No outbound internet access when connected to wireguard server

I have a node, connected to a switch port on my OpenWrt router, that runs a WireGuard server. I can complete the handshake fine (against both its internal IP and my external IP after forwarding UDP 51820). However, once connected to that node from the client I get no outbound internet access.

root@OpenWrt:~# cat /etc/config/network

# /etc/config/network on the OpenWrt router (output of the `cat` above).
# Loopback; standard OpenWrt default.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# IPv6 ULA prefix handed out to interfaces with 'ip6assign' (only 'lan' below).
config globals 'globals'
	option ula_prefix 'fd0b:c24d:66f8::/48'

# br-lan carries only lan4; the client laptop sits on this 192.168.1.0/24 segment.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

# Upstream via DHCP. peerdns '0' ignores the ISP-supplied resolvers and pins
# Google DNS for the router's own resolver instead (plain, unencrypted UDP/53).
config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '8.8.8.8'
	list dns '8.8.4.4'

# IPv6 upstream over DHCPv6 on the same port.
# NOTE(review): in the firewall config below every Allow-ICMPv6-* / Allow-DHCPv6
# rule is disabled, which very likely breaks neighbour discovery and DHCPv6 on
# this interface — confirm whether IPv6 upstream is wanted at all.
config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option peerdns '0'
	list dns '2001:4860:4860::8888'
	list dns '2001:4860:4860::8844'

# Guest bridge on lan2. bridge_empty '1' keeps the bridge up with no member link.
config device
	option type 'bridge'
	option name 'br-guest'
	list ports 'lan2'
	option bridge_empty '1'

# Guest network 192.168.3.0/24. NOTE(review): 'list dns' on a static interface
# presumably only sets the router's own resolver for this interface; it does not
# by itself hand 1.1.1.1 to guest clients — confirm against the dhcp config.
config interface 'guest'
	option proto 'static'
	option device 'br-guest'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	list dns '1.1.1.1'

# Cluster bridge on lan3: 172.16.0.0/24, where the three WireGuard nodes
# (172.16.0.10/.20/.30, see the redirects in the firewall config) live.
# NOTE(review): 'Cluster' is placed in the 'lan' firewall zone below, so a VPN
# client terminating on 172.16.0.30 (whose wg0 FORWARD rules accept everything)
# gets the same reach as the LAN. Give it its own zone if isolation is intended.
config device
	option type 'bridge'
	option name 'ClusterBridge'
	list ports 'lan3'
	option bridge_empty '1'

config interface 'Cluster'
	option proto 'static'
	option device 'ClusterBridge'
	option ipaddr '172.16.0.1'
	option netmask '255.255.255.0'
# /etc/config/firewall (pasted without its `cat` header).
# Default policy: nothing in, nothing forwarded, router may talk out; SYN-flood
# limiting on.
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# Trusted zone. 'vpn' is not defined anywhere in the network config above and is
# simply ignored — presumably a leftover from an earlier on-router VPN setup.
# Because 'Cluster' is in here too, 192.168.1.0/24 and 172.16.0.0/24 forward to
# each other without restriction, and both reach wan via the forwarding below.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'vpn'
	list network 'Cluster'

# Untrusted zone: masquerade everything leaving wan, clamp MSS to path MTU.
# 'WGVPN' is likewise undefined in the network config above; if it is ever
# defined, being listed here would treat the tunnel as untrusted and NAT it.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'WGVPN'

config forwarding
	option src 'lan'
	option dest 'wan'

# NOTE(review): every one of the OpenWrt default WAN input exceptions below is
# disabled (enabled '0'). That is unrelated to the WireGuard problem, but:
#  - Allow-DHCP-Renew off may make WAN lease renewals fail;
#  - Allow-ICMPv6-Input off rejects router/neighbour solicitation and
#    advertisement, so IPv6 on wan6 most likely does not work at all.
# Re-enable the ones you rely on unless IPv4-only upstream is deliberate.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'
	option enabled '0'

# Disabled: the router does not answer ping from the WAN (fine, if intended).
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

# Disabled: see the note above — this is the rule IPv6 neighbour discovery needs.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

# Disabled: packet-too-big not being forwarded would also break IPv6 PMTU for
# LAN hosts, should IPv6 ever be enabled.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

