reason to use it (you probably won't need it because you have your WG VPN). Further, if you really do need it, delete the redirect and set it up as a traffic rule.

Once the changes have been made, restart both devices and test again.

1 Like
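As an added example (not from the thread or any OpenWrt project code), the zone overlap called out above can be checked mechanically: the script below parses a UCI-style firewall config and reports every network that appears in more than one zone. The sample input is constructed to mirror the server's lan and WG_Zn zones.

```shell
# Added example (not from the thread): offline check for a network that is
# listed in more than one OpenWrt firewall zone, the problem noted above.
# Reads a UCI /etc/config/firewall on stdin; prints "network: zone1 zone2".
find_multizone_networks() {
    awk -v q="'" '
        # Credit the networks collected so far to the zone that just ended.
        function flush(   i, n) {
            for (i = 1; i <= nnets; i++) {
                n = nets[i]
                zones[n] = (n in count) ? zones[n] " " zone : zone
                count[n]++
            }
            nnets = 0
        }
        /^config zone/ { flush(); inzone = 1; zone = ""; next }
        /^config /     { flush(); inzone = 0; next }   # any other section
        inzone && $1 == "option" && $2 == "name"   { zone = $3; gsub(q, "", zone); next }
        inzone && $1 == "list"   && $2 == "network" { n = $3; gsub(q, "", n); nets[++nnets] = n }
        END { flush(); for (n in count) if (count[n] > 1) print n ": " zones[n] }
    ' | LC_ALL=C sort
}

# Constructed sample mirroring the server config above: the lan zone and
# WG_Zn both list the lan and JLB_VPN_SVR networks; 40_IOT is listed once.
sample_firewall() {
    cat <<'EOF'
config zone
        option name 'lan'
        list network 'lan'
        list network 'JLB_VPN_SVR'

config forwarding
        option src 'lan'
        option dest 'wan'

config zone
        option name '40_IOT_Zn'
        list network '40_IOT'

config zone
        option name 'WG_Zn'
        option masq '1'
        list network 'JLB_VPN_SVR'
        list network 'lan'
EOF
}

# On the router itself: find_multizone_networks < /etc/config/firewall
check_sample() { sample_firewall | find_multizone_networks; }
```

An empty result means every network belongs to exactly one zone, which is what fwdefaults expects after the WG_Zn zone and its forwardings are removed.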

Awesome! And I appreciate your help!! Moving to implement and test and will provide an update.