How to access LAN via OpenWrt WireGuard

There are many topics about this subject, but I'm a total noob and can't figure it out.

So I want to access my LAN machines with my laptop while I am on the go. I have successfully configured WireGuard and my laptop connects without a hitch to WireGuard (I get the public IP that my ISP gives to my router with OpenWrt).
I run the WireGuard server on my router, if that is important.

What is the easy way to set this up?

Local IP of my router is 192.168.1.1
DHCP for LAN is set up on 192.168.1.1xx - 250
WireGuard is on 10.14.0.1/24 and listens on port 12345

firewall config:

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'WG_Server'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config rule
	option src 'wan'
	option proto 'igmp'
	option target 'ACCEPT'

config rule
	option src 'wan'
	option proto 'udp'
	option dest 'lan'
	option dest_ip '224.0.0.0/4'
	option target 'ACCEPT'

config rule
	option src 'wan'
	option proto 'udp'
	option dest_ip '224.0.0.0/4'
	option target 'ACCEPT'

config redirect
	option dest_port '12345'
	option src 'wan'
	option name 'Wireguard'
	option src_dport '12345'
	option target 'DNAT'
	option dest_ip '192.168.1.1'
	option dest 'lan'
	list proto 'udp'

network:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd0c:772b:a372::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option igmp_snooping '1'

config device 'lan_eth0_1_dev'
	option name 'eth0.1'
	option macaddr '14:91:82:9f:5c:b0'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	option peerdns '0'

config device 'wan_eth0_2_dev'
	option name 'eth0.2'
	option macaddr '14:91:82:9f:5c:b0'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'
	list dns '2606:4700:4700::1111'
	list dns '2606:4700:4700::1001'
	option reqprefix 'auto'
	option reqaddress 'try'
	option peerdns '0'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5 0t'

config interface 'WG_Server'
	option proto 'wireguard'
	option private_key '<privatkey>'
	option listen_port '12345'
	list addresses '10.14.0.1/24'

config wireguard_WG_Server
	option public_key '<public key>'
	option description 'RN9S'
	option persistent_keepalive '25'
	list allowed_ips '10.14.0.3/32'
	option route_allowed_ips '1'
	option endpoint_port '12345'

config wireguard_WG_Server
	option public_key '<public key>'
	option description 'Mojca_Latitude'
	option persistent_keepalive '25'
	list allowed_ips '10.14.0.4/32'
	option route_allowed_ips '1'
	option endpoint_port '12345'

Any help is much appreciated

b.r.

The Wireguard interface is in the same firewall zone as LAN and you allow forwarding.

So, it's already done. :smiley:

Congrats!

Are you having issues?

Yeah, I can't access my NAS, which has the IP 192.168.1.235

Did you program a gateway IP into the NAS?

Wait...allow that IP range also on the interfaces.

Can you explain what you mean by that? Someone told me that I have to set up routing between LAN and WireGuard to access the LAN.

You need to allow the IPs though on the WG interfaces.

But your laptop should send all traffic to the OpenWrt, and it has a route already.

Gateway IP. The NAS needs to know the router address to communicate to other subnets.

OK, how do I do that (keep in mind I am a noob)

The laptop does connect to WireGuard and, as I said, I do get my router's public IP on the laptop using 4G + WireGuard. So the tunnel to the router is working, but I cannot access LAN computers, the LAN printer etc....

On your laptop you need to add:

allowed_ips 192.168.1.0/24
and a route
192.168.1.0/24 with gw 10.14.0.1

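The laptop-side change described in the reply above, as an added example that is not part of the thread and not OpenWrt's or WireGuard's own code. AllowedIPs is WireGuard's cryptokey routing table: it is both the ACL for what the router peer may send to the laptop and, under wg-quick, the source of the laptop's kernel routes, so every destination that should go through the tunnel (the tunnel subnet and the 192.168.1.0/24 LAN) must be covered by it. The script computes whether the LAN is already covered (it is when AllowedIPs is 0.0.0.0/0) and emits a wg-quick client config. Tunnel addresses and the port come from the router stanzas in the thread; the keys, the endpoint, the name `wg0` and the optional DNS line are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): decide what the laptop's [Peer]
# AllowedIPs must carry so that packets for the OpenWrt LAN (192.168.1.0/24)
# are routed into the tunnel, then print a wg-quick style client config.
# With wg-quick each AllowedIPs entry becomes a route via the wg interface,
# so no separate "192.168.1.0/24 via 10.14.0.1" route has to be added.

# Dotted-quad IPv4 to integer (subshell body keeps the IFS change local).
ip4_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Append /32 to a bare address so every entry has a prefix length.
norm_cidr() {
    case $1 in */*) echo "$1" ;; *) echo "$1/32" ;; esac
}

# cidr_contains OUTER INNER: true when OUTER covers all of INNER.
cidr_contains() {
    outer=$(norm_cidr "$1"); inner=$(norm_cidr "$2")
    outer_len=${outer#*/}; inner_len=${inner#*/}
    [ "$inner_len" -ge "$outer_len" ] || return 1
    if [ "$outer_len" -eq 0 ]; then
        mask=0                      # 0.0.0.0/0 matches everything
    else
        mask=$(( (4294967295 << (32 - outer_len)) & 4294967295 ))
    fi
    [ $(( $(ip4_to_int "${outer%/*}") & mask )) -eq $(( $(ip4_to_int "${inner%/*}") & mask )) ]
}

# lan_covered "ALLOWED, IPS" LAN: true if any AllowedIPs entry covers LAN.
lan_covered() {
    for cidr in $(printf '%s' "$1" | tr ',' ' '); do
        cidr_contains "$cidr" "$2" && return 0
    done
    return 1
}

# recommend_allowed_ips CURRENT LAN: CURRENT unchanged when it already covers
# the LAN (e.g. 0.0.0.0/0), otherwise CURRENT with the LAN appended.
recommend_allowed_ips() {
    if lan_covered "$1" "$2"; then
        echo "$1"
    else
        echo "$1, $2"
    fi
}

# wg-quick config for /etc/wireguard/wg0.conf on the laptop. 10.14.0.4 is the
# Mojca_Latitude peer on the router; keys, endpoint and DNS are placeholders.
laptop_conf() {
    cat <<EOF
[Interface]
PrivateKey = <laptop private key>
Address = 10.14.0.4/32
DNS = 192.168.1.1

[Peer]
PublicKey = <router WG_Server public key>
Endpoint = <router public IP or DDNS name>:12345
AllowedIPs = $1
PersistentKeepalive = 25
EOF
}

# Split-tunnel case: only the tunnel subnet was allowed, so the LAN gets added.
laptop_conf "$(recommend_allowed_ips "10.14.0.0/24" "192.168.1.0/24")"
```

After `wg-quick up wg0` on the laptop, `wg show` should list the router peer with a recent handshake and `ip route` should show 192.168.1.0/24 (or default, for 0.0.0.0/0) via the wg0 interface. One caveat for the split-tunnel variant: if the network the laptop is visiting also uses 192.168.1.0/24, the tunnel route and the local route collide and LAN traffic will go the wrong way; 0.0.0.0/0 avoids the clash by sending everything home, at the cost of routing all traffic through the router.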

(Layer 3 tunnels don't need gateway IPs, they do need an interface specified.)

@gabrielo

You mean here?

wg_client

This is fine, upon connection, you'd send all traffic to the WG interface. Thanks, it helped to show the config to confirm this.

You also allow all IPs already.

Is 192.168.1.1 configured as the Gateway in the NAS?

192.168.1.1 is the router IP (Linksys EA8500 with OpenWrt 19.07), if you mean that, and the NAS is connected to that router with a cable and gets its IP from the router's DHCP

I don't know the terminology, but how will the laptop know that 192.168.1.0/24 is behind 10.14.0.1??

I was thinking about that too; I think I need to somehow tell WG, or the laptop with WG, that there is a 192.168.1.xxx subnet, or whatever you call that

If you have 0.0.0.0/0 in allowed IPs, the 192.168.1.0/24 is not needed


Did you set in the NAS:

  • IP 192.168.1.235
  • Mask 255.255.255.0 (or /24)
  • Gateway 192.168.1.1

?

Remove these lines from the peer config stanzas on the openwrt side.

Do you have a working handshake?
wg show

Make sure that your LAN machines allow access from other subnets. Windows, for example, by default has firewall rules that prohibit incoming connections from a different subnet. This is a setting in the local firewall (i.e. Windows Firewall).

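To act on the "do you have a working handshake?" check above, here is an added example (not from the thread, and not OpenWrt's or WireGuard's own tooling) that reads `wg show all dump` on the router and classifies each peer by handshake age. It matters because a WireGuard client reports its interface as up whether or not a handshake ever completed, so "the laptop says connected" proves nothing; the router's `latest-handshake` column does. The dump it parses is constructed here: placeholder keys, documentation IPs for the endpoints, a threshold of 180 s, and the interface and tunnel addresses taken from the thread's OpenWrt config.

```shell
#!/bin/sh
# Added example (not from the thread): classify peers in `wg show all dump`
# output by handshake age. latest-handshake is a Unix timestamp, 0 when the
# peer has never completed a handshake (wrong key, wrong endpoint, or UDP
# 12345 never reaching the router). With PersistentKeepalive a live peer keeps
# re-handshaking, so an age above 180 s (WireGuard's reject-after time) is
# reported as stale.

STALE_AFTER=180

# check_peers NOW < dump : one line per peer: iface, pubkey, allowed-ips, status.
# With "all", each line starts with the interface name, followed by 4 fields
# for the interface line or 8 for a peer line (pubkey, psk, endpoint,
# allowed-ips, latest-handshake, rx, tx, keepalive); so peers have NF == 9.
check_peers() {
    awk -F'\t' -v now="$1" -v stale="$STALE_AFTER" '
        NF == 9 {
            age = now - ($6 + 0)
            if ($6 + 0 == 0)      status = "NEVER"
            else if (age > stale) status = "STALE(" age "s)"
            else                  status = "OK(" age "s)"
            printf "%s\t%s\t%s\t%s\n", $1, $2, $5, status
        }'
}

# peer_status NOW PUBKEY < dump : prints OK, STALE or NEVER for one peer.
peer_status() {
    check_peers "$1" | awk -F'\t' -v key="$2" '$2 == key { sub(/\(.*/, "", $4); print $4 }'
}

# all_peers_ok NOW < dump : succeeds only when every peer has a fresh handshake.
all_peers_ok() {
    ! check_peers "$1" | grep -q -E 'NEVER|STALE'
}

# Constructed sample in `wg show all dump` format (tab separated): the two
# peers from the thread's router config plus a third that never handshaked.
sample_dump() {
    now=$1
    printf 'WG_Server\t<server-privkey>\t<server-pubkey>\t12345\toff\n'
    printf 'WG_Server\t<RN9S-pubkey>\t(none)\t203.0.113.7:41820\t10.14.0.3/32\t%d\t8412\t19904\t25\n' "$((now - 42))"
    printf 'WG_Server\t<latitude-pubkey>\t(none)\t198.51.100.9:51820\t10.14.0.4/32\t%d\t3120\t2890\t25\n' "$((now - 900))"
    printf 'WG_Server\t<spare-pubkey>\t(none)\t(none)\t10.14.0.5/32\t0\t0\t0\t25\n'
}

# On the router the real invocation is:  wg show all dump | check_peers "$(date +%s)"
NOW=1700000000
sample_dump "$NOW" | check_peers "$NOW"
```

A peer that shows NEVER while the laptop believes it is connected points at the keys or at UDP 12345 not arriving at the router; a peer that shows OK while LAN hosts still do not answer points past WireGuard, at routing on the laptop (AllowedIPs), the LAN host's gateway, or its local firewall, which is exactly the list the reply above gives.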

I didn't set anything in the NAS, everything is done by DHCP on the router, and from my local stationary computer I added a network path and it works normally


Ok..that's good.