# IPsec pass-through rules, disabled; WireGuard does not need them.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option enabled '0'

# Guest zone: only the guest->wan forwarding below exists, so guests cannot
# reach lan/Cluster — correct isolation. NOTE(review): with input REJECT and the
# Guest-DHCP rule disabled, guest clients cannot get DHCP (or DNS) from the
# router itself; presumably served elsewhere or disabled knowingly. Otherwise
# set enabled '1' and add a matching rule for TCP/UDP 53.
config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'wan'

config rule
	option name 'Guest-DHCP'
	list proto 'udp'
	option src 'guest'
	option dest_port '67'
	option target 'ACCEPT'
	option enabled '0'

# Disabled and redundant either way: the 'lan' zone already has forward ACCEPT,
# which covers intra-zone (lan<->Cluster) traffic.
config rule
	list proto 'all'
	option src 'lan'
	option dest 'lan'
	option target 'ACCEPT'
	option enabled '0'

# Three WAN port forwards, one per cluster node. WireGuard stays silent to
# packets that fail authentication, so exposing these is low-risk.
# NOTE(review): check the mapping against the server discussed in this thread:
# it is 172.16.0.30 with ListenPort 51820, but 51820 is forwarded to 172.16.0.10
# (node1) and only 51822 is forwarded to 172.16.0.30. An external handshake on
# 51820 therefore reaches node1 unless node1 also runs WireGuard — confirm which
# node the "external IP" test actually hit.
config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'node1'
	option src 'wan'
	option src_dport '51820'
	option dest_ip '172.16.0.10'
	option dest_port '51820'
	list proto 'udp'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'node2'
	list proto 'udp'
	option src 'wan'
	option src_dport '51821'
	option dest_ip '172.16.0.20'
	option dest_port '51821'

# dest 'lan' is right here: 172.16.0.30 sits on 'Cluster', which is in the lan zone.
config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'node3'
	list proto 'udp'
	option src 'wan'
	option src_dport '51822'
	option dest_ip '172.16.0.30'
	option dest_port '51822'

So, to confirm: WireGuard is running on that node, and the node itself is not running OpenWrt, correct?

If that is the case, your issue might be out of scope for these forums, but let’s find out more:

  • what is the internal ip address of the node in question?
  • what is the subnet of the wireguard network?

The WireGuard server is not running on the OpenWrt device itself, but this was working before, so I assume I can get it working again with OpenWrt settings alone.

172.16.0.30 is the node running WireGuard, on the 172.16.0.0/24 subnet, and I'm connecting in from the 192.168.1.0/24 subnet.

I have IP forwarding (net.ipv4.ip_forward) enabled on the node.

What is the WireGuard tunnel subnet? It must not overlap with any of your other networks (192.168.1.0/24, 192.168.3.0/24 and 172.16.0.0/24 here).

10.0.0.0/24 — the server's own tunnel address is 10.0.0.1/24:

# WireGuard server config on the 172.16.0.30 node (not on the router).
[Interface]
PrivateKey = redacted
# Server's tunnel address; the tunnel subnet is therefore 10.0.0.0/24, which
# does not overlap the LAN (192.168.1.0/24), guest or cluster subnets.
Address = 10.0.0.1/24
# Forwards everything arriving from wg0 with no destination filter, and
# masquerades it out of eno1 (i.e. behind 172.16.0.30). Because of the
# masquerade the router only ever sees 172.16.0.30 as the source, so the
# 10.0.0.0/24 static route on the router is not needed for internet access.
# NOTE(review): this also gives every VPN client full reach into 172.16.0.0/24
# and, via the router's 'lan' zone, the LAN; add a -d filter if that is more
# than intended.
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE
# Symmetric teardown; the -D rules must match PostUp exactly or they are not found.
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eno1 -j MASQUERADE
# NOTE(review): the router's 'node3' redirect sends WAN UDP 51822 to this host,
# but this server listens on 51820 — which the router forwards to 172.16.0.10.
# Confirm which node the external handshake is actually reaching.
ListenPort = 51820

# Single peer. AllowedIPs is both the route into the tunnel and the source
# filter for packets from this peer, so the client's Address must lie inside it.
# (The fix at the end of the thread mentions 10.0.0.4 — presumably a different
# peer or a later edit; 10.0.0.4 would not be accepted under 10.0.0.2/32.)
[Peer]
PublicKey = redacted
AllowedIPs = 10.0.0.2/32

OK. You can try setting a static route on your router, so that replies for the tunnel subnet are sent to the WireGuard host:

10.0.0.0/24 via 172.16.0.30


In LuCI, is this the correct setup?

