Hello
I know the question has been asked many times, but I seem to be missing something.
First of all: I would describe myself as a layman.
I've now spent hours trying to get a working VPN access via Wireguard. It felt like I tried to implement every tip I could find here and hoped that it would work.
Unfortunately, I have probably acted stupidly and hope for a small or maybe bigger push in the right direction.
I just want to be able to access my network (lan2) via VPN on the go. This also works insofar as the handshake works and I can access the IP addresses. However, Internet access is blocked.
The system runs as a VM in Proxmox.
root@OpenWRT:~# ubus call system board
{
"kernel": "5.15.162",
"hostname": "OpenWRT",
"system": "Common KVM processor",
"model": "QEMU Standard PC (i440FX + PIIX, 1996)",
"board_name": "qemu-standard-pc-i440fx-piix-1996",
"rootfs_type": "ext4",
"release": {
"distribution": "OpenWrt",
"version": "23.05.4",
"revision": "r24012-d8dd03c46f",
"target": "x86/64",
"description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
}
}
network:
root@OpenWRT:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdb2:a2a3:676b::/48'
config interface 'wan'
option device 'eth2'
option proto 'static'
option ipaddr '192.168.0.136'
option netmask '255.255.255.0'
option gateway '192.168.0.1'
list dns '192.168.0.1'
config device
option name 'eth0'
option ipv6 '0'
config device
option name 'eth1'
option ipv6 '0'
config device
option name 'eth2'
option ipv6 '0'
config device
option type 'bridge'
option name 'br-lan2'
list ports 'eth1'
option ipv6 '0'
config interface 'lan2'
option proto 'static'
option device 'br-lan2'
option ipaddr '10.10.1.1'
option netmask '255.255.255.0'
config device
option type '8021q'
option ifname 'br-lan2'
option vid '30'
option name 'br-lan2.30'
option ipv6 '0'
config interface 'vlan30_Gast'
option proto 'static'
option device 'br-lan2.30'
option ipaddr '10.10.30.1'
option netmask '255.255.255.0'
config device
option type '8021q'
option ifname 'br-lan2'
option vid '40'
option name 'br-lan2.40'
option ipv6 '0'
config device
option type '8021q'
option ifname 'br-lan2'
option vid '50'
option name 'br-lan2.50'
option ipv6 '0'
config device
option type '8021q'
option ifname 'br-lan2'
option vid '60'
option name 'br-lan2.60'
option ipv6 '0'
config interface 'vlan50_IoT'
option proto 'static'
option device 'br-lan2.50'
option ipaddr '10.10.50.1'
option netmask '255.255.255.0'
config interface 'vlan40_CCTV'
option proto 'static'
option device 'br-lan2.40'
option ipaddr '10.10.40.1'
option netmask '255.255.255.0'
config interface 'wgServer'
option proto 'wireguard'
option private_key 'XXX'
option listen_port '52349'
list addresses '10.10.101.1/24'
config wireguard_wgServer
option description 'iPhone'
option public_key 'XXX'
option private_key 'YYY'
list allowed_ips '10.10.101.11/32'
option route_allowed_ips '1'
option persistent_keepalive '25'
dhcp:
root@OpenWRT:~# cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option localservice '1'
option ednspacket_max '1232'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
option start '100'
option limit '150'
option leasetime '12h'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'lan30'
option interface 'lan30'
option start '100'
option limit '150'
option leasetime '12h'
config dhcp 'lan2'
option interface 'lan2'
option start '100'
option limit '100'
option leasetime '12h'
list dhcp_option '6,1.1.1.1,192.168.0.1'
config dhcp 'vlan30_Gast'
option interface 'vlan30_Gast'
option start '100'
option limit '150'
option leasetime '12h'
config dhcp 'vlan50_IoT'
option interface 'vlan50_IoT'
option start '100'
option limit '150'
option leasetime '12h'
config dhcp 'vlan40_CCTV'
option interface 'vlan40_CCTV'
option start '100'
option limit '150'
option leasetime '12h'
list dhcp_option '6,1.1.1.1,192.168.0.1'
config host
option name 'Stromzaehler'
list mac 'C8:C9:A3:10:DF:D1'
option ip '10.10.50.19'
option leasetime 'infinite'
config host
option name 'FlurAP'
list mac 'AC:2A:A1:0D:D0:C0'
option ip '10.10.1.221'
option leasetime 'infinite'
config host
option name 'KuecheAP'
list mac 'AC:2A:A1:0D:E5:58'
option ip '10.10.1.222'
option leasetime 'infinite'
config host
list mac '00:40:AD:99:1D:0E'
option ip '10.10.1.5'
option leasetime 'infinite'
option name 'Wechselrichter'
firewall:
