How to properly route WireGuard traffic?

I have a WireGuard interface at 10.10.10.1/24 on my lan firewall zone. The connection works fine, however from remote devices/wg peers, I am only able to access 3 devices on my LAN.

I can access:

  • The OpenWRT router (192.168.1.1, 192.168.2.1)
  • My wireless access point (192.168.1.10)
  • My modem (192.168.100.1) and WAN

I cannot access anything else on the network, including Windows computers, a Linux server, and my NAS.

I believe the issue is that the majority of devices will reject traffic outside of their local network, but I'm not sure if this is the case. Regardless, enabling masquerading on the lan zone seems to solve all my issues.

As far as I'm aware, masquerading will hurt my router's performance. I also just want to understand what's going on here. Could someone help me understand why most LAN devices are inaccessible to my WireGuard interface?

Thank you.

This is true of Windows, for sure. It is not uncommon for some NAS OSes to have similar restrictions. Most Linux distros don't do this by default, but if you have a local firewall enabled, that could account for it.

This is not an ideal solution, but it works because of the nature of masquerading.

Generally not, but it does depend on how it's applied.

Let's start by reviewing your configuration.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall

I see. Probably not the issue, then.

root@OpenWrt:~# ubus call system board
{
        "kernel": "5.15.134",
        "hostname": "OpenWrt",
        "system": "ARMv7 Processor rev 0 (v7l)",
        "model": "Luxul XBR-4500 V1",
        "board_name": "luxul,xbr-4500-v1",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.0",
                "revision": "r23497-6637af95aa",
                "target": "bcm53xx/generic",
                "description": "OpenWrt 23.05.0 r23497-6637af95aa"
        }
}



root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix Removed
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        list ipaddr '192.168.1.1/24'
        option delegate '0'

config device
        option name 'wan'
        option macaddr Removed

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wg0'
        option proto 'wireguard'
        option private_key Removed
        option listen_port '51820'
        list addresses '10.10.10.1/24'

config wireguard_wg0
        option public_key Removed
        option preshared_key Removed
        option description Removed
        option persistent_keepalive '25'
        list allowed_ips '10.10.10.2/32'
        option route_allowed_ips '1'

config wireguard_wg0
        option description Removed
        option public_key Removed
        option preshared_key Removed
        option persistent_keepalive '25'
        list allowed_ips '10.10.10.3/32'
        option route_allowed_ips '1'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config bridge-vlan
        option device 'br-lan'
        option vlan '2'
        list ports 'lan3:u*'

config interface 'pve'
        option proto 'static'
        option device 'br-lan.2'
        option delegate '0'
        list ipaddr '192.168.2.1/24'



root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wg0'

config zone
        option name 'pve'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'pve'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config forwarding
        option src 'pve'
        option dest 'wan'

config forwarding
        option src 'pve'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'pve'

config rule
        option name 'Allow-WireGuard'
        list proto 'udp'
        option src 'wan'
        option dest_port '51820'
        option target 'ACCEPT'

You should upgrade to 23.05.4 when you can.

I see an issue here:

First, in VLAN 1 I'd recommend that you mark the ports with :u* to explicitly set the untagged+PVID status. However, the bigger issue is that you have port lan3 untagged in both VLANs. That port should be removed from VLAN 1.

Try making that change, then reboot and test again.

I've made those changes just now, but I don't believe they are relevant to my issue. The issue persists after rebooting.

Let's take a look at the config of the remote peer's WG interface.
Also, how is this being tested? What network is the remote peer connected to?

I would check the configuration of the devices that cannot be reached. The fact that you can reach at least 3 devices suggests that the routing is working as expected, and it is very likely the local device rules that are preventing access.


All I have to add to @psherman's comprehensive answer is that you basically have two options: either you enable NAT, so those devices perceive only local connections, or you open their firewalls.

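The "enable NAT" option from the last two replies, as an added example that is not from the thread or from the OpenWrt project: a POSIX sh + awk check that reads an /etc/config/firewall, finds the zone whose network list carries `wg0`, and reports whether masquerading on that zone is absent (the posted config), enabled for everything (what the OP switched on), or confined to the WireGuard subnet with `masq_src`, which is the OpenWrt firewall zone option that limits masquerading to the listed source subnets. The three configs it runs over are constructed from one template modelled on the posted lan and wan zones; the interface name and the 10.10.10.0/24 subnet are taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): compare the "enable NAT" option in its
# unscoped form (what the OP switched on) with a version limited to the
# WireGuard subnet, and check which one a firewall config actually contains.
# 'masq_src' is the OpenWrt firewall zone option that restricts masquerading
# to the listed source subnets.

# Constructed firewall config modelled on the posted one: the lan zone that
# carries both 'lan' and 'wg0', plus the wan zone. Extra lines passed as
# arguments are appended to the lan zone, so the three variants below are
# built from one template.
firewall_config_with() {
    cat <<EOF
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wg0'
$(printf '        %s\n' "$@")
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        list network 'wan'
EOF
}

# Reads UCI firewall text on stdin, finds the zone whose 'network' list holds
# the interface named in $1 and prints one of:
#   <zone>: no-masq              LAN hosts see the peer's 10.10.10.x address
#   <zone>: masq-unscoped        every flow leaving via this zone is NATed
#   <zone>: masq-scoped <nets>   only flows from the listed subnets are NATed
zone_masq_status() {
    awk -v q="'" -v want="$1" '
    function unq(s) { gsub(q, "", s); return s }      # strip UCI quotes
    function report() {
        if (!in_zone || !hit) return
        if (!masq)           print name ": no-masq"
        else if (srcs == "") print name ": masq-unscoped"
        else                 print name ": masq-scoped " srcs
        hit = 0
    }
    /^config zone/ { report(); in_zone = 1; name = ""; masq = 0; srcs = ""; hit = 0; next }
    /^config /     { report(); in_zone = 0; next }
    in_zone && $1 == "option" && $2 == "name"     { name = unq($3); next }
    in_zone && $1 == "option" && $2 == "masq"     { masq = (unq($3) == "1"); next }
    in_zone && $1 == "list"   && $2 == "masq_src" { srcs = srcs (srcs == "" ? "" : ",") unq($3); next }
    in_zone && $1 == "list"   && $2 == "network" && unq($3) == want { hit = 1; next }
    END { report() }
    '
}

# Stand-alone run over the three constructed variants; on a router use:
#   zone_masq_status wg0 < /etc/config/firewall
firewall_config_with | zone_masq_status wg0
firewall_config_with "option masq '1'" | zone_masq_status wg0
firewall_config_with "option masq '1'" "list masq_src '10.10.10.0/24'" | zone_masq_status wg0
```

The three runs print `lan: no-masq`, `lan: masq-unscoped` and `lan: masq-scoped 10.10.10.0/24`. The middle state is the one that "solved all my issues": with unscoped masquerading on the lan zone, every LAN host sees 192.168.1.1 as the source of every remote-peer connection, so host logs and per-address allow rules can no longer tell peers apart, and ordinary flows forwarded into the lan zone from the pve zone are rewritten too. Adding `list masq_src '10.10.10.0/24'` confines the rewrite to WireGuard traffic; opening the hosts' own firewalls for 10.10.10.0/24 instead, the other option named above, keeps the real peer address visible to them.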