How to access internet through WireGuard server?

gyzerok · October 17, 2022, 3:16am

Hello everyone!

I have configured a WireGuard server on my router and it seems to work fine (mostly through this guide). I can connect and am able to access LuCI interface from my phone with it.

One other thing I would like to achieve - is to be able to surf internet from under my routers' internet connection.

I assume it has to do with firewall configuration, but can't really figure out what should be changed. Can you help me?

Here is my config:

config zone 'lan'
	option name 'lan'
	list network 'lan'
	list network 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

psherman · October 17, 2022, 3:20am

Your firewall is fine...

Let's see your /etc/config/network file and the WG config for the 'client' peer.

gyzerok · October 17, 2022, 3:25am

@psherman thank you for helping!

Is this what you are asking for?

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'pppoe'
	option ipv6 'auto'
	option username '***'
	option password '***'

config interface 'vpn'
	option proto 'wireguard'
	option private_key '***'
	option listen_port '51820'
	list addresses '192.168.9.1/24'
	list addresses 'fdf1:e8a1:8d3f:9::1/64'

config wireguard_vpn 'wgclient'
	option preshared_key '***'
	option description 'Fedor'
	option public_key '***'
	option private_key '***'
	option endpoint_host '***.duckdns.org'
	option endpoint_port '51820'
	list allowed_ips '192.168.9.18/32'
	option route_allowed_ips '1'

psherman · October 17, 2022, 5:31am

This doesn't quite look right, but before I make any recommendations, I need to see both peers in the WG connection.

Which one did you post here -- is this the 'server' or the 'client'?
Can you please post the other, as well?

gyzerok · October 17, 2022, 7:20am

I want my router to act as a server and my phone to be a client. So I guess that means the peer on OpenWRT is a server peer?

On my phone setup is as follows

gyzerok · October 17, 2022, 12:49pm

I've realized that there might be another thing related to the problem - I am using dnscrypt-proxy for DOH.

Here is my config

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
 	option noresolv '1'
 	option localuse '1'
 	option boguspriv '0'
 	option cachesize '0'
 	list server '127.0.0.53'

gyzerok · October 18, 2022, 3:41am

It looks like DNS was indeed the problem here.

The following snippet solved it for me

config dhcp 'vpn'
	option interface 'vpn'
	option ignore '1'

Edit:
Apparently it was not it. What fixed it was supplying DNS servers in the config of iOS client. I am wondering how can I configure it to use routers DNS server.

Edit 2:
For some reason initially giving 192.168.1.1 as the DNS server on the client didn't work. But then it started working. So now everything is as I expect it.