root@OpenWRT:~# cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'DROP'
option synflood_protect '1'
config zone
option name 'lan2'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan2'
list network 'wgServer'
config zone
option name 'gast'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'vlan30_Gast'
config zone
option name 'iot'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'vlan50_IoT'
config zone
option name 'cctv'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'vlan40_CCTV'
config zone
option name 'tv'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config forwarding
option src 'gast'
option dest 'wan'
config rule
option name 'Gast30-DHCP'
option src 'gast'
option dest_port '67 68'
option target 'ACCEPT'
config rule
option name 'Gast30-DNS'
option src 'gast'
option dest_port '53'
option target 'ACCEPT'
config forwarding
option src 'iot'
option dest 'wan'
config rule
option name 'CCTV40-DHCP'
option src 'cctv'
option dest_port '67 68'
option target 'ACCEPT'
config rule
option name 'CCTV40-DNS'
option src 'cctv'
option dest_port '53'
option target 'ACCEPT'
config rule
option name 'IoT50-DHCP'
option src 'iot'
option dest_port '67 68'
option target 'ACCEPT'
config rule
option name 'IoT50-DNS'
option src 'iot'
option dest_port '53'
option target 'ACCEPT'
config forwarding
option src 'tv'
option dest 'wan'
config rule
option name 'vlan60-DHCP'
option src 'tv'
option dest_port '67 68'
option target 'ACCEPT'
config rule
option name 'vlan60-DNS'
option src 'tv'
option dest_port '53'
option target 'ACCEPT'
config redirect
option dest 'cctv'
option target 'DNAT'
option name 'Surveillance'
option src 'wan'
option src_dport '9900'
option dest_ip '10.10.40.13'
option dest_port '5000'
config forwarding
option src 'lan2'
option dest 'wan'
config rule
option name 'lan2-DHCP'
option src 'lan2'
option dest_port '67 68'
option target 'ACCEPT'
config redirect
option dest 'cctv'
option target 'DNAT'
option src 'wan'
option src_dport '9901'
option dest_ip '10.10.40.13'
option dest_port '5001'
option name 'Surveillance_htts'
config rule
option name 'lan2-DNS'
option src 'lan2'
option dest_port '53'
option target 'ACCEPT'
config forwarding
option dest 'lan2'
config forwarding
option dest 'lan2'
config forwarding
option dest 'lan2'
config rule
option name 'MQTT to ioBroker'
option src 'iot'
option dest 'lan2'
option dest_port '1882'
option target 'ACCEPT'
list dest_ip '10.10.1.8'
config rule
option name 'MQTT to IoT'
option src 'lan2'
list src_ip '10.10.1.8'
option dest 'iot'
option dest_port '1882'
option target 'ACCEPT'
config rule
option name 'MQTT to EMQX'
option src 'iot'
option dest 'lan2'
list dest_ip '10.10.1.15'
option target 'ACCEPT'
option dest_port '1883'
config rule
option name 'EMQX to IoT'
option src 'lan2'
option dest 'iot'
option dest_port '1883'
option target 'ACCEPT'
list src_ip '10.10.1.15'
config rule
option name 'COAP to ioBroker'
option src 'iot'
option src_port '5683-5684'
option dest 'lan2'
option dest_port '5683-5684'
option target 'ACCEPT'
list dest_ip '10.10.1.8'
config rule
option name 'COAP to IoT'
option src 'lan2'
option dest 'iot'
option dest_port '5683-5684'
option target 'ACCEPT'
list src_ip '10.10.1.8'
config rule
option name 'Online to IoT'
option src 'lan2'
list src_ip '10.10.1.8'
option dest 'iot'
option target 'ACCEPT'
option dest_port '80'
config rule
option src 'iot'
option dest 'lan2'
list dest_ip '10.10.1.8'
option target 'ACCEPT'
option name 'Online to ioBroker'
option dest_port '80'
config redirect
option dest 'lan2'
option target 'DNAT'
option name 'Traccar'
option src 'wan'
option src_dport '5055'
option dest_ip '10.10.1.15'
option dest_port '8082'
config rule
option name 'Allow-IPSec-ESP_lan2'
list proto 'esp'
option src 'wan'
option dest 'lan2'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-ISAKMP_lan2'
list proto 'udp'
option src 'wan'
option dest 'lan2'
option dest_port '500'
option target 'ACCEPT'
option enabled '0'
config rule
option src '*'
list src_ip '192.168.0.7'
option dest '*'
list dest_ip '10.10.1.3'
option target 'ACCEPT'
config rule
option name 'CiscoBlock'
option src 'lan2'
list src_ip '10.10.1.220'
option dest 'wan'
option target 'REJECT'
config redirect
option dest 'lan2'
option target 'DNAT'
option name 'wgServer'
option src 'wan'
option src_dport '52349'
option dest_ip '10.10.1.1'
option dest_port '52349'
Thank you very much for your support