Hello! I have an issue with a WireGuard setup on an OpenWrt router.
I can `ping -I wg0 google.com`
from the router over SSH, but LAN clients have no access to the internet.
I've read/watched a few guides, and all of them set up the firewall the same way as shown below, but it does not work for me.
Setup:
The OpenWrt router (AX3600) is connected to a coax router that has internet access.
The OpenWrt router is configured as the DMZ host of the coax router.
Ping from client:
PING 8.8.8.8 (8.8.8.8): 56 data bytes
92 bytes from openwrt (192.168.1.1): Destination Port Unreachable
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 5400 e318 0 0000 3f 01 c6ce 192.168.1.10 8.8.8.8
Request timeout for icmp_seq 0
92 bytes from openwrt (192.168.1.1): Destination Port Unreachable
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 5400 15d7 0 0000 3f 01 9410 192.168.1.10 8.8.8.8
Request timeout for icmp_seq 1
92 bytes from openwrt (192.168.1.1): Destination Port Unreachable
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 5400 614e 0 0000 3f 01 4899 192.168.1.10 8.8.8.8
Request timeout for icmp_seq 2
92 bytes from openwrt (192.168.1.1): Destination Port Unreachable
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 5400 4987 0 0000 3f 01 6060 192.168.1.10 8.8.8.8
Request timeout for icmp_seq 3
92 bytes from openwrt (192.168.1.1): Destination Port Unreachable
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 5400 f97c 0 0000 3f 01 b06a 192.168.1.10 8.8.8.8
^C
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 0 packets received, 100.0% packet loss
cat /etc/config/network
# /etc/config/network (UCI syntax; '#' starts a comment). Review notes added, values unchanged.
# Loopback interface, stock definition.
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
# IPv6 ULA prefix; the 'lan' interface below takes a /60 out of it via ip6assign.
config globals 'globals'
option ula_prefix 'fdcf:fbc0:248f::/48'
# Bridge over the three LAN switch ports; 'lan' sits on this device.
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
option mtu '1500'
# LAN side of the router: static 192.168.1.1/24, clients such as 192.168.1.10 in the ping output live here.
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ip6assign '60'
list ipaddr '192.168.1.1/24'
# NOTE(review): 192.168.0.1 is not inside 192.168.1.0/24, so it is not directly reachable through br-lan.
# A gateway on a static interface installs a default route for that interface, which then competes with the
# defaults learned on 'wan' (DHCP) and installed by wg0 (route_allowed_ips below). Confirm this is intended;
# `ip route` on the router shows which default route the kernel actually uses.
option gateway '192.168.0.1'
# Upstream side: DHCP from the coax router. peerdns '0' ignores the DNS servers that DHCP hands out;
# the only DNS server configured anywhere in this file is 10.8.0.1 on wg0.
config interface 'wan'
option device 'wan'
option proto 'dhcp'
option peerdns '0'
config device
option name 'wan'
option ipv6 '1'
# WireGuard tunnel interface. Private key redacted in the post. Single /32 address, so LAN clients
# can only use the tunnel if their source is masqueraded to 10.8.0.3 (done by the 'vpn' zone in the firewall).
# MTU 1200 is below the 1500 of br-lan, which is why the vpn zone sets mtu_fix.
config interface 'wg0'
option proto 'wireguard'
option private_key 'XXXXX'
list addresses '10.8.0.3/32'
option mtu '1200'
list dns '10.8.0.1'
# Single peer. allowed_ips 0.0.0.0/0 with route_allowed_ips '1' makes netifd install an IPv4 default route
# via wg0. No IPv6 prefix is listed, so IPv6 traffic from the LAN (the ULA/ip6assign above) is not sent
# through the tunnel — presumably intended, verify. persistent_keepalive '0' disables keepalives.
config wireguard_wg0
option description 'DO'
option public_key 'XXXXX'
list allowed_ips '0.0.0.0/0'
option route_allowed_ips '1'
option endpoint_host 'XXXXX'
option endpoint_port '51820'
option persistent_keepalive '0'
cat /etc/config/firewall
# /etc/config/firewall (UCI syntax; '#' starts a comment). Review notes added, values unchanged.
# Policies for traffic that matches no zone rule. REJECT answers with an ICMP error instead of dropping;
# for IPv4 that is typically the "Destination Port Unreachable" from 192.168.1.1 seen in the client ping
# output, i.e. the router itself is refusing to forward the packets.
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
# LAN zone: fully open towards the router and for intra-zone forwarding.
config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
# WAN zone: inbound rejected, outbound masqueraded. 'tun+' also places any interface named tun* in this
# zone; wg0 does not match that pattern, so it has no effect on the WireGuard tunnel — likely a leftover
# from an earlier (OpenVPN-style) setup, NOTE(review): confirm and remove if unused.
config zone 'wan'
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option mtu_fix '1'
list device 'tun+'
list network 'wan'
option masq '1'
# The following Allow-* rules appear to be the stock OpenWrt input rules for the wan zone
# (DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6).
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# These two forward ESP and UDP/500 (IKE) from wan into the whole lan zone. Since the router is the DMZ
# host of the upstream router, they are reachable from the internet. NOTE(review): keep only if an IPsec
# endpoint actually exists on the LAN; otherwise remove.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# DNAT of every UDP port 1024-65535 arriving on wan to 192.168.1.16. NOTE(review): this exposes a
# ~64k-port UDP range on one LAN host to the internet (DMZ upstream); narrow src_dport/dest_port to the
# ports that host really needs.
config redirect
option target 'DNAT'
option name 'switch'
option dest_ip '192.168.1.16'
option src 'wan'
option dest 'lan'
list proto 'udp'
option src_dport '1024-65535'
option dest_port '1024-65535'
# VPN zone around wg0. masq '1' rewrites LAN sources to the tunnel's 10.8.0.3 (required, the tunnel only
# has a /32). mtu_fix clamps TCP MSS to fit the 1200-byte wg0 MTU. output ACCEPT is why `ping -I wg0`
# from the router itself works.
config zone
option name 'vpn'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option mtu_fix '1'
list network 'wg0'
option masq '1'
# Only lan->vpn forwarding is declared; there is no lan->wan forwarding. That works as a kill switch when
# the wg0 default route is active, but any LAN packet the routing table sends out via 'wan' instead is
# rejected by the defaults policy — consistent with the port-unreachable replies in the ping output if the
# kernel still prefers a non-wg0 default route (e.g. the gateway set on the 'lan' interface in
# /etc/config/network). NOTE(review): check `ip route` / `ip route get 8.8.8.8` on the router before adding
# a lan->wan forwarding, since that would let traffic bypass the tunnel.
config forwarding
option src 'lan'
option dest 'vpn'
Thank you in advance!