How do I access my LAN through my openwrt wireguard VPN?

I have been searching for an answer and trying many different configuration options. If I had hair I would have ripped it all out. I am trying to access local network devices through my wg VPN when I am on the road. I have a network printer, a Plex server, and a file server on my LAN. I want to be able to reach them through my VPN tunnel.

My dynamic DNS is configured. I am following script 2a from the forum (https://openwrt.org/docs/guide-user/services/vpn/wireguard/automated). My configs are being generated and successfully imported into my devices (phone and laptop). My devices can connect when I am off the LAN and on the road. They can browse the internet (ip is correct, same as router) but for the life of me I cannot figure out how to access my local network devices.

Below are my config files. It would be great to have a second set of eyes have a look.

wg show

interface: wg_lan
  public key: xxxxxxx
  private key: (hidden)
  listening port: 51820

peer: xxxxxxxxxxxxx
  preshared key: (hidden)
  endpoint: xxxxxxxx:39669
  allowed ips: 10.0.5.3/32
  latest handshake: 2 minutes, 8 seconds ago
  transfer: 681.54 KiB received, 7.19 MiB sent
  persistent keepalive: every 25 seconds

peer: xxxxxxxxxxx
  preshared key: (hidden)
  endpoint: xxxxxxxxx:64756
  allowed ips: 10.0.5.2/32
  transfer: 148 B received, 762.06 KiB sent
  persistent keepalive: every 25 seconds

peer: xxxxxxxxxxxxx
  preshared key: (hidden)
  allowed ips: 10.0.5.4/32
  persistent keepalive: every 25 seconds

peer: xxxxxxxxxxxx
  preshared key: (hidden)
  allowed ips: 10.0.5.5/32
  persistent keepalive: every 25 seconds
root@OpenWrt:~#

cat /etc/config/firewall

# /etc/config/firewall as posted; comments added in review, everything else
# unchanged. Key point for the question in the thread: nothing here blocks
# wg_lan -> lan traffic, so the missing replies are not a router-firewall
# problem.
config defaults
        option syn_flood '1'
        # These policies only apply to traffic that matches no zone. Every
        # zone below sets its own input/forward, so the internet-facing side
        # is protected by the wan zone's REJECT, not by this ACCEPT.
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

# wg_lan is a member of the lan zone. forward 'ACCEPT' also covers traffic
# between the zone's own interfaces, so a VPN peer can reach any host on
# br-lan and (via the lan->wan forwarding below) the internet, and input
# 'ACCEPT' lets peers talk to every service the router itself exposes.
# That is what the original poster wants for their own devices, but the two
# peers labelled "guest" in /etc/config/network get exactly the same access.
# If guests should only reach selected hosts, give wg_lan its own zone (or
# a second tunnel interface) with explicit forwardings/rules instead of
# sharing lan.
config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        # Space-separated multi-value form; accepted, but the thread notes it
        # is deprecated in favour of one 'list network' line per interface.
        option network 'lan wg_lan'

config zone 'wan'
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        # Unsolicited traffic from the internet to the router is rejected
        # unless a rule below explicitly accepts it (udp/51820 is one).
        option input 'REJECT'
        option output 'ACCEPT'
        # No wan->lan forwarding is configured anywhere, so LAN hosts are
        # only reachable from outside through the tunnel.
        option forward 'REJECT'
        # NAT for lan-zone sources (which includes wg_lan) leaving via wan;
        # this is why a connected VPN client's public IP shows as the
        # home router's.
        option masq '1'
        # TCP MSS clamping to the outgoing interface MTU.
        option mtu_fix '1'

# The only inter-zone forwarding: lan (and therefore wg_lan) may initiate
# connections to wan.
config forwarding
        option src 'lan'
        option dest 'wan'

# The rules from here to Allow-ISAKMP appear to be the stock OpenWrt wan
# rules: narrowly scoped input (DHCP renew, ping, IGMP, DHCPv6, MLD,
# ICMPv6) plus rate-limited ICMPv6 forwarding.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# These two forward IPsec (ESP and IKE udp/500) from the internet into lan.
# Harmless unless a LAN host actually runs an IPsec responder; they can be
# removed if nothing on the LAN uses IPsec, which tightens wan->lan to
# "nothing at all".
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# The one rule added for this setup: accepts the tunnel's listen port
# (listen_port 51820 in /etc/config/network) from the internet. No 'dest'
# means input to the router itself, which is where WireGuard listens.
# WireGuard does not respond to packets that are not authenticated with a
# configured peer key, so exposing exactly udp/51820 is the expected
# footprint; keep the rule pinned to that protocol and port.
config rule 'wg'
        option name 'Allow-WireGuard-lan'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

cat /etc/config/dhcp

# /etc/config/dhcp as posted; comments added in review. Nothing here bears
# on the routing problem; the annotated options are the security-relevant
# ones.
config dnsmasq
        # Never forward plain (dot-less) names to the upstream resolver.
        option domainneeded '1'
        # Answer reverse lookups for private ranges locally instead of
        # leaking them upstream.
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        # DNS-rebinding protection: upstream answers that point at private
        # addresses are discarded. rebind_localhost exempts 127.0.0.0/8 from
        # that check (some DNS blocklist services rely on it).
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        # Only answer DNS queries from directly connected subnets. The router
        # holds 10.0.5.1/24 on wg_lan, which is consistent with the clients'
        # DNS = 10.0.5.1 working over the tunnel.
        option localservice '1'
        option ednspacket_max '1232'

# DHCPv4/DHCPv6 and router advertisements are served on the LAN bridge only;
# tunnel peers get static addresses from their WireGuard configs instead.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

# Nothing is served towards the ISP side.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

cat /etc/config/network

# /etc/config/network as posted; comments added in review, keys redacted.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdf5:8ea9:ee4d::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

# Home LAN is 192.168.1.0/24. Being one of the most common factory defaults,
# it is the subnet most likely to collide with a hotel or coffee-shop
# network a road warrior connects from (see the note further down the
# thread); an uncommon subnet avoids that.
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'wan'
        option macaddr '62:38:e0:b5:d7:60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

# Server end of the tunnel. Giving the router 10.0.5.1/24 here means it has
# a connected route to 10.0.5.0/24 as well as to 192.168.1.0/24, so no
# extra static route is needed for the two subnets to reach each other
# through it.
config interface 'wg_lan'
        option proto 'wireguard'
        # Redacted in the post. This key is what every client authenticates
        # the server against; never paste the real value anywhere.
        option private_key 'xxxxxxxxxxxxx'
        # Must match the Allow-WireGuard-lan rule in /etc/config/firewall.
        option listen_port '51820'
        # Only an IPv4 address is assigned; the tunnel carries no IPv6.
        list addresses '10.0.5.1/24'
        # 1500 minus WireGuard's encapsulation overhead; clients should use
        # the same value.
        option mtu '1420'

# One section per client. allowed_ips '/32' is WireGuard's cryptokey
# routing: packets decrypted under this peer's key are accepted only when
# sourced from that one address, and route_allowed_ips installs the
# matching return route on the router. preshared_key adds a per-peer
# symmetric secret on top of the public-key handshake and, like the
# private key, must stay secret.
config wireguard_wg_lan
        option public_key 'xxxxxxxxxxxxx'
        option preshared_key 'xxxxxxxxxxxxx'
        option description '1_lan_laptop'
        list allowed_ips '10.0.5.2/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

config wireguard_wg_lan
        option public_key 'xxxxxxxxxxxxx'
        option preshared_key 'xxxxxxxxxxxxx'
        option description '2_lan_phone'
        list allowed_ips '10.0.5.3/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

# The two peers below are labelled "guest", but nothing distinguishes them
# from the owner's devices: wg_lan is a single interface in the lan zone of
# /etc/config/firewall, so they get the same full LAN and router access.
# Restricting guests needs either a second wireguard interface in its own
# zone or firewall rules keyed on these peers' 10.0.5.x addresses.
config wireguard_wg_lan
        option public_key 'xxxxxxxxxxxxx'
        option preshared_key 'xxxxxxxxxxxxx'
        option description '3_lan_guest1'
        list allowed_ips '10.0.5.4/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

config wireguard_wg_lan
        option public_key 'xxxxxxxxxxxxx'
        option preshared_key 'xxxxxxxxxxxxx'
        option description '4_lan_guest2'
        list allowed_ips '10.0.5.5/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

config file

# Client-side configuration generated by the script (1_lan_laptop,
# 10.0.5.2). Comments added in review; keys redacted.
[Interface]
# The client's own identity; it must never leave the device.
PrivateKey = xxxxxxxxxxxxx
# Matches this peer's allowed_ips on the router.
Address = 10.0.5.2/32
# Resolve through the router over the tunnel rather than through the local
# network's resolver, so lookups are not leaked (and .lan names should
# resolve).
DNS = 10.0.5.1

