Issue with wireguard client and server not working together

Hello everyone, I am trying to create a WireGuard host on my OpenWrt router to access my LAN remotely. However, I ran into some trouble making it work with my already existing WireGuard tunnel to my VPN provider. To be precise, the router's outgoing traffic goes through the VPN tunnel instead of going out via WAN, so the client never receives the reply (RX) packets.

I also have a homelab in a VLAN, which is a separate firewall zone. There are also a lot of port forwardings.
PS: my homelab also runs a WireGuard server that uses external port 51820, so the router's server listens on 51821.

/etc/config/network:

config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix 'fd56:72d2:b43e::/48'

config device
option name 'br-lan'
option type 'bridge'
list ports 'lan3'
list ports 'lan4'

config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'

config device
option name 'wan'
option macaddr '24:cf:24:28:0f:81'

config interface 'wan'
option device 'wan'
option proto 'dhcp'
option peerdns '0'
option metric '20'

config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
option reqaddress 'try'
option reqprefix 'auto'
option metric '20'

config interface '****'
option proto 'none'

config interface 'VLAN'
option proto 'static'
option device 'lan2'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'

config interface 'vpn_privacy'
option proto 'wireguard'
option private_key 'Client PRIVATEKEY'
list addresses '10.2.0.2/32'
list dns '10.2.0.1'

config wireguard_vpn_privacy
option description 'Client Peer'
option public_key 'Client peer PUBLICKEY'
option endpoint_host 'Peer IP'
option endpoint_port '51820'
list allowed_ips '0.0.0.0/0'
option route_allowed_ips '1'

config interface 'wg_server'
option proto 'wireguard'
option private_key 'Server PRIVATEKEY'
option auto '0'
option listen_port '51821'
list addresses '10.14.14.1/32'

config wireguard_wg_server
option description 'Peer1'
option public_key 'Server peer PUBLICKEY'
option private_key 'Server peer PRIVATEKEY'
option preshared_key 'Server peer PSK'
list allowed_ips '10.14.14.1/32'
list allowed_ips '10.14.14.2'
option endpoint_port '51820'
option persistent_keepalive '25'
option route_allowed_ips '1'

/etc/config/firewall:

config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option drop_invalid '1'

config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'wg_server'

config zone
option name 'wan'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option input 'REJECT'
option forward 'REJECT'
list device 'tun0'
list network 'wan'
list network 'wan6'

config forwarding
option src 'lan'
option dest 'wan'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'

config zone
option name 'vpn'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'vpn_privacy'

config forwarding
option src 'lan'
option dest 'vpn'

config redirect
option target 'DNAT'
option name 'SSH proliant server'
option src 'wan'
option dest_port '22'
option src_dport '42'
option reflection_src 'external'
option dest_ip '192.168.2.230'
option dest 'lan'

config zone
option name 'vlan'
option output 'ACCEPT'
option input 'ACCEPT'
option forward 'REJECT'
list network 'VLAN'

config forwarding
option src 'lan'
option dest 'vlan'

config forwarding
option src 'vlan'
option dest 'wan'

config rule
option name 'Disallow-ssh-from-proliant-server'
option src 'vlan'
list src_mac '28:80:23:1C:BA:9D'
option dest_port '22'
list src_ip '192.168.2.230'
option target 'DROP'

config rule
option name 'Disallow-http-from-proliant-server'
option src 'vlan'
list src_mac '28:80:23:1C:BA:9D'
list src_ip '192.168.2.230'
option dest_port '80'
option target 'DROP'

config rule
option name 'Disallow-https-from-proliant-server'
option src 'vlan'
list src_mac '28:80:23:1C:BA:9D'
list src_ip '192.168.2.230'
option dest_port '443'
option target 'DROP'

config redirect
option target 'DNAT'
option src 'wan'
option dest_ip '192.168.2.230'
option dest 'lan'
option dest_port '2022'
option src_dport '22'
option name '(Git) SSH GitLab proliant server'

config redirect
option target 'DNAT'
option name 'HTTP to Reverse Proxy'
option src 'wan'
option src_dport '80'
option dest_ip '192.168.2.230'
option dest_port '80'
option dest 'lan'

config redirect
option target 'DNAT'
option name 'HTTPS to Reverse Proxy'
option src 'wan'
option src_dport '443'
option dest_ip '192.168.2.230'
option dest_port '443'
option dest 'lan'

