Guest network can't connect with Wireguard

Hello,

I managed to set up a Wireguard connection with LuCI to my VPN provider (Proton) thanks to this tutorial.

The problem I encounter is that my VLAN 50 does not have internet access. I suspect it has something to do with the gateway, but I don't understand how to configure it to make it work.

At the same time, I also want to host a few services on my Raspberry Pi and make them accessible from the internet. I already did that in the past, but I wasn't using OpenWrt at that time, only the ISP box.
I managed to install ddns and set it up to get an IP, but I can't connect to it. Since my Raspberry Pi is behind my VPN, I think it has something to do with that. From here, I don't know which of these I should do:

  1. Isolate it completely in another VLAN without VPN to give access (like VLAN 50)
  2. Create a new interface with a moderate NAT configuration on Wireguard and create a new VLAN specific for it
  3. Or whether it should just work as it is and I simply didn't manage to open what is needed in the firewall correctly

Here is my configuration; do not hesitate to ask if I missed something. Also, I'm a beginner and willing to learn, so do not hesitate to tell me if there are things I can improve. Beware, I might have disabled a few configurations (like DDNS).
Thank you for taking the time to help me.

  • ubus call system board
{
        "kernel": "6.6.73",
        "hostname": "OpenWrt",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "ASUS RT-AX53U",
        "board_name": "asus,rt-ax53u",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.0",
                "revision": "r28427-6df0e3d02a",
                "target": "ramips/mt7621",
                "description": "OpenWrt 24.10.0 r28427-6df0e3d02a",
                "builddate": "1738624177"
        }
}
  • /etc/config/network
# /etc/config/network as posted (OpenWrt 24.10.0). Lines starting with '#' are reviewer notes.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdd6:9a10:ebdc::/48'
        option packet_steering '1'

# Upstream (ISP) link, IPv4.
config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        # ISP resolvers are ignored; the same 10.2.0.1 resolver that Proton_WG uses is forced here.
        # NOTE(review): 10.2.0.1 is presumably reachable only inside the tunnel. If the peer's
        # endpoint_host below is a DNS name rather than an IP, resolving it before the tunnel is up
        # would depend on this resolver -- confirm that a cold boot still brings the tunnel up.
        option peerdns '0'
        list dns '10.2.0.1'

# Upstream link, IPv6; same forced resolver as 'wan'.
config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option dns_metric '0'
        option norelease '1'
        option peerdns '0'
        list dns '10.2.0.1'

# Single VLAN-aware bridge over the three LAN ports; the bridge-vlan sections below carve it up.
# Ports are listed without a ':u*' / ':t' flag (untagged + PVID is added later in the thread).
config device
        option type 'bridge'
        option name 'VLANS'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

# One access port per VLAN: lan1 -> 10 (admin), lan2 -> 20 (common), lan3 -> 30 (IoT).
config bridge-vlan
        option device 'VLANS'
        option vlan '10'
        list ports 'lan1'

config bridge-vlan
        option device 'VLANS'
        option vlan '20'
        list ports 'lan2'

config bridge-vlan
        option device 'VLANS'
        option vlan '30'
        list ports 'lan3'

# VLAN 50 (guest) has no wired port. Its only consumer is the 'wifinet2' SSID in
# /etc/config/wireless, which is posted with disabled '1'.
config bridge-vlan
        option device 'VLANS'
        option vlan '50'

# VLAN 20 (common) gateway, 192.168.20.1/24.
config interface 'VLAN20'
        option proto 'static'
        option device 'VLANS.20'
        option ipaddr '192.168.20.1'
        option netmask '255.255.255.0'

# Explicit 802.1q sub-devices on top of the bridge. With bridge-vlan sections present, netifd
# creates VLANS.<vid> itself, so these sections are redundant (the thread later advises removing them).
config device
        option name 'VLANS.20'
        option type '8021q'
        option ifname 'VLANS'
        option vid '20'

config device
        option name 'VLANS.10'
        option type '8021q'
        option ifname 'VLANS'
        option vid '10'

# VLAN 10 (admin) gateway, 192.168.10.1/24.
config interface 'VLAN10'
        option proto 'static'
        option device 'VLANS.10'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'

