I've read a number of posts here and the documentation and tried to understand things to the best of my ability (which may not be very good).
I've set up wireguard on my router (server) and on my Android (client) using "WG Tunnel" from F-Droid.
I would like to use the WireGuard tunnel to reach the internet through my router — essentially making my WireGuard-connected phone behave as if it were part of my LAN.
I can connect to my router through the tunnel, but I can only reach my LAN devices; I cannot reach anything beyond the router.
All the documentation I have read shows how to set up the connection, but once you are connected to the router and can see your LAN it stops there, with no further information on troubleshooting or on how to route your internet traffic back out through the router ("hairpinning").
Your Android client should have 0.0.0.0/0 in the Allowed IPs of its peer entry for the router (that is what sends all of the phone's traffic through the tunnel).
If it does, this looks like a firewall problem.
Please connect to your OpenWrt device using ssh, copy the output of the following commands, and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have (including the peer endpoint addresses shown by `wg show`):
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
ip route show
wg show
I traced it down to a DNS issue: the DNS resolver on my router wasn't answering my WireGuard client. But I would still like to make sure this setup will do what I want.
Thank you for your help.
root@gateway:~# ubus call system board
{
"kernel": "5.15.148",
"hostname": "gateway",
"system": "ARMv7 Processor rev 1 (v7l)",
"model": "Turris Omnia",
"board_name": "cznic,turris-omnia",
"rootfs_type": "btrfs",
"release": {
"distribution": "TurrisOS",
"version": "7.0.0",
"revision": "r20300+124-3547565f24",
"target": "mvebu/cortexa9",
"description": "TurrisOS 7.0.0 3547565f245479dc1643ea66828fb55635d49051"
}
}
root@gateway:~# cat /etc/config/network
config interface 'loopback'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
option device 'lo'
config globals 'globals'
option ula_prefix 'fdab:86dc:4b91::/48'
config interface 'lan'
option force_link '1'
option proto 'static'
option ipaddr '192.168.10.1'
option netmask '255.255.255.0'
option ip6assign '60'
option device 'br-lan'
config interface 'wan'
option proto 'dhcp'
option peerdns '0'
option dns '127.0.0.1'
option hostname 'mydomain.com'
option ipv6 '1'
option device 'eth2'
config interface 'wan6'
option _orig_ifname '@wan'
option proto '6in4'
option mtu '1424'
option peeraddr '184.105.253.14'
option ip6addr '<ipv6>'
option tunnelid '540772'
option username 'user'
option password 'password'
option noserverunicast '1'
option auto '0'
list ip6prefix '<ipv6>'
config interface 'vpn_turris'
option enabled '1'
option proto 'none'
option auto '1'
option device 'tun_turris'
config interface 'IOT'
option _orig_ifname 'wlan0-1'
option _orig_bridge 'false'
option proto 'static'
option ipaddr '192.168.13.1'
option netmask '255.255.255.0'
option device 'br-IOT'
config interface 'wireguardvpn'
option proto 'wireguard'
option private_key '<key>'
option listen_port '62054'
list addresses '172.16.36.1/24'
option peerdns '0'
option delegate '0'
config wireguard_wireguardvpn
option public_key '<key>'
option description 'openwrtclient'
option route_allowed_ips '1'
option persistent_keepalive '25'
list allowed_ips '192.168.1.0/24'
list allowed_ips '172.16.36.0/24'
config wireguard_wireguardvpn
option public_key '<key>'
option description 'apubuild'
list allowed_ips '172.16.36.0/24'
list allowed_ips '192.168.202.0/24'
option disabled '1'
config device 'br_lan'
option name 'br-lan'
list ports 'lan0'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
option type 'bridge'
config device 'dev_wan'
option name 'eth2'
option macaddr '<mac_addr>'
config device 'br_IOT'
option name 'br-IOT'
list ports 'br-IOT'
option type 'bridge'
config wireguard_wireguardvpn
option public_key '<key>'
option description 'apu3'
option route_allowed_ips '1'
config wireguard_wireguardvpn
option description 'Phone'
option private_key '<key>'
option public_key '<key>'
option route_allowed_ips '1'
list allowed_ips '172.16.36.16'
root@gateway:~# cat /etc/config/firewall
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '22'
option dest_port '22'
option name 'ssh'
