OpenWRT/Proxmox/Wireguard no internet access

Hello

I know the question has been asked many times, but I seem to be missing something.

First of all: I would describe myself as a layman.
I've now spent hours trying to get working VPN access via WireGuard. It feels like I have tried every tip I could find here and hoped that it would work.

Unfortunately, I have probably acted stupidly and hope for a small or maybe bigger push in the right direction.
I just want to be able to access my network (lan2) via VPN while on the go. This works insofar as the handshake succeeds and I can reach the internal IP addresses. However, Internet access through the tunnel is blocked.

The system runs as a VM in Proxmox.

root@OpenWRT:~# ubus call system board
{
        "kernel": "5.15.162",
        "hostname": "OpenWRT",
        "system": "Common KVM processor",
        "model": "QEMU Standard PC (i440FX + PIIX, 1996)",
        "board_name": "qemu-standard-pc-i440fx-piix-1996",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.4",
                "revision": "r24012-d8dd03c46f",
                "target": "x86/64",
                "description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
        }
}

network:

root@OpenWRT:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdb2:a2a3:676b::/48'

config interface 'wan'
        option device 'eth2'
        option proto 'static'
        option ipaddr '192.168.0.136'
        option netmask '255.255.255.0'
        option gateway '192.168.0.1'
        list dns '192.168.0.1'

config device
        option name 'eth0'
        option ipv6 '0'

config device
        option name 'eth1'
        option ipv6 '0'

config device
        option name 'eth2'
        option ipv6 '0'

config device
        option type 'bridge'
        option name 'br-lan2'
        list ports 'eth1'
        option ipv6 '0'

config interface 'lan2'
        option proto 'static'
        option device 'br-lan2'
        option ipaddr '10.10.1.1'
        option netmask '255.255.255.0'

config device
        option type '8021q'
        option ifname 'br-lan2'
        option vid '30'
        option name 'br-lan2.30'
        option ipv6 '0'

config interface 'vlan30_Gast'
        option proto 'static'
        option device 'br-lan2.30'
        option ipaddr '10.10.30.1'
        option netmask '255.255.255.0'

config device
        option type '8021q'
        option ifname 'br-lan2'
        option vid '40'
        option name 'br-lan2.40'
        option ipv6 '0'

config device
        option type '8021q'
        option ifname 'br-lan2'
        option vid '50'
        option name 'br-lan2.50'
        option ipv6 '0'

config device
        option type '8021q'
        option ifname 'br-lan2'
        option vid '60'
        option name 'br-lan2.60'
        option ipv6 '0'

config interface 'vlan50_IoT'
        option proto 'static'
        option device 'br-lan2.50'
        option ipaddr '10.10.50.1'
        option netmask '255.255.255.0'

config interface 'vlan40_CCTV'
        option proto 'static'
        option device 'br-lan2.40'
        option ipaddr '10.10.40.1'
        option netmask '255.255.255.0'

config interface 'wgServer'
        option proto 'wireguard'
        option private_key 'XXX'
        option listen_port '52349'
        list addresses '10.10.101.1/24'

config wireguard_wgServer
        option description 'iPhone'
        option public_key 'XXX'
        option private_key 'YYY'
        list allowed_ips '10.10.101.11/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

dhcp:

root@OpenWRT:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        option start '100'
        option limit '150'
        option leasetime '12h'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'lan30'
        option interface 'lan30'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'lan2'
        option interface 'lan2'
        option start '100'
        option limit '100'
        option leasetime '12h'
        list dhcp_option '6,1.1.1.1,192.168.0.1'

config dhcp 'vlan30_Gast'
        option interface 'vlan30_Gast'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'vlan50_IoT'
        option interface 'vlan50_IoT'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'vlan40_CCTV'
        option interface 'vlan40_CCTV'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list dhcp_option '6,1.1.1.1,192.168.0.1'

config host
        option name 'Stromzaehler'
        list mac 'C8:C9:A3:10:DF:D1'
        option ip '10.10.50.19'
        option leasetime 'infinite'

config host
        option name 'FlurAP'
        list mac 'AC:2A:A1:0D:D0:C0'
        option ip '10.10.1.221'
        option leasetime 'infinite'

config host
        option name 'KuecheAP'
        list mac 'AC:2A:A1:0D:E5:58'
        option ip '10.10.1.222'
        option leasetime 'infinite'

config host
        list mac '00:40:AD:99:1D:0E'
        option ip '10.10.1.5'
        option leasetime 'infinite'
        option name 'Wechselrichter'

