OpenWrt not routing traffic

Hi,

For performance reasons, I want to migrate from openvpn to wireguard on my home router. The setup works, the wireguard client connects and can ping the wireguard server. However, it cannot contact anything on the local lan or the Internet. Traceroute on the client shows that traffic does go to the wireguard server.

As far as I can see, the routing seems to be correct. I must be missing something. I hope someone has time to look over my configuration and point out what I'm doing wrong.

Greetings, Remon

#cat /etc/config/network

# Loopback; stock OpenWrt definition, unchanged.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# Stock globals. Note that the WireGuard interface further down carries its
# own ULA (fdf1:e8a1:8d3f:9::/64), which is not inside this prefix.
config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fdb5:2175:2a75::/48'

# LAN bridge over the two switch ports.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'

# NOTE(review): 'lan' is a DHCP *client*, so this box is not the network's
# default gateway -- it sits behind the ISP router (confirmed in the replies
# below). LAN hosts therefore have no route back to 192.168.9.0/24 unless one
# is added on the ISP router or on each host, or the VPN traffic is NATed to
# this box's LAN address. That missing return route, not the WireGuard
# configuration, is the cause of the symptom in the question.
config interface 'lan'
	option proto 'dhcp'
	option device 'br-lan'

# Both WAN interfaces share the physical 'wan' port. Per the replies below
# this box is a LAN device behind the ISP router, so "wan" here is the home
# network, not the Internet directly.
config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

# WireGuard server interface. Assigning 192.168.9.1/24 here already gives the
# kernel a connected route for 192.168.9.0/24 via this interface, which is
# why 'route_allowed_ips' on the peer (suggested below) made no difference:
# the peer's /32 lies inside that /24 on the same interface.
# The private key is redacted in the post; never paste the real one.
# listen_port must match the Allow-WireGuard rule in /etc/config/firewall.
config interface 'vpn'
	option proto 'wireguard'
	option private_key 'XXXXX'
	option listen_port '51820'
	list addresses '192.168.9.1/24'
	list addresses 'fdf1:e8a1:8d3f:9::1/64'

# Single peer. allowed_ips is both the ACL for what this peer may send and
# the selector for what is routed to it. Only an IPv4 entry is present, so
# the interface's fdf1:... address is unused for this peer. The same
# 192.168.9.2 is the dest_ip of the DNAT redirects in /etc/config/firewall,
# i.e. those redirects forward wan-side ports to this VPN client.
config wireguard_vpn 'wgclient'
	option public_key 'XXXXX'
	option preshared_key 'XXXXX'
	list allowed_ips '192.168.9.2/32'
#cat /etc/config/firewall

# NOTE(review): stock OpenWrt ships 'option forward REJECT' here. With the
# global forward policy at ACCEPT, a forwarded packet that matches no explicit
# 'config forwarding' stanza is still accepted (as I read fw3/fw4 semantics)
# -- including traffic arriving on wan and destined for lan or vpn -- so the
# lan->wan forwarding further down is not what limits forwarding; nothing
# does. Set this back to:
#     option forward 'REJECT'
# and declare the allowed directions with 'config forwarding' stanzas.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option forward 'ACCEPT'

# lan zone: the LAN bridge plus the WireGuard interface, so VPN clients are
# treated exactly like wired LAN hosts, router input included.
# 'tun+' is the OpenVPN device pattern; once the OpenVPN -> WireGuard
# migration is finished, drop this line together with the Allow-OpenVPN rule.
# The fix adopted at the end of the thread moves 'vpn' into its own zone and
# enables masquerading on this zone, so VPN traffic reaches LAN hosts with
# this box's LAN address as source and no return route is needed upstream.
config zone 'lan'
	option name 'lan'
	list network 'lan'
	list network 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list device 'tun+'

# NOTE(review): this zone is effectively open. Stock OpenWrt uses
# 'input REJECT' and 'forward REJECT' for wan; with both at ACCEPT every
# service on this router (SSH, LuCI, DNS, the WireGuard listener, ...) is
# reachable from the wan side, and every 'Allow-*' rule below with src 'wan'
# is redundant. Because this box sits behind an ISP router, "wan" is the home
# network rather than the Internet -- but the DNAT redirects below suggest
# the ISP router forwards ports to this box, and anything it forwards lands
# on an accept-all input chain. Restore:
#     option input 'REJECT'
#     option forward 'REJECT'
# The Allow-WireGuard rule at the end of this file already admits UDP/51820,
# so the tunnel keeps working after the change.
config zone 'wan'
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'ACCEPT'
	option forward 'ACCEPT'

# Only lan -> wan is explicitly allowed. No wan -> lan forwarding is
# declared, but with 'config defaults' forward at ACCEPT (above) unmatched
# forwarded traffic is still accepted, so this absence blocks nothing until
# that default is changed to REJECT.
config forwarding
	option src 'lan'
	option dest 'wan'

