I have been searching for an answer and trying many different configuration options. If I had hair I would have ripped it all out. I am trying to access local network devices through my WireGuard (wg) VPN when I am on the road. I have a network printer, a Plex server, and a file server on my LAN. I want to be able to connect to them through my VPN tunnel.
My dynamic DNS is configured. I am following script 2a from the forum (https://openwrt.org/docs/guide-user/services/vpn/wireguard/automated). My configs are being generated and successfully imported into my devices (phone and laptop). My devices can connect when I am off the LAN and on the road. They can browse the internet (the public IP is correct, the same as the router's), but for the life of me I cannot figure out how to access my local network devices.
Below are my config files. It would be great to have a second set of eyes have a look.
wg show
interface: wg_lan
public key: xxxxxxx
private key: (hidden)
listening port: 51820
peer: xxxxxxxxxxxxx
preshared key: (hidden)
endpoint: xxxxxxxx:39669
allowed ips: 10.0.5.3/32
latest handshake: 2 minutes, 8 seconds ago
transfer: 681.54 KiB received, 7.19 MiB sent
persistent keepalive: every 25 seconds
peer: xxxxxxxxxxx
preshared key: (hidden)
endpoint: xxxxxxxxx:64756
allowed ips: 10.0.5.2/32
transfer: 148 B received, 762.06 KiB sent
persistent keepalive: every 25 seconds
peer: xxxxxxxxxxxxx
preshared key: (hidden)
allowed ips: 10.0.5.4/32
persistent keepalive: every 25 seconds
peer: xxxxxxxxxxxx
preshared key: (hidden)
allowed ips: 10.0.5.5/32
persistent keepalive: every 25 seconds
root@OpenWrt:~#
cat /etc/config/firewall
# Global firewall defaults: input and output are ACCEPT, forward is REJECT.
# The zones defined further down set their own input/output/forward policies.
# NOTE(review): a default input policy of ACCEPT is permissive; confirm that
# every interface carrying untrusted traffic is assigned to a restrictive zone.
config defaults
# SYN-flood protection enabled.
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
# 'lan' zone: traffic to the router (input), from the router (output) and
# between the zone's member networks (forward) is all ACCEPT.
config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
# The WireGuard interface wg_lan is a member of this zone together with lan,
# so every VPN peer is treated like a wired LAN host: it may reach the router's
# own services and be forwarded to 192.168.1.0/24. That includes the peers
# labelled as guests in /etc/config/network.
# NOTE(review): if guest peers should not have full LAN and router access,
# they need a separate interface and zone with narrower rules.
option network 'lan wg_lan'
# 'wan' zone: covers the wan (IPv4) and wan6 (IPv6) interfaces.
config zone 'wan'
option name 'wan'
list network 'wan'
list network 'wan6'
# Unsolicited traffic from the internet to the router is rejected unless one of
# the explicit rules below accepts it; nothing is forwarded inward by default.
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
# Masquerading (source NAT) for traffic leaving through this zone.
option masq '1'
# MSS clamping for traffic through this zone.
option mtu_fix '1'
# Allows forwarding from the lan zone to the wan zone. Because wg_lan is a
# member of the lan zone, this is also what lets VPN peers reach the internet
# through the router. There is no matching wan -> lan forwarding section.
config forwarding
option src 'lan'
option dest 'wan'
# Exceptions to the wan zone's REJECT policies. Each rule below accepts one
# specific kind of traffic arriving from the wan zone.

# DHCP replies to the router's own WAN DHCP client (UDP port 68, IPv4).
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
# The router answers IPv4 ping (echo-request) from the wan side.
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
# IGMP from the wan side (IPv4).
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
# DHCPv6 replies to the router (UDP port 546, IPv6).
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
# Multicast Listener Discovery messages, restricted to link-local sources.
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
# ICMPv6 addressed to the router itself, rate-limited to 1000 packets/sec.
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# ICMPv6 forwarded from wan to any zone (dest '*'), same rate limit; the
# neighbour/router discovery types are not in this list.
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# The next two rules accept IPsec traffic (ESP, and UDP port 500) forwarded
# from wan into the lan zone.
# NOTE(review): nothing else in this config shows an IPsec endpoint on the LAN;
# if none exists, these two inbound forward rules are candidates for removal.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# Accepts UDP port 51820 arriving from the wan zone. No 'dest' is set, so this
# is an input rule for the router itself. The port matches listen_port of the
# wg_lan interface in /etc/config/network and the "listening port" reported by
# `wg show`. It is the only wan-side opening specific to the VPN.
config rule 'wg'
option name 'Allow-WireGuard-lan'
option src 'wan'
option dest_port '51820'
option proto 'udp'
option target 'ACCEPT'
cat /etc/config/dhcp
# dnsmasq (DNS and DHCPv4) settings for the router.
config dnsmasq
# Do not forward plain names (no dots) or reverse lookups for private ranges
# to upstream resolvers.
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
# DNS-rebinding protection: upstream answers that point into private address
# space are discarded; rebind_localhost extends this to 127.0.0.0/8.
option rebind_protection '1'
option rebind_localhost '1'
