How to allow WireGuard VPN access LAN?

Hi! I know there are plenty of topics out there already but frankly I can't apply the instructions to my case.
I installed WireGuard VPN on my OpenWrt 21.02 router; it is configured to work at 10.0.0.1/24 with the client being 10.0.0.2/32 (as instructed here https://www.youtube.com/watch?v=TQxwqY-m30Y). I can connect to this VPN server from my phone over the cellular network.
What I want to achieve is to be able to: 1. access my LAN resources as if I were in the local network, 2. browse the Internet as if I were sitting in my LAN (which I think would work once 1 does).

My LAN is 192.168.1.0/24. I think I'm missing some routing between 10.0.0.0/24 and 192.168.1.0/24 but have no idea how to get it done (routing or bridge interface?).

I'd be very glad for any hint how to fix it.

# cat /etc/config/network

# Loopback interface (stock OpenWrt section).
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd70:8341:e81f::/48'

# Bridge over the wired switch port; the 'lan' interface rides on it.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

# NOTE(review): 'lan' gets its address by DHCP instead of a static one, so this
# box is itself a client of another router's LAN (br-lan shows 192.168.1.3 in
# the ifconfig output below). That upstream router has no route back to
# 10.0.0.0/24 unless one is added there, or VPN traffic is masqueraded onto the
# LAN address of this box.
config interface 'lan'
        option device 'br-lan'
        option proto 'dhcp'

# 'wan'/'wan6' sit on eth1. The ifconfig output below shows eth1 without
# RUNNING and with zero RX/TX packets, so the wan zone appears to carry no
# traffic on this box.
config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 0'

# WireGuard server side: tunnel address 10.0.0.1/24, UDP listen port 51820
# (the port the 'Allow-WireGuard' firewall rule opens). The private key is a
# secret and is rightly redacted in this post.
config interface 'WG'
        option proto 'wireguard'
        option private_key [covered up]
        option listen_port '51820'
        list addresses '10.0.0.1/24'

# Peer entry for the phone. allowed_ips here is only the peer's own tunnel
# address, which is correct on the server side: it is the set of source
# addresses this peer is permitted to send from. 0.0.0.0/0 belongs in the
# phone's own config, not in this entry. route_allowed_ips installs a route to
# 10.0.0.2/32 via WG.
# NOTE(review): endpoint_port is of no use for a roaming peer whose endpoint
# is learned from its own packets; a reply further down recommends removing it.
config wireguard_WG
        option preshared_key [covered up]
        list allowed_ips '10.0.0.2/32'
        option route_allowed_ips '1'
        option endpoint_port '51820'
        option description 'Peer 1'
        option public_key [covered up]
# ifconfig
WG        Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.0.0.1  P-t-P:10.0.0.1  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
          RX packets:1730 errors:69 dropped:0 overruns:0 frame:69
          TX packets:63 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:197364 (192.7 KiB)  TX bytes:2556 (2.4 KiB)

br-lan    Link encap:Ethernet  HWaddr [covered up]
          inet addr:192.168.1.3  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::c641:1eff:fe22:6e23/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:219718 errors:0 dropped:58801 overruns:0 frame:0
          TX packets:58275 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:28377053 (27.0 MiB)  TX bytes:36351439 (34.6 MiB)

eth0      Link encap:Ethernet  HWaddr [covered up]
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5107296 errors:0 dropped:60 overruns:0 frame:0
          TX packets:2643852 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4249428994 (3.9 GiB)  TX bytes:1481267006 (1.3 GiB)

eth1      Link encap:Ethernet  HWaddr [covered up]
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:22672 errors:0 dropped:0 overruns:0 frame:0
          TX packets:22672 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1613837 (1.5 MiB)  TX bytes:1613837 (1.5 MiB)

wlan0     Link encap:Ethernet  HWaddr [covered up]
          inet6 addr: fe80::c441:1eff:fe22:6e27/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2531817 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4918875 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1423845752 (1.3 GiB)  TX bytes:4173330693 (3.8 GiB)

wlan1     Link encap:Ethernet  HWaddr [covered up]
          inet6 addr: fe80::c641:1eff:fe22:6e25/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:62939 errors:0 dropped:0 overruns:0 frame:0
          TX packets:323369 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:22272810 (21.2 MiB)  TX bytes:199258908 (190.0 MiB)
# cat /etc/config/firewall

# Chain policies for traffic on interfaces that belong to no zone.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# Both 'lan' and 'WG' are members of this zone, so VPN peers are trusted
# exactly like wired/wireless LAN hosts: intra-zone forward is ACCEPT, and the
# lan_wan forwarding below also applies to them. There is no masq here, so
# packets from a peer to 192.168.1.0/24 keep their 10.0.0.x source address and
# the LAN hosts (via the upstream router) need a return route for 10.0.0.0/24.
config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option log '1'
        list network 'lan'
        list network 'WG'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option log '1'
        list network 'wan'
        list network 'wan6'

config forwarding 'lan_wan'
        option src 'lan'
        option dest 'wan'