firewall:

root@OpenWRT:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'DROP'
        option synflood_protect '1'

config zone
        option name 'lan2'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan2'
        list network 'wgServer'

config zone
        option name 'gast'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vlan30_Gast'

config zone
        option name 'iot'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vlan50_IoT'

config zone
        option name 'cctv'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vlan40_CCTV'

config zone
        option name 'tv'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config forwarding
        option src 'gast'
        option dest 'wan'

config rule
        option name 'Gast30-DHCP'
        option src 'gast'
        option dest_port '67 68'
        option target 'ACCEPT'

config rule
        option name 'Gast30-DNS'
        option src 'gast'
        option dest_port '53'
        option target 'ACCEPT'

config forwarding
        option src 'iot'
        option dest 'wan'

config rule
        option name 'CCTV40-DHCP'
        option src 'cctv'
        option dest_port '67 68'
        option target 'ACCEPT'

config rule
        option name 'CCTV40-DNS'
        option src 'cctv'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'IoT50-DHCP'
        option src 'iot'
        option dest_port '67 68'
        option target 'ACCEPT'

config rule
        option name 'IoT50-DNS'
        option src 'iot'
        option dest_port '53'
        option target 'ACCEPT'

config forwarding
        option src 'tv'
        option dest 'wan'

config rule
        option name 'vlan60-DHCP'
        option src 'tv'
        option dest_port '67 68'
        option target 'ACCEPT'

config rule
        option name 'vlan60-DNS'
        option src 'tv'
        option dest_port '53'
        option target 'ACCEPT'

config redirect
        option dest 'cctv'
        option target 'DNAT'
        option name 'Surveillance'
        option src 'wan'
        option src_dport '9900'
        option dest_ip '10.10.40.13'
        option dest_port '5000'

config forwarding
        option src 'lan2'
        option dest 'wan'

config rule
        option name 'lan2-DHCP'
        option src 'lan2'
        option dest_port '67 68'
        option target 'ACCEPT'

config redirect
        option dest 'cctv'
        option target 'DNAT'
        option src 'wan'
        option src_dport '9901'
        option dest_ip '10.10.40.13'
        option dest_port '5001'
        option name 'Surveillance_htts'

config rule
        option name 'lan2-DNS'
        option src 'lan2'
        option dest_port '53'
        option target 'ACCEPT'

config forwarding
        option dest 'lan2'

config forwarding
        option dest 'lan2'

config forwarding
        option dest 'lan2'

config rule
        option name 'MQTT to ioBroker'
        option src 'iot'
        option dest 'lan2'
        option dest_port '1882'
        option target 'ACCEPT'
        list dest_ip '10.10.1.8'

config rule
        option name 'MQTT to IoT'
        option src 'lan2'
        list src_ip '10.10.1.8'
        option dest 'iot'
        option dest_port '1882'
        option target 'ACCEPT'

config rule
        option name 'MQTT to EMQX'
        option src 'iot'
        option dest 'lan2'
        list dest_ip '10.10.1.15'
        option target 'ACCEPT'
        option dest_port '1883'

config rule
        option name 'EMQX to IoT'
        option src 'lan2'
        option dest 'iot'
        option dest_port '1883'
        option target 'ACCEPT'
        list src_ip '10.10.1.15'

config rule
        option name 'COAP to ioBroker'
        option src 'iot'
        option src_port '5683-5684'
        option dest 'lan2'
        option dest_port '5683-5684'
        option target 'ACCEPT'
        list dest_ip '10.10.1.8'

config rule
        option name 'COAP to IoT'
        option src 'lan2'
        option dest 'iot'
        option dest_port '5683-5684'
        option target 'ACCEPT'
        list src_ip '10.10.1.8'

config rule
        option name 'Online to IoT'
        option src 'lan2'
        list src_ip '10.10.1.8'
        option dest 'iot'
        option target 'ACCEPT'
        option dest_port '80'

config rule
        option src 'iot'
        option dest 'lan2'
        list dest_ip '10.10.1.8'
        option target 'ACCEPT'
        option name 'Online to ioBroker'
        option dest_port '80'

config redirect
        option dest 'lan2'
        option target 'DNAT'
        option name 'Traccar'
        option src 'wan'
        option src_dport '5055'
        option dest_ip '10.10.1.15'
        option dest_port '8082'