# The rules from here to 'Support-UDP-Traceroute' are the stock OpenWrt
# ruleset. They only matter when the wan zone's input policy is REJECT/DROP;
# with the 'input ACCEPT' set on the wan zone above they are all no-ops,
# which is itself a tell that the zone policy was changed from stock.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

# DHCPv6 client replies; src/dest restricted to ULA/link-scope ranges as in
# the stock ruleset.
config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# Rate-limited to 1000/sec so ICMPv6 floods cannot saturate the input path.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Stock IPsec pass-through into the lan zone. Nothing in this thread uses
# IPsec; these two can be removed if no LAN host terminates IPsec.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Disabled by default in stock OpenWrt; kept disabled here.
config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

# Legacy fw3 hook. If this box runs fw4 (OpenWrt 22.03 and later),
# /etc/firewall.user is no longer executed, so any custom rules placed there
# are silently ignored rather than applied.
config include
	option path '/etc/firewall.user'

# Leftover from the OpenVPN setup being replaced. Remove it (or set
# option enabled '0') once OpenVPN is shut down, together with the 'tun+'
# device entry in the lan zone, so UDP/1194 is no longer accepted from wan.
config rule 'ovpn'
	option name 'Allow-OpenVPN'
	option src 'wan'
	option dest_port '1194'
	option proto 'udp'
	option target 'ACCEPT'

# Three port forwards from the wan side to 192.168.9.2 -- which is the
# WireGuard peer's allowed_ips address, i.e. the VPN client, not a LAN host.
# wan:8822 -> client:22 exposes that client's SSH to whatever can reach this
# box's wan side; make sure that sshd is key-only.
# 'dest lan' is right while 'vpn' sits in the lan zone. After moving 'vpn'
# into its own zone (the fix adopted at the end of the thread), change 'dest'
# on all three to the new zone name; otherwise the accept rule fw3/fw4
# generates for the forwarded traffic is tied to the wrong zone, and the
# forwards break as soon as the global forward policy is set to REJECT.
config redirect
	option target 'DNAT'
	option name 'backupDBssh'
	list proto 'tcp'
	option src 'wan'
	option src_dport '8822'
	option dest 'lan'
	option dest_port '22'
	option dest_ip '192.168.9.2'

config redirect
	option target 'DNAT'
	option name 'backupDBveeamdatamover'
	list proto 'tcp'
	option src 'wan'
	option src_dport '6162'
	option dest 'lan'
	option dest_port '6162'
	option dest_ip '192.168.9.2'

config redirect
	option target 'DNAT'
	option name 'backupDBtransmission'
	list proto 'tcp'
	option src 'wan'
	option src_dport '2500-3300'
	option dest 'lan'
	option dest_port '2500-3300'
	option dest_ip '192.168.9.2'

# Admits the WireGuard listener (UDP/51820, matching listen_port in
# /etc/config/network). This is the rule that matters once the wan zone's
# input policy is set back to REJECT; with the current ACCEPT it is redundant.
config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

Try adding the extra option in the following section

config wireguard_vpn 'wgclient'
option route_allowed_ips '1'

Since you're running the OpenWrt WireGuard server as a LAN device — not as the network's main router — this is the same issue that came up in this recent thread: the other LAN hosts send their replies for 192.168.9.0/24 to their default gateway (the main router), which has no route back to your OpenWrt box, so the replies never return. Either add a static route for 192.168.9.0/24 pointing at the OpenWrt box on the main router, or NAT the VPN traffic onto the OpenWrt box's LAN address.

Thanks for your suggestion, unfortunately this did not solve the issue. (That makes sense in hindsight: the peer's 192.168.9.2/32 lies inside the 192.168.9.1/24 already assigned to the WireGuard interface, so the route that option would add already exists.)

Thank you. I am not able to add a static route on the main router; it's locked down by the ISP. I did add a static route on a LAN client, and after that I can communicate with the VPN client. So the missing return route is indeed the issue (which makes sense, too).

I'll have to use the second option suggested in the other thread you pointed to. I understand the concept of NAT, but I'm new to OpenWrt. I've never created another zone and am not sure how to put the VPN in there. I'm sure someone already explained that somewhere on this forum and I'll go look for that. If you have a pointer for me then that would make me even happier :slight_smile:

That was actually a lot easier than I expected. I simply used the GUI to add a new zone, moved the vpn interface into it and removed it from the LAN zone. In the LAN zone I checked the box for masquerading and bam, everything is working now. Thanks for your help mk24! (Two caveats for anyone copying this: with `config defaults` still at `forward 'ACCEPT'`, no forwarding from the new zone is needed, which is presumably why it worked immediately — if you tighten that default to REJECT, add forwardings from the new zone to lan and wan; and the DNAT redirects that target 192.168.9.2 with `dest 'lan'` should now point at the new zone. Masquerading also means LAN hosts see VPN traffic as coming from the router's LAN address, so per-client visibility in host logs is lost.)