# VLAN 30 (IoT) gateway, 192.168.30.1/24 -- but attached to 'br-VLAN30', a separate port-less
# bridge declared below, not to VLANS.30. lan3 (bridge-vlan 30 above) therefore has no interface
# behind it; only the wifi-ifaces that name 'VLAN30' land on this subnet. Corrected later in the thread.
config interface 'VLAN30'
        option proto 'static'
        option device 'br-VLAN30'
        option ipaddr '192.168.30.1'
        option netmask '255.255.255.0'

# VLAN 50 (guest) gateway, 192.168.50.1/24.
config interface 'VLAN50'
        option proto 'static'
        option device 'VLANS.50'
        option ipaddr '192.168.50.1'
        option netmask '255.255.255.0'

config device
        option name 'VLANS.50'
        option type '8021q'
        option ifname 'VLANS'
        option vid '50'

# Bridge with no ports; see the VLAN30 note above.
config device
        option name 'br-VLAN30'
        option type 'bridge'

# WireGuard tunnel to the VPN provider; key, address and endpoint redacted by the poster.
# Tunnel DNS is the provider's 10.2.0.1 (also forced on wan/wan6 above).
config interface 'Proton_WG'
        option proto 'wireguard'
        option private_key 'redacted'
        list addresses 'redacted'
        list dns '10.2.0.1'

# Peer: allowed_ips 0.0.0.0/0 together with route_allowed_ips '1' installs a default route into
# the tunnel. Every forwarded flow therefore leaves via Proton_WG unless policy routing sends it
# elsewhere, so a zone forwarding from a LAN zone to 'wan' does not by itself give internet access.
config wireguard_Proton_WG
        option description 'Imported peer configuration'
        option public_key 'redacted'
        list allowed_ips '0.0.0.0/0'
        option endpoint_host 'redacted'
        option endpoint_port 'redacted'
        option route_allowed_ips '1'
  • /etc/config/wireless
# /etc/config/wireless as posted; SSIDs, keys and MAC lists redacted by the poster.
# 2.4 GHz radio. Unlike radio1, no 'country' option is set here.
config wifi-device 'radio0'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
        option channel '5'
        option band '2g'
        option htmode 'HE20'
        option cell_density '0'

# 2.4 GHz SSID for VLAN20 (common), currently disabled. 'sae-mixed' is WPA2-PSK/WPA3-SAE
# transition mode, i.e. WPA2 clients are still admitted (radio1 uses WPA3-only 'sae').
# 'macfilter allow' + maclist is an allow-list of client MACs; treat it as a convenience
# filter, not as an authentication control -- the passphrase is the security boundary.
config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'redacted'
        option encryption 'sae-mixed'
        option key 'redacted'
        option network 'VLAN20'
        option macfilter 'allow'
        list maclist 'redacted'
        list maclist 'redacted'
        option disabled '1'

# 5 GHz radio, regulatory domain FR.
config wifi-device 'radio1'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
        option channel '56'
        option band '5g'
        option htmode 'HE80'
        option country 'FR'
        option cell_density '0'

# Main 5 GHz SSID for VLAN20 (common): WPA3-only ('sae') plus MAC allow-list.
config wifi-iface 'default_radio1'
        option device 'radio1'
        option mode 'ap'
        option ssid 'redacted'
        option encryption 'sae'
        option network 'VLAN20'
        option key 'redacted'
        list maclist 'redacted'
        list maclist 'redacted'
        list maclist 'redacted'
        option macfilter 'allow'

# Guest SSID on VLAN50, WPA3-only, disabled in this snapshot. Together with the port-less
# bridge-vlan 50 in /etc/config/network, nothing is attached to VLAN 50 as posted.
config wifi-iface 'wifinet2'
        option device 'radio1'
        option mode 'ap'
        option ssid 'redacted'
        option encryption 'sae'
        option key 'redacted'
        option network 'VLAN50'
        option disabled '1'

# 5 GHz IoT SSID on VLAN30, disabled.
config wifi-iface 'wifinet3'
        option device 'radio1'
        option mode 'ap'
        option ssid 'redacted'
        option encryption 'sae'
        option network 'VLAN30'
        option key 'redacted'
        option disabled '1'