[Peer]
# The router's public key plus the per-peer preshared key.
PublicKey = xxxxxxxxxxxxx
PresharedKey = xxxxxxxxxxxxx
# Full tunnel: all IPv4 and IPv6 traffic goes through the VPN, which is why
# the client's public IP shows as the home router's. Traffic to
# 192.168.1.0/24 is already covered by 0.0.0.0/0, so no narrower entry is
# needed. Because the server assigns no IPv6 address and accepts only
# 10.0.5.2 from this key, IPv6 on the client is effectively blackholed
# while connected - that is the desired outcome (no IPv6 leak around the
# tunnel), not a bug.
AllowedIPs = 0.0.0.0/0, ::/0
# Dynamic-DNS name of the home router; the port matches listen_port and the
# firewall rule.
Endpoint = xxxxxxxxxxxxx:51820
# Keeps NAT/conntrack state alive so the router can reach the client.
PersistentKeepalive = 25

The configs look correct and packets are being exchanged, so the handshake is working. However, are you certain that the devices on your LAN do not have a host firewall that blocks traffic from non-local networks?
Can you browse the internet from the 1_lan_laptop ?

Thanks for your response. Yes, I am able to browse the internet through 1_lan_laptop and 2_lan_phone. ipleak shows the correct IP of my router.

I had the same issue before. Even though you have 0.0.0.0/0, so all traffic is sent through the tunnel once your road-warrior devices reach your LAN, the WireGuard subnet and the LAN subnet are different networks. It was solved for me by adding a route that allowed those two subnets to "talk to each other".

I’m on the go and can’t think of the CLI command to make this route, but in Luci, it looks like a Static ipv4 route added with wireguard as interface, unicast route type, with 0.0.0.0/0 as the target, then as an ipv4 rule with rule type unicast, lan as incoming interface, outgoing interface as unspecified, and I have it setup on its own route table

This is not necessary, OpenWrt has an interface on both networks, so it has both routes in its routing table.
@BrianO then you can verify that there are no packets coming back by trying this.
opkg update; opkg install tcpdump; tcpdump -i br-lan -vn net 10.0.5.0/24
Then try from your wg clients to access the lan hosts.
After you capture some packets exit with Ctrl-c and paste here the output.

I don’t understand then. :man_shrugging: I spent a good 2 weeks when I first setup my vpn a couple years ago and I couldn’t get my cellphone to see any of my lan devices when connected to the vpn. I knew it was working cause I had a handshake and my cellphone showed my home ip address. It wasn’t until I happened upon a post mentioning that route and adding it myself that I then was able to access other devices on my lan via vpn.

Even though the devices have routes on openwrt, they’d still need to be defined if they are not on the same routing table, no?

All devices use OpenWrt as default gateway so they will send to it the packets for networks they don't have routes.
Openwrt has routes to both lan and wireguard.
If the network is different it may not work and another static route could be needed.

In /etc/config/firewall, as you're using multiple values, instead of:

option network 'lan wg_lan'

you should write:

list network 'lan wg_lan'

option network 'lan wg_lan' is a correct way. If you want to write a list, it must be separated:

list network 'lan'
list network 'wg_lan'

My mistake. lists items should be in different lines as you explain.

Anyway, the OP's configuration ("option" with multiple values) isn't correct, and that's probably the reason the firewall isn't properly configured.

While not common anymore, it is not wrong.
Check the firewall configuration, wan zone, here.

One line option with multiple values is deprecated and could stop working with any update. Always use the multiple line list syntax instead.

Note that if a road warrior is connected to a LAN (coffee shop, hotel, etc.) whose IP subnet is the same as your home LAN, routing through the VPN to the home LAN will not work: the directly connected route installed when the device joins that network is more specific than the tunnel's 0.0.0.0/0 and takes priority. The most straightforward fix is to use an uncommon subnet for your home LAN (192.168.1.0/24, as used here, is one of the most common defaults).


Thanks for the feedback. I stepped away from this for a couple days due to Christmas. I started the tcpdump, then connected my phone through the mobile network, then activated wireguard, then tried to connect to my network printer. The connection was not successful. These are the results:

root@OpenWrt:~# tcpdump -i br-lan -vn net 10.0.5.0/24
tcpdump: listening on br-lan, link-type EN10MB (Ethernet), capture size 262144 bytes
23:32:12.690666 IP (tos 0x0, ttl 63, id 41078, offset 0, flags [DF], proto UDP (17), length 76)
    10.0.5.3.48063 > 192.168.1.145.161:  { SNMPv1 { GetRequest(33) R=186722051  .1.3.6.1.4.1.1240.2.3.4.1.1.0 } }
23:32:12.706533 IP (tos 0x0, ttl 63, id 41079, offset 0, flags [DF], proto UDP (17), length 77)
    10.0.5.3.55260 > 192.168.1.145.161:  { SNMPv1 { GetRequest(34) R=0  .1.3.6.1.4.1.2435.2.4.3.99.3.1.6.1.2.1 } }
23:32:12.771007 IP (tos 0x0, ttl 63, id 41088, offset 0, flags [DF], proto UDP (17), length 76)
    10.0.5.3.48063 > 192.168.1.145.161:  { SNMPv1 { GetRequest(33) R=186722051  .1.3.6.1.4.1.1240.2.3.4.1.1.0 } }
23:32:12.870432 IP (tos 0x0, ttl 63, id 41093, offset 0, flags [DF], proto UDP (17), length 76)
    10.0.5.3.48063 > 192.168.1.145.161:  { SNMPv1 { GetRequest(33) R=186722051  .1.3.6.1.4.1.1240.2.3.4.1.1.0 } }
23:32:12.970958 IP (tos 0x0, ttl 63, id 41101, offset 0, flags [DF], proto UDP (17), length 76)
    10.0.5.3.48063 > 192.168.1.145.161:  { SNMPv1 { GetRequest(33) R=186722051  .1.3.6.1.4.1.1240.2.3.4.1.1.0 } }
23:32:13.070254 IP (tos 0x0, ttl 63, id 41109, offset 0, flags [DF], proto UDP (17), length 77)
    10.0.5.3.53724 > 192.168.1.145.161:  { SNMPv1 { GetRequest(34) R=0  .1.3.6.1.4.1.2435.2.4.3.99.3.1.6.1.2.1 } }
23:32:13.078902 IP (tos 0x0, ttl 63, id 41110, offset 0, flags [DF], proto UDP (17), length 76)
    10.0.5.3.48063 > 192.168.1.145.161:  { SNMPv1 { GetRequest(33) R=186722051  .1.3.6.1.4.1.1240.2.3.4.1.1.0 } }
23:32:13.170833 IP (tos 0x0, ttl 63, id 41120, offset 0, flags [DF], proto UDP (17), length 76)
    10.0.5.3.48063 > 192.168.1.145.161:  { SNMPv1 { GetRequest(33) R=186722051  .1.3.6.1.4.1.1240.2.3.4.1.1.0 } }
23:32:13.271025 IP (tos 0x0, ttl 63, id 41125, offset 0, flags [DF], proto UDP (17), length 76)
    10.0.5.3.48063 > 192.168.1.145.161:  { SNMPv1 { GetRequest(33) R=186722051  .1.3.6.1.4.1.1240.2.3.4.1.1.0 } }

I am not entirely sure how to interpret them. Any help would be appreciated. Thank you

I now have it setup like this, but it did not make a difference.

This is good to know. I will keep this in mind and eventually change the ip range of my home network

The capture shows only the request side: nine SNMP GetRequests from 10.0.5.3 to 192.168.1.145:161 left the router on br-lan (TTL 63 is consistent with one forwarding hop) and not a single reply came back, so the router is forwarding correctly and the printer is the one not answering. Either it has no route back to 10.0.5.0/24 — check that its default gateway is set to 192.168.1.1 — or it discards requests from addresses outside its own subnet, which some printers do. If the gateway is correct and it still does not answer, the usual workaround is to masquerade traffic leaving the lan zone (option masq '1' on the lan zone, ideally limited with masq_src '10.0.5.0/24') so the printer sees the request as coming from 192.168.1.1.

It may also be an issue with the printer's SNMP configuration, but I assume it works fine when you are connected directly to the LAN, right?
