I'm hopeful this is an easy fix, but I have exhausted my limited technical foo and scoured every posting about this, trying every suggestion that I understood, with no success. I appreciate any help that can be offered. Please note, and don't judge, I'm not a network guy and don't pretend to understand routing, etc. If the fix requires more than configuration changes, I'm going to need some hand-holding.

Problem: With the Wireguard "server" and "client" activated and running, I can access LuCI on the "client" side and SSH into the "client" Pi/OpenWrt device. I cannot access the Internet, nor can I reach the Wireguard "server".
Background:
I have a Raspberry Pi 4 Model B Rev 1.5 running OpenWrt 23.05 built as a travel router (10.6.6.1) to tunnel all traffic back to my home Internet connection.
At home I have a Raspberry Pi 4 Model B Rev 1.5 running OpenWrt 23.05 functioning as my VPN server (192.168.2.1). This Pi is connected to an xFinity gateway router (10.0.0.1).
This setup is successfully running with OpenVPN, but I wanted to experiment with Wireguard to see if I can get improved performance.
On the Wireguard experiment...
I have the Wireguard "server" side successfully installed and functioning. I can connect from a peer "client" using the Wireguard mobile app as well as the Wireguard application for Windows, surf the Internet, access the server-side Wireguard device, etc.

The final step is to get Wireguard installed on the travel router and route all traffic back to my home Internet connection, as I have done with OpenVPN and with Wireguard on my other two test devices.
Travel Router Setup
-Pi's onboard WiFi radio (radio0) used in client mode to connect to the Internet.
-Pi's onboard ethernet port (eth0) as well as a USB WiFi dongle (radio1) are used in AP mode for clients to connect to the travel router.
-The OpenVPN installation is configured with a Kill-Switch and bound to the network interface 'vpnclient' only relevant b/c
-Network interface 'GNETWRK' exists to deal with captive portals and allows users untunneled access to the Internet. SSID 'GNET' is attached to the 'GNETWRK' interface, which is assigned to the 'GNET' firewall zone.
-I assigned my 'Wireguard' network interface to the 'GNET' firewall zone as well.
Travel Router Configs (network and firewall)
**/etc/config/network**

```
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdb8:babe:c6a2::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '10.6.6.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wwan'
	option proto 'dhcp'

config interface 'vpnclient'
	option proto 'none'
	option device 'tun0'

config interface 'GNETWRK'
	option proto 'static'
	option ipaddr '192.168.8.1'
	option netmask '255.255.255.0'

config interface 'Wireguard'
	option proto 'wireguard'
	option private_key '<PrvKey>'
	option listen_port '1194'
	option auto '0'
	list addresses '192.168.9.2/32'
	list dns '1.1.1.1'
	list dns '10.0.0.1'

config wireguard_Wireguard
	option description 'WGSVR'
	option preshared_key '<PSK>'
	option endpoint_host '<xFinityWANIP>'
	option endpoint_port '1194'
	option public_key '<PubKey>'
	option route_allowed_ips '1'
	list allowed_ips '0.0.0.0/0'
```
**/etc/config/firewall**

```
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'vpnclient'

config zone
	option name 'wan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wwan'

config zone 'vpn'
	option name 'vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list device 'tun+'

config forwarding 'lan_vpn'
	option src 'lan'
	option dest 'vpn'

config zone
	option name 'GNET'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option log '1'
	option family 'ipv4'
	list network 'GNETWRK'
	list network 'Wireguard'

config forwarding
	option src 'GNET'
	option dest 'wan'

<THESE RULES WERE SETUP WHEN THE GNET FW ZONE WAS MORE LOCKED DOWN>

config rule
	option name 'GNET-DNS'
	option src 'GNET'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'GNET-DHCP'
	list proto 'udp'
	option src 'GNET'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'GNET-SSH-LuCI'
	list proto 'tcp'
	option src 'GNET'
	option dest_port '22 80 443'
	option target 'ACCEPT'

<NO CHANGES TO STANDARD RULES SO THEY ARE ABBREVIATED HERE>

config rule 'Allow-DHCP-Renew'
config rule 'Allow-Ping'
config rule 'Allow-IGMP'
config rule 'Allow-DHCPv6'
config rule 'Allow-MLD'
config rule 'Allow-ICMPv6-Input'
config rule 'Allow-ICMPv6-Forward'
config rule 'Allow-IPSec-ESP'
config rule 'Allow-ISAKMP'

<NO CHANGES TO STANDARD RULES SO THEY ARE ABBREVIATED HERE>
```
**wg show**

```
interface: Wireguard
  public key: <PubKey>
  private key: (hidden)
  listening port: 1194

peer: <PeerKey>
  preshared key: (hidden)
  endpoint: <xFinityWANIP>:1194
  allowed ips: 0.0.0.0/0
  latest handshake: 28 seconds ago
  transfer: 2.18 KiB received, 9.61 KiB sent
```
FWIW, here are two IPv4 traceroutes executed using the OpenWrt Network Diagnostics page in LuCI, with the travel router connected to my AT&T phone.

INACTIVE Wireguard tunnel:

```
traceroute to openwrt.org (139.59.209.225), 20 hops max, 46 byte packets
 1  172.20.10.1  5.653 ms
 2  107.243.2.12  92.413 ms
 3  *
 4  *
 5  *
 6  *
 7  *
 8  *
 9  *
10  *
11  *
12  62.115.44.250  163.417 ms
13  *
14  *
15  *
16  *
17  *
18  139.59.209.225  166.314 ms
```
ACTIVE Wireguard tunnel:

```
traceroute to openwrt.org (139.59.209.225), 20 hops max, 46 byte packets
 1  192.168.9.1  124.188 ms
 2  10.0.0.1  119.739 ms
 3  96.120.80.205  117.279 ms
 4  96.110.245.217  106.317 ms
 5  162.151.163.102  130.124 ms
 6  162.151.162.137  117.702 ms
 7  96.110.43.193  127.712 ms
 8  96.110.33.178  121.150 ms
 9  50.248.116.42  119.063 ms
10  62.115.143.236  128.648 ms
11  62.115.136.200  117.587 ms
12  62.115.141.245  118.175 ms
13  *
14  62.115.127.7  228.321 ms
```
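As an added check, not part of the original post: a small POSIX sh/awk script that reads UCI firewall syntax like the config above (the sample inside it is a constructed excerpt of that config) and reports, for the network carrying a tunnel interface, which zone it lands in, whether that zone has `masq` set, and which zones have a `config forwarding` pointing into it. In the posted config the 'vpn' zone that OpenVPN uses carries `masq '1'` and a `lan -> vpn` forwarding, while the 'Wireguard' network sits in 'GNET'; the script makes those three facts mechanically checkable on the router itself (it only needs BusyBox sh and awk), so the same audit can be re-run after every firewall edit. The function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): audit an OpenWrt /etc/config/firewall
# for the zone that carries a given network (e.g. the WireGuard interface) and
# report whether that zone masquerades and which zones may forward into it.
# Assumption: plain UCI syntax as in the post (config/option/list lines with
# single-quoted values). Pure POSIX sh + awk so it also runs on a BusyBox router.

# Constructed sample: an excerpt of the firewall config posted above.
FW_SAMPLE=$(cat <<'EOF'
config zone
	option name 'lan'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'vpnclient'

config zone 'vpn'
	option name 'vpn'
	option masq '1'
	list device 'tun+'

config forwarding 'lan_vpn'
	option src 'lan'
	option dest 'vpn'

config zone
	option name 'GNET'
	option forward 'ACCEPT'
	list network 'GNETWRK'
	list network 'Wireguard'

config forwarding
	option src 'GNET'
	option dest 'wan'
EOF
)

# zone_of NETWORK CONFIG: print the name of every zone whose 'list network' holds NETWORK.
zone_of() {
	printf '%s\n' "$2" | awk -v net="$1" -v q="'" '
		function unq(s) { gsub(q, "", s); return s }
		/^config zone/ { z++; inz = 1; next }
		/^config /     { inz = 0; next }
		inz && $1 == "option" && $2 == "name"    { name[z] = unq($3) }
		inz && $1 == "list"   && $2 == "network" { if (unq($3) == net) hit[z] = 1 }
		END { for (i = 1; i <= z; i++) if (hit[i]) print name[i] }
	'
}

# zone_masq ZONE CONFIG: print 1 if ZONE carries "option masq '1'", otherwise 0.
zone_masq() {
	printf '%s\n' "$2" | awk -v zone="$1" -v q="'" '
		function unq(s) { gsub(q, "", s); return s }
		/^config zone/ { z++; inz = 1; masq[z] = "0"; next }
		/^config /     { inz = 0; next }
		inz && $1 == "option" && $2 == "name" { name[z] = unq($3) }
		inz && $1 == "option" && $2 == "masq" { masq[z] = unq($3) }
		END { for (i = 1; i <= z; i++) if (name[i] == zone) print masq[i] }
	'
}

# forwardings_into ZONE CONFIG: print the src zone of every forwarding whose dest is ZONE.
forwardings_into() {
	printf '%s\n' "$2" | awk -v zone="$1" -v q="'" '
		function unq(s) { gsub(q, "", s); return s }
		/^config forwarding/ { f++; inf = 1; next }
		/^config /           { inf = 0; next }
		inf && $1 == "option" && $2 == "src"  { src[f] = unq($3) }
		inf && $1 == "option" && $2 == "dest" { dst[f] = unq($3) }
		END { for (i = 1; i <= f; i++) if (dst[i] == zone) print src[i] }
	'
}

# audit NETWORK CONFIG: one-line summary for the network that carries a tunnel.
audit() {
	zone=$(zone_of "$1" "$2")
	[ -n "$zone" ] || { echo "$1: not assigned to any zone"; return 1; }
	fwd=$(forwardings_into "$zone" "$2" | tr '\n' ' ')
	echo "$1 -> zone '$zone', masq=$(zone_masq "$zone" "$2"), forwarded into from: ${fwd:-none}"
}

# On a live router replace the sample with: audit Wireguard "$(cat /etc/config/firewall)"
audit Wireguard "$FW_SAMPLE"
audit vpnclient "$FW_SAMPLE"
```

Run on the router after `uci commit firewall` (or against a saved copy of the file) and compare the line for the 'Wireguard' network with the line for 'vpnclient', the interface the working OpenVPN setup uses; the two lines show directly how the zone placement, masquerading and inbound forwardings of the two tunnels differ.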