# 2.4 GHz IoT SSID on VLAN30, the only enabled IoT SSID. 'hidden' only suppresses the SSID in
# beacons and is not an access control; the MAC allow-list caveat above applies here as well.
config wifi-iface 'wifinet4'
        option device 'radio0'
        option mode 'ap'
        option ssid 'redacted'
        option encryption 'sae-mixed'
        option hidden '1'
        option key 'redacted'
        option network 'VLAN30'
        option macfilter 'allow'
        list maclist 'redacted'
  • /etc/config/dhcp
# /etc/config/dhcp as posted.
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        # Refuse upstream answers that point at private address space (DNS-rebinding guard).
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        # Upstream resolvers come from the interfaces' 'dns' lists in /etc/config/network
        # (10.2.0.1 on wan, wan6 and Proton_WG).
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        # Answer DNS queries only from directly attached subnets.
        option localservice '1'
        option ednspacket_max '1232'

# No DHCP service on the upstream link.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# Per-VLAN pools. Common: .100-.149, 12 h leases.
config dhcp 'VLAN20'
        option interface 'VLAN20'
        option start '100'
        option limit '50'
        option leasetime '12h'

# Admin: start 35, limit 1 -> exactly one dynamic lease, 192.168.10.35 (VLAN10 is 192.168.10.1/24).
config dhcp 'VLAN10'
        option interface 'VLAN10'
        option start '35'
        option limit '1'
        option leasetime '12h'

# IoT: .100-.149, shorter 6 h leases.
config dhcp 'VLAN30'
        option interface 'VLAN30'
        option start '100'
        option limit '50'
        option leasetime '6h'

# Guest: .100-.149, 12 h leases.
config dhcp 'VLAN50'
        option interface 'VLAN50'
        option start '100'
        option limit '50'
        option leasetime '12h'
  • /etc/config/firewall
# /etc/config/firewall as posted. Default-deny for traffic to the router (input) and between
# zones (forward); the zones and rules below open what is needed.
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'

# Admin VLAN: router services (LuCI/SSH/DNS/DHCP) reachable from here.
config zone
        option name 'VLAN_admin'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'VLAN10'
        option mtu_fix '1'

# Common VLAN: same openness towards the router as admin.
config zone
        option name 'VLAN_common'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'VLAN20'
        option mtu_fix '1'

# IoT VLAN: no access to the router and no 'forwarding' section names it as src, so it is
# isolated from the internet and from the other VLANs; only the 'IoT *' rules below poke holes.
config zone
        option name 'VLAN_iot'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'VLAN30'

# Guest VLAN: same isolation towards the router; its only egress is the forwarding to 'wan' below.
config zone
        option name 'VLAN_guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'VLAN50'
        option mtu_fix '1'

# ISP side: NAT for anything that leaves via wan. No 'config redirect' (DNAT) exists anywhere
# in this file, so nothing is exposed inbound on wan.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        list network 'wan'

# Stock OpenWrt default rules for wan -> router: DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Guest -> router DNS. No 'dest' makes this an input rule (the router's own dnsmasq); no
# 'proto' means fw4 applies it to tcp and udp.
config rule
        option name 'Guest DNS'
        option src 'VLAN_guest'
        option target 'ACCEPT'
        option dest_port '53'

# Guest -> router DHCP.
config rule
        option name 'Guest DHCP'
        list proto 'udp'
        option src 'VLAN_guest'
        option dest_port '67'
        option target 'ACCEPT'

# IoT -> router DNS and DHCP, same shape as the guest rules.
config rule
        option name 'IoT DNS'
        option src 'VLAN_iot'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'IoT DHCP'
        list proto 'udp'
        option src 'VLAN_iot'
        option dest_port '67'
        option target 'ACCEPT'

# Named "NTP", but with proto 'all' and no dest_port/dest this accepts *every* protocol from
# the listed src_ip to the router itself -- far wider than NTP. Least privilege would be:
#         option proto 'udp'
#         option dest_port '123'
config rule
        option name 'NTP for Valetudo'
        option src 'VLAN_iot'
        list src_ip 'redacted'
        option target 'ACCEPT'
        list proto 'all'

