Openwrt wireguard client

Hello,
My home OpenWrt has a WireGuard server. It works, I can connect from my PC/my phone and access local resources.
Now I'm setting up another OpenWrt in my holiday home and I want to set it up as a WireGuard client to access home devices.
Seems easy.
Well, I'm totally stuck, and at network level!
I could tell you that I set up the connection, key and all the rest, but it seems my problem is different. With a Linux client connected to the holiday router I can connect to the WireGuard server, and I can do this:

massi@Greenbook:/home$ nc -zvu <home ip> <home wireguard port>
<home ip>: inverse host lookup failed: Host name lookup failure
(UNKNOWN) [<home ip>] <home wireguard port> (?) open

Not taking care of the DNS error at the moment, but the WireGuard port is reachable.
And I can do the same with a TCP port open on the home router.
If I do the same on the holiday router itself, the port is not reachable at all! But the TCP port is reachable..

I can't honestly understand why. The installation is clean, I just installed 24.10.1.
Obviously I can try whatever I want to set up WireGuard, but if at network level the server is not reachable there is nothing I can do..

Just looking for ideas..

root@OpenWrt:~# cat /etc/config/network 

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd7b:7cf1:6235::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.123.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option type 'bridge'
root@OpenWrt:~# cat /etc/config/firewall 

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wanWifi'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

There is no wireguard shown in your config. What was it that you want help with?

That's because the WireGuard client can't even connect to the server: the router itself is not able to connect to the remote host, while devices connected locally can, and this doesn't make any sense even without configuring a WireGuard connection.
I'm trying to understand why a client in the lan zone can get this

massi@Greenbook:/home$ nc -zvu <home ip> <home wireguard port>
<home ip>: inverse host lookup failed: Host name lookup failure
(UNKNOWN) [<home ip>] <home wireguard port> (?) open

and the router can't

root@OpenWrt:~# nc -zvu <home ip> <home wireguard port>
Warning: Host <home ip> isn't authoritative! (direct lookup failed)

Wireguard doesn’t respond to port scans, by design. It will only respond if there is a valid cryptographic connection.

Thanks, so netcat is not reliable on this?
Good to know, so strange result for the netcat on the Linux client.

Correct, netcat and other port scanners will not yield a result for a wireguard port.


Adding one point :slight_smile:
I tried to tell my client OpenWrt to use the DNS server on the other side of the tunnel, with this:

config interface 'Wireguard'
        option proto 'wireguard'
        option private_key 'x'
        list dns '192.168.1.1'
        list addresses '192.168.2.4/32'

This seems to be unused by dnsmasq, even if..

root@rutto:~# cat /tmp/resolv.conf.d/resolv.conf.auto
# Interface Wireguard
nameserver 192.168.1.1

I got it to be used by adding it manually to the dnsmasq upstream servers, but I'm not sure this is the correct way (there would be no sense in specifying it in the WireGuard config, right?)
Am I missing something?

If I do not specify it in the dnsmasq config, DNS queries are not forwarded:

root@rutto:~# nslookup homeassistant.lan
Server:         127.0.0.1
Address:        127.0.0.1:53

** server can't find homeassistant.lan: NXDOMAIN

** server can't find homeassistant.lan: NXDOMAIN

root@rutto:~# nslookup homeassistant.lan 192.168.1.1
Server:         192.168.1.1
Address:        192.168.1.1:53

Name:   homeassistant.lan
Address: 192.168.111.118

Non-authoritative answer:

Yes, your observations are entirely expected. The dns entry in the network interface stanza doesn't directly impact dnsmasq, and is largely irrelevant except for the actual upstream (typically wan) connection.

Make sure that your two networks (local, home) use different domains (by default, both will be .lan). Once that is done, you can create a DNS entry that will use the home dns for all of the domain names that reference hosts at your home location.

This is exactly what I did, thanks.
I'm not understanding what its role is for the upstream connection if dnsmasq is not using it, but anyway thanks, if this is how it is expected to work I'm ok with it :slight_smile:

Every list dns goes into the same list regardless of which interface it is listed under. That one list is then used in failover / round robin fashion for DNS forwards. Any server listed must be prepared to resolve any possible name not just your private ones. If a server returns NXDOMAIN that is considered a live server providing a final result and no other servers in the list will be consulted.

If you need only a specific domain (such as your private .lan) to always go to a certain DNS server that is done with a list domain in /etc/config/dhcp. The server listed for a specific domain will be used only for that domain, any other domain will use the general list.
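A worked example of the domain-specific forwarding described above, for the dnsmasq section of the holiday router's /etc/config/dhcp. This is an added example, not configuration posted in the thread: it assumes the holiday network has been renamed to the 'holiday' domain, that the home network keeps the OpenWrt default 'lan' domain with the home router answering DNS at 192.168.1.1 through the tunnel (so 192.168.1.0/24 must be covered by the peer's allowed_ips), and that rebind protection stays enabled.

```uci
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        # local names are answered here as <host>.holiday instead of the default .lan,
        # so they no longer collide with the home network's .lan names
        option local '/holiday/'
        option domain 'holiday'
        # names under the home domain (.lan) are forwarded only to the home router
        # over the tunnel; every other name still uses the general upstream list
        list server '/lan/192.168.1.1'
        # rebind protection would otherwise discard the private 192.168.x.x answers
        # that come back from the home router for .lan names
        list rebind_domain 'lan'
```

After `/etc/init.d/dnsmasq restart`, `nslookup homeassistant.lan` on the holiday router should be answered via 192.168.1.1 without naming the server explicitly, while a holiday-side host is reached as <host>.holiday.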