OpenWrt: routing LAN to VPNLAN to WireGuard

Hi all,

I'm attempting to create a new bridged device that's used for my WireGuard VPN. This is because I want a specific Ethernet port on my router to be the only port with VPN access. So far, I have connected my computer to that Ethernet port to access the VPN and successfully changed my IP address. I can also access the LAN IP 172.16.1.1 while connected to my VPN, but I can't access any other IPs on the LAN interface.

I want the VPNLAN interface to access the LAN interface's internal IPv4 /24 addresses and forward those addresses to the VPN (wg1) server.

You can ignore wg0, as that's for testing purposes.




My WireGuard server (VPS) ping testing (screenshots omitted)

/etc/config/firewall

config zone
        option name 'vpnlan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        list network 'vpnlan'
        option forward 'ACCEPT'

config zone
        option name 'vpnwan'
        option output 'ACCEPT'
        list network 'wg1'
        option masq '1'
        option input 'REJECT'
        option forward 'REJECT'

config forwarding
        option src 'vpnlan'
        option dest 'vpnwan'

config rule
        option name 'Test'
        list proto 'all'
        option src 'vpnlan'
        option dest 'lan'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Test2'
        list proto 'all'
        option src 'vpnwan'
        option dest 'vpnlan'
        option target 'ACCEPT'
        option enabled '0'

config forwarding
        option src 'lan'
        option dest 'vpnlan'
        option target 'ACCEPT'

config forwarding
        option src 'vpnlan'
        option dest 'lan'
        option target 'ACCEPT'

config rule
        option src 'vpnwan'
        option target 'ACCEPT'
        list proto 'all'
        list dest_ip '172.16.1.0/24'

/etc/config/network

config interface 'vpnlan'
        option device 'br-lan-vpn'
        option proto 'static'
        list ipaddr '10.0.4.1/24'
        list dns '8.8.8.8'
        list dns '1.1.1.1'
        option defaultroute '0'

config device
        option type 'bridge'
        option name 'br-lan-vpn'
        list ports 'eth3'
        list ports 'wg1'
        option bridge_empty '1'

config interface 'wg1'
        option proto 'wireguard'
        option private_key 'REDACTED'
        list addresses '10.10.20.3/24'
        option defaultroute '0'

config wireguard_wg1
        option description 'Peer'
        option public_key 'REDACTED'
        option endpoint_host 'REDACTED'
        option endpoint_port '51821'
        option persistent_keepalive '25'
        list allowed_ips '0.0.0.0/0'

config rule
        option in 'vpnlan'
        option lookup '1742'

config route
        option interface 'wg1'
        option table '1742'
        option target '0.0.0.0/0'

config device
        option name 'wg1'
        option acceptlocal '0'


traceroute to 172.16.1.222 (172.16.1.222), 30 hops max, 60 byte packets
 1  10.10.20.3 (10.10.20.3)  39.788 ms  39.685 ms  39.599 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * 10.10.20.3 (10.10.20.3)  41.191 ms  39.066 ms

Maybe your table 1742 also needs a local route; it probably only has a default route via the WG interface?
Something like
ip route add 172.16.1.0/24 dev br-lan
Note: I do not see an interface LAN in your /etc/config/network, but that could just be me.
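
An added example from the editor, not code from this thread: a small Python model of the Linux policy-routing lookup (rules evaluated in priority order, longest-prefix match inside each table, fall-through to the next rule when a table has no matching route). It reproduces the posted state, where table 1742 holds only the default route out wg1 and `option in 'vpnlan'` becomes a rule on the bridge device br-lan-vpn, and the fix suggested above, an extra 172.16.1.0/24 route in that table. The first traceroute hop answering from 10.10.20.3 is consistent with this model: the router routes the probe into the tunnel and replies from its wg1 address. Addresses and interface names come from the posted config; the WAN device name eth0, the ISP gateway label and the rule priority 1000 are assumptions.

```python
# Added example: model of Linux policy routing (ip rule + per-table LPM).
# Not OpenWrt or netifd code; it only reproduces the lookup semantics.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network   # destination prefix
    dev: str                        # output device
    via: Optional[str] = None       # next hop; None means a connected route


@dataclass(frozen=True)
class Rule:
    priority: int                   # lower numbers are evaluated first
    lookup: str                     # routing table to consult
    iif: Optional[str] = None       # match only packets that arrived on this device


def longest_prefix_match(table: List[Route], dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Most specific matching route in one table, or None if nothing matches."""
    best: Optional[Route] = None
    for r in table:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def route_packet(rules: List[Rule], tables: Dict[str, List[Route]],
                 dst: str, iif: str) -> Tuple[Optional[str], Optional[Route]]:
    """Walk the rules in priority order; the first table holding a matching
    route decides. Like Linux, a table with no match falls through to the
    next rule instead of dropping the packet."""
    dst_addr = ipaddress.IPv4Address(dst)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.iif is not None and rule.iif != iif:
            continue
        hit = longest_prefix_match(tables.get(rule.lookup, []), dst_addr)
        if hit is not None:
            return rule.lookup, hit
    return None, None


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network(s)


# Constructed tables mirroring the posted /etc/config/network. "eth0" and
# "isp-gateway" stand in for the WAN device and gateway, which the thread
# does not show; priority 1000 for the vpnlan rule is also an assumption.
MAIN = [
    Route(net("172.16.1.0/24"), "br-lan"),
    Route(net("10.0.4.0/24"), "br-lan-vpn"),
    Route(net("10.10.20.0/24"), "wg1"),
    Route(net("0.0.0.0/0"), "eth0", via="isp-gateway"),
]
# The posted "config route" puts only 0.0.0.0/0 via wg1 into table 1742.
TABLE_1742_POSTED = [Route(net("0.0.0.0/0"), "wg1")]
# The reply above suggests adding the LAN's connected route to that table.
TABLE_1742_FIXED = TABLE_1742_POSTED + [Route(net("172.16.1.0/24"), "br-lan")]

RULES = [
    Rule(priority=1000, lookup="1742", iif="br-lan-vpn"),  # option in 'vpnlan' / lookup '1742'
    Rule(priority=32766, lookup="main"),                   # the kernel's default main-table rule
]


def egress_device(dst: str, iif: str, table_1742: List[Route]) -> Optional[str]:
    """Device a forwarded packet leaves on, given which table 1742 is installed."""
    _, r = route_packet(RULES, {"main": MAIN, "1742": table_1742}, dst, iif)
    return r.dev if r else None


if __name__ == "__main__":
    for label, tbl in (("posted", TABLE_1742_POSTED), ("fixed", TABLE_1742_FIXED)):
        print(f"table 1742 {label}:")
        print("  vpnlan -> 172.16.1.222 :", egress_device("172.16.1.222", "br-lan-vpn", tbl))
        print("  vpnlan -> 8.8.8.8      :", egress_device("8.8.8.8", "br-lan-vpn", tbl))
        print("  lan    -> 8.8.8.8      :", egress_device("8.8.8.8", "br-lan", tbl))
        print("  lan    -> 10.0.4.50    :", egress_device("10.0.4.50", "br-lan", tbl))
```

With the posted table, a vpnlan packet for 172.16.1.222 matches the default route in table 1742 before the main table is ever consulted, so it leaves on wg1; with the extra /24 in that table it leaves on br-lan, while Internet-bound vpnlan traffic still goes through the tunnel and plain LAN traffic never hits the rule at all.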

I only included the things I'm working on in my /etc/config/network. I can include the whole file but there's a lot of other things I will need to Redact from it.

I got it working.


The weird thing now is that the server can ping the IPs, but I can't access them while connected to the VPN.

How would I route that traffic from the server back to the client?

I can see the ping but I can't access any of it while connected.

I made sure my allowed IP covered the VPN, lan, and the br-lan-vpn.

AllowedIPs = 10.10.20.0/24, 172.16.1.0/24, 10.0.4.0/24

Google "site to site setup".
The OpenWrt wiki has a paragraph about it: you must open up the firewall on the client side, basically like you would do on the server side.

Easiest is just to add the wg client interface to the lan zone

It works whenever I connect to the VPN over my phone. I'm able to access my internal network of 172.16.1.0/24 but whenever I try to connect via my router it does not work.

wg1 sends the IP data up to the server and vpnlan+pull_wg1 is supposed to bring the data back to the internal network.

From what I'm noticing vpnlan still assumes it's on the same network as everything else and prevents me from accessing the internal network but I could be wrong about that.

How can I route two bridges together? I have everything working, it seems, but I can't get vpnlan and lan to communicate with each other besides the router's IP of 172.16.1.1. Both of them can access that.

netifd can automatically create all the necessary routes.

I have not used PBR at all so far and have achieved most of what I want.

All I want to figure out right now is to pass LAN to VPNLAN which are both bridged interfaces. Do I need PBR for this?

None of these options help me.

PBR is a technique involving custom routing rules and tables.
You may not be aware, but you are already using it.

It should work as long as you carefully follow the above advice.

I have tried this:

uci add firewall rule
uci set firewall.@rule[-1].name='Allow-VPN-to-LAN'
uci set firewall.@rule[-1].src='vpnlan' # Adjust the zone name if different
uci set firewall.@rule[-1].dest='lan'
uci set firewall.@rule[-1].target='ACCEPT'

uci add firewall rule
uci set firewall.@rule[-1].name='Allow-LAN-to-VPN'
uci set firewall.@rule[-1].src='lan'
uci set firewall.@rule[-1].dest='vpnlan' # Adjust the zone name if different
uci set firewall.@rule[-1].target='ACCEPT'

uci commit firewall
/etc/init.d/firewall restart

I have added this:

(screenshot omitted)

And I've put both vpnlan and pull_wg1 on the same firewall zone, as that makes things a lot simpler.

I still have not been able to get them to talk to each other. I'm connected to my VPN with the gateway of 10.0.4.1.

I'm still confused

while uci -q delete network.@rule[0]; do :; done
while uci -q delete network.@route[0]; do :; done
uci -q delete network.wg1.defaultroute
uci del_list network.@device[0].ports="wg1"
uci set network.@wireguard_wg1[0].route_allowed_ips="1"
uci set network.lan.ip4table="1"
uci set network.vpnlan.ip4table="2"
uci set network.wg1.ip4table="3"
uci set network.vpnlan_wg1="rule"
uci set network.vpnlan_wg1.in="vpnlan"
uci set network.vpnlan_wg1.lookup="3"
uci set network.vpnlan_wg1.priority="30000"
uci commit network
/etc/init.d/network restart
uci -q delete firewall.lan_vpnlan
uci set firewall.lan_vpnlan="forwarding"
uci set firewall.lan_vpnlan.src="lan"
uci set firewall.lan_vpnlan.dest="vpnlan"
uci -q delete firewall.vpnlan_lan
uci set firewall.vpnlan_lan="forwarding"
uci set firewall.vpnlan_lan.src="vpnlan"
uci set firewall.vpnlan_lan.dest="lan"
uci commit firewall
/etc/init.d/firewall restart

This worked for me 👍

I have one last question. I've spent all of today on it and I'm unsure how to do it. I believe I've already set up the correct rules on the server side for WireGuard.

PostUp = iptables -I INPUT -p udp --dport 51821 -j ACCEPT
PostUp = iptables -I FORWARD -i ens3 -o wg0 -j ACCEPT
PostUp = iptables -I FORWARD -i wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostUp = iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
PostUp = ip6tables -I FORWARD -i wg0 -j ACCEPT
PostUp = ip6tables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
#PostUp = iptables -t nat -A PREROUTING -i ens3 -p tcp --dport 80 -j DNAT --to-destination 10.10.20.3:80
#PostUp = iptables -t nat -A PREROUTING -i ens3 -p tcp --dport 443 -j DNAT --to-destination 10.10.20.3:443
PostUp = iptables -t nat -I PREROUTING -i ens3 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.10.20.3:80
PostUp = iptables -t nat -I PREROUTING -i ens3 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.10.20.3:443

PostDown = iptables -D INPUT -p udp --dport 51821 -j ACCEPT
PostDown = iptables -D FORWARD -i ens3 -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
PostDown = ip6tables -D FORWARD -i wg0 -j ACCEPT
PostDown = ip6tables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
#PostDown = iptables -t nat -D PREROUTING -i ens3 -p tcp --dport 80 -j DNAT --to-destination 10.10.20.3:80
#PostDown = iptables -t nat -D PREROUTING -i ens3 -p tcp --dport 443 -j DNAT --to-destination 10.10.20.3:443
PostDown = iptables -t nat -D PREROUTING -i ens3 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.10.20.3:80
PostDown = iptables -t nat -D PREROUTING -i ens3 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.10.20.3:443

How do I port forward ports 80 and 443 through the interface now?

I've tried this:

I've read online that I need to set up SNAT on OpenWrt, but I would like some guidance on whether I should actually do this.

10.0.4.246 is the device I'm trying to give access to ports 80 and 443.

config redirect
        option dest 'vpnlan'
        option target 'DNAT'
        option src 'vpnlan'
        option src_ip '10.10.20.3'
        option src_port '80'
        option src_dport '80'
        option dest_ip '10.0.4.246'
        option dest_port '80'

config redirect
        option dest 'vpnlan'
        option target 'DNAT'
        option src 'vpnlan'
        option src_ip '10.10.20.3'
        option src_port '443'
        option src_dport '443'
        option dest_ip '10.0.4.246'
        option dest_port '443'
