Connecting to LAN through wireguard

Hi all, I know this has been asked before but after looking through every post I can find on the subject I still can't get this to work. I'd be really grateful for any help. I've been fighting this for two days now.

Basically what I want:
external client->wireguard->OpenWRT->wifi LAN->device on wifi lan
For testing purposes I'm running wireguard over a wired LAN but in the future it will be running over 4G.

I have Wireguard configured and I can ping every IP on the router (i.e every IP shown in the interfaces page).
However what I can't do is ping anything on either connected LAN. For example the router sits on the wired lan at 192.168.2.97 and I can ping it over the VPN. However I can't ping 192.168.2.2, which is a device on the LAN. The pings just time out. I can ping 192.168.2.2 from OpenWrt's network diagnostics page. The same goes for the wifi lan. OpenWRT is a wifi client with the address 192.168.101.117 and I can ping that. However I can't ping 192.168.101.1, which is a device on the wifi network. Again I can ping 192.168.101.1 directly from OpenWRT diagnostics.

cat /etc/config/network

# Loopback; stock OpenWrt.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd1b:57a3:e859::/48'

# DSL/ATM settings are present but no interface below uses the dsl0 device.
config atm-bridge 'atm'
        option vpi '1'
        option vci '32'
        option encaps 'llc'
        option payload 'bridged'
        option nameprefix 'dsl'

config dsl 'dsl'
        option annex 'a'
        option tone 'av'
        option ds_snr_offset '0'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config device
        option name 'eth0.1'
        option macaddr 'xxxx'

# Wired side: static 192.168.2.97/24 with the upstream router 192.168.2.1 as
# gateway. This box is therefore NOT the default gateway of the wired LAN,
# so hosts there have no route back to 10.0.0.0/24 unless one is added to
# 192.168.2.1 or the tunnel traffic is masqueraded (see the replies below).
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.2.97'
        option gateway '192.168.2.1'

config device
        option name 'dsl0'
        option macaddr 'xxxx'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 4 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 6t'

# Second, DHCP-assigned address on the same bridge as 'lan'. Unlike 'wwan'
# below it does not set defaultroute '0', so its DHCP-learned default route
# is installed next to lan's gateway; later in the thread misrouted VPN
# pings are traced to this interface.
config interface 'test'
        option proto 'dhcp'
        option device 'br-lan'

# 4G uplink (NCM modem). This is the only member of the 'wan' firewall zone.
config interface 'giffgaff'
        option proto 'ncm'
        option pdptype 'IP'
        option apn 'giffgaff.com'
        option username 'gg'
        option password 'p'
        option ipv6 'auto'
        option device '/dev/ttyUSB0'

# Wifi-client uplink (192.168.101.117 per the post above): DHCP, but without
# taking the default route or the DHCP-supplied DNS servers.
config interface 'wwan'
        option proto 'dhcp'
        option defaultroute '0'
        option peerdns '0'

# Third address on br-lan, 192.168.3.1/24. It is not listed in any firewall
# zone in the configs below.
config interface 'debug'
        option proto 'static'
        option device 'br-lan'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'

# WireGuard server side: UDP 1194 listener, router tunnel address 10.0.0.1/24.
# Nothing in the firewall configs below accepts UDP 1194 from the 'wan' zone
# (input REJECT), so once the endpoint moves to the 4G uplink the handshake
# will be dropped until an input rule for this port is added.
config interface 'wireguard'
        option proto 'wireguard'
        option private_key 'xxxx'
        option listen_port '1194'
        list addresses '10.0.0.1/24'
        option peerdns '0'

# Single peer. allowed_ips is the cryptokey-routing filter: the router accepts
# packets from this peer only if sourced from 10.0.0.2, and with
# route_allowed_ips it also routes 10.0.0.2/32 into the tunnel. Keep it this
# tight; widen it only for addresses the peer genuinely needs to source.
config wireguard_wireguard
        option description 'test'
        option public_key 'xxxx'
        option route_allowed_ips '1'
        list allowed_ips '10.0.0.2/32'

# accept_local=1 on the tunnel device tells the kernel to accept packets
# whose source is one of the router's own addresses.
# NOTE(review): not obviously needed for this topology — confirm why it was set.
config device
        option name 'wireguard'
        option acceptlocal '1'

cat /etc/config/firewall

# Default chain policies (stock OpenWrt): input/output ACCEPT, forward REJECT.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# The 'lan' zone also holds the wifi-client uplink ('wwan') and the tunnel
# ('wireguard'). Everything on those networks therefore gets input ACCEPT to
# the router's own services (LuCI, SSH, ...) and forward ACCEPT to the wired
# LAN. Acceptable for a test bench; for deployment give the tunnel (and, if
# that wifi network is not fully trusted, 'wwan') their own zones with
# explicit forwardings.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'test'
        list network 'wwan'
        list network 'wireguard'