# Tunnel zone: NAT LAN sources behind the tunnel address; nothing from the tunnel reaches the
# router or is forwarded unless a rule says so.
config zone
        option name 'Proton_WG'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        list network 'Proton_WG'

# Forward-ACCEPT from the tunnel to one host on VLAN_common, ports 443/80; both disabled ('0').
# NOTE(review): a 'rule' only permits traffic that is already addressed to dest_ip. Connections
# arriving over the tunnel are addressed to the tunnel's own address, so publishing the service
# would need a 'config redirect' (DNAT) instead, the return-path routing (PBR) discussed in the
# thread, and a provider that presumably delivers inbound ports to this peer at all.
config rule
        option name 'Allow Raspberry HTTPS'
        option src 'Proton_WG'
        option dest 'VLAN_common'
        list dest_ip 'redacted'
        option dest_port '443'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow Raspberry HTTP'
        option src 'Proton_WG'
        option dest 'VLAN_common'
        list dest_ip 'redacted'
        option dest_port '80'
        option target 'ACCEPT'
        option enabled '0'

# Admin and common VLANs egress only into the tunnel. There is no forwarding to 'wan' for
# them, so if the tunnel is down their traffic is rejected rather than leaking to the ISP --
# effectively a kill switch for these two zones.
config forwarding
        option src 'VLAN_admin'
        option dest 'Proton_WG'

config forwarding
        option src 'VLAN_common'
        option dest 'Proton_WG'

# Guest VLAN may go to 'wan' only. Zone forwarding is matched on the interface a packet
# actually leaves through; with the tunnel holding the default route (route_allowed_ips on the
# Proton_WG peer) guest packets try to leave via Proton_WG, which this forwarding does not
# cover, so they are rejected. Either add a forwarding VLAN_guest -> Proton_WG, or route the
# guest subnet to wan with policy-based routing.
config forwarding
        option src 'VLAN_guest'
        option dest 'wan'

  • /proc/net/vlan/config
VLAN Dev name    | VLAN ID
Name-Type: VLAN_NAME_TYPE_RAW_PLUS_VID_NO_PAD
VLANS.10       | 10  | VLANS
VLANS.20       | 20  | VLANS
VLANS.50       | 50  | VLANS
  • /etc/config/ddns
# /etc/config/ddns as posted; the service is disabled ('enabled 0') and credentials are redacted.
config ddns 'global'
        option ddns_dateformat '%F %R'
        option ddns_loglines '250'
        option ddns_rundir '/var/run/ddns'
        option ddns_logdir '/var/log/ddns'

config service 'ddns'
        option service_name 'changeip.com'
        option use_ipv6 '0'
        option enabled '0'
        option lookup_host 'redacted'
        option domain 'redacted'
        option username 'redacted'
        # Plain-text provider credential; it travels with every config backup.
        option password 'redacted'
        # The public address is learned from an external site over plain HTTP, and that request
        # leaves via the default route, i.e. the WireGuard tunnel. The site therefore sees the VPN
        # exit address, not the ISP address, so the DDNS name would point at the VPN provider --
        # presumably why connecting to it fails. Learning the address from the 'wan' interface and
        # routing the Pi's return traffic via wan (PBR) go together. An https ip_url would also avoid
        # trusting an unauthenticated answer for the address that gets published.
        option ip_source 'web'
        option interface 'Proton_WG'
        option use_syslog '2'
        option ip_url 'http://checkip.dyndns.com'

I have my doubts about the VLAN setup, but apart from that: your VLAN_guest zone has no forwarding to the Proton_WG zone, and since the peer's `allowed_ips 0.0.0.0/0` with `route_allowed_ips '1'` makes the tunnel the default route, guest traffic has no permitted way out and so will not have internet.

If you want incoming connections to your Raspberry from the WAN, then the return traffic must also exit via the WAN and not via the VPN.
For that you need Policy Based Routing (PBR)


I can explain if needed :

  • VLAN 10 is for administration purpose, as in my main computer
  • VLAN 20 is for my common things (phone, consoles, almost everything)
  • VLAN 30 is for my IoT, as I don't want this to be mixed up with the rest and it doesn't need an internet connection
  • VLAN 50 is for guest when needed

I thought about merging VLAN 10 and 20 together but I prefer it separated.

