Hi guys
I have the following setup:
A LAN interface whose internet traffic is routed over a WG service (acting as a client, if you will), with rules set by vpn-policy-routing; 192.168.1.128/25 gets routed over it.
I have set up a WG server myself with interface address 192.168.3.1/24 and have managed to connect my phone to it over the internet. I am able to ping OpenWRT at 192.168.1.1, but I can't connect to any other IPs on the LAN. I've tried following "Local Wireguard Server + Wireguard Client (Scenario 2)" on the vpn-policy-routing page and threads on this forum like this one, but have had no luck. When I try to ping (e.g. from 192.168.1.130 to 192.168.3.132, or vice versa), it always reports destination port unreachable.
I guess it's a routing issue? Since I have route_allowed_ips enabled on the server interface's peer, I thought that should cover it. I've tried adding static routes (interface server, target 192.168.3.0, netmask 255.255.255.0) and disabling policy-based routing, but with no luck.
Any help would be much appreciated, as I have spent hours on this to no avail. See configs below. Thank you.
Network
config interface 'lan'
option type 'bridge'
option ifname 'eth1.1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'server'
option proto 'wireguard'
option listen_port '7495'
option private_key 'xxx'
list addresses '192.168.3.1/24'
config wireguard_server
option persistent_keepalive '25'
option public_key 'xxx'
option route_allowed_ips '1'
list allowed_ips '192.168.3.132/32'
config interface 'wan'
option proto 'dhcp'
option macaddr 'xxx'
option mtu '1492'
option ifname 'eth0.10'
option peerdns '0'
config interface 'wan6'
option proto 'dhcpv6'
option ifname 'eth0.10'
option reqaddress 'try'
option reqprefix 'auto'
option macaddr 'xxx'
option mtu '1492'
option auto '0'
option peerdns '0'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 3 4 6t'
option vid '1'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '0t 5t'
option vid '10'
config interface 'guest'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wg'
option proto 'wireguard'
option private_key 'xxx'
list addresses '10.5.0.2'
option delegate '0'
config wireguard_wg
option persistent_keepalive '25'
option dns 'xxx'
option endpoint_port '51820'
option public_key 'xxx'
list allowed_ips '0.0.0.0/0'
option endpoint_host 'xxx'
Firewall
config rule
option target 'ACCEPT'
option proto 'udp'
option dest_port '7495'
option name 'Allow-WG-Inbound'
option src 'wan'
config rule
option name 'VPN-KillSwitch'
option src 'lan'
option dest 'wan'
option target 'REJECT'
option device 'eth0.10'
option direction 'out'
list src_ip '192.168.1.128/29'
list proto 'all'
option enabled '0'
config rule
list proto 'icmp'
option name 'Allow-NAS-Ping'
list src_ip '192.168.1.160'
option dest 'guest'
option target 'ACCEPT'
option src 'lan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option target 'ACCEPT'
option proto 'tcp udp'
option dest_port '53'
option name 'Guest-DNS'
option src 'guest'
config rule
option target 'ACCEPT'
option proto 'udp'
option dest_port '67-68'
option name 'Guest-DHCP'
option src 'guest'
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'server'
config zone
option name 'guest'
option forward 'REJECT'
option output 'ACCEPT'
option input 'REJECT'
list network 'guest'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
list network 'wg'
config forwarding
option src 'lan'
option dest 'wan'
config include
option path '/etc/firewall.user'
config forwarding
option dest 'wan'
option src 'guest'
config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'any'
option reload '1'
config include 'bcp38'
option type 'script'
option path '/usr/lib/bcp38/run.sh'
option family 'IPv4'
option reload '1'
VPN Policy Routing
config policy
option interface 'ignore'
option name 'local-ignore'
option dest_addr '192.168.0.0/24'
#Route half of LAN over VPN
config policy
option name 'lan-wg'
option interface 'wg'
option src_addr '192.168.1.128/25'
#Route DNS requests over VPN
config policy
option interface 'wg'
option chain 'OUTPUT'
option name 'dns-wg'
option dest_addr 'xxx.xxx.xxx.xxx'
config vpn-policy-routing 'config'
option verbosity '2'
option src_ipset '0'
option dest_ipset '0'
option resolver_ipset 'dnsmasq.ipset'
option ipv6_enabled '0'
option boot_timeout '30'
option iptables_rule_option 'append'
option procd_reload_delay '1'
option webui_sorting '1'
list webui_supported_protocol 'tcp'
list webui_supported_protocol 'udp'
list webui_supported_protocol 'tcp udp'
list webui_supported_protocol 'icmp'
list webui_supported_protocol 'all'
option webui_enable_column '1'
option strict_enforcement '0'
option webui_chain_column '1'
list ignored_interface 'server'
option webui_protocol_column '0'
option webui_show_ignore_target '1'
option enabled '1'
Client WG config (Android):
Addresses 192.168.3.132/32
DNS 192.168.1.1
Allowed IPs 0.0.0.0/0