config redirect
option dest 'vlan'
option target 'DNAT'
option name 'SMTP proliant server'
option src 'wan'
option src_dport '25'
option dest_ip '192.168.2.230'
option dest_port '25'

config include 'pbr'
option fw4_compatible '1'
option type 'script'
option path '/usr/share/pbr/pbr.firewall.include'

config redirect
option dest 'vlan'
option target 'DNAT'
option name 'Matrix federation proliant server'
option src 'wan'
option src_dport '8448'
option dest_ip '192.168.2.230'
option dest_port '8448'

config redirect
option dest 'lan'
option target 'DNAT'
option name 'SMTPS proliant'
option src 'wan'
option src_dport '465'
option dest_ip '192.168.2.230'
option dest_port '465'

config redirect
option dest 'lan'
option target 'DNAT'
option name 'Postfix submisson proliant'
option src 'wan'
option src_dport '587'
option dest_ip '192.168.2.230'
option dest_port '587'

config redirect
option dest 'lan'
option target 'DNAT'
option name 'Dovecot IMAP proliant'
option src 'wan'
option src_dport '143'
option dest_ip '192.168.2.230'
option dest_port '143'

config redirect
option dest 'lan'
option target 'DNAT'
option name 'Dovecot IMAPS proliant'
option src 'wan'
option src_dport '993'
option dest_ip '192.168.2.230'
option dest_port '993'

config redirect
option dest 'lan'
option target 'DNAT'
option name 'Dovecot POP3 proliant'
option src 'wan'
option src_dport '110'
option dest_ip '192.168.2.230'
option dest_port '110'

config redirect
option dest 'lan'
option target 'DNAT'
option name 'Dovecot POP3S proliant'
option src 'wan'
option src_dport '995'
option dest_ip '192.168.2.230'
option dest_port '995'

config redirect
option dest 'lan'
option target 'DNAT'
option name 'Dovecot ManageSieve proliant'
option src 'wan'
option src_dport '4190'
option dest_ip '192.168.2.230'
option dest_port '4190'

config redirect
option dest 'vlan'
option target 'DNAT'
option name 'SMTP LAN to VLAN'
option src 'lan'
option src_dport '25'
option dest_ip '192.168.2.230'
option dest_port '25'

config rule
option name 'Test Lan -> Wan'
option src 'vlan'
list src_mac '28:80:23:1C:BA:9D'
list src_ip '192.168.2.230'
option src_port '10025'
option dest 'wan'
option dest_port '25'
option target 'ACCEPT'

config redirect
option dest 'lan'
option target 'DNAT'
option name 'FTP Jellyfin'
option src 'wan'
option src_dport '41'
option dest_ip '192.168.2.230'
option dest_port '21'
option enabled '0'

config redirect
option dest 'lan'
option target 'DNAT'
option name 'Wireguard proliant'
option src 'wan'
option src_dport '51820'
option dest_ip '192.168.2.230'
option dest_port '51820'

config redirect
option dest 'lan'
option target 'DNAT'
option name 'Minecraft server'
option src 'wan'
option src_dport '25565'
option dest_ip '192.168.2.230'
option dest_port '25565'
option enabled '0'

config redirect
option dest 'lan'
option target 'DNAT'
option name 'iLO server HTTPS'
option src 'wan'
option src_dport '420'
option dest_ip '192.168.2.232'
option dest_port '443'
option enabled '0'

config redirect
option dest 'lan'
option target 'DNAT'
option name 'iLO server SSH'
option src 'wan'
option src_dport '422'
option dest_ip '192.168.2.232'
option dest_port '22'
option enabled '0'

config rule
option name 'Allow Wireguard server'
list proto 'udp'
option src 'wan'
option dest_port '51821'
option target 'ACCEPT'