option dest_ip '192.168.10.12'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp udp'
option src_dport '25565'
option dest_ip '192.168.10.12'
option dest_port '25565'
option name 'minecraft'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '443'
option dest_ip '192.168.10.12'
option dest_port '443'
option name 'https'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '80'
option dest_ip '192.168.10.12'
option dest_port '80'
option name 'http'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp udp'
option src_dport '5060'
option dest_port '5060'
option name 'raspbx'
option dest_ip '192.168.10.83'
option enabled '0'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp udp'
option src_dport '5061'
option dest_ip '192.168.10.83'
option dest_port '5061'
option name 'raspbx-tls'
option enabled '0'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp udp'
option src_dport '25'
option dest_ip '192.168.10.12'
option dest_port '25'
option name 'smtp'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp udp'
option src_dport '993'
option dest_ip '192.168.10.12'
option dest_port '993'
option name 'imaps'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp udp'
option src_dport '465'
option dest_ip '192.168.10.12'
option dest_port '465'
option name 'ssmtp legacy'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp udp'
option src_dport '10000-20000'
option dest_port '10000-20000'
option name 'SIPVoice'
option dest_ip '192.168.10.83'
option enabled '0'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp udp'
option src_dport '27015'
option dest_ip '192.168.10.50'
option dest_port '27015'
option name 'synergy'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp udp'
option src_dport '64738'
option dest_ip '192.168.10.12'
option dest_port '64738'
option name 'Mumble'
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'wireguardvpn'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'
option sentinel_dynfw '1'
option sentinel_minipot '1'
option sentinel_fwlogs '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option src 'wan'
option name 'NUISANCE'
option ipset 'nuisance'
option dest 'lan'
list src_ip '46.148.40.0/24'
list src_ip '223.10.0.0/16'
list src_ip '194.169.175.10'
option target 'DROP'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fe80::/10'
option src_port '547'
option dest_ip 'fe80::/10'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPv6-ssh'
option src 'wan'
option proto 'tcp'
option dest 'lan'
option dest_ip '<ipv6>'
option dest_port '22'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPv6-web'
option src 'wan'
option proto 'tcp'
option dest 'lan'
option dest_ip '<ipv6>'
option dest_port '80 443'
option family 'ipv6'
option target 'ACCEPT'
config rule
option src 'wan'
option dest 'lan'
option target 'ACCEPT'
option name 'Allow-ISAKMP'
list proto 'tcp'
list proto 'udp'
list src_ip '208.54.0.0/16'
option src_port '500'
option enabled '0'
config include
option path '/etc/firewall.user'
config include
option path '/usr/share/firewall/turris'
option reload '1'
config include
option path '/etc/firewall.d/with_reload/firewall.include.sh'
option reload '1'
config include
option path '/etc/firewall.d/without_reload/firewall.include.sh'
option reload '0'
config zone 'vpn_turris'
option enabled '1'
option name 'vpn_turris'
option input 'ACCEPT'
option forward 'REJECT'
option output 'ACCEPT'
option masq '1'
list network 'vpn_turris'
list network 'wireguardvpn'
config rule
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
option name 'Allow-IPSec-ESP'
list src_ip '208.54.0.0/16'
option enabled '0'
config rule
option dest_port '5061'
option src 'wan'
option name 'Encrypted SIP'
option dest 'lan'
option target 'ACCEPT'
list src_ip '208.54.0.0/16'
option enabled '0'
config rule 'vpn_turris_rule'
option name 'vpn_turris_rule'
option target 'ACCEPT'
option proto 'udp'
option src 'wan'
option dest_port '1194'
config forwarding 'vpn_turris_forward_lan_in'
option enabled '1'
option src 'vpn_turris'
option dest 'lan'
config forwarding 'vpn_turris_forward_lan_out'
option enabled '1'
option src 'lan'
option dest 'vpn_turris'
config forwarding 'vpn_turris_forward_wan_out'
option enabled '0'
option src 'vpn_turris'
option dest 'wan'
config rule 'turris_wan_6in4_rule'
option family 'ipv4'
option proto '41'
option target 'ACCEPT'
option src 'wan'
option src_ip '184.105.253.14'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '587'
option dest_ip '192.168.10.12'
option dest_port '587'
option name 'ssmtp2'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '110'
option dest_ip '192.168.10.12'
option dest_port '110'
option name 'pop3'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '995'
option dest_ip '192.168.10.12'
option dest_port '995'
option name 'spop3'
config rule
option name 'Block Google DNS'
option family 'ipv4'
option target 'REJECT'
option proto 'tcp udp'
option src 'lan'
option dest 'wan'
list src_ip '192.168.10.61'
option src_port '53'
config rule
option name 'Block Google DNS - 2'
option family 'ipv4'
option target 'REJECT'
option proto 'tcp udp'
option src 'lan'
option dest 'wan'
list dest_ip '8.8.4.4'
list src_ip '192.168.10.61'
option enabled '0'
config zone
option name 'IOT'
option input 'ACCEPT'
option forward 'REJECT'
option output 'ACCEPT'
option network 'IOT'
config rule
option target 'ACCEPT'
option src 'IOT'
option dest 'lan'
option name 'IOT-DNS'
option dest_port '53'
option dest_ip '192.168.10.1'
config rule
option target 'ACCEPT'
option src 'IOT'
option dest 'lan'
option name 'IOT-DHCP'
option dest_ip '192.168.10.1'
option dest_port '67-68'
config rule
option target 'ACCEPT'
option src 'IOT'
option dest 'lan'
option name 'IOT-NTP'
option dest_ip '192.168.10.1'
option dest_port '123'
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '2222'
option dest_ip '192.168.10.50'
option dest_port '2222'
option name 'remote assistance'
config zone 'turris_vpn_client'
option name 'tr_vpn_cl'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
config forwarding 'turris_vpn_client_forward'
option src 'lan'
option dest 'tr_vpn_cl'
config forwarding
option dest 'IOT'
option src 'lan'
config forwarding
option dest 'lan'
option src 'IOT'
config rule
option src 'wan'
option name 'Handset Authentication'
option dest 'lan'
option target 'ACCEPT'
option src_port '443'
list src_ip '66.94.0.0/19'
option enabled '0'
config rule
option src 'wan'
option name 'Visual Voicemail'
option dest 'lan'
option target 'ACCEPT'
option src_port '993'
list src_ip '66.94.0.0/19'
option enabled '0'
config rule
option src_port '4500'
option src 'wan'
option name 'IPSEC - NAT traversal'
list src_ip '208.54.0.0/16'
option dest 'lan'
option target 'ACCEPT'
option enabled '0'
config rule
option dest_port '62054'
option name 'Wireguard'
option target 'ACCEPT'
list proto 'udp'
option src 'wan'
config rule
option src 'lan'
option name 'Guest AP'
list src_ip '192.168.10.251'
option dest 'lan'
option target 'REJECT'
config redirect
option src 'wan'
option name 'matrix'
option src_dport '8448'
option target 'DNAT'
option dest 'lan'
option dest_port '8008'
option dest_ip '192.168.10.12'
config include
option path '/etc/firewall.fail2ban'
option enabled '1'
option reload '1'
config ipset
option name 'nuisance'
option storage 'hash'
option match 'src_net'
option enabled '1'
option loadfile '/etc/kresd/nuisance.txt'
config include 'bcp38'
option type 'script'
option path '/usr/lib/bcp38/run.sh'
config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'any'
option reload '1'
config include 'sentinel_firewall'
option type 'script'
option path '/usr/libexec/sentinel/firewall.sh'
option family 'any'
option reload '1'
root@gateway:~# ip route show
default via 64.233.242.97 dev eth2 proto static src 64.233.242.107
10.255.111.0/24 via 10.255.111.2 dev tun_turris
10.255.111.2 dev tun_turris proto kernel scope link src 10.255.111.1
<publicnet> dev eth2 proto kernel scope link src <publicip>
172.16.36.0/24 dev wireguardvpn proto static scope link
192.168.1.0/24 dev wireguardvpn proto static scope link
192.168.10.0/24 dev br-lan proto kernel scope link src 192.168.10.1
192.168.13.0/24 dev br-IOT proto kernel scope link src 192.168.13.1
root@gateway:~# wg show
interface: wireguardvpn
public key: <key>
private key: (hidden)
listening port: 62054
peer: <key>
endpoint: 172.58.122.7:21455
allowed ips: 172.16.36.0/24
latest handshake: 2 minutes, 16 seconds ago
transfer: 103.45 KiB received, 100.41 KiB sent
peer: <key>
allowed ips: (none)
peer: <key>
allowed ips: 192.168.1.0/24
persistent keepalive: every 25 seconds
Unfortunately, this does not look like a genuine OpenWrt build but an offshoot (TurrisOS).
So we cannot help with that, because we simply do not know enough about those builds; you will have to ask on the Turris forum.