# 'wan' zone: only the 4G uplink; input REJECT with outbound NAT. No rule
# below opens UDP 1194 from this zone, so the WireGuard listener is
# unreachable over 4G as configured.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'giffgaff'

config forwarding
        option src 'lan'
        option dest 'wan'

# The rules below are the stock OpenWrt wan input set (DHCP renew, ping,
# IGMP, DHCPv6, MLD, ICMPv6, IPsec, traceroute); nothing here is specific to
# the tunnel.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Stock IPsec pass-through rules; nothing in this setup uses IPsec.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

# Legacy fw3 include; /etc/firewall.user is not shown in this thread, so any
# rules it adds are unknown here.
config include
        option path '/etc/firewall.user'

Client Wireguard config

[Interface]
PrivateKey = xxxx
# Not required on this side: the router's peer entry has no Endpoint, so this
# client always initiates. A fixed port only pins the UDP source port.
ListenPort = 1194
Address = 10.0.0.2/32

[Peer]
PublicKey = xxxx
# AllowedIPs is both the cryptokey-routing filter and, on clients that add a
# route per entry, the route table. 192.168.101.1/24 and 192.168.3.1/24 carry
# host bits; write them as 192.168.101.0/24 and 192.168.3.0/24.
# 192.168.2.97/32 is also the Endpoint address: a route for it through the
# tunnel can send the encrypted packets for the endpoint back into the
# tunnel on such clients, so drop that entry first when trimming.
AllowedIPs = 10.0.0.1/32, 192.168.101.1/24, 192.168.3.1/24, 192.168.2.97/32, 192.168.2.2/32
Endpoint = 192.168.2.97:1194

Yes, I know there are more AllowedIPs than I need. I can trim them back if/when I get this working.

It appears that this OpenWrt device is not your main router -- you must have another router upstream of this and it seems you have a LAN-LAN connection between the two.

The problem is that traffic can actually reach your LAN devices, but they will not be able to send responses: they will send them to your main router (192.168.2.1, the gateway on your lan interface), which has no route for 10.0.0.0/24 and doesn't know what to do with them.

With the topology you have in your network, you've got two methods by which you can fix this issue:

  1. if your main router exposes settings for static routes, you can add a route to the WG network -- this route gets added to your main router:
10.0.0.0/24 via 192.168.2.97
  2. move your WireGuard network to its own firewall zone (call it vpn), turn on masquerading for the vpn zone, and allow forwarding from vpn > lan. Don't forget to remove the wireguard network from the lan zone. Note that masquerading rewrites every VPN client's source address to the router's LAN address, so LAN hosts (and their logs) can no longer tell VPN clients apart; option 1 keeps the real 10.0.0.x source visible.
# 'lan' zone without the tunnel.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'test'
        list network 'wwan'

# Tunnel in its own zone. masq rewrites VPN clients' 10.0.0.x source to the
# router's LAN address so LAN hosts can reply without a route to 10.0.0.0/24;
# the cost is that LAN-side logs only ever see the router. input ACCEPT still
# lets every tunnel peer reach all router services.
config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        list network 'wireguard'

# One-way: tunnel peers may open connections to the LAN, not the reverse.
config forwarding
        option src 'vpn'
        option dest 'lan'

Thanks for your reply.

Yes, that's correct. This is just for testing the tunnel. In the final application the wired LAN will be disconnected and the 4G WAN (GiffGaff) will be used for the Wireguard tunnel. (For that step note that the `wan` zone has input REJECT and no rule accepting UDP 1194, so a rule with `src wan`, `proto udp`, `dest_port 1194`, `target ACCEPT` will be needed before a handshake can arrive over 4G — and the 4G connection must have a publicly reachable address rather than a carrier-NAT one.)