# Names under 'lan' are answered locally and never forwarded upstream.
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
# NOTE(review): the VPN client config on this page uses DNS = 10.0.5.1.
# localservice presumably limits answers to directly attached subnets; confirm
# that 10.0.5.0/24 on wg_lan counts as one, otherwise peers get no DNS answers.
option localservice '1'
option ednspacket_max '1232'
# DHCP pool for the lan interface: start offset 100, 150 addresses, 12-hour
# leases; DHCPv4, DHCPv6 and router advertisements are all in server mode.
# There is no DHCP section for wg_lan; VPN peers use the static addresses set
# in their own configs.
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
option ra_slaac '1'
list ra_flags 'managed-config'
list ra_flags 'other-config'
# No DHCP service is offered on the wan interface.
config dhcp 'wan'
option interface 'wan'
option ignore '1'
# odhcpd settings; maindhcp '0' means odhcpd is not the main DHCPv4 server.
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
cat /etc/config/network
# Loopback interface.
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
# IPv6 unique-local (ULA) prefix for the site.
config globals 'globals'
option ula_prefix 'fdf5:8ea9:ee4d::/48'
# Bridge br-lan over the four LAN ports.
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
# LAN interface: the router is 192.168.1.1 on 192.168.1.0/24.
# NOTE(review): 192.168.1.0/24 is a very common default subnet. If the network
# a roaming client is attached to uses the same range, the client's directly
# connected route may take precedence over the tunnel for those addresses, so
# the home LAN would appear unreachable even though the VPN is up. Verify from
# the client's routing table.
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
# WAN device with an explicitly configured MAC address.
config device
option name 'wan'
option macaddr '62:38:e0:b5:d7:60'
# WAN gets its IPv4 configuration via DHCP and its IPv6 configuration via
# DHCPv6, both on the same 'wan' device.
config interface 'wan'
option device 'wan'
option proto 'dhcp'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
# WireGuard server interface. The router is 10.0.5.1 on the tunnel subnet
# 10.0.5.0/24 and listens on UDP 51820 (the port opened by the
# 'Allow-WireGuard-lan' firewall rule).
config interface 'wg_lan'
option proto 'wireguard'
# Redacted in this post. The real value is the server's long-term secret and
# is stored in plain text in this file, so the file should not be shared as-is.
option private_key 'xxxxxxxxxxxxx'
option listen_port '51820'
list addresses '10.0.5.1/24'
option mtu '1420'
# Peers of wg_lan. Each peer has its own public key and preshared key (both
# redacted here) and is limited to a single /32 tunnel address in allowed_ips,
# so a peer can only send traffic from the one address assigned to it.
# route_allowed_ips '1' installs a route for each peer's allowed address.
# Peer 1: laptop, 10.0.5.2.
config wireguard_wg_lan
option public_key 'xxxxxxxxxxxxx'
option preshared_key 'xxxxxxxxxxxxx'
option description '1_lan_laptop'
list allowed_ips '10.0.5.2/32'
option route_allowed_ips '1'
option persistent_keepalive '25'
# Peer 2: phone, 10.0.5.3.
config wireguard_wg_lan
option public_key 'xxxxxxxxxxxxx'
option preshared_key 'xxxxxxxxxxxxx'
option description '2_lan_phone'
list allowed_ips '10.0.5.3/32'
option route_allowed_ips '1'
option persistent_keepalive '25'
# Peers 3 and 4 are described as guests but sit on the same interface as the
# owner's devices, and wg_lan is a member of the firewall's 'lan' zone.
# NOTE(review): as configured, a guest peer gets the same access to the router
# and the LAN as the laptop and phone; confirm that this is intended.
config wireguard_wg_lan
option public_key 'xxxxxxxxxxxxx'
option preshared_key 'xxxxxxxxxxxxx'
option description '3_lan_guest1'
list allowed_ips '10.0.5.4/32'
option route_allowed_ips '1'
option persistent_keepalive '25'
config wireguard_wg_lan
option public_key 'xxxxxxxxxxxxx'
option preshared_key 'xxxxxxxxxxxxx'
option description '4_lan_guest2'
list allowed_ips '10.0.5.5/32'
option route_allowed_ips '1'
option persistent_keepalive '25'
config file
# Client-side WireGuard config. Address 10.0.5.2 matches the allowed_ips of the
# '1_lan_laptop' peer on the router.
[Interface]
# Redacted in this post. This file holds the client's private key and the
# preshared key in plain text, so it should be handled as a secret.
PrivateKey = xxxxxxxxxxxxx
Address = 10.0.5.2/32
# DNS queries go to the router's tunnel address.
DNS = 10.0.5.1
[Peer]
PublicKey = xxxxxxxxxxxxx
PresharedKey = xxxxxxxxxxxxx
# Full tunnel: all IPv4 and IPv6 traffic is routed into the VPN, which covers
# the home LAN 192.168.1.0/24 as well.
# NOTE(review): the router's wg_lan interface shows only an IPv4 address and
# this client has no IPv6 address, so IPv6 sent into the tunnel presumably goes
# nowhere; confirm that is acceptable.
AllowedIPs = 0.0.0.0/0, ::/0
# Port 51820 matches the router's listen_port.
Endpoint = xxxxxxxxxxxxx:51820
PersistentKeepalive = 25