Create Route for VPN for connected LAN devices

Ahoy friends.
I had trouble while trying to connect my home network and my remote network using Wireguard.
Now it works, and I'm able to ping each interface (from 10.0.0.2 to 10.0.0.1 and vice versa).
Using the console on my OpenWRT device, I have created a route to my home network.

Attention: Home network 192.168.2.0, remote network 192.168.1.0
So I logged into my OpenWRT device and performed this command: ip route add 192.168.2.0/24 via 10.0.0.1
Then I was able to ping the devices inside my home network.
Unfortunately it does not work for the LAN devices connected to my OpenWRT device.
Currently I have the wg0 device, the eth0 LAN device, and the wwan0 device.
My OpenWRT device is connected to another WiFi, and has a bridge br0 between wwan0 and eth0. So how can I establish the route ip route add 192.168.2.0/24 via 10.0.0.1 for my devices connected to eth0?
I hope someone understands what I mean; it's quite a complicated config.
Inside of the SSH console everything works fine.

I'm also not able to ping any devices from my notebook connected to eth0.
It doesn't matter whether I try to ping my local OpenWRT router or my home network 192.168.2.0, I always receive the following message.

ping: socket: Operation not permitted

If both routers can ping each other, but client devices cannot, you might be missing a return route on the far end device.

The error about not being able to ping is strange. Is that a work laptop? Do you have some antivirus/something blocking that?

A diagram may help too https://www.draw.io/

It looks like that

No device on the right network can use ping.
On the left side ping works.


Post here the configurations from both devices:
uci export network; uci export firewall; ip -4 addr; ip -4 ru; ip -4 ro ls tab all

Alright, first command:


package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd1b:c1e2:8857::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.1.1'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '4 0 1 2 8t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '3 8t'

config interface 'wg0'
	option proto 'wireguard'
	option private_key ''
	option listen_port '5555'
	list addresses '10.0.0.2/24'

config wireguard_wg0
	option public_key ''
	option description 'Unix-Supremacy'
	option persistent_keepalive '30'
	option endpoint_host 'unix-supremacy.org'
	option endpoint_port '5555'
	list allowed_ips '10.0.0.1/32'
	list allowed_ips '192.168.2.0/24'

config interface 'wwan'
	option proto 'dhcp'

config interface 'br0'
	option proto 'relay'
	list network 'lan'
	list network 'wwan'

config route
	option target '192.168.2.0/24'
	option gateway '10.0.0.1'
	option netmask '255.255.255.0'
	option interface 'lan'
	option onlink '1'

Firewall

package firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'br0 br0 wg0 lan'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config forwarding 'lan_wan'
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option dest_port '5555'
	option src 'wan'
	option name 'WireGuard'
	option src_dport '5555'
	option target 'DNAT'
	option dest_ip '192.168.1.1'
	option dest 'lan'
	list proto 'udp'

config zone
	option name 'Wireguard'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option masq '1'
	option network 'Wireguard wwan'

config forwarding
	option dest 'lan'
	option src 'Wireguard'

config forwarding
	option dest 'wan'
	option src 'Wireguard'

config forwarding
	option dest 'Wireguard'
	option src 'lan'

config forwarding
	option dest 'Wireguard'
	option src 'wan'

ip -4 addr


1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
9: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet 192.168.43.133/24 brd 192.168.43.255 scope global wlan0
       valid_lft forever preferred_lft forever
13: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.0.0.2/24 brd 10.0.0.255 scope global wg0
       valid_lft forever preferred_lft forever

ip -4 ru


0:	from all lookup local
2:	from all iif lo lookup 1
2:	from all iif wlan0 lookup 16800
2:	from all iif br-lan lookup 16801
32766:	from all lookup main
32767:	from all lookup default

ip -4 ro ls tab all

192.168.1.179 dev br-lan table 16800 scope link 
192.168.43.1 dev wlan0 table 16801 scope link 
default via 192.168.43.1 dev wlan0 proto static src 192.168.43.133 
10.0.0.0/24 dev wg0 proto kernel scope link src 10.0.0.2 
78.35.90.26 via 192.168.43.1 dev wlan0 proto static 
85.197.43.22 via 192.168.43.1 dev wlan0 proto static 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 
192.168.2.0/24 via 10.0.0.1 dev wg0 
192.168.43.0/24 dev wlan0 proto kernel scope link src 192.168.43.133 
broadcast 10.0.0.0 dev wg0 table local proto kernel scope link src 10.0.0.2 
local 10.0.0.2 dev wg0 table local proto kernel scope host src 10.0.0.2 
broadcast 10.0.0.255 dev wg0 table local proto kernel scope link src 10.0.0.2 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1 
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1 
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1 
broadcast 192.168.43.0 dev wlan0 table local proto kernel scope link src 192.168.43.133 
local 192.168.43.133 dev wlan0 table local proto kernel scope host src 192.168.43.133 
broadcast 192.168.43.255 dev wlan0 table local proto kernel scope link src 192.168.43.133

I can only send stuff from the OpenWRT device, because the target network is already running fine, and it's a Debian system.
Unfortunately, in my OpenWRT 192.168.1.0 subnet I can't even ping my own IP obtained from the OpenWRT DHCP, lol.

Much of your config looks like a routed VPN, but you think it should run bridged.

Make bridges by combining "physical" interfaces in the network 'lan' option ifname, not in the firewall.


Yeah, it's meant to be a routed config.

Then the two lan networks must be different, such as 192.168.1.X and 192.168.2.X.

Yeah, that's the case. My remote OpenWRT network uses 192.168.1.0, the other one 192.168.2.0, and I want to establish a route via 10.0.0.2 to 192.168.2.0.
Maybe I'll try traceroute. Looks like the firewall is filtering something.

It will not work with the relay you have there.
If you keep the relay you'll have to move the WG interface to the other router that wwan is connected to.
Also you may want to cover the keys and the public host IP from your previous post with the configs.

Is there another way to route the traffic to the destination without having the bridge?
The fact is I can only connect the wwan0 radio to another remote network to establish an internet connection.
Unfortunately there is nothing I can change on the remote network.
So the relay is the reason why I can't ping anything?
Is there another way to route the traffic from my LAN devices through the wg interface?

Problem solved.
I had to bind the 192.168.2.0/24 via 10.0.0.1 route to "wg0".
Traceroute helped me a lot; finally it's looking like this now.
Thanks for your help!

traceroute 192.168.2.150
traceroute to 192.168.2.150 (192.168.2.150), 30 hops max, 60 byte packets
 1  OpenWrt.lan (192.168.1.1)  0.346 ms  0.430 ms  0.484 ms
 2  10.0.0.1 (10.0.0.1)  357.685 ms  358.520 ms  359.277 ms
 3  192.168.2.150 (192.168.2.150)  359.294 ms  368.537 ms  368.539 ms
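The route lookup this thread ends up debugging, as an added example (not from the original posts): it replays the `ip -4 ru` and `ip -4 ro ls tab all` output posted above through the kernel's policy-routing order and reports which device a LAN client's packet to 192.168.2.150 leaves on. The rule and route lines are a constructed, trimmed copy of that output, and the function names are my own.

```python
import ipaddress

# Constructed sample, trimmed from the "ip -4 ru" and "ip -4 ro ls tab all" output
# posted in the thread: rules as (priority, required iif or None, table), in priority order.
RULES = [(0, None, "local"), (2, "lo", "1"), (2, "wlan0", "16800"),
         (2, "br-lan", "16801"), (32766, None, "main"), (32767, None, "default")]

ROUTES = """\
192.168.1.179 dev br-lan table 16800 scope link
192.168.43.1 dev wlan0 table 16801 scope link
default via 192.168.43.1 dev wlan0 proto static src 192.168.43.133
10.0.0.0/24 dev wg0 proto kernel scope link src 10.0.0.2
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.2.0/24 via 10.0.0.1 dev wg0
192.168.43.0/24 dev wlan0 proto kernel scope link src 192.168.43.133
"""

def parse_routes(text):
    """Map table name -> list of (network, dev, via). 'default' is 0.0.0.0/0 and a
    route printed without 'table' belongs to main, as in iproute2 output."""
    tables = {}
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        net = ipaddress.ip_network("0.0.0.0/0" if tok[0] == "default" else tok[0], strict=False)
        kv = dict(zip(tok[1::2], tok[2::2]))  # iproute2 prints key/value pairs after the dst
        tables.setdefault(kv.get("table", "main"), []).append((net, kv.get("dev"), kv.get("via")))
    return tables

def lookup(tables, dst, iif=None):
    """Policy routing as the kernel does it: walk the rules in priority order and take
    the longest-prefix match from the first table that has one. Returns (table, dev, via)."""
    ip = ipaddress.ip_address(dst)
    for _prio, rule_iif, table in RULES:
        if rule_iif is not None and rule_iif != iif:
            continue  # rule only applies to packets arriving on that interface
        hits = [r for r in tables.get(table, []) if ip in r[0]]
        if hits:
            _net, dev, via = max(hits, key=lambda r: r[0].prefixlen)
            return table, dev, via
    return None

def lan_client_uses_vpn(tables, remote_host, vpn_dev="wg0", iif="br-lan"):
    """True when a LAN client's packet to the remote LAN egresses on the WireGuard device."""
    hit = lookup(tables, remote_host, iif)
    return hit is not None and hit[1] == vpn_dev
```

Feed it your own router's output to confirm that a packet arriving on br-lan really resolves to wg0 before blaming the firewall.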