Also, I'm sorry I wasn't clear about VLAN 50 in my initial post: although I did make it work while forwarding it to the WireGuard zone, there's no connection when forwarding to the WAN zone. And I don't understand why, since there's no kill switch on the connection, so I think it should work.

I'll look into PBR more, thank you !

I would imagine that @egc's comment about the VLAN setup was not about the intent, but rather the execution. There are a number of things that don't look right.

Oh ! I'll admit that I'm not sure what could have been done better. Could you please give me some pointers?

Your bridge-vlans should explicitly specify the port status -- in this case, it appears you are using each port individually and untagged.

Add the untagged + PVID with :u* to the ports like this:

        list ports 'lan1:u*'

Repeat for the other VLANs.

Remove the 802.1q stanzas:

Delete this:

Edit VLAN 30 to use device VLANS.30:

Thanks @psherman , I hoped you or one of the other vlan experts would chime in and can advise about the settings

Thank you for the advice. I changed my settings, but ended up with no internet access and a router that was no longer accessible. I had to use failsafe mode to restore the backup file. This is not the first time this has happened to me; it also happened at the beginning, when I tried to set up tagged/untagged ports.

This is the file after modification; I also removed wan6 since I was not using IPv6.

I don't know what else I can show you:

# /etc/config/network after applying the thread's advice. This revision left the router
# unreachable and was rolled back via failsafe. Differences from the first posting are noted.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdd6:9a10:ebdc::/48'
        option packet_steering '1'

# wan6 has been removed (IPv6 not used). DNS is still forced to the tunnel resolver 10.2.0.1.
config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option peerdns '0'
        list dns '10.2.0.1'

config device
        option type 'bridge'
        option name 'VLANS'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

# Ports now carry ':u*' (untagged + PVID) as advised.
config bridge-vlan
        option device 'VLANS'
        option vlan '10'
        list ports 'lan1:u*'

config bridge-vlan
        option device 'VLANS'
        option vlan '20'
        list ports 'lan2:u*'

config bridge-vlan
        option device 'VLANS'
        option vlan '30'
        list ports 'lan3:u*'

# VLAN 50 still has no wired port and, per the posted wireless config, no enabled SSID.
config bridge-vlan
        option device 'VLANS'
        option vlan '50'

# The advice was to delete these four 8021q device sections outright; here only their
# 'type' line was removed and the sections were kept. With bridge-vlans present netifd creates
# VLANS.<vid> itself. Whether these leftovers contributed to the lockout cannot be told from
# the post; removing them entirely is the safe next step.
config device
        option name 'VLANS.10'
        option ifname 'VLANS'
        option vid '10'

config device
        option name 'VLANS.20'
        option ifname 'VLANS'
        option vid '20'

config device
        option name 'VLANS.30'
        option ifname 'VLANS'
        option vid '30'

config device
        option name 'VLANS.50'
        option ifname 'VLANS'
        option vid '50'

config interface 'VLAN10'
        option proto 'static'
        option device 'VLANS.10'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'

config interface 'VLAN20'
        option proto 'static'
        option device 'VLANS.20'
        option ipaddr '192.168.20.1'
        option netmask '255.255.255.0'

# VLAN30 now sits on VLANS.30 as advised, replacing the earlier port-less 'br-VLAN30' bridge.
config interface 'VLAN30'
        option proto 'static'
        option device 'VLANS.30'
        option ipaddr '192.168.30.1'
        option netmask '255.255.255.0'

config interface 'VLAN50'
        option proto 'static'
        option device 'VLANS.50'
        option ipaddr '192.168.50.1'
        option netmask '255.255.255.0'

# Tunnel definition unchanged from the first posting: 0.0.0.0/0 with route_allowed_ips keeps
# the VPN as the default route.
config interface 'Proton_WG'
        option proto 'wireguard'
        option private_key 'redacted'
        list addresses 'redacted'
        list dns '10.2.0.1'

config wireguard_Proton_WG
        option description 'Imported peer configuration'
        option public_key 'redacted'
        list allowed_ips '0.0.0.0/0'
        option endpoint_host 'redacted'
        option endpoint_port 'redacted'
        option route_allowed_ips '1'