I made the changes you suggested and have the same result. I'm pretty sure I tried this before.

cat /etc/config/firewall

# Default chain policies (stock OpenWrt): input/output ACCEPT, forward REJECT.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# 'lan' zone, now without the tunnel but still holding the wifi-client uplink
# ('wwan'): hosts on that wifi network get input ACCEPT to the router's
# services and forward ACCEPT to the wired LAN.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'test'
        list network 'wwan'

# 'wan' zone: only the 4G uplink; input REJECT, no rule for UDP 1194 below.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'giffgaff'

config forwarding
        option src 'lan'
        option dest 'wan'

# Stock OpenWrt wan input rules; unchanged from the first dump.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

# Legacy fw3 include; /etc/firewall.user is not shown in this thread.
config include
        option path '/etc/firewall.user'

# Tunnel zone as suggested in the reply above: masq toward 'lan' so wired
# hosts can reply without a route to 10.0.0.0/24 (LAN-side logs then only
# see the router's address). input ACCEPT exposes every router service to
# tunnel peers.
config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        list network 'wireguard'
        option masq '1'
        option forward 'ACCEPT'

# One-way: tunnel peers may open connections to the LAN zone, not the reverse.
config forwarding
        option src 'vpn'
        option dest 'lan'

I found the problem. It was a Wireguard configuration issue

# NOTE(review): the two extra 'list addresses' lines assign 192.168.2.2 and
# 192.168.101.1 to the router's own tunnel interface. The router then answers
# for those addresses itself (the LuCI login seen in the next post) instead
# of forwarding to the real hosts. These lines are the bug, not the fix; the
# tunnel interface should carry only 10.0.0.1/24.
config interface 'wireguard'
        option proto 'wireguard'
        option private_key 'xxxx'
        option listen_port '1194'
        list addresses '10.0.0.1/24'
        list addresses '192.168.2.2/32'
        list addresses '192.168.101.1/32'
        option peerdns '0'

Scrap that. Ping works but it's actually just talking to the OpenWRT instance, not 192.168.101.1. For instance if I enter 192.168.101.1 in my browser I get the LuCI login instead of the server at 192.168.101.1. I'm confused. (That is exactly what the two extra `list addresses` lines do: they make 192.168.2.2 and 192.168.101.1 addresses of the router's own tunnel interface, so the router answers for them itself instead of forwarding to the real hosts.)

Here's the result of tcpdump -i any port 80

12:29:38.969346 IP 10.0.0.2.57645 > 192.168.101.1.80: Flags [.], ack 17165, win 6145, length 0
12:29:38.969628 IP 192.168.101.1.80 > 10.0.0.2.57645: Flags [P.], seq 17165:17229, ack 2700, win 4010, length 64: HTTP
12:29:39.010892 IP 10.0.0.2.57645 > 192.168.101.1.80: Flags [.], ack 17229, win 6144, length 0
12:29:39.142405 IP 192.168.101.1.80 > 10.0.0.2.57645: Flags [P.], seq 17229:17235, ack 2700, win 4010, length 6: HTTP
12:29:39.143501 IP 192.168.101.1.80 > 10.0.0.2.57645: Flags [P.], seq 17235:19995, ack 2700, win 4010, length 2760: HTTP
12:29:39.143841 IP 192.168.101.1.80 > 10.0.0.2.57645: Flags [.], seq 19995:21375, ack 2700, win 4010, length 1380: HTTP
12:29:39.145797 IP 10.0.0.2.57645 > 192.168.101.1.80: Flags [.], ack 18615, win 6145, length 0

That all looks pretty much as I'd expect — except that with `-i any` and 192.168.101.1 configured on the tunnel interface, the "192.168.101.1.80" replies here are the router's own web server, so this capture does not show the real host being reached.

OK, this time I think I have it working. Using 'tcpdump -e -i any icmp' I could see my pings were being routed out the first interface (the DHCP 'test' interface on br-lan) and disappearing into the void. I put Wireguard on one zone (vpn) and the wireless LAN on another (wwan):

# Tunnel zone. input ACCEPT lets every tunnel peer reach LuCI, SSH and any
# other router service; masq hides peers' 10.0.0.x addresses from hosts
# reached through the wifi uplink.
config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'wireguard'
        option masq '1'

# Wifi-client uplink in its own zone. masq is what makes replies from
# 192.168.101.x work without a route back to 10.0.0.0/24. input ACCEPT
# exposes the router's services to everything on that wifi network; if the
# network is not fully trusted, use REJECT here and add explicit rules.
config zone
        option name 'wwan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        list network 'wwan'
        option forward 'ACCEPT'
        option masq '1'

# wwan -> vpn lets hosts on the wifi network initiate connections to the VPN
# client (10.0.0.2). Replies to vpn -> wwan connections are handled by
# connection tracking regardless, so drop this unless that direction is
# actually wanted.
config forwarding
        option src 'wwan'
        option dest 'vpn'

# vpn -> wwan is the direction the use case needs: VPN client to wifi hosts.
config forwarding
        option src 'vpn'
        option dest 'wwan'

This works but is there a better way to do it?