# The rules from here through 'Support-UDP-Traceroute' are the stock OpenWrt
# defaults for the wan zone, which on this box appears to carry no traffic
# (eth1 shows zero packets in the ifconfig output). Allow-IPSec-ESP and
# Allow-ISAKMP admit IPsec from wan to lan and are unrelated to WireGuard; they
# can be disabled if no IPsec is in use.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

# Legacy hook for hand-written iptables rules; nothing in this post shows its
# contents, so verify it is empty or intended.
config include
        option path '/etc/firewall.user'

# NOTE(review): this zone has no 'list network' line, so no interface belongs
# to it; as pasted, the zone and the two 'vpn' forwardings below match nothing.
# Either attach 'WG' here (and remove it from 'lan') or delete all three
# sections so the config does not suggest a separation that is not enforced.
config zone
        option name 'vpn'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        option log '1'

config forwarding
        option src 'vpn'
        option dest 'wan'

config forwarding
        option src 'vpn'
        option dest 'lan'

# Input rule opening the WireGuard listen port (UDP 51820, matching
# listen_port on the WG interface) from every zone, wan included. This is the
# single inbound hole the tunnel needs; everything else a peer can do is
# governed by the zone that 'WG' is a member of.
config rule 'wg'
        option name 'Allow-WireGuard'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'
        option src '*'

Welcome to the community!

Have you tried simply adding the interface to the LAN firewall zone to accomplish your goal?


On the peer 1 configuration, you'd need to add allowed_ips 0.0.0.0/0 in order to route everything through the tunnel.

If you did not reboot the router after setup try that.

It is possible that everything is working but that the LAN clients you want to reach with your phone from outside have their own firewall.
If so make sure the firewall of the LAN clients allows traffic from the WG server i.e. traffic from 10.0.0.0/24.

As a quick test to see whether this is the problem, you can turn on masquerading on the LAN zone (as I now see that the WG interface is added to the LAN zone).

No. On the router, allowed IPs from the phone is 10.0.0.2/32. Every packet that the phone sends into the tunnel will have this source IP.
On the phone, allowed IPs is usually 0.0.0.0/0, to redirect all phone Internet usage through the VPN. Packets returning to the phone through the tunnel could have any address on the Internet. If you don't want to route the whole Internet via VPN, you still need the tunnel (10.0.0.0/24) and the home LAN as allowed_ips on the phone.

Note that in either case, if the phone happens to be connected to a hotel or similar WiFi network with the same private IP subnet as the home LAN, routing to the home LAN will not work, since the phone will have a local route to those IPs via the local WiFi connection.

It appears that your OpenWrt router for WG is not the main router on the network. Instead, this appears to be just 'another device on the lan.'

In this situation, you need to either enable a static route on your main router (if supported) or enable masquerading on the lan firewall zone of this router.

Option 1: enable a static route for 10.0.0.0/24 via < IP address of OpenWrt WG router > (it's set to DHCP, so I don't know what the address is).

Option 2: Enable masquerading, and move WG to its own zone, like this...

# Option 2 as proposed: masquerade onto the LAN address of this box so the
# main router never needs a route for 10.0.0.0/24 (LAN hosts reply to
# 192.168.1.3, which undoes the NAT). Trade-off: LAN-side logs and host
# firewalls see this router's address instead of the individual VPN peer.
config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        option masq '1'

# Dedicated zone for the tunnel. input ACCEPT means VPN peers may reach every
# service running on this router; tighten to REJECT plus explicit rules if the
# peers are not fully trusted.
config zone 'wg'
        option name 'wg'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'WG'

# Forwarding wg -> lan only. Presumably this router's default route is via the
# DHCP-assigned lan interface rather than the idle eth1, in which case this one
# entry covers both LAN hosts and Internet destinations reached through the
# main router; confirm with the routing table.
config forwarding
        option src 'wg'
        option dest 'lan'

next, you can remove all of this:

And your endpoint port on the OpenWrt peer config should be removed:


Yes, it's been added


If the lan and WG are in the same zone, you must have a static route on the main router. Or, use option 2 above.


That's right, maybe I didn't express myself accurately. The allowed_ips 0.0.0.0/0 must be set on peer 1 itself for the tunnel, not on the OpenWrt side's entry for peer 1, where 10.0.0.2/32 is correct.

Correct, my OpenWrt router 192.168.1.3 works as a wifi repeater which simply connects all clients to the LAN address pool managed by the main router's DHCP (192.168.1.0/24).
Turning the Masquerading on LAN zone on did the trick, thank you!
