LAN access through WG server - routing problem?

Hi guys

I have the following setup:
A LAN interface whose internet traffic is routed over a WG service (client, if you will), with rules set by vpn-policy-routing; 192.168.1.128/25 gets routed over it.

I have set up a WG server myself with interface 192.168.3.1/24 and have managed to connect my phone to it over the internet. I am able to ping OpenWRT at 192.168.1.1 but can't connect to any other IPs on the LAN. I've tried following Local Wireguard Server + Wireguard Client (Scenario 2) on the vpn-policy-routing page and threads on this forum like this, but have had no luck. On trying to ping (e.g. 192.168.1.130 to 192.168.3.132 or vice versa) it always says destination port unreachable.

I guess it's a routing issue? Since I do have route_allowed_ips enabled for the server interface, I thought that should cover it. I've tried adding static routes (interface server, target 192.168.3.0, subnet 255.255.255.0) and disabling policy-based routing, but no luck.

Any help would be much appreciated as I have spent hours but to no avail. See configs below. Thank you.

Network
config interface 'lan'
	option type 'bridge'
	option ifname 'eth1.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'server'
	option proto 'wireguard'
	option listen_port '7495'
	option private_key 'xxx'
	list addresses '192.168.3.1/24'

config wireguard_server
	option persistent_keepalive '25'
	option public_key 'xxx'
	option route_allowed_ips '1'
	list allowed_ips '192.168.3.132/32'

config interface 'wan'
	option proto 'dhcp'
	option macaddr 'xxx'
	option mtu '1492'
	option ifname 'eth0.10'
	option peerdns '0'

config interface 'wan6'
	option proto 'dhcpv6'
	option ifname 'eth0.10'
	option reqaddress 'try'
	option reqprefix 'auto'
	option macaddr 'xxx'
	option mtu '1492'
	option auto '0'
	option peerdns '0'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'
	option vid '1'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 5t'
	option vid '10'

config interface 'guest'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wg'
	option proto 'wireguard'
	option private_key 'xxx'
	list addresses '10.5.0.2'
	option delegate '0'

config wireguard_wg
	option persistent_keepalive '25'
	option dns 'xxx'
	option endpoint_port '51820'
	option public_key 'xxx'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host 'xxx'

Firewall
config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '7495'
	option name 'Allow-WG-Inbound'
	option src 'wan'

config rule
	option name 'VPN-KillSwitch'
	option src 'lan'
	option dest 'wan'
	option target 'REJECT'
	option device 'eth0.10'
	option direction 'out'
	list src_ip '192.168.1.128/29'
	list proto 'all'
	option enabled '0'

config rule
	list proto 'icmp'
	option name 'Allow-NAS-Ping'
	list src_ip '192.168.1.160'
	option dest 'guest'
	option target 'ACCEPT'
	option src 'lan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'Guest-DNS'
	option src 'guest'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
	option name 'Guest-DHCP'
	option src 'guest'

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'server'

config zone
	option name 'guest'
	option forward 'REJECT'
	option output 'ACCEPT'
	option input 'REJECT'
	list network 'guest'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wg'

config forwarding
	option src 'lan'
	option dest 'wan'

config include
	option path '/etc/firewall.user'

config forwarding
	option dest 'wan'
	option src 'guest'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config include 'bcp38'
	option type 'script'
	option path '/usr/lib/bcp38/run.sh'
	option family 'IPv4'
	option reload '1'

VPN Policy Routing
config policy
	option interface 'ignore'
	option name 'local-ignore'
	option dest_addr '192.168.0.0/24'

#Route half of LAN over VPN
config policy
	option name 'lan-wg'
	option interface 'wg'
	option src_addr '192.168.1.128/25'

#Route DNS requests over VPN
config policy
	option interface 'wg'
	option chain 'OUTPUT'
	option name 'dns-wg'
	option dest_addr 'xxx.xxx.xxx.xxx'

config vpn-policy-routing 'config'
	option verbosity '2'
	option src_ipset '0'
	option dest_ipset '0'
	option resolver_ipset 'dnsmasq.ipset'
	option ipv6_enabled '0'
	option boot_timeout '30'
	option iptables_rule_option 'append'
	option procd_reload_delay '1'
	option webui_sorting '1'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	list webui_supported_protocol 'all'
	option webui_enable_column '1'
	option strict_enforcement '0'
	option webui_chain_column '1'
	list ignored_interface 'server'
	option webui_protocol_column '0'
	option webui_show_ignore_target '1'
	option enabled '1'

Client WG config (Android):

Addresses 192.168.3.132/32
DNS 192.168.1.1
Allowed IPs 0.0.0.0/0

What is the output of ip -4 ro li table all?

Check with enabled masquerading on the LAN firewall zone and disabled bcp38.

No luck with masquerading on the LAN zone. bcp38 was not enabled according to LuCI.

Output of ip -4 ro li table all:

default via xxx dev eth0.10 table wan 
192.168.1.0/24 dev br-lan table wan proto kernel scope link src 192.168.1.1 
192.168.2.0/24 dev br-guest table wan proto kernel scope link src 192.168.2.1 
192.168.3.132 dev server table wan proto static scope link 
default via 10.5.0.2 dev wg table wg 
192.168.1.0/24 dev br-lan table wg proto kernel scope link src 192.168.1.1 
192.168.2.0/24 dev br-guest table wg proto kernel scope link src 192.168.2.1 
192.168.3.132 dev server table wg proto static scope link 
default via xxx dev eth0.10 proto static src xxx
xxx via xxx dev eth0.10 proto static 
xxx/22 dev eth0.10 proto kernel scope link src xxx 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 
192.168.2.0/24 dev br-guest proto kernel scope link src 192.168.2.1 
192.168.3.132 dev server proto static scope link 
local 10.5.0.2 dev wg table local proto kernel scope host src 10.5.0.2 
broadcast xxx dev eth0.10 table local proto kernel scope link src xxx 
local xxx dev eth0.10 table local proto kernel scope host src xxx 
broadcast xxx dev eth0.10 table local proto kernel scope link src xxx 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1 
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1 
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1 
broadcast 192.168.2.0 dev br-guest table local proto kernel scope link src 192.168.2.1 
local 192.168.2.1 dev br-guest table local proto kernel scope host src 192.168.2.1 
broadcast 192.168.2.255 dev br-guest table local proto kernel scope link src 192.168.2.1 
broadcast 192.168.3.0 dev server table local proto kernel scope link src 192.168.3.1 
local 192.168.3.1 dev server table local proto kernel scope host src 192.168.3.1 
broadcast 192.168.3.255 dev server table local proto kernel scope link src 192.168.3.1

Hi, I have a working connection from the WAN interface into my LAN WireGuard interface and it's all working great. First, I made a firewall mark; I use port 51800 for my WGLan interface, so it's 0xCA58 as FW mark (using a Dec/Bin/Hex calculator to find out the FW mark for port 51800). Additionally I made DNS listen, and so added the WireGuard LAN interface in the DNSMASQ section (DHCP and DNS) so that it listens on that interface (replies to DNS requests on my WGLAN interface). My WireGuard server IP, in my case 10.0.01, is set as DNS server and forwards requests to the internal LAN interface; cryptorouting also works. I added hostnames for my WireGuard clients to additional HOSTS, and so can connect to a Parrot Linux machine that sits inside my LAN and is also connected to my WGLan interface, by its hostname inside the WireGuard LAN interface network. So it's all fully encrypted up to the end device.

I have no clue if this will solve your trouble, but for me it's all working perfectly.

I'm having 2 WireGuard interfaces, one for Mullvad VPN, with a port open to my internal WGLan interface, so I can enter from the outside world into my LAN securely.

I can connect while not at home with my iPhone to my WGLAN interface, surf over my home Mullvad IP, and access file shares and SSH through the WireGuard tunnel into my LAN machines.
Good luck!

This is correct. Are the hosts which you are trying to reach Windows by any chance? They are known to block incoming requests from other subnets by default. Or is there any other firewall on the hosts?

Thanks for checking all that, trendy, I appreciate it.

I don't have any Windows machines - I've been trying to connect an Ubuntu machine with another Ubuntu machine and have tried it with an Android device as well. I am able to ping devices on the 192.168.2.1/24 guest network from the 192.168.1.1/24 LAN.

It shouldn't have anything to do with my DHCP/DNSMASQ settings right? If all else fails I might try upgrading the 19.07 snapshot I'm currently using to see if that might make a difference. Keen to hear if anyone thinks of any other things worth trying!

Interesting - just after I sent the above post I figured I would try pinging from 192.168.3.132 to one of the machines on the 192.168.2.1/24 guest interface (a flatmate's iMac), and that actually gets a reply! There is apparently something blocking the LAN from reaching the WG clients, but not the Guest interface from reaching the WG clients.

In summary:
LAN <> Guest works
Guest <> WG clients works
LAN <> WG clients does NOT work

Right, I figured it out. Although 'forward' was set to 'accept' in the general settings, it was in fact set to 'reject' in LuCI for the LAN interface. Changing this in LuCI fixed the issue, although I still don't quite understand it, as the firewall config I posted does show forward 'accept' for the LAN interface...

Either way, I'm happy. Thanks for all your help, guys.
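A static check over the zone and forwarding sections of the firewall config posted above, added here as an example and not part of the thread. It parses the UCI text and answers whether the zone layer permits forwarding between two networks (same zone: the zone's own 'forward' policy; different zones: a 'config forwarding' entry from source zone to destination zone). Run against the posted config it says lan and server may forward to each other, which is exactly why the observed LAN <> WG failure pointed at a live configuration differing from the posted file, as the last post confirms.

```python
import re
from collections import defaultdict
# Constructed excerpt of the /etc/config/firewall posted in this thread: zones and forwardings only.
FIREWALL_UCI = """
config zone
    option name 'lan'
    option forward 'ACCEPT'
    list network 'lan'
    list network 'server'
config zone
    option name 'guest'
    option forward 'REJECT'
    list network 'guest'
config zone
    option name 'wan'
    option forward 'REJECT'
    list network 'wan'
config forwarding
    option src 'lan'
    option dest 'wan'
config forwarding
    option dest 'wan'
    option src 'guest'
"""

def parse_uci(text):
    """Parse UCI text into [(section_type, {key: [values]})]; 'option' and 'list' both become lists."""
    sections = []
    for line in text.splitlines():
        sec = re.match(r"^\s*config\s+(\S+)", line)
        kv = re.match(r"^\s*(?:option|list)\s+(\S+)\s+'([^']*)'", line)
        if sec:
            sections.append((sec.group(1), defaultdict(list)))
        elif kv and sections:
            sections[-1][1][kv.group(1)].append(kv.group(2))
    return sections

def forwarding_allowed(sections, src_net, dst_net):
    """Does the zone layer allow forwarding src_net -> dst_net? Per-rule holes (e.g. Allow-NAS-Ping) are ignored."""
    zone_of, zone_fwd, inter = {}, {}, set()
    for typ, opts in sections:
        if typ == "zone":
            zone_fwd[opts["name"][0]] = (opts["forward"] or ["REJECT"])[0]
            for net in opts["network"]:
                zone_of[net] = opts["name"][0]
        elif typ == "forwarding":
            inter.add((opts["src"][0], opts["dest"][0]))
    za, zb = zone_of[src_net], zone_of[dst_net]
    # Same zone: the zone's own 'forward' policy; different zones: an explicit forwarding entry.
    return zone_fwd[za] == "ACCEPT" if za == zb else (za, zb) in inter
```

Comparing this expected matrix with what ping actually shows between each pair of networks is the quickest way to tell a config-file problem from a running-firewall mismatch like the one found in this thread.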

