LAN access in Wireguard tunnel


#1

Good morning,

I have two Wireguard interfaces running:

  • One connects to a Mullvad Wireguard server and is for VPN traffic from my home network. I use Policy Based routing to allow, for example, traffic from certain devices to be redirected back over the WAN
  • One is to allow me to pick up the static IP assigned to me via my ISP and is useful when I'm overseas and want to watch, say Netflix; I appear from my standard, domestic IP address

For the second interface - the one I use to appear from my domestic IP address - I'd also like to be able to access other devices on my LAN. I can't get this bit working.

  • My LAN is on 192.168.1.1/24
  • My wg interface is on 10.0.0.1/24. (Possibly) crucially, under the interface config, Firewall Mark is set to 0x10000. I found I had to set this to allow both wg interfaces (as a Mullvad client, and as a server) to work correctly
  • I have a policy-based rule to ensure that traffic from 10.0.0.1/24 responds over the WAN

So, I'd like clients connected to 10.0.0.1/24 to be able to communicate with clients in 192.168.1.1/24. This is the bit I'm stuck with.

Here's my firewall config
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option network 'wan wan6'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone 'guest'
	option name 'guest'
	option output 'ACCEPT'
	option network 'guest'
	option input 'REJECT'
	option forward 'REJECT'

config rule 'guest_dhcp'
	option name 'guest_DHCP'
	option src 'guest'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'

config rule 'guest_dns'
	option name 'guest_DNS'
	option src 'guest'
	option target 'ACCEPT'
	option proto 'tcpudp'
	option dest_port '53'

config zone 'streaming'
	option output 'ACCEPT'
	option name 'streaming'
	option network 'streaming'
	option input 'ACCEPT'
	option forward 'ACCEPT'

config rule 'streaming_dhcp'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
	option src 'streaming'
	option name 'streaming_DHCP'

config rule 'streaming_dns'
	option target 'ACCEPT'
	option proto 'tcpudp'
	option dest_port '53'
	option src 'streaming'
	option name 'streaming_DNS'

config zone
	option forward 'REJECT'
	option output 'ACCEPT'
	option name 'wgzone'
	option masq '1'
	option mtu_fix '1'
	option network 'wg'
	option input 'REJECT'

config forwarding
	option dest 'wgzone'
	option src 'guest'

config forwarding
	option dest 'wan'
	option src 'streaming'

config forwarding
	option dest 'wgzone'
	option src 'streaming'

# Router-side listener for the WireGuard server (UDP 1234, matching the
# listen_port of the wgserver interface). There is no 'dest', so this is an
# INPUT rule, and src '*' is the any-zone wildcard: lan, guest and streaming
# hosts can reach the listener as well as wan. If only peers arriving from
# the internet are meant to connect, src 'wan' is the tighter choice.
config rule
	option src '*'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '1234'
	option name 'Allow-Wireguard-Inbound'

config forwarding
	option dest 'wan'
	option src 'lan'

config forwarding
	option dest 'wgzone'
	option src 'lan'

config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	option name 'wgserver'
	option forward 'ACCEPT'
	option masq '1'
	option network 'wgserver'

config forwarding
	option dest 'wgserver'
	option src 'lan'

# Lets connections initiated from the wan zone be forwarded into the
# wgserver zone, i.e. straight to the tunnel peers (the 10.0.0.x addresses).
# Inbound WireGuard itself is already covered by 'Allow-Wireguard-Inbound',
# so this forwarding is only needed if internet hosts should reach services
# running on the peers directly; otherwise it is extra exposure and can go.
config forwarding
	option dest 'wgserver'
	option src 'wan'

config forwarding
	option dest 'lan'
	option src 'wgserver'

config forwarding
	option dest 'wan'
	option src 'wgserver'
Here's my network config. Sensitive details redacted, of course
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd8c:4d35:43aa::/48'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ifname 'eth1.1'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'pppoe'
	option username ''
	option password ''
	option peerdns '0'
	option dns '84.200.69.80 84.200.70.40'
	option ipv6 'auto'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5 0t'

config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.4.1'
	option netmask '255.255.255.0'
	option type 'bridge'

config interface 'wg'
	option proto 'wireguard'
	option private_key ''
	option listen_port '51820'
	list addresses '10.99.57.166/32'
	option force_link '1'

config wireguard_wg
	option public_key ''
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'
	option endpoint_host '185.16.85.130'
	option endpoint_port '51820'
	option persistent_keepalive '25'

config route

config interface 'streaming'
	option proto 'static'
	option type 'bridge'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

config interface 'wgserver'
	option proto 'wireguard'
	option private_key ''
	option listen_port '1234'
	option fwmark '0x10000'
	list addresses '10.0.0.1/24'

config wireguard_wgserver
	option public_key ''
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	option description 'tec'
	list allowed_ips '10.0.0.2/32'

I suspect this is a simple firewall issue, but I can't put my finger on it. It's also possible that I've missed something when creating the interface (do I need to add 192.168.1.1/24 to the list addresses?)

Is anybody able to assist?

Kind regards


#2

Simply put that second "domestic WG" interface in the LAN firewall zone, then. Next, just put Mullvad in the WAN firewall zone (unless their instructions CLEARLY and FULLY explain otherwise).

You're making it complex.

I'm not even sure why you're marking packets.


#3

Hi, @lleachii

Thanks very much for that.

That's massively simplified things (and hasn't broken anything). I now have three zones: wan, lan and guest. The Mullvad wg interface is in the wan zone; the domestic wg interface in the lan zone.

I can connect to the domestic wg interface, and clients appear from my ISP's static IP address. However, I still can't connect to 192.168.1.1/24 clients when in the 10.0.0.1/24 subnet. I can ping the router at 192.168.1.1 (from, say, 10.0.0.2), but that's it. Perhaps I'm missing a firewall rule, still?

I tried removing the 0x10000 Firewall Mark from my domestic wg interface, but, when I did, I found that there was no internet access for connected clients.

Here's my (much simpler) firewall config

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan streaming wgserver'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'
	option network 'wan wan6 wg'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone 'guest'
	option name 'guest'
	option output 'ACCEPT'
	option network 'guest'
	option input 'REJECT'
	option forward 'REJECT'

config rule 'guest_dhcp'
	option name 'guest_DHCP'
	option src 'guest'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'

config rule 'guest_dns'
	option name 'guest_DNS'
	option src 'guest'
	option target 'ACCEPT'
	option proto 'tcpudp'
	option dest_port '53'

config rule
	option src '*'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '1234'
	option name 'Allow-Wireguard-Inbound'

config forwarding
	option dest 'wan'
	option src 'lan'

config forwarding
	option dest 'wan'
	option src 'guest'


and my network config

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd8c:4d35:43aa::/48'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ifname 'eth1.1'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'pppoe'
	option username '...n'
	option password '...'
	option peerdns '0'
	option dns '84.200.69.80 84.200.70.40'
	option ipv6 'auto'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5 0t'

config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.4.1'
	option netmask '255.255.255.0'
	option type 'bridge'

config interface 'wg'
	option proto 'wireguard'
	option private_key '...'
	option listen_port '51820'
	list addresses '10.99.57.166/32'
	option force_link '1'

config wireguard_wg
	option public_key '...'
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'
	option endpoint_host '185.16.85.130'
	option endpoint_port '51820'
	option persistent_keepalive '25'

config route

config interface 'streaming'
	option proto 'static'
	option type 'bridge'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

config interface 'wgserver'
	option proto 'wireguard'
	option private_key '...'
	option listen_port '1234'
	list addresses '10.0.0.1/24'
	option fwmark '0x10000'

config wireguard_wgserver
	option public_key '...'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	option description 'tec'
	list allowed_ips '10.0.0.2/32'

Are you able to spot where I'm going wrong, at all? I'm sure it's something simple, but I'm being a bit of a peanut.

Thanks!


#4

Nope, you fixed that by placing the 192 and 10 networks in the same Firewall Zone. :wink:


  • Can you explain how you "discovered" that you had to set a firewall mark?

Add in /etc/config/network -

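# Static route for the whole tunnel subnet via the wgserver interface,
# replacing the /32 that route_allowed_ips would otherwise install.
config route
    option interface 'wgserver'
    option target '10.0.0.0'
    option netmask '255.255.255.0'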
  • Remove the option route allowed IPs (or make ''0') from config wireguard_wgserver
  • Then:

/etc/init.d/network reload

I think the problem is that you created a /32 route.


#5

Thanks, again. I'm going nuts trying to figure this out, so I really appreciate your assistance.

No dice, I'm afraid: same result. I'm minded to point the finger at Policy-Based Routing: perhaps the response isn't going back over the wgserver interface, but over something else (maybe out via Mullvad?) so that the response is never received?

Can you explain how you "discovered" that you had to set a firewall mark?

From here: Wireguard server setup [Solved]


#6

Can you show your routes...are you doing something odd (i.e. doing policies via the fwmarks)?


#7

Hi @tectonic

I see you followed my advice from that post I made back in July. In the VPR advanced configuration settings, try setting "Append local IP Tables rules" to "! -d 10.0.0.1/24". Also make sure that the wg interface for the WireGuard server is listed as an ignored interface.

Also the only reason fwmark was needed was because I was previously experimenting with a setup that had Azire VPN as a wireguard client alongside the WG server. As I no longer am using azire as a client I can't say for sure you will need the fwmark 0x10000 set with the above settings I mentioned. Anyways I would try with and without the fwmark set.


#8

Can you show your routes...are you doing something odd (i.e. doing policies via the fwmarks)?

Sorry, that was superfluous and has been removed. The only route I have now is

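# Static route for the tunnel subnet via the wgserver interface.
config route
    option interface 'wgserver'
    option target '10.0.0.0'
    option netmask '255.255.255.0'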

#9

Hi @jvquintero1021

Thanks very much.

I, too, am running both a Wireguard client (Mullvad, in my case) and server. It looks like the fwmark is required, along with the route that @lleachii suggested:

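# Static route for the tunnel subnet via the wgserver interface.
config route
    option interface 'wgserver'
    option target '10.0.0.0'
    option netmask '255.255.255.0'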

I've done as you suggested. Under VPR advanced settings, I added wgserver to the list of Ignored Interfaces, and added the destination exclusion you posted. It's still not working, but I definitely think that PBR is the issue here. Here's what I'm trying to achieve:

  • My streaming device is in 192.168.1.1/24 and has a static IP assigned to it. I want this to go over my ISP; e.g. due to Netflix spotting my VPN connection
  • My HDHomerun Connect is also in 192.168.1.1/24 and has a static IP assigned to it. I don't mind whether this goes through Mullvad or my ISP, but I do need clients in 10.0.0.1/24 to be able to reach it
  • 10.0.0.1/24 should also pick up my ISP IP (since the goal of this exercise is to be able to appear from my ISP IP when overseas)

Here's my PBR config (with comments). Interestingly, when I remove the last rule (10.0.0.1/24 over the WAN), I can reach clients in 192.168.1.1/24 just fine. But, when I do this, clients connected to 10.0.0.1/24 end up with Mullvad's IP rather than my ISP's:

/etc/config/vpn-policy-routing
# route TV over ISP IP to not bother Netflix blockers
config policy
	option name 'TV'
	option local_address '192.168.1.100'
	option interface 'wan'
	option proto 'tcp'
	option chain 'PREROUTING'

# this device works better when going over my ISP
config policy
	option chain 'PREROUTING'
	option interface 'wan'
	option name 'Hello'
	option local_address '192.168.1.102'
	option proto 'tcp'

# This entire subnet goes over my ISP because sometimes it's useful
config policy
	option proto 'tcp'
	option chain 'PREROUTING'
	option interface 'wan'
	option name 'Streaming'
	option local_address '192.168.3.1/24'

config vpn-policy-routing 'config'
	option verbosity '2'
	option ipv6_enabled '0'
	option dnsmasq_enabled '0'
	option strict_enforcement '1'
	option boot_timeout '30'
	option ipset_enabled '1'
	list ignored_interface 'wgserver'
	option enabled '1'
	option append_local_rules '! -d 10.0.0.1/24'

# clients connected to my wireguard server should pick up my ISP IP
config policy
	option proto 'tcp'
	option chain 'PREROUTING'
	option interface 'wan'
	option name 'wgserver'
	option local_address '10.0.0.0/24'

This can't be impossible, but I know there's a gap in my knowledge here that's preventing me from resolving it.

All the best


#10

...and, I think this is the problem. When I add 10.0.0.1/24 to the PBR: a client in 10.0.0.1/24 tries to connect to a LAN client in 192.168.1.1/24, but the response goes over the WAN rather than remaining local. So, do I need to add an exclusion; something like "! -d 192.168.1.1/24"?


#11

I can't help; because for some reason, you aren't showing all your routes at once. And for some reason, you're putting routes in 2 places. That's quite confusing.

I hope @jvquintero1021 can better assist.


#12

Sorry, @lleachii; you're absolutely correct. It is getting a bit confusing. During the week, I'll clear all my settings and start again from scratch and try to keep everything as simple as possible. I can then post back if things still aren't working.

Thanks for your assistance and sorry for the confusion.

All the best.


#13

@tectonic

I have pretty much the exact same setup as you. The only difference is that I no longer have a WireGuard interface set up as a client. My provider is PIA over an OpenVPN interface.

I think what is happening is that when you set up Mullvad VPN as a WireGuard interface, it changes your router's default routing table. In OpenVPN you would make sure the option route_nopull '1' was set to keep WAN as the default route. In WireGuard the option route_allowed_ips '0' should do the same, but I've found that the WireGuard interface would still change the default route. This is why, when you delete your VPR policy

# clients connected to my wireguard server should pick up my ISP IP
config policy
	option proto 'tcp'
	option chain 'PREROUTING'
	option interface 'wan'
	option name 'wgserver'
	option local_address '10.0.0.0/24'

your clients end up going over the default route (mullvad) because you no longer have a VPR policy telling them to go over the WAN.

You can try setting this as a VPR policy

# clients connected to my wireguard server should pick up my ISP IP
config policy
	option proto 'tcp'
	option chain 'PREROUTING'
	option interface 'wan'
	option name 'LAN routing'
	option local_address '192.168.1.0/24 10.0.0.0/24'

This makes sure both your LAN and wgserver clients are going over your WAN. Also this is a very useful command that will help in troubleshooting

/etc/init.d/vpn-policy-routing support

#14

Thanks, @jvquintero1021. I didn't know about route_allowed_ips, so that's handy to know.

I've started from scratch. So far, I've got the basics working: WireGuard server; no Mullvad WireGuard client; no PBR. So far, so good: I can connect to my WireGuard server, clients appear from my ISP's IP address, and I can access clients in my lan zone.

/etc/config/firewall
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'Streaming lan wgserver'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option forward 'REJECT'
	option output 'ACCEPT'
	option name 'guest'
	option input 'REJECT'
	option network 'Guest'

config forwarding
	option dest 'wan'
	option src 'guest'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
	option name 'guest_dhcp'
	option src 'guest'

config rule
	option enabled '1'
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'guest_dns'
	option src 'guest'

config rule
	option src '*'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '52000'
	option name 'Allow-Wireguard-Inbound'
/etc/config/network
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd2c:dd09:d634::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth1.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'pppoe'
	option username ''
	option password ''
	option ipv6 'auto'
	option peerdns '0'
	option dns '84.200.69.80 84.200.70.40'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5 0t'

config interface 'Streaming'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

config interface 'Guest'
	option proto 'static'
	option ipaddr '192.168.4.1'
	option netmask '255.255.255.0'

config interface 'wgserver'
	option proto 'wireguard'
	option private_key ''
	option listen_port '52000'
	list addresses '192.168.99.1/24'

config wireguard_wgserver
	option public_key ''
	list allowed_ips '192.168.99.2/32'
	option persistent_keepalive '25'
	option description 'a'

Next-up is the tricky business of adding-in the Mullvad WG client and some PBR rules. But, at least I've got a base from which to work now.


#15

:open_mouth:
You didn't?

OK, glad you fixed that! :+1:

As I noted, likely was the issue.


#16

Sorry, @lleachii, you're right: I was aware of its existence as you had highlighted it to me earlier. I wasn't clear on its purpose, though.

I'm very grateful for the help you and @jvquintero1021 have provided. The good news is that I think I've got it all working now with a client and server running side by side, and with the requisite LAN access. I'll do some more testing tonight when I'm back home and then post my configs here in case they're useful to somebody else.


#17

Great news, glad to help!


#18

Yep, looks like this is all working now. It seems the important detail is, indeed, to ensure route_allowed_ips is '0' to keep the WAN as the default route.

I was scratching my head today trying to figure out why, all of a sudden, I couldn't reach clients in my LAN through the WireGuard tunnel. It was because I was sitting on a 192.168.1.1/24 subnet at the time, so there was a clash when trying to reach clients on my home 192.168.1.1/24 subnet (the client's local route for that subnet wins over the tunnel). So, I've changed my LAN subnet at home to something different to reduce the chances of a clash.

Anyway, for posterity, here are my configs in case they're useful for somebody else:

/etc/config/network
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd2c:dd09:d634::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth1.1'
	option proto 'static'
	option ipaddr '192.168.100.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'pppoe'
	option username ''
	option password ''
	option ipv6 'auto'
	option peerdns '0'
	option dns '84.200.69.80 84.200.70.40'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5 0t'

config interface 'Streaming'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

config interface 'Guest'
	option proto 'static'
	option ipaddr '192.168.4.1'
	option netmask '255.255.255.0'

config interface 'wgserver'
	option proto 'wireguard'
	option private_key ''
	option listen_port '52000'
	list addresses '192.168.99.1/24'

config wireguard_wgserver
	option public_key ''
	list allowed_ips '192.168.99.2/32'
	option persistent_keepalive '25'
	option description 'client1'

config interface 'mullvad'
	option proto 'wireguard'
	option private_key ''
	list addresses '10.99.57.166'
	option force_link '1'

# Mullvad peer. allowed_ips 0.0.0.0/0 lets the tunnel carry any destination
# that PBR steers into it. route_allowed_ips is not set here — post #18 says
# keeping it at '0' is what stops this peer from replacing the WAN default
# route (an absent option is presumably the same as '0' — confirm on the
# running router by checking the default route after the tunnel is up).
config wireguard_mullvad
	option public_key ''
	list allowed_ips '0.0.0.0/0'
	option endpoint_host '185.16.85.130'
	option persistent_keepalive '25'
	option description 'gb2-wireguard'
/etc/config/firewall
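# Zone-independent defaults: the router accepts and emits traffic itself,
# but nothing is forwarded between zones unless a zone or forwarding
# section allows it.
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'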

# lan zone: wgserver is a member alongside the wired lan and Streaming
# networks, so every peer listed under wireguard_wgserver gets the same
# rights as a wired LAN host (input ACCEPT to the router, forward ACCEPT
# to the other lan members and, through the lan->wan forwarding, out to
# the internet). This membership is what gives the tunnel its LAN access.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'Streaming lan wgserver'

# wan zone: the mullvad tunnel is treated exactly like the ISP uplink —
# input and forward REJECT for anything arriving from the provider's side
# of the tunnel, and masq/mtu_fix applied to what leaves through it.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'mullvad wan wan6'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option forward 'REJECT'
	option output 'ACCEPT'
	option name 'guest'
	option input 'REJECT'
	option network 'Guest'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
	option name 'guest_dhcp'
	option src 'guest'

config rule
	option enabled '1'
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'guest_dns'
	option src 'guest'

# Router-side listener for the WireGuard server (UDP 52000, matching the
# listen_port of the wgserver interface). There is no 'dest', so this is an
# INPUT rule, and src '*' is the any-zone wildcard: lan and guest hosts can
# reach the listener as well as wan. If only peers arriving from the
# internet are meant to connect, src 'wan' is the tighter choice.
config rule
	option src '*'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '52000'
	option name 'Allow-Wireguard-Inbound'

config forwarding
	option dest 'wan'
	option src 'guest'

config forwarding
	option dest 'wan'
	option src 'lan'
/etc/config/vpn-policy-routing
config policy
	option proto 'tcp'
	option chain 'PREROUTING'
	option interface 'wan'
	option name 'TV'
	option local_address '192.168.100.100'

config policy
	option proto 'tcp'
	option chain 'PREROUTING'
	option interface 'wan'
	option name 'Hello'
	option local_address '192.168.100.102'

config policy
	option proto 'tcp'
	option chain 'PREROUTING'
	option name 'Private'
	option interface 'mullvad'
	option local_address '192.168.100.1/24'

config vpn-policy-routing 'config'
	option verbosity '2'
	option ipv6_enabled '0'
	option ipset_enabled '1'
	option dnsmasq_enabled '0'
	option strict_enforcement '1'
	option boot_timeout '30'
	list ignored_interface 'wgserver'
	option append_local_rules '! -d 192.168.99.1/24'
	option enabled '1'

config policy
	option proto 'tcp'
	option chain 'PREROUTING'
	option name 'Guest'
	option local_address '192.168.4.1/24'
	option interface 'mullvad'

#19

On a similar note:

Is it possible to append multiple local IP tables rules (Under 'Advanced Configuration')? I currently have:

! -d 192.168.99.1/24

and would like to also add:

! -d 192.168.3.1/24

I've tried the following, with no luck:

! -d 192.168.3.1/24, 192.168.99.1/24

I've also tried adding an extra append_local_rules option to /etc/config/vpn-policy-routing

Thanks in advance.


#20
$ ipcalc 192.168.0.0/16
Network:	192.168.0.0/16
Netmask:	255.255.0.0 = 16
Broadcast:	192.168.255.255

Address space:	Private Use
Address class:	Class C
HostMin:	192.168.0.1
HostMax:	192.168.255.254
Hosts/Net:	65534