No internet access from WireGuard clients

Hello all :wave:

I'm a newbie with OpenWrt; I bought a used Netgear R7800 router to install version 19.07.

My network is pretty simple:

  • A br-lan interface (192.168.10.0/24) with wireless bridged, using the fiber router (192.168.10.254) as gateway
  • A vpn interface (10.0.10.0/24) using the WireGuard VPN protocol, assigned to the lan firewall zone

Here are the configs:

# cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'vpn'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

# cat /etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd4a:6028:22d3::/48'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.10.248'
	list dns '8.8.8.8'
	list dns '8.8.4.4'
	option gateway '192.168.10.254'
	option ip6assign '64'
	option ifname 'eth1.1'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5 0t'

config interface 'vpn'
	option proto 'wireguard'
	option listen_port '51820'
	option private_key 'xxxxxxxxx'
	list addresses '10.0.10.254/24'

config wireguard_vpn
	option public_key 'xxxxxxx'
	option description 'lweber'
	option preshared_key 'xxxxxxx'
	option persistent_keepalive '25'
	option route_allowed_ips '1'
	list allowed_ips '10.0.10.0/24'

On the client machine:

# /etc/wireguard/wg.conf

[Interface]
PrivateKey = xxxx
Address = 10.0.10.1/32

[Peer]
PublicKey = xxxx
Endpoint = 1.2.3.4:51820
# 0.0.0.0/0: send all IPv4 traffic through the tunnel (full-tunnel client)
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
PresharedKey = xxxx

I'm trying to route all traffic through the VPN tunnel to my LAN network.
The handshake is successful, and I can ping all my LAN devices except my modem router (192.168.10.254), which is defined as my LAN gateway, so my client machine has no internet access through the VPN tunnel.

I don't have a lot of network skills, but I wonder if the problem is related to a missing route on the OpenWrt router? What do you think?

Thanks for reading.


One thing that appears to be missing is a firewall rule to allow inbound WireGuard traffic; e.g.:

config rule
	option src '*'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '51820'
	option name 'Allow-Wireguard-Inbound'

This might not solve it entirely, but it's at least a piece of the puzzle that's missing.

@Neonox31, try enabling masquerading on the LAN firewall zone.

@tectonic, looks like this is not the main router.


Thanks for your answer.

The handshake is done correctly so I don't think the port is blocked.

Thanks a lot, enabling masquerading seems to work!

Can you please explain to me what masquerading does on the network?


The main router has no route to the VPN network.
So, you need to explicitly add the route or enable masquerading.

OK thanks, when you talk about the 'main router', do you mean the modem router (192.168.10.254)?
How does masquerading avoid the need to add the route?

Sorry for my questions, I'm trying to understand :slightly_smiling_face:

Masquerading is a workaround for the missing route.
The route should be on 192.168.10.254 to 10.0.10.254/24 via 192.168.10.248.

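The return-path problem the last two replies describe, and both fixes, replayed in a small Python model. This is an added example, not code from the thread or from OpenWrt: it implements a longest-prefix route lookup over the three routing tables involved (the OpenWrt box, the main router as posted, and the main router with the suggested static route) plus a toy version of what `option masq '1'` does, then follows a ping from 10.0.10.1 to 192.168.10.254 and its reply. Addresses are the ones in the thread; the ISP gateway 203.0.113.1 and the interface names `lan`/`wan` on the main router are assumptions.

```python
"""Replay of the return path that fails in the thread above, and of the two fixes.
Added example, not code from the forum thread. Addresses are the poster's; the
ISP-side gateway 203.0.113.1 is a constructed placeholder."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

OPENWRT_LAN_IP = "192.168.10.248"  # br-lan address of the OpenWrt box
MAIN_ROUTER_IP = "192.168.10.254"  # fibre/modem router, the LAN default gateway
CLIENT_VPN_IP = "10.0.10.1"        # WireGuard client's tunnel address


@dataclass(frozen=True)
class Route:
    prefix: str             # "0.0.0.0/0" is the default route
    dev: str                # egress interface
    via: str | None = None  # next hop; None means directly connected


def lookup(table: list[Route], dst: str) -> Route:
    """Longest-prefix match, as the kernel FIB does (every table here has a default)."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in table if addr in ipaddress.ip_network(r.prefix)]
    return max(hits, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class Masquerade:
    """Toy model of `option masq '1'`: traffic leaving the zone gets its source rewritten
    to the router's address on that zone and the mapping is kept so the reply can be
    rewritten back. Real conntrack keys on the 5-tuple; the remote address is enough here."""

    def __init__(self, zone_ip: str) -> None:
        self.zone_ip = zone_ip
        self.conntrack: dict[str, str] = {}

    def outbound(self, pkt: Packet) -> Packet:
        self.conntrack[pkt.dst] = pkt.src
        return Packet(src=self.zone_ip, dst=pkt.dst)

    def inbound(self, pkt: Packet) -> Packet:
        original_src = self.conntrack.get(pkt.src)
        if pkt.dst == self.zone_ip and original_src is not None:
            return Packet(src=pkt.src, dst=original_src)
        return pkt


OPENWRT = [
    Route("192.168.10.0/24", dev="br-lan"),
    Route("10.0.10.0/24", dev="vpn"),  # installed by route_allowed_ips '1'
    Route("0.0.0.0/0", dev="br-lan", via=MAIN_ROUTER_IP),
]
# The poster's main router knows nothing about 10.0.10.0/24 ...
MAIN_ROUTER_BROKEN = [
    Route("192.168.10.0/24", dev="lan"),
    Route("0.0.0.0/0", dev="wan", via="203.0.113.1"),  # constructed ISP gateway
]
# ... until the static route from the last reply is added to it (fix 1).
MAIN_ROUTER_WITH_ROUTE = MAIN_ROUTER_BROKEN + [Route("10.0.10.0/24", dev="lan", via=OPENWRT_LAN_IP)]


def ping_main_router(main_router: list[Route], nat: Masquerade | None) -> tuple[bool, list[str]]:
    """Client pings the main router through the tunnel; returns (reply_delivered, trace).
    A reply arriving from the WAN for 10.0.10.1 hits the same lookup, which is why
    internet access fails too."""
    trace: list[str] = []
    pkt = Packet(src=CLIENT_VPN_IP, dst=MAIN_ROUTER_IP)

    # OpenWrt forwards the request out of br-lan (vpn and lan share a zone, forward ACCEPT).
    egress = lookup(OPENWRT, pkt.dst)
    if nat is not None:  # fix 2: masquerading on the lan zone rewrites the source
        pkt = nat.outbound(pkt)
    trace.append(f"openwrt -> {egress.dev}: {pkt.src} -> {pkt.dst}")

    # The main router answers whatever source address it saw.
    reply = Packet(src=MAIN_ROUTER_IP, dst=pkt.src)
    route = lookup(main_router, reply.dst)
    trace.append(f"main router: {reply.dst} matches {route.prefix} dev {route.dev} via {route.via}")
    if route.dev != "lan" or (route.via or reply.dst) != OPENWRT_LAN_IP:
        trace.append("reply never reaches the OpenWrt box (a private destination handed to the ISP is dropped)")
        return False, trace

    # Back on OpenWrt: undo the NAT if any, then route into the tunnel.
    if nat is not None:
        reply = nat.inbound(reply)
    back = lookup(OPENWRT, reply.dst)
    trace.append(f"openwrt -> {back.dev}: {reply.src} -> {reply.dst}")
    return back.dev == "vpn", trace


if __name__ == "__main__":
    for label, table, nat in [("no route, no masquerade", MAIN_ROUTER_BROKEN, None),
                              ("static route on main router", MAIN_ROUTER_WITH_ROUTE, None),
                              ("masquerade on OpenWrt lan zone", MAIN_ROUTER_BROKEN, Masquerade(OPENWRT_LAN_IP))]:
        ok, trace = ping_main_router(table, nat)
        print(f"{label}: {'reply delivered' if ok else 'reply lost'}\n    " + "\n    ".join(trace))
```

The first scenario shows the reply to 10.0.10.1 leaving the main router through its WAN: the request arrives fine, but the only route the main router has for 10.0.10.0/24 is its default, so the answer goes to the ISP and is dropped. On the main router, fix 1 is `ip route add 10.0.10.0/24 via 192.168.10.248` (or the static-route page of its web UI); fix 2 on OpenWrt is `uci set firewall.lan.masq='1'; uci commit firewall; /etc/init.d/firewall restart`. Masquerading works because the main router then only ever sees 192.168.10.248, which also means LAN-side logs and ACLs can no longer tell VPN clients apart; the static route keeps the real 10.0.10.x source visible. Since the lan zone here carries both the lan and vpn networks, masquerading applies to everything leaving either of them; `list masq_src '10.0.10.0/24'` on the zone restricts it to tunnel sources.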
