Help configuring a WireGuard VPN client on OpenWrt

Hi all, I'm a newbie.
I'm having trouble configuring the WireGuard VPN client on my OpenWrt device.
So let me show my config.
I have a Raspberry Pi 4 with a WireGuard server on my home network; it has the LAN IP address 192.168.1.8 and the WireGuard address 10.6.0.1.
I set up two "clients": the first is my home iMac, with LAN IP 192.168.1.25 and WireGuard address 10.6.0.2; the second is another Mac on the office network, with LAN IP 192.168.8.100 and WireGuard address 10.6.0.3. At this point everything is OK, so I can VNC from the home Mac to the office Mac and back through the VPN addresses.
Now I want to add my OpenWrt device on the office network to WireGuard. I set up the peer, the endpoint and everything, and it seems to work: if I enter the OpenWrt VPN address (10.6.0.5) from my home Mac it shows the OpenWrt config page, and if I plug the office Mac into the OpenWrt LAN I can VNC to 10.6.0.2 on my home Mac, but not the reverse.
So I need help with how to access, from my home Mac, the devices plugged into the OpenWrt LAN.
My office network is an LTE wireless modem without LAN ports, and my OpenWrt is connected to the internet through Wi-Fi. I'm posting my /etc/config/network and /etc/config/firewall config files in case someone needs them to help me. Thanks in advance, and sorry for my very bad English :frowning: !!!

# /etc/config/network as posted (OpenWrt acting as a WireGuard client).
# Keys were redacted by the poster; the asterisks are placeholders, not real values.
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd7a:181b:f061::/48'

# NOTE(review): 192.168.1.0/24 is also the home LAN behind the VPN server (the Pi
# is 192.168.1.8), so this LAN overlaps the remote site. Later in the thread the
# router is moved to 192.168.2.x so the two subnets can be told apart in the
# tunnel routing; the address below is the pre-change value.
config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.100'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 8t'

# Upstream is the office LTE modem reached over Wi-Fi; the address comes from DHCP.
config interface 'wwan'
        option proto 'dhcp'

# WireGuard tunnel towards the home server (10.6.0.1/24).
# NOTE(review): two tunnel addresses are assigned, but the server-side peer entry
# for this router only lists 10.6.0.5/32, so packets sourced from 10.6.0.6 would
# presumably be dropped by the server's cryptokey routing — confirm whether the
# second address is actually needed.
config interface 'wg'
        option proto 'wireguard'
        list addresses '10.6.0.5/24'
        list addresses '10.6.0.6/24'
        option private_key '***************'

# The server peer. allowed_ips 0.0.0.0/0 together with route_allowed_ips '1'
# installs a default route through the tunnel, so all of the router's traffic
# (and, via the lan -> wan forwarding in the firewall, its clients' traffic) is
# sent to the home server, not only 10.6.0.0/24. A narrower allowed_ips (the
# tunnel subnet plus the home LAN) would keep ordinary internet traffic on the
# LTE link — a design choice to confirm with the author, not a bug as such.
config wireguard_wg
        option public_key '********************'
        option persistent_keepalive '25'
        option endpoint_port '51820'
        option endpoint_host 'myhost'
        list allowed_ips '0.0.0.0/0'
        option preshared_key '***************************'
        option route_allowed_ips '1'
                
# /etc/config/firewall as posted. The WireGuard interface 'wg' is a member of the
# 'wan' zone rather than of a zone of its own (see the empty 'wgard' zone below).
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

# 'wg' sits in this zone, so the tunnel inherits masq '1': traffic from LAN clients
# enters the tunnel with source 10.6.0.5. That is why the server still has to list
# the OpenWrt LAN in this peer's AllowedIPs for the home -> office direction to be
# routed into the tunnel at all.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6 wwan wg'

# Only lan -> wan forwarding exists. A packet arriving on the tunnel (wan zone) for
# a host behind 'lan' falls under the wan zone's forward 'REJECT', so the home side
# cannot reach LAN devices without a forwarding from the tunnel's zone to 'lan'.
# NOTE(review): check this if the reverse direction is still blocked after the
# AllowedIPs fix on the server.
config forwarding
        option src 'lan'
        option dest 'wan'

# The rules from here to Allow-ISAKMP look like the stock OpenWrt defaults
# (DHCP renew, ping, IGMP, IPv6 housekeeping, IPsec pass-through).
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'
config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'
config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# ESP and IKE (UDP 500) are forwarded from wan to lan. Nothing in the thread
# suggests a LAN host terminates IPsec, so these two rules can be dropped if unused.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'
config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Custom rules file; its contents were not posted, so anything in it also applies.
config include
        option path '/etc/firewall.user'