config rule
        option name 'Allow-IPSec-ESP_lan2'
        list proto 'esp'
        option src 'wan'
        option dest 'lan2'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ISAKMP_lan2'
        list proto 'udp'
        option src 'wan'
        option dest 'lan2'
        option dest_port '500'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option src '*'
        list src_ip '192.168.0.7'
        option dest '*'
        list dest_ip '10.10.1.3'
        option target 'ACCEPT'

config rule
        option name 'CiscoBlock'
        option src 'lan2'
        list src_ip '10.10.1.220'
        option dest 'wan'
        option target 'REJECT'

config redirect
        option dest 'lan2'
        option target 'DNAT'
        option name 'wgServer'
        option src 'wan'
        option src_dport '52349'
        option dest_ip '10.10.1.1'
        option dest_port '52349'

Thank you very much for your support

hi,

This stanza in your config is a WireGuard peer config. In my understanding, allowed_ips means which IP addresses are allowed to pass through to this peer. As per your config only one IP address is allowed, but I guess you want to allow any address, because you want your iPhone to reach the Internet via the WG server. So I'd add `list allowed_ips '0.0.0.0/0'`. But let's wait for others to correct me.

This cannot be the solution; with that setting the handshake isn't successful and no connection to the outside is possible.

But thanks, I tried without success

Here's what my config looks like:

config interface 'vpn'
	option proto 'wireguard'
	option private_key '===REDACTED==='
	option listen_port '51810'
	list addresses '10.10.0.1/24'
	list addresses 'fd00:10:10::1/64'
	option mtu '1320'

config wireguard_vpn 'wgclient'
	option public_key '===REDACTED==='
	option description 'MBP'
	option persistent_keepalive '25'
	option private_key '===REDACTED==='
	list allowed_ips '10.10.0.4/32'
	list allowed_ips 'fd00:10:10::4/128'

config wireguard_vpn
	option description 'Pixel 7'
	option public_key '===REDACTED==='
	option private_key '===REDACTED==='
	option persistent_keepalive '25'
	list allowed_ips '10.10.0.2/32'
	list allowed_ips 'fd00:10:10::2/128'

and I think the only relevant thing in /etc/config/firewall:

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'vpn'

config forwarding
	option src 'lan'
	option dest 'wan'

(which looks very similar to yours).

A couple of things that may/may not help:

  1. Do you have wgServer -> Advanced -> Use Default Gateway enabled? I'm not sure where that ends up in the config files.
  2. The biggest challenge I've had with initial WG setup was getting DNS working. Make sure your peer gets its DNS setup correct and that you can resolve names while the WG tunnel is connected.

A couple of questions I don't have answers for:

  1. Does iOS need some flag to default network traffic to the tunnel?
  2. There is something strange in your setup since you're running DHCP for your WAN interface?!

Hope any of that helps!

Thank you for making such an effort. Unfortunately, those suggestions didn't lead to the hoped-for success either.
I'm now at the point where it works in principle: I get the handshake, get into the LAN and can use the Internet via the WG client. However, only with the following settings of the wan zone:

config zone
     option name "wan"
     option list network "wan"
     option input "ACCEPT"
     option output "ACCEPT"
     option forward "REJECT"
     option masq "1"
     option mtu_fix "1"

The handshake only works with option input ACCEPT; if I set it to REJECT, no handshake is possible any more.

Maybe someone here knows the solution?

I think that option list network "wan" should be just list network "wan" (also, I don't know if LuCI cares about single-quotes vs double quotes, but I assume not).

Note that in your initial WAN zone definition you were missing option masq "1", which is what is necessary if running split LAN/WAN zones to allow inbound traffic matching outbound connections to be accepted. Now you have fixed that, but it looks like you might have screwed up the syntax for defining the WAN zone?

Maybe LuCI accepts this alternate syntax, but it's probably worth checking to be 100% sure.

image

That's the original.

Sorry for the confusion

it's really "only" about -> input "ACCEPT"

I would like to set this to "REJECT", as is recommended.

If I do this, then the handshake no longer works.

Try the following

Remove this rule (the quoted rule is not shown here; presumably the `wgServer` redirect at the end of your firewall config, since a DNAT to the router's own LAN address does not open the WAN INPUT chain for the WireGuard listener):

Add this rule:

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '52349'
	option proto 'udp'
	option target 'ACCEPT'

A simple ACCEPT rule for the port should be sufficient; it admits only UDP on the WireGuard listen port, while leaving WAN INPUT at REJECT for everything else.

Reboot the router and check whether WAN INPUT can now be set to REJECT.