OpenWrt 23.05 on RP4 using Wireguard "client" peer unable to access Internet

I am hopeful this is an easy fix, but I have exhausted my limited technical foo and scoured every posting about this, trying every suggestion that I understood, with no success. I appreciate any help that can be offered. Please note, and don't judge, I'm not a network guy and don't pretend to understand routing, etc. If the fix requires more than configuration changes, I'm going to need some hand holding.

Problem: With the Wireguard "server" and "client" activated and running, I can access LuCI on the "client" side and SSH into the "client" Pi/OpenWrt device. I cannot access the Internet, nor can I reach the Wireguard "server".

Background:

I have a Raspberry Pi 4 Model B Rev 1.5 running OpenWrt 23.05 built as a travel router (10.6.6.1) to tunnel all traffic back to my home Internet connection.

At home I have a Raspberry Pi 4 Model B Rev 1.5 running OpenWrt 23.05 functioning as my VPN server (192.168.2.1). This Pi is connected to an xFinity gateway router (10.0.0.1).

This setup is successfully running with OpenVPN, but I wanted to experiment with Wireguard to see if I can get improved performance.

On the Wireguard experiment...

I have the Wireguard "Server" side successfully installed and functioning. I can connect from a peer "client" using the Wireguard mobile app as well as the Wireguard application for Windows, surf the Internet, access the server-side Wireguard device, etc.

The final step is to get Wireguard installed on the travel router and route all traffic back to my home Internet connection as I have done with OpenVPN and with Wireguard on my other two test devices.

Travel Router Setup

- Pi's onboard WiFi radio (radio0) used in client mode to connect to the Internet.
- Pi's onboard ethernet port (eth0) as well as a USB WiFi dongle (radio1) are used in AP mode for clients to connect to the travel router.
- The OpenVPN installation is configured with a Kill-Switch and bound to the network interface 'vpnclient' only relevant b/c
- Network interface 'GNETWRK' exists to deal with Captive Portals and allows users untunneled access to the Internet. SSID 'GNET' is attached to the 'GNETWRK' interface, which is assigned to the 'GNET' firewall zone.
- I assigned my 'Wireguard' network interface to the 'GNET' firewall zone as well.

Travel Router Configs (network and firewall)

**/etc/config/network**

```
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdb8:babe:c6a2::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '10.6.6.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wwan'
        option proto 'dhcp'

config interface 'vpnclient'
        option proto 'none'
        option device 'tun0'

config interface 'GNETWRK'
        option proto 'static'
        option ipaddr '192.168.8.1'
        option netmask '255.255.255.0'

config interface 'Wireguard'
        option proto 'wireguard'
        option private_key '<PrvKey>'
        option listen_port '1194'
        option auto '0'
        list addresses '192.168.9.2/32'
        list dns '1.1.1.1'
        list dns '10.0.0.1'

config wireguard_Wireguard
        option description 'WGSVR'
        option preshared_key '<PSK>'
        option endpoint_host '<xFinityWANIP>'
        option endpoint_port '1194'
        option public_key '<PubKey>'
        option route_allowed_ips '1'
        list allowed_ips '0.0.0.0/0'
```

**/etc/config/firewall**

```
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'vpnclient'

config zone
        option name 'wan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wwan'

config zone 'vpn'
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list device 'tun+'

config forwarding 'lan_vpn'
        option src 'lan'
        option dest 'vpn'

config zone
        option name 'GNET'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option log '1'
        option family 'ipv4'
        list network 'GNETWRK'
        list network 'Wireguard'

config forwarding
        option src 'GNET'
        option dest 'wan'
```

<THESE RULES WERE SETUP WHEN THE GNET FW ZONE WAS MORE LOCKED DOWN>

```
config rule
        option name 'GNET-DNS'
        option src 'GNET'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'GNET-DHCP'
        list proto 'udp'
        option src 'GNET'
        option dest_port '67'
        option target 'ACCEPT'

config rule
        option name 'GNET-SSH-LuCI'
        list proto 'tcp'
        option src 'GNET'
        option dest_port '22 80 443'
        option target 'ACCEPT'
```

<NO CHANGES TO STANDARD RULES SO THEY ARE ABBREVIATED HERE>

```
config rule 'Allow-DHCP-Renew'
config rule 'Allow-Ping'
config rule 'Allow-IGMP'
config rule 'Allow-DHCPv6'
config rule 'Allow-MLD'
config rule 'Allow-ICMPv6-Input'
config rule 'Allow-ICMPv6-Forward'
config rule 'Allow-IPSec-ESP'
config rule 'Allow-ISAKMP'
```

<NO CHANGES TO STANDARD RULES SO THEY ARE ABBREVIATED HERE>

**wg show**

```
interface: Wireguard
  public key: <PubKey>
  private key: (hidden)
  listening port: 1194

peer: <PeerKey>
  preshared key: (hidden)
  endpoint: <xFinityWANIP>:1194
  allowed ips: 0.0.0.0/0
  latest handshake: 28 seconds ago
  transfer: 2.18 KiB received, 9.61 KiB sent
```

FWIW, here are two IPv4 traceroutes executed using OpenWrt Network Diagnostics in LuCI with the travel router connected to my AT&T phone.

INACTIVE Wireguard tunnel:

```
traceroute to openwrt.org (139.59.209.225), 20 hops max, 46 byte packets
 1  172.20.10.1  5.653 ms
 2  107.243.2.12  92.413 ms
 3  *
 4  *
 5  *
 6  *
 7  *
 8  *
 9  *
10  *
11  *
12  62.115.44.250  163.417 ms
13  *
14  *
15  *
16  *
17  *
18  139.59.209.225  166.314 ms
```

ACTIVE Wireguard tunnel:

```
traceroute to openwrt.org (139.59.209.225), 20 hops max, 46 byte packets
 1  192.168.9.1  124.188 ms
 2  10.0.0.1  119.739 ms
 3  96.120.80.205  117.279 ms
 4  96.110.245.217  106.317 ms
 5  162.151.163.102  130.124 ms
 6  162.151.162.137  117.702 ms
 7  96.110.43.193  127.712 ms
 8  96.110.33.178  121.150 ms
 9  50.248.116.42  119.063 ms
10  62.115.143.236  128.648 ms
11  62.115.136.200  117.587 ms
12  62.115.141.245  118.175 ms
13  *
14  62.115.127.7  228.321 ms
```

Try this, move

To the WAN zone and reboot.
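
The zone move suggested above matters because of one option the posted `wan` zone has and `GNET` lacks: `option masq '1'`. Without it, packets forwarded from 192.168.8.x or 10.6.6.x clients leave the tunnel with their private source address, which is outside the 192.168.9.2/32 the server allows for this peer, so the server side drops them. The script below is an added example, not code from the thread or from OpenWrt: it parses a constructed excerpt of the posted UCI config (names `parse_uci`, `wireguard_zone_report` and `findings` are my own) and reports any `proto 'wireguard'` interface whose zone will not masquerade.

```python
import re
from collections import defaultdict

# Constructed excerpt of the travel router's /etc/config/network and
# /etc/config/firewall as posted in the thread (unrelated sections dropped).
NETWORK = """
config interface 'Wireguard'
        option proto 'wireguard'
        list addresses '192.168.9.2/32'
"""
FIREWALL = """
config zone
        option name 'wan'
        option masq '1'
        list network 'wwan'
config zone
        option name 'GNET'
        list network 'GNETWRK'
        list network 'Wireguard'
"""
SECTION_RE = re.compile(r"^config\s+(\S+)(?:\s+'([^']*)')?\s*$")
OPTION_RE = re.compile(r"^(?:option|list)\s+(\S+)\s+'(.*)'\s*$")

def parse_uci(text):
    """Parse UCI text into (type, name, {key: [values]}) sections."""
    sections = []
    for line in (l.strip() for l in text.splitlines()):
        if sec := SECTION_RE.match(line):
            sections.append((sec.group(1), sec.group(2) or "", defaultdict(list)))
        elif (opt := OPTION_RE.match(line)) and sections:
            sections[-1][2][opt.group(1)].append(opt.group(2))
    return sections

def wireguard_zone_report(network_text, firewall_text):
    """Map each proto 'wireguard' interface to its zone and whether masq is on."""
    wg = [n for t, n, o in parse_uci(network_text)
          if t == "interface" and o.get("proto") == ["wireguard"]]
    zones = [o for t, _, o in parse_uci(firewall_text) if t == "zone"]
    report = {}
    for iface in wg:
        zone = next((z for z in zones if iface in z.get("network", [])), None)
        report[iface] = {"zone": zone["name"][0] if zone else None,
                         "masq": bool(zone) and zone.get("masq") == ["1"]}
    return report

def findings(report):
    # One line per WireGuard interface whose zone will not NAT forwarded traffic.
    return [f"{i}: zone {r['zone']!r} has no masq, forwarded LAN traffic leaves "
            "the tunnel with its private source address" for i, r in report.items()
            if not r["masq"]]
```

Running `findings(wireguard_zone_report(NETWORK, FIREWALL))` on the posted config reports the `Wireguard` interface in `GNET`; with the interface listed under the `wan` zone instead, the report is empty.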

That did the trick! Thank you so much.
