No internet after setting up wireguard interface

Hi,
I am trying to set up a WireGuard connection, but as soon as I create the interface through LuCI I lose IPv4 connectivity to the internet. I can, however, still reach the internet over IPv6 (at least those sites that support IPv6).
I am confused about why the new interface is already capturing all of my traffic. Ultimately, I'd like WireGuard to be used only by clients on a separate Wi-Fi network, let's call it wg-wifi.
These are the steps that I performed so far:

  1. Install the luci-app-wireguard package with all its dependencies
  2. After rebooting the router, create a new interface named wg0 with the protocol "WireGuard VPN"
  3. Use a WireGuard configuration file to set up the interface and its peer
  4. Also create a new firewall zone named vpn, configured with the same values as the wan zone

After Save & Apply I lose IPv4 connectivity to the internet; IPv4 within my local network keeps working.
I am seeing a handshake in the wireguard status.

These are my config files after adding the wg0 interface (keys and hostnames redacted):

cat /etc/config/network

# /etc/config/network (OpenWrt 22.03, as posted; keys and hostnames redacted).
# NOTE: '#' comments are accepted by the uci parser, but `uci commit` / LuCI
# rewrite this file and drop them.

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	# IPv6 ULA prefix; the per-network ip6hint values below carve /64s out of it
	option ula_prefix 'fd01:c00l:cafe::/48'

# LAN bridge: wired eth0 plus VLAN 3 carried over the batman-adv mesh (bat0.3)
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	list ports 'bat0.3'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.3.1'
	option ip6assign '64'
	# -> fd01:c00l:cafe:a::/64; the firewall's Pi-hole rules reference hosts in it
	option ip6hint 'a'

# Upstream on eth1: DHCP for IPv4, DHCPv6 for IPv6 (both are members of the
# 'wan' firewall zone)
config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix '60'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 0'

# IoT and guest networks live on their own bridges (mesh VLANs 133 and 33)
# and have their own firewall zones; see /etc/config/firewall
config interface 'iot'
	option proto 'static'
	option ipaddr '192.168.133.1'
	option netmask '255.255.255.0'
	option device 'br-iot'
	option ip6assign '64'
	option ip6hint 'c'

config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.33.1'
	option netmask '255.255.255.0'
	option device 'br-guest'
	option ip6assign '64'
	option ip6hint 'b'

# batman-adv mesh: bat0 is the virtual L2 device, batmesh the 802.11s hard
# interface attached to it. Neither carries an IP address, so neither is in a
# firewall zone; the per-VLAN bridges (bat0.3 / .33 / .133) do the L3 work.
config interface 'bat0'
	option proto 'batadv'
	option routing_algo 'BATMAN_IV'
	option bridge_loop_avoidance '1'
	# this node announces itself as the mesh gateway
	option gw_mode 'server'
	option hop_penalty '30'

config interface 'batmesh'
	option proto 'batadv_hardif'
	option master 'bat0'

config device
	option type 'bridge'
	option name 'br-iot'
	list ports 'bat0.133'
	# keep the bridge up even while the mesh VLAN port is absent
	option bridge_empty '1'

config device
	option type 'bridge'
	option name 'br-guest'
	list ports 'bat0.33'
	option bridge_empty '1'

# WireGuard tunnel. This router acts as the client side: no listen_port is set
# (WireGuard picks an ephemeral one), the peer has an endpoint and keepalives.
config interface 'wg0'
	option proto 'wireguard'
	# secret, redacted in the post; if the real key was ever pasted, rotate it
	option private_key 'SomeKey'
	# address of this end inside the tunnel
	list addresses '192.168.16.253/24'
	# peerdns=0 ignores resolvers pushed by the peer. The dns list below is
	# not the place to steer clients to tunnel-side resolvers (see the reply
	# in this thread); upstream resolvers belong in the dnsmasq config.
	# Check /tmp/resolv.conf.d/resolv.conf.auto to see what is actually used.
	option peerdns '0'
	list dns '192.168.16.2'
	list dns '192.168.16.1'

config wireguard_wg0
	option description 'WireguardVPN'
	# the peer is authenticated by this key, not by the endpoint name
	option public_key 'PublicKey'
	# optional extra symmetric secret mixed into the handshake
	option preshared_key 'PresharedKey'
	# allowed_ips is both the route list and the inbound source filter: with
	# 0.0.0.0/0 every packet the peer sends is accepted into wg0 whatever its
	# source address, so the 'vpn' firewall zone must stay strict. The /24
	# entry is redundant with 0.0.0.0/0.
	list allowed_ips '192.168.16.0/24'
	list allowed_ips '0.0.0.0/0'
	# with route_allowed_ips=1 the 0.0.0.0/0 entry installs a default route via
	# wg0 as soon as the tunnel is up — this is what pulled all IPv4 traffic
	# into the tunnel (and into the 'vpn' zone, which has no forwarding from
	# lan/iot/guest). Disable it, or add zone forwarding / PBR deliberately.
	option route_allowed_ips '1'
	# DynDNS name, resolved when the interface starts, so wan must be up
	# first. A wrong or spoofed answer can only break the handshake, not
	# redirect the tunnel to an impostor, since the peer is keyed by
	# public_key.
	option endpoint_host 'someDynDns'
	option endpoint_port '54321'
	# keeps the NAT / stateful mapping towards the peer alive
	option persistent_keepalive '25'
cat /etc/config/wireless

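# /etc/config/wireless (as posted; passphrases redacted as 'someKey').
# One fix applied below: the mesh 'key' line was missing its closing quote,
# which uci would refuse to parse.

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'soc/40000000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'
	option channel '149'

# Main LAN SSID on the 5 GHz radio. WPA2-PSK with CCMP pinned; 802.11r fast
# transition with locally generated FT keys (no key-holder list needed).
config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'SSID 2'
	option encryption 'psk2+ccmp'
	option key 'someKey'
	option ieee80211r '1'
	option ft_over_ds '0'
	# derive PMK-R0/R1 from the PSK; the mobility_domain must match on every
	# AP that serves this SSID
	option ft_psk_generate_local '1'
	option mobility_domain '1003'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/a000000.wifi'
	option band '2g'
	option cell_density '0'
	option htmode 'HT20'
	option channel '11'

# Main LAN SSID on the 2.4 GHz radio; same security settings as above
config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'SSID 1'
	option key 'someKey'
	option ieee80211r '1'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option mobility_domain '0003'
	option encryption 'psk2+ccmp'

config wifi-device 'radio2'
	option type 'mac80211'
	option path 'platform/soc/a800000.wifi'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'

# Mesh backhaul (5 GHz): 802.11s secured with SAE. Frame forwarding is left
# to batman-adv (mesh_fwding 0); the 'batmesh' network attaches it to bat0.
config wifi-iface 'default_radio2'
	option device 'radio2'
	option mode 'mesh'
	option mesh_id 'beach-mesh'
	option mesh_rssi_threshold '0'
	option encryption 'sae'
	# closing quote restored (was missing in the posted listing)
	option key 'someKey'
	option mesh_fwding '0'
	option network 'batmesh'

# IoT SSID (2.4 GHz), isolated in the 'iot' firewall zone. Note 'psk2' here
# does not pin the cipher the way the other APs do ('psk2+ccmp'); consider
# making it consistent.
config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option ssid 'IOT'
	option key 'someKey'
	option network 'iot'
	option ieee80211r '1'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option mobility_domain '0133'
	option encryption 'psk2'

# Guest SSID, currently disabled. '12345678' is a placeholder-grade PSK:
# a captured WPA2-PSK handshake can be attacked offline, so set a long
# random passphrase before enabling this network.
config wifi-iface 'wifinet4'
	option device 'radio1'
	option mode 'ap'
	option ssid 'Guest'
	option encryption 'psk2+ccmp'
	option network 'guest'
	option key '12345678'
	option disabled '1'
	option ieee80211r '1'
	option mobility_domain '0033'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'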
cat /etc/config/firewall

# /etc/config/firewall (OpenWrt 22.03 -> fw4/nftables). Rule order matters,
# so sections are kept as posted; only comments were added.

# Policies for traffic on interfaces that belong to no zone. input ACCEPT is
# the stock default, so every L3 interface should be assigned to a zone
# (wg0 is, via the 'vpn' zone at the bottom).
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	# intra-zone forwarding allowed
	option forward 'ACCEPT'
	list network 'lan'

# Internet-facing zone: nothing in, NAT out, MSS clamping on
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

# The only forwarding out of lan. There is no lan -> vpn forwarding, so once
# the default route points at wg0 the 'vpn' zone's REJECT policy drops it.
config forwarding
	option src 'lan'
	option dest 'wan'

# --- stock OpenWrt input rules for wan ---
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Stock rules that forward IPsec (ESP and IKE/UDP 500) from the internet into
# the LAN. Only useful if an IPsec endpoint runs on the LAN; otherwise they
# can be disabled to shrink the wan -> lan surface.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

# Legacy iptables hook. On 22.03 the firewall is fw4/nftables, so iptables
# rules placed in this file will not become part of the ruleset; custom rules
# belong in /etc/nftables.d/*.nft (verify with `fw4 print`).
config include
	option path '/etc/firewall.user'

# --- IoT: isolated zone, internet only, DNS/DHCP to the router and the two
# Pi-holes on the LAN ---
config zone
	option name 'iot'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'
	list network 'iot'

config forwarding
	option src 'iot'
	option dest 'wan'

# no dest -> input to the router itself (dnsmasq), any protocol, port 53
config rule
	option name 'IOT DNS'
	option src 'iot'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'IOT DHCP'
	list proto 'udp'
	option src 'iot'
	option dest_port '67'
	option target 'ACCEPT'

# UDP only: DNS over TCP (used when an answer is truncated) is rejected by
# this rule set; add `list proto 'tcp'` if Pi-hole clients need it.
# The v6 targets sit in lan's fd01:c00l:cafe:a::/64 (ip6hint 'a').
config rule
	option name 'IOT PiHole Access'
	list proto 'udp'
	option src 'iot'
	option dest 'lan'
	option dest_port '53'
	option target 'ACCEPT'
	list dest_ip '192.168.3.2'
	list dest_ip '192.168.3.22'
	list dest_ip 'fd01:c00l:cafe:a::2'
	list dest_ip 'fd01:c00l:cafe:a::22'

# --- Guest: same pattern as iot (the Guest SSID itself is currently
# disabled in /etc/config/wireless) ---
config zone
	option name 'guest'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'wan'

config rule
	option name 'Guest DNS'
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Guest DHCP'
	list proto 'udp'
	option src 'guest'
	option dest_port '67'
	option target 'ACCEPT'

# UDP only, same DNS-over-TCP caveat as the iot rule above
config rule
	option name 'Guest PiHole Access'
	list proto 'udp'
	option src 'guest'
	option dest 'lan'
	option dest_port '53'
	option target 'ACCEPT'
	list dest_ip '192.168.3.2'
	list dest_ip '192.168.3.22'
	list dest_ip 'fd01:c00l:cafe:a::2'
	list dest_ip 'fd01:c00l:cafe:a::22'

# Port forward: UDP/1194 from the internet to the OpenVPN host on the LAN.
# That host is directly exposed; keep it patched.
config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'OpenVPN'
	list proto 'udp'
	option src 'wan'
	option src_dport '1194'
	option dest_ip '192.168.3.3'
	option dest_port '1194'

# WireGuard zone. input/forward REJECT matter here: the peer's allowed_ips is
# 0.0.0.0/0, so anything it sends is accepted into wg0 and only these
# policies contain it. No forwarding from lan/iot/guest into this zone exists,
# which is why forwarded IPv4 dies once the default route moves to wg0 (see
# the reply in this thread). If traffic is later forwarded into the tunnel,
# `option mtu_fix '1'` (MSS clamping) is commonly needed as well.
config zone
	option name 'vpn'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wg0'
	option input 'REJECT'
	option masq '1'

My main router is a Linksys MR8300 running OpenWrt 22.03.2, and my two mesh nodes / dumb access points are also MR8300s on OpenWrt 22.03.2.

The behavior you are seeing is expected based on your current configuration.

Once WireGuard starts with route_allowed_ips enabled, it installs a route for every allowed_ips entry. Because one of them is 0.0.0.0/0, a default route for all IPv4 traffic now points at wg0, and your routing table has been updated to do exactly that. However, your firewall has no forwarding rules from lan (or guest/iot) to vpn, so the vpn zone's forward policy of REJECT drops that traffic — which is why IPv4 to the internet stops while IPv6, which 0.0.0.0/0 does not cover, keeps working.

If you set up zone forwarding (lan → vpn, guest → vpn) you should see IPv4 services work normally again — but then all IPv4 traffic from those networks goes through the tunnel. Alternatively, disable route_allowed_ips and the routing table will not be affected when WireGuard comes up. Note that 0.0.0.0/0 in allowed_ips also acts as the inbound filter on wg0: the peer may send packets with any source address into the tunnel, and it is the vpn zone's input/forward REJECT policies that keep those contained, so keep that zone strict either way.

If you want one specific network (your wg-wifi) to use the tunnel while the others do not, you need Policy Based Routing (PBR) to achieve that — a plain routing table cannot express "default route via wg0 only for traffic coming from one network".

Finally, a few minor things (not related to your problem):

You can remove the DNS-related options (peerdns and the dns list) from the wg0 interface; they don't accomplish anything here. Upstream DNS servers for your clients need to be set in dnsmasq (DHCP and DNS settings), not on the WireGuard interface.

You don't need the 192.168.16.0/24 entry in allowed_ips, because the next entry, 0.0.0.0/0, already includes it. This doesn't cause any problems; it just isn't needed.


Wow @psherman , thank you so much! Your response was incredibly helpful!
I also removed the options that are no longer needed, and for now I have a running WireGuard interface that is connected to its peer and does not interfere with my existing networks. I am now reading up on PBR; my first guess is to take the "Route LAN to OpenVPN" example and adapt it to WireGuard.

A quick question on:

Would I do this on the new interface I'll create for the network that should use WireGuard? Maybe like this, as a DHCP option:


Am I on the wrong track?

Thanks a lot for all your help @psherman :slight_smile: