LAN cannot connect to WAN zone when VPN disabled

Hi, I'm new to OpenWrt and I just set up a Wireguard VPN on my router. The VPN connection is working fine, but I want to be able to disable the connection and have all the LAN traffic forwarded to WAN. When I disable my VPN connection I cannot access WAN from my LAN. I did set my LAN zone to forward both to WAN and WGZONE. I also set gateway metrics on both my Mullvad (10) and WAN (20) interfaces.

Here are my configs:

/etc/config/network (Keys removed)

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd50:2867:c02f::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'
        option metric '20'
        option peerdns '0'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 6t'
config interface 'Mullvad'
        option proto 'wireguard'
        option private_key <PRIVATEKEY>
        list addresses '10.66.2.123/32'
        list addresses 'fc00:bbbb:bbbb:bb01::3:27a/128'
        option force_link '1'
        option metric '10'

config wireguard_Mullvad
        option description 'Atlanta'
        option public_key <PUBLICKEY>
        list allowed_ips '0.0.0.0/0'
        option route_allowed_ips '1'
        option endpoint_host '66.115.180.234'
        option endpoint_port '51820'

config interface 'wg0'
        option proto 'wireguard'
        option private_key <PRIVATEKEY>
        option listen_port '51820'
        list addresses '192.168.9.1/24'
        option auto '0'

config wireguard_wg0 'wgclient'
        option preshared_key <PRESHAREDKEY>
        option public_key <PUBLICKEY>
        option route_allowed_ips '1'
        list allowed_ips '192.168.9.18/32'
        option description 'Phone'
        option private_key <PRIVATEKEY>

/etc/config/firewall (Truncated)

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
config zone
        option name 'WGZONE'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'Mullvad'
        option input 'REJECT'

config forwarding
        option src 'lan'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'WGZONE'

Did you restart network or reboot after disabling?

Yes, I did try rebooting after disabling the VPN and I still could not access the WAN from LAN. I also tried removing the VPN from the LAN forwarding firewall and rebooting but still no access to the WAN.

When you disable that link, are there still active routes left? You can check this by just typing route into the terminal.
I'm guessing your wireguard link doesn't go down because you forced it to be up.

Blank string should be between sections.

Check from both router and client:

nslookup example.org
ping 8.8.8.8

Take a look at this:

It should be fine since the OP has specified a custom metric on the WAN.

After disabling the VPN I do not have an active link. I would be seeing "Mullvad" under Iface when the VPN connection is active.

root@OpenWrt:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         gen-045-037-064 0.0.0.0         UG    20     0        0 eth0.2
45.37.64.0      *               255.255.224.0   U     20     0        0 eth0.2
66.115.180.234  gen-045-037-064 255.255.255.255 UGH   20     0        0 eth0.2
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan

With the VPN disabled
Router:

root@OpenWrt:~# nslookup example.org
Server:		127.0.0.1
Address:	127.0.0.1:53

Non-authoritative answer:
Name:	example.org
Address: 93.184.216.34

Non-authoritative answer:
Name:	example.org
Address: 2606:2800:220:1:248:1893:25c8:1946

Pinging 8.8.8.8 works from the router as well.

On my PC

Server:		127.0.0.53
Address:	127.0.0.53#53

Non-authoritative answer:
Name:	example.org
Address: 93.184.216.34
;; communications error to 127.0.0.53#53: timed out
;; communications error to 127.0.0.53#53: timed out

Pinging 8.8.8.8 works on my PC even when the VPN connection is disabled.

I tried restarting the WAN connections after disabling the VPN, but still no WAN connection. Also, I do have my VPN metric set to 10 and my WAN to 20.

It must be a problem with your DNS resolver on the client, see:

resolvectl --no-pager status

Perhaps you are advertising a VPN-specific resolver with DHCP.

Even after I disable the VPN interface, my client PC is still using the VPN's DNS. In my DHCP and DNS settings I am not setting anything in the DNS forwardings, and I don't set 10.64.0.1 anywhere I can find in my settings.

resolvectl --no-pager status
Global
       Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: foreign
      DNS Domain: lan

Link 2 (enp0s31f6)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.64.0.1
       DNS Servers: 10.64.0.1
        DNS Domain: lan
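The resolver check in the two posts above can be replayed offline. The following script is an added example, not code from the thread or from OpenWrt: it embeds the poster's `route` and `resolvectl` output as constructed sample input, does a longest-prefix match of the client's current DNS server against the routing table, and flags the case seen here, a private (RFC 1918) resolver that is covered only by the default route, which with the tunnel down means the tunnel's own DNS server is being sent out the WAN and the queries time out. The function names and the private-range test are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: replay the DNS diagnosis with the
# poster's `route` and `resolvectl` output embedded as constructed input.
# With the tunnel down, the client's resolver 10.64.0.1 is a private address
# matched only by the default route, so queries leave via eth0.2 toward a
# host that exists only inside the VPN and time out.

# Routing table rows from the thread (header line dropped).
ROUTE_TABLE='default         gen-045-037-064 0.0.0.0         UG    20     0        0 eth0.2
45.37.64.0      *               255.255.224.0   U     20     0        0 eth0.2
66.115.180.234  gen-045-037-064 255.255.255.255 UGH   20     0        0 eth0.2
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan'

# Client-side resolvectl output from the thread, trimmed to the link section.
RESOLVECTL='Link 2 (enp0s31f6)
    Current Scopes: DNS
Current DNS Server: 10.64.0.1
       DNS Servers: 10.64.0.1'

# Dotted quad -> 32-bit integer.
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# RFC 1918 test: 10/8, 172.16/12, 192.168/16.
is_private() {
    n=$(ip2int "$1")
    [ $(( n >> 24 )) -eq 10 ] && return 0
    [ $(( n >> 20 )) -eq 2753 ] && return 0     # top 12 bits of 172.16.0.0
    [ $(( n >> 16 )) -eq 49320 ] && return 0    # top 16 bits of 192.168.0.0
    return 1
}

# Longest-prefix match of an address against ROUTE_TABLE.
# Prints "<iface> <netmask-as-integer>"; the default route has mask 0.
route_match() {
    addr=$(ip2int "$1")
    best_mask=-1
    best_if=""
    while read -r dest gw mask flags metric ref use iface; do
        [ -n "$dest" ] || continue
        [ "$dest" = "default" ] && dest=0.0.0.0
        m=$(ip2int "$mask")
        [ $(( addr & m )) -eq $(( $(ip2int "$dest") & m )) ] || continue
        if [ "$m" -gt "$best_mask" ]; then
            best_mask=$m
            best_if=$iface
        fi
    done <<EOF
$ROUTE_TABLE
EOF
    [ -n "$best_if" ] && echo "$best_if $best_mask"
}

# Resolver the client is actually using, taken from the resolvectl output.
current_dns() {
    printf '%s\n' "$RESOLVECTL" | sed -n 's/^ *Current DNS Server: *//p'
}

# Verdict for one resolver address: a private resolver covered only by the
# default route is a tunnel-internal DNS server with the tunnel down.
resolver_check() {
    dns=$1
    match=$(route_match "$dns")
    if [ -z "$match" ]; then
        echo "no-route $dns"
        return 2
    fi
    iface=${match% *}
    mask=${match#* }
    if [ "$mask" -eq 0 ] && is_private "$dns"; then
        echo "unreachable-private $dns via default route on $iface"
        return 1
    fi
    echo "ok $dns via $iface"
}

# Run against the constructed data; the exit status mirrors the verdict.
resolver_check "$(current_dns)" || true
```

On a real client the two embedded strings would be replaced by the live output of `route -n` (or `ip route`) and `resolvectl status`; the check then tells you in one line whether the advertised resolver is still reachable after the tunnel goes away.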

Providing custom DNS with DHCP

Yes, that fixed my issue! I can now enable/disable the VPN without issue. My DNS will be set to the ones in the link whether the VPN connection is on or off. Thanks!
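For the fix the thread points to, pinning the DNS server that DHCP advertises so it no longer depends on the tunnel, here is an added example of the relevant /etc/config/dhcp section. This is not the poster's config: it assumes the LAN pool section is named 'lan', that the router is 192.168.1.1 as in the network config above, and that the remaining values are OpenWrt defaults.

```text
# /etc/config/dhcp (added example, not from the thread; assumes the LAN pool
# section is named 'lan' and the router is 192.168.1.1; start/limit/leasetime
# are OpenWrt defaults)
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        # DHCP option 6 (DNS servers): hand clients the router's own dnsmasq
        # instead of whatever resolver the active tunnel would otherwise
        # supply, so the client's DNS stays valid with the VPN on or off
        list dhcp_option '6,192.168.1.1'
```

The same setting can be applied from the shell with `uci add_list dhcp.lan.dhcp_option='6,192.168.1.1'`, `uci commit dhcp` and `/etc/init.d/dnsmasq restart`; the client then needs a lease renewal before `resolvectl status` shows 192.168.1.1 as its DNS server. With clients pointed at the router, which resolver the router itself uses upstream is decided once, on the router, rather than re-advertised to every client each time the tunnel changes state.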