# NOTE(review): this zone has no 'option network', so no interface belongs to it and
# it currently does nothing — the tunnel is still in the 'wan' zone above. Adding
# option network 'wg' here (and removing 'wg' from the wan zone's network list)
# would give the tunnel its own input/forward policy, separate from the LTE uplink.
config zone
        option input 'ACCEPT'
        option forward 'REJECT'
        option name 'wgard'
        option output 'ACCEPT'

# NOTE(review): this rule has no proto, dest_port or dest, and its source is the
# whole 'wan' zone, which per the zone definition above includes wan, wan6, wwan
# and wg. It therefore accepts every inbound connection to the router from the
# internet-facing wwan link as well as from the tunnel, effectively cancelling the
# wan zone's input 'REJECT' (it is also why the LuCI page answers at 10.6.0.5).
# Safer: move 'wg' into the 'wgard' zone (input ACCEPT there already) and delete
# this rule, or at least add option proto / option dest_port for the specific
# services that should be reachable over the tunnel.
config rule
        option name 'wg'
        option target 'ACCEPT'
        option src 'wan'
  • Add OpenWrt LAN subnet to the allowed IPs in the VPN server config.
  • Enable masquerading in the OpenWrt firewall LAN zone.
  • Add OpenWrt LAN subnet to the allowed IPs in the VPN server config.
    How can I do that?
  • Enable masquerading in the OpenWrt firewall LAN zone.
    This is done.

Edit the VPN server config adding 192.168.1.0/24 to the allowed IPs for the OpenWrt peer.


Sorry, but I don't understand; you mean on the Raspberry?

It depends on whether you have other VPN peers providing the server role.


I'll just try adding it to wg0.conf on my Raspberry at /etc/wireguard/wg0.conf; I will update you.

Now I can VNC to 10.6.0.2 and 192.168.1.25 from the OpenWrt LAN clients, but not the reverse.
I tried both 10.6.0.x and 192.168.1.136 (the LAN IP of the home office), but nothing.

On the Raspberry I installed the WireGuard server with PiVPN, and the wg0.conf file contains this:

# /etc/wireguard/wg0.conf on the Raspberry Pi server (generated by PiVPN).
# Keys were redacted by the poster; the x's are placeholders, not real values.
[Interface]
PrivateKey = xxxxxxxxxxxxx
Address = 10.6.0.1/24
MTU = 1420
ListenPort = 51820
# NOTE(review): the peer names do not obviously match the first post (home iMac
# = 10.6.0.2, office Mac = 10.6.0.3) — confirm which key belongs to which machine.
### begin mac-lab ###
[Peer]
PublicKey = xxxxxxx
PresharedKey = xxxxxxxxxx
# NOTE(review): 192.168.1.0/32 and 192.168.2.0/32 are single-address prefixes
# (only the .0 address), not the /24 subnets the reply asked for. 192.168.1.0/24 is
# also the server's own LAN (the Pi is 192.168.1.8), so it does not belong in any
# peer's AllowedIPs at all. The same two prefixes are repeated under mac-casa and
# openwrt below; a prefix can be attached to only one peer on an interface (a later
# peer that lists it takes it over), so only the openwrt peer should carry its
# remote LAN — 192.168.2.0/24 once the router is re-addressed — and the two Mac
# peers should keep just their /32 tunnel addresses.
AllowedIPs = 10.6.0.2/32,192.168.1.0/32,192.168.2.0/32

### end mac-lab ###
### begin mac-casa ###
[Peer]
PublicKey = xxxxxxxxxxxx
PresharedKey = xxxxxxxxxxx
# See the note on the first peer: the two LAN prefixes here are both wrong in
# length (/32) and duplicated across peers.
AllowedIPs = 10.6.0.3/32,192.168.1.0/32,192.168.2.0/32
### end mac-casa ###
### begin ipad-mini ###
[Peer]
PublicKey = xxxxxxxxxx
PresharedKey = xxxxxxxxxxx
AllowedIPs = 10.6.0.4/32
### end ipad-mini ###
### begin openwrt ###
[Peer]
PublicKey = xxxxxxxx
PresharedKey = xxxxxxxx
# This is the peer whose AllowedIPs must include the OpenWrt LAN subnet (as a /24)
# so the server routes home -> office traffic into the tunnel.
AllowedIPs = 10.6.0.5/32,192.168.1.0/32,192.168.2.0/32
### end openwrt ###

It should be like this:

Note that subnets must not overlap.


Yes, I see; until now I had the OpenWrt LAN on 192.168.1.1, the same as the home router. Now I've put OpenWrt on 192.168.2.x; anyway, give me 4 minutes and I'll try that.
Thanks a lot.

Nope, it doesn't work :frowning:

it woooooork

