Hi all, I know this has been asked before but after looking though every post I can find on the subject I still can't get this to work. I'd be really grateful for any help. I've been fighting this for two days now.
Basically what I want:
external client->wireguard->OpenWRT->wifi LAN->device on wifi lan
For testing purposes I'm running wireguard over a wired LAN but in the future it will be running over 4G.
I have Wireguard configured and I can ping every IP on the router (i.e every IP shown in the interfaces page).
However what I can't do is ping anything on either connected LAN. For example the router sits on the wired lan at 192.168.2.97 and I can ping it over the VPN. However I can't ping 192.168.2.2, which is a device on the LAN. The pings just time out. I can ping 192.168.2.2 from OpenWrt's network diagnostics page. The same goes for the wifi lan. OpenWRT is a wifi client with the address 192.168.101.117 and I can ping that. However I can't ping 192.168.101.1, which is a device on the wifi network. Again I can ping 192.168.101.1 directly from OpenWRT diagnostics.
cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd1b:57a3:e859::/48'
config atm-bridge 'atm'
option vpi '1'
option vci '32'
option encaps 'llc'
option payload 'bridged'
option nameprefix 'dsl'
config dsl 'dsl'
option annex 'a'
option tone 'av'
option ds_snr_offset '0'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0.1'
config device
option name 'eth0.1'
option macaddr 'xxxx'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.2.97'
option gateway '192.168.2.1'
config device
option name 'dsl0'
option macaddr 'xxxx'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 1 2 4 6t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '5 6t'
config interface 'test'
option proto 'dhcp'
option device 'br-lan'
config interface 'giffgaff'
option proto 'ncm'
option pdptype 'IP'
option apn 'giffgaff.com'
option username 'gg'
option password 'p'
option ipv6 'auto'
option device '/dev/ttyUSB0'
config interface 'wwan'
option proto 'dhcp'
option defaultroute '0'
option peerdns '0'
config interface 'debug'
option proto 'static'
option device 'br-lan'
option ipaddr '192.168.3.1'
option netmask '255.255.255.0'
config interface 'wireguard'
option proto 'wireguard'
option private_key 'xxxx'
option listen_port '1194'
list addresses '10.0.0.1/24'
option peerdns '0'
config wireguard_wireguard
option description 'test'
option public_key 'xxxx'
option route_allowed_ips '1'
list allowed_ips '10.0.0.2/32'
config device
option name 'wireguard'
option acceptlocal '1'
cat /etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'test'
list network 'wwan'
list network 'wireguard'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'giffgaff'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled '0'
config include
option path '/etc/firewall.user'
Client Wireguard config
[Interface]
PrivateKey = xxxx
ListenPort = 1194
Address = 10.0.0.2/32
[Peer]
PublicKey = xxxx
AllowedIPs = 10.0.0.1/32, 192.168.101.1/24, 192.168.3.1/24, 192.168.2.97/32, 192.168.2.2/32
Endpoint = 192.168.2.97:1194
Yes, I know there are more AllowedIPs than I need. I can trim them back if/when I get this working.