Issue with Routing Traffic Between LAN and VPN Network using Wireguard

Hello everyone,

I have been setting up a home network using OpenWRT and WireGuard VPN and am encountering some difficulties in getting my traffic properly forwarded between my lan4 interface and my VPN. The router being worked on is set up as a dumb AP behind another OpenWrt router.

My current setup includes lan, lan4 and vpn networks. My aim is to route all traffic from lan4 through the VPN, and I would also like to allow traffic from the VPN to reach lan4. My VPN is a static IP that allows port forwarding; I will be running a webserver on a device connected through the lan4 interface.

The main issue I am facing is that I can ping the lan4 router (10.10.14.1) from a device connected to lan4 (in this case 10.10.14.3), but I cannot reach the internet. It seems to me that this might be a routing or forwarding issue, but despite several attempts, I couldn't find a solution to this.

I have confirmed that the WireGuard VPN is connected and has a connection. From OpenWrt I can ping using the wg0 interface (ping google.com -I wg0).

Here are my configuration files for your reference (keys redacted):

dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	list server '1.1.1.1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	list dhcp_option '6,192.168.1.1,192.168.1.1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'lan4'
	option interface 'lan4'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '6,10.255.255.1'

firewall


config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config route
	option interface 'wg0'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option table '100'

config defaults
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/pbr.firewall.include'

config zone
	option name 'vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wg0'

config forwarding
	option src 'lan4'
	option dest 'vpn'

config zone
	option name 'lan4'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan4'

network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd50:f086:d64f::/48'

config device
	option name 'eth0'

config device
	option type 'bridge'
	option name 'br-eth'
	list ports 'eth0'
	list ports 'vpn'
	list ports 'wan'

config device
	option name 'lan1'
	option macaddr '28:d0:f5:56:4e:43'

config device
	option name 'lan2'
	option macaddr '28:d0:f5:56:4e:43'

config device
	option name 'lan3'
	option macaddr '28:d0:f5:56:4e:43'

config device
	option name 'lan4'
	option macaddr '28:d0:f5:56:4e:43'

config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.1.170'
	option gateway '192.168.1.1'
	option device 'br-eth'
	option metric '5'
	list dns '192.168.1.1'
	list dns '1.1.1.1'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'EL6F1/********************3hnXQ='
	list addresses '100.100.68.72/32'
	option peerdns '0'

config interface 'lan4'
	option proto 'static'
	option device 'lan4'
	option ipaddr '10.10.14.1'
	option netmask '255.255.255.0'
	list dns '10.255.255.1'

config wireguard_wg0
	option description 'Imported peer configuration'
	option public_key '99Kk/D1AJ********************lX1bSfUE='
	option preshared_key 'V3I8yL********************9tZ6q0MvE='
	option endpoint_host '64.***.**.132'
	option endpoint_port '1194'
	list allowed_ips '0.0.0.0/0'

resolv.conf

search lan
nameserver 1.1.1.1
nameserver 2606:4700:4700::1111

I would greatly appreciate any guidance or suggestions to resolve this issue. Thanks in advance!

Edit: i had posted the wrong config :confused:

I think that when having other subnets set up on your dumb AP you have to MASQUERADE over the LAN interface:
option masq '1'
(or set a static route on the main router)

Note that only your lan4 will use the VPN; other clients connected to your main lan will just bypass the dumb AP and the VPN.

2 Likes
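To make the zone/masquerade question above concrete, here is a small UCI linter written for this thread (it is not code from the original poster or from the OpenWrt project). It parses the firewall file from the first post, lists which zones each zone may forward to, and warns when the egress zone of a forwarding has no masq, which is exactly the case the reply describes (NAT on the egress zone, or a return route on the next-hop router). The set of fw4 section types and the wording of the findings are my own; the sample input is the firewall config as posted.

```python
"""Lint an OpenWrt firewall config: zone forwardings and masquerade on the egress zone."""
import re
from collections import defaultdict

# Section types fw4 accepts in /etc/config/firewall; anything else is misplaced.
FIREWALL_SECTION_TYPES = {"defaults", "zone", "forwarding", "rule", "redirect",
                          "ipset", "include", "nat"}

# The firewall file as posted in the thread, used here as the sample input.
SAMPLE_FIREWALL = """\
config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    list network 'lan'
config route
    option interface 'wg0'
    option target '0.0.0.0'
    option netmask '0.0.0.0'
    option table '100'
config defaults
    option input 'REJECT'
    option output 'REJECT'
    option forward 'REJECT'
config include 'pbr'
    option fw4_compatible '1'
    option type 'script'
    option path '/usr/share/pbr/pbr.firewall.include'
config zone
    option name 'vpn'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    list network 'wg0'
config forwarding
    option src 'lan4'
    option dest 'vpn'
config zone
    option name 'lan4'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    list network 'lan4'
"""

_SECTION = re.compile(r"^config\s+(\S+)(?:\s+'?([^'\s]*)'?)?\s*$")
_OPTION = re.compile(r"^(option|list)\s+(\S+)\s+'?(.*?)'?\s*$")

def parse_uci(text):
    """Parse UCI text into sections: {type, name, options, lists}."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if (m := _SECTION.match(line)):
            sections.append({"type": m.group(1), "name": m.group(2) or None,
                             "options": {}, "lists": defaultdict(list)})
        elif (m := _OPTION.match(line)) and sections:
            kind, key, value = m.groups()
            if kind == "option":
                sections[-1]["options"][key] = value
            else:
                sections[-1]["lists"][key].append(value)
    return sections

def forwardings(sections):
    """Map source zone -> set of destination zones it is allowed to forward to."""
    fwd = defaultdict(set)
    for s in sections:
        if s["type"] == "forwarding":
            fwd[s["options"]["src"]].add(s["options"]["dest"])
    return dict(fwd)

def lint_firewall(text):
    """Return a list of findings; an empty list means nothing to report."""
    sections = parse_uci(text)
    zones = {s["options"]["name"]: s for s in sections if s["type"] == "zone"}
    findings = []
    for s in sections:
        if s["type"] not in FIREWALL_SECTION_TYPES:
            findings.append(f"'config {s['type']}' is not a firewall section type; "
                            "static routes belong in /etc/config/network")
    for src, dests in forwardings(sections).items():
        for dest in sorted(dests):
            if src not in zones or dest not in zones:
                findings.append(f"forwarding {src} -> {dest}: undefined zone")
            elif zones[dest]["options"].get("masq") != "1":
                # Without NAT on the egress zone the next hop must hold a return
                # route for the source subnet (the reply's 'static route' alternative).
                findings.append(f"forwarding {src} -> {dest}: zone '{dest}' has no masq, "
                                f"so the router on '{dest}' needs a route back to {src}")
    return findings
```

Calling lint_firewall(SAMPLE_FIREWALL) on the posted file reports only that the `config route` section (the table 100 default route over wg0) is a network-config section type, not a firewall one; the existing lan4 -> vpn forwarding passes because the vpn zone has masq '1'. Appending a lan4 -> lan forwarding to the same text produces the "zone 'lan' has no masq" warning that the reply above is addressing, and it disappears once masq '1' is added to the lan zone.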

This is by design; I want only traffic from lan4 to be routed through the VPN.

I have turned on MASQUERADE for the lan interface but it did not change anything. Ignoring the VPN and changing the forwarding to be lan4 to lan still does not work, so I'm confident in saying this is not a VPN issue. Any other ideas?

There are quite a few major issues here... I think you may be best served by resetting and starting from scratch.

Can you confirm that this device is a secondary router? It seems that you have a main router at 192.168.1.1 and that this has a lan address of 192.168.1.170.

Is this secondary router also serving as the DHCP server for the lan network, or does the main router serve this purpose?