I want to connect from LAN via Wireguard

hdog01 · June 5, 2020, 3:43am

Hi.
I want to connect from LAN via Wireguard.
In other words. I want to access the VPN's IP to the LAN client.
The ping test was completed by connecting peers to each other.
However, if I enter the LAN address on my computer, the VPN address is not output.

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd15:5672:3a87::/48'
	option multipath 'disable'
	option mptcp_path_manager 'fullmesh'
	option mptcp_scheduler 'default'
	option mptcp_checksum '0'
	option mptcp_debug '0'
	option mptcp_syn_retries '5'
	option mptcp_fullmesh_num_subflows '1'
	option mptcp_fullmesh_create_on_err '1'
	option mptcp_ndiffports_num_subflows '1'
	option congestion 'cubic'

config interface 'wan'
	option ifname 'eth1'
	option proto 'dhcp'
	option multipath 'off'

config interface 'lan'
	option proto 'static'
	option multipath 'off'
	option ipaddr '192.168.0.40'
	option netmask '255.255.254.0'
	option ifname 'eth0'
	list dns '192.168.10.11'
	option gateway '192.168.10.1'

config interface 'wg0'
	option proto 'wireguard'
	option private_key '<key>'
	option listen_port '51820'
	option multipath 'off'
	list addresses '192.168.10.1/32'

config wireguard_wg0
	option description 'test'
	option public_key '<key>'
	option route_allowed_ips '1'
	option endpoint_host '<vpnhost>'
	option endpoint_port '51820'
	list allowed_ips '192.168.10.11/32'

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option fullcone '1'
	option network ' '

config zone 'wan'
	option name 'wan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option fullcone '1'
	option network 'wan'

config zone 'wireguard'
	option name 'wireguard'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option device 'wg0'
	option fullcone '1'

config forwarding 'wireguard_wan'
	option src 'wireguard'
	option dest 'wan'

config forwarding 'wireguard_lan'
	option src 'wireguard'
	option dest 'lan'

config forwarding 'lan_wireguard'
	option src 'lan'
	option dest 'wireguard'

config forwarding 'lan_wan'
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config include 'unblockmusic'
	option type 'script'
	option path '/var/etc/unblockmusic.include'
	option reload '1'

config redirect
	option target 'DNAT'
	option proto 'tcp udp'
	option src 'wan'
	option src_dport '80'
	option dest 'lan'
	option dest_port '80'

config redirect
	option target 'DNAT'
	option name '2'
	option proto 'tcp udp'
	option src 'wan'
	option src_dport '80'
	option dest 'wan'
	option dest_port '80'

config zone
	option name 'wg'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option masq '1'
	option network ' '
	option fullcone '1'

config forwarding

config forwarding
	option src 'wg'
	option dest 'wan'

config forwarding
	option src 'wg'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'wg'

config forwarding
	option src 'wan'
	option dest 'wg'

config zone
	option name 'wg'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option masq '1'
	option network ' '
	option fullcone '1'

config forwarding
	option src 'wg'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'wg'

config zone
	option name 'wg'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option masq '1'
	option network ' '
	option fullcone '1'

config forwarding
	option src 'wg'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'wg'

config zone
	option name 'wg'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option network 'wg0'
	option masq '1'
	option fullcone '1'

config forwarding
	option src 'wg'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'wg'

config rule
	option src '*'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '51820'
	option name 'Allow-Wireguard-Inbound'

psherman · June 5, 2020, 5:03am

Is this router being use as a main router, or is this some secondary device?

And is the OpenWrt side of the WG tunnel acting as a server (to allow a remote network or device to access the network behind this router), as a client (such as a tunnel to a commercial VPN service), or a site-to-site configuration?

The gateway is not valid for the subnet of the LAN -- that should probably be removed (did you put that there for the WG interface??), and I'm not sure why you have all that multi path stuff going on.

hdog01 · June 5, 2020, 5:16am

This is the default kernel.
I want to output the IP of wg0 interface via LAN.
The IP of the default router is printed on the site.
This site does not show the vpn IP address of wg0.
In other words. I want to change the default site IP to vpn IP. Via LAN.

psherman · June 5, 2020, 5:23am

I don’t understand what you mean by outputting the wireguard vpn ip out the lan.

What are you trying to do - does one of these paradigms fit your needs?

hdog01 · June 5, 2020, 5:34am

VPN Client.
For example, in Japan -> Chinese IP can be used in Japan. Display Chinese IP through LAN dynamic IP.

psherman · June 5, 2020, 6:22am

It doesn't quite work like that... the IP address of the other side doesn't "come out" of the router.

In the 'client' configuration, all of the devices on the LAN will have a private IP address in the subnet controlled by the local router. The traffic that would normally go from the LAN > WAN goes LAN > WG tunnel > WG endpoint > internet.

So, for example, I have an OpenWrt VPN 'server' at my house in the US and a travel router that I use when I travel abroad which acts as a VPN client. The VPN is entirely transparent to the devices on my travel router -- when it is activated, the data travels through my own internet connection at home.

If this is what you are looking to achieve, you should do the following:

remove the gateway under the LAN (192.168.10.1)
remove the dns under the LAN (192.168.10.11)
remove the listen_port from the wireguard interface definition.
make sure that the address of the wiguarard interface definition matches the adddress of the 'allowed_IPs' on the other peer
change the wireguard allowed_ip's to 0.0.0.0/0 if you intend to send all traffic through the tunnel.

Also make sure that the other wireguard peer is connrectly configured.

Finally, there is a bunch of other stuff that has been configured on this router which may make troubleshooting your wg connection complicated (for example, you have the multi path stuff, some unblock music rules in the firewall, etc. So, if the above items don't fix the issue (and if you know the wg peer on the other end is configured properly), you may need to reset your router to defaults and try again so that you can be certain that these other things aren't messing up your wg configuration.

hdog01 · June 5, 2020, 6:54am

Still communicating with each other. However, the IP address value does not change.

psherman · June 5, 2020, 6:56am

Maybe you should start over (reset to defaults) since there may be other factors involved. A default OpenWrt configuration is a safe place to start.

trendy · June 5, 2020, 9:58am

Notice that there is no lan interface assigned to lan zone. I guess that nothing works from lan to wan or wg.

psherman · June 5, 2020, 2:55pm

Good catch. I missed that one.

system · June 15, 2020, 2:59pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.