Incoming traffic from wireguard interface

I have a network configured with a WireGuard client. There is access from the VPN to the local network, but no access from the VPN to the upstream router.

Is that a statement or a question?

If it's the latter, then we're going to need a lot more detail. Where does OpenWrt fit into all this? Is WireGuard running on an OpenWrt device? Is the upstream router running OpenWrt?

We'll also need details of your configs. Please connect to your OpenWrt device using ssh, copy the output of the following commands, and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall

Question :slight_smile:

{
	"kernel": "4.14.90",
	"hostname": "GL-SFT1200",
	"system": "MIPS sf19a28",
	"model": "GL-SFT1200",
	"board_name": "glinet,gl-sft1200",
	"release": {
		"distribution": "OpenWrt",
		"version": "LEDE",
		"revision": "r0-d5ed025",
		"codename": "",
		"target": "siflower\/sf19a28-fullmask",
		"description": "OpenWrt  18.06"
	}
}

root@GL-SFT1200:~# ubus call system board
{
	"kernel": "4.14.90",
	"hostname": "GL-SFT1200",
	"system": "MIPS sf19a28",
	"model": "GL-SFT1200",
	"board_name": "glinet,gl-sft1200",
	"release": {
		"distribution": "OpenWrt",
		"version": "LEDE",
		"revision": "r0-d5ed025",
		"codename": "",
		"target": "siflower\/sf19a28-fullmask",
		"description": "OpenWrt  18.06"
	}
}
root@GL-SFT1200:~# ^C
root@GL-SFT1200:~# ^C
root@GL-SFT1200:~# cat /etc/config/network 

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd86:efe1:dd7c::/48'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option hostname 'GL-SFT1200-e4e'
	option ipaddr '192.168.92.1'
	option ifname 'eth0.1 wg0'

config device 'lan_dev'
	option name 'eth0.1'
	option macaddr '94:83:c4:14:5e:4f'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'
	option hostname 'GL-SFT1200-e4e'
	option ipv6 '0'
	option metric '10'

config device 'wan_dev'
	option name 'eth0.2'
	option macaddr '94:83:c4:14:5e:4e'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'
	option disabled '1'

config interface 'guest'
	option ifname 'guest'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option group '0'
	option forcelink '1'
	option ipaddr '192.168.9.1'
	option ip6assign '60'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0 5t'

config switch_port
	option device 'switch0'
	option port '5'
	option pvid '2'

config interface 'wwan'
	option proto 'dhcp'
	option metric '20'


config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option nonwildcard '1'
	option localservice '1'
	option resolvfile '/tmp/resolv.conf.vpn'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option force '1'
	option dhcpv6 'disabled'
	option ra 'disabled'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option dhcpv6 'disabled'
	option ra 'disabled'

config domain 'localhost'
	option name 'console.gl-inet.com'
	option ip '192.168.92.1'

config host '5026901813DA'
	option mac '50:26:90:18:13:DA'
	option ip '192.168.92.10'
root@GL-SFT1200:~# cat /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option input 'DROP'
	option network 'wan wan6 wwan'

config forwarding
	option src 'lan'
	option dest 'wan'
	option enabled '1'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp'
	option name 'Allow-UDP-udpxy'
	option dest_ip '224.0.0.0/4'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'
	option reload '1'

config include 'gls2s'
	option type 'script'
	option path '/var/etc/gls2s.include'
	option reload '1'

config include 'glfw'
	option type 'script'
	option path '/usr/bin/glfw.sh'
	option reload '1'

config include 'glqos'
	option type 'script'
	option path '/usr/sbin/glqos.sh'
	option reload '1'

config zone 'guestzone'
	option name 'guestzone'
	option network 'guest'
	option forward 'REJECT'
	option output 'ACCEPT'
	option input 'REJECT'

config forwarding 'guestzone_fwd'
	option src 'guestzone'
	option dest 'wan'
	option enabled '1'

config rule 'guestzone_dhcp'
	option name 'guestzone_DHCP'
	option src 'guestzone'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'

config rule 'guestzone_dns'
	option name 'guestzone_DNS'
	option src 'guestzone'
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'

config rule 'sambasharewan'
	option src 'wan'
	option dest_port '137 138 139 445'
	option dest_proto 'tcpudp'
	option target 'DROP'

config rule 'sambasharelan'
	option src 'lan'
	option dest_port '137 138 139 445'
	option dest_proto 'tcpudp'
	option target 'ACCEPT'

config rule 'AllowWireguard'
	option name 'Allow-Wireguard'
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp tcp'
	option family 'ipv4'
	option dest_port '32173'

config zone 'wireguard'
	option name 'wireguard'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option device 'wg0'
	option masq6 '1'
	option forward 'ACCEPT'

config forwarding 'wireguard_wan'
	option src 'wireguard'
	option dest 'wan'

config forwarding 'wireguard_lan'
	option src 'wireguard'
	option dest 'lan'

config forwarding 'lan_wireguard'
	option src 'lan'
	option dest 'wireguard'

config forwarding 'guest_wireguard'
	option src 'guestzone'
	option dest 'wireguard'

config forwarding 'wireguard_guest'
	option src 'wireguard'
	option dest 'guestzone'

I don't believe this device is officially supported by OpenWrt; it appears to be running a proprietary GL.iNet firmware instead.

When using forks/offshoots/vendor-specific builds that are "based on OpenWrt", there may be many differences compared to the official versions (hosted by OpenWrt.org). Some of these customizations may fundamentally change the way OpenWrt works. You might need help from people with specific/specialized knowledge of the firmware you are using, so the advice you get here may not be useful.

You may find that the best options are:

  1. Install an official version of OpenWrt, if your device is supported (see https://firmware-selector.openwrt.org).
  2. Ask for help from the maintainer(s) or user community of the specific firmware that you are using. GL.iNet forums (forum.gl-inet.com) might be a good place to start.
  3. Provide the source code for the firmware so that users on this forum can understand how your firmware works (OpenWrt forum users are volunteers, so somebody might look at the code if they have time and are interested in your issue).

If you believe that this specific issue is common to generic/official OpenWrt and/or the maintainers of your build have indicated as such, please feel free to clarify.