/etc/config/pbr:

config pbr 'config'
option verbosity '2'
option strict_enforcement '1'
option resolver_set 'none'
option ipv6_enabled '0'
option boot_timeout '30'
option rule_create_option 'add'
option procd_reload_delay '1'
option webui_show_ignore_target '1'
list webui_supported_protocol 'all'
list webui_supported_protocol 'tcp'
list webui_supported_protocol 'udp'
list webui_supported_protocol 'tcp udp'
list webui_supported_protocol 'icmp'
option enabled '1'
list ignored_interface 'vpnserver'
list ignored_interface 'wgserver'
list ignored_interface 'wg_server'

config include
option path '/usr/share/pbr/pbr.user.aws'
option enabled '0'

config include
option path '/usr/share/pbr/pbr.user.netflix'
option enabled '0'

config policy
option name 'Plex/Emby Local Server'
option interface 'wan'
option src_port '8096 8920 32400'
option enabled '0'

config policy
option name 'Plex/Emby Remote Servers'
option interface 'wan'
option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
option enabled '0'

config policy
option name 'Proliant to WAN'
option interface 'wan'
option src_addr '192.168.2.230'

config policy
option name 'Work Laptop to WAN'
option src_addr '192.168.1.169'
option interface 'wan'

config policy
option name 'Work iPhone to WAN'
option src_addr '192.198.1.177'
option interface 'wan'

Thanks

It looks like you are using PBR, which has a user file to do exactly that:
image

It does a decent job of finding out what the server is, but it is not foolproof, so try that first and reboot after enabling it.


I do not have this file installed. Where can I find it ?

You might consider upgrading, but if that is not feasible, here it is:

pbr.user.wg_server_and_client

#!/bin/sh
# shellcheck disable=SC1091,SC3043
# This code is based on idea of https://github.com/egc112

# Logical name of the WAN interface; the ip rules below select the
# "pbr_${WAN_INTERFACE}" routing table (presumably created by pbr for it).
WAN_INTERFACE="wan"
# Status handed back by the top-level return at the end of the file:
# stays 1 (failure) until at least one ip rule has been added.
_ret="1"

#######################################
# config_foreach callback: for every enabled WireGuard interface that has
# a listen_port, route packets sourced from that port via the
# pbr_${WAN_INTERFACE} table so they leave through WAN instead of the
# default VPN tunnel. Interfaces without a listen_port (pure clients such
# as vpn_privacy above) are left alone.
# Globals:   WAN_INTERFACE (read), _ret (set to 0 once a rule is added)
# Arguments: $1 - UCI section name of the interface
# Returns:   0 when the section is skipped; otherwise the exit status
#            of the "ip rule add" command
#######################################
insert_ip_rule() {
	local is_disabled iface_proto port
	config_get is_disabled "$1" disabled "0"
	config_get iface_proto "$1" proto
	config_get port "$1" listen_port
	# Guard clauses: only enabled WireGuard sections with a listen_port qualify.
	[ "$is_disabled" -ne '1' ] || return 0
	[ "$iface_proto" = 'wireguard' ] || return 0
	[ -n "$port" ] || return 0
	# Delete first so a reload does not stack duplicate rules; the delete
	# legitimately fails on the first run, hence the silenced output.
	ip rule del sport "$port" table "pbr_${WAN_INTERFACE}" >/dev/null 2>&1
	# NOTE(review): the selector is source port only, so any locally
	# originated packet with this source port (not just WireGuard's UDP)
	# takes the WAN table and bypasses the VPN; narrowing with "ipproto udp"
	# would tighten it where the kernel/iproute2 support it. Errors are
	# silenced, so an unsupported selector only shows up as _ret staying 1.
	ip rule add sport "$port" table "pbr_${WAN_INTERFACE}" >/dev/null 2>&1 && _ret=0
}

# OpenWrt UCI shell helpers (config_load, config_get, config_foreach).
. /lib/functions.sh
config_load network
# Visit every "config interface" section of /etc/config/network.
config_foreach insert_ip_rule 'interface'

# A top-level return only works when this file is sourced (as a pbr user
# include); 1 tells the caller that no rule was installed.
return "$_ret"

Copy the contents to /usr/share/pbr.user.wg_server_and_client
and add it to the PBR user files.

Wow, it's instantly working, I get a handshake between my client and my server, Thanks a lot !
The issue now is that my server never responds to the client, and I don't know why. But it looks more like a WireGuard config issue than anything else.

Glad it works :slight_smile:

Make a separate thread about that; for testing, disable your WG client and disable PBR.

In the new thread, please connect to your OpenWrt device using SSH, copy the output of the following commands and post it there using the "Preformatted text </>" button:

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
ip route show
ip route show table all
ip rule show
wg show

Welp, no need, I figured it out, I just messed up my peer configuration, it works now, still thanks for the help !