I'm still not able to get outbound access with this configuration. 'Cluster' is the interface for the 172.16.0.0/24 subnet.

The gateway of that route needs to be the address of the host running the WireGuard server, i.e. 172.16.0.30.


I've updated it as below, setting the gateway to the IP of the node running the WG server, but still no luck.

After SSHing into the router, I can confirm the route is present:

10.0.0.0/24 via 172.16.0.30 dev ClusterBridge

Actually, the route may not be necessary, because I see that you set up masquerading on the host running WireGuard: its PostUp rule NATs tunnel clients to the host's eno1 address, so the router never sees 10.0.0.x source addresses at all.

But that said, the problem is not OpenWrt related, because WireGuard is not actually running on an OpenWrt host.

Check the firewall and routing configuration on the host itself.


Dang, I'm just at a loss as to what could have happened. I changed some OpenWrt config last night, and after that the VPN stopped working.

# Revised PostUp/PostDown (the enclosing [Interface] section is not shown here).
# -i %i ACCEPT: anything from the tunnel may be forwarded anywhere (no -d filter).
# -o %i ACCEPT: anything the host forwards may be sent *into* the tunnel,
#   unsolicited. NOTE(review): prefer
#   `iptables -A FORWARD -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT`
#   unless LAN hosts are meant to initiate connections to VPN clients.
# The rules are appended (-A). Docker is present on this host (docker0 route
#   below) and typically installs its own FORWARD policy/chains, so verify with
#   `iptables -L FORWARD -v -n` that these rules are actually reached.
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE; sysctl -w net.ipv4.ip_forward=1
# NOTE(review): `net.ipv4.ip_forward=0` here turns off forwarding for the whole
# host whenever the tunnel goes down, not just for wg0 — that would likely break
# Docker container networking on this node too. Drop it (persist ip_forward=1 via
# sysctl.d instead) and leave forwarding on.
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eno1 -j MASQUERADE; sysctl -w net.ipv4.ip_forward=0

Is there anything on the OpenWrt side that might resolve this? This forwarding/NAT config seems correct as far as I can tell.

What did you change?

Following a question you and I were discussing last night, I basically wiped any rules and routes I had, but these nodes were also recently imaged with a fresh Linux install, so things should be a clean slate.

Judging by the routes on the WireGuard host:

default via 172.16.0.1 dev eno1 proto dhcp src 172.16.0.30 metric 100
10.0.0.0/24 dev wg0 proto kernel scope link src 10.0.0.1
172.16.0.0/24 dev eno1 proto kernel scope link src 172.16.0.30 metric 100
172.16.0.1 dev eno1 proto dhcp scope link src 172.16.0.30 metric 100
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown

It seems logical to me that this should allow outbound internet traffic. I'm obviously missing something, but it's hard to discern what.

The above seems contradictory.
But anyway, you wrote that you could get a proper handshake and could reach your WG server from outside.

If you cannot get outbound internet traffic when connected from outside via your WG server, then the return route for the WG subnet is probably missing: the router has to know that 10.0.0.0/24 lives behind 172.16.0.30 — unless the server masquerades tunnel traffic, which your PostUp rule does.

As @psherman already noted, set a static route for the WG subnet pointing to the WG server.


The port-forward rule exists, but it only matters for connections arriving from the WAN; I'm connecting from my laptop to 172.16.0.30 directly as the WG endpoint.

I've added the static route though and still no luck.

This route looks OK: No outbound internet access when connected to wireguard server - #9 by Schachte

If that means you are testing from inside your own LAN, that in itself could be the problem.
Better to test your WG server from outside, e.g. with a phone or a laptop on a cellular hotspot.

I get the same result when using a mobile hotspot.

Ugh, I had the wrong address in the client config!

The client's [Interface] Address was 172.16.0.4 instead of 10.0.0.4 — it has to be inside the tunnel subnet (10.0.0.0/24), and the server's AllowedIPs for that peer has to cover it.

Thanks guys, much appreciated for the help and tips. I was beginning to lose it.

