OpenWrt & Wireguard - No Access to Internal IPs

Hello all,

I have been playing and experimenting with my router now for weeks (literally!), but I can't get my desired setup to fully work as intended, so please allow me to ask for your help.

I did quite some searching for past forum discussions, but none of the ones I found seem to fit my problem; at least I couldn't make any sense of them in a way that led me to a solution.

I have the following components that I need to work together:

  • OpenWrt router (provides wireless, firewall, wireguard interface etc.)

  • LTE stick (Internet access, firewall disabled, client IP of OpenWrt router in DMZ)

  • A Raspberry Pi attached to the router via both Ethernet and Wifi

Router IP: 10.0.0.1/16

Wireguard Interface: 10.0.1.1/24

Raspberry Pi: 10.0.0.113/32 (Wifi), 10.0.0.112/32 (Ethernet)

Firewall configuration:

WG port (I chose to go with 1195) is open in the firewall.

What I got to work:

  • I can connect to the WG interface with various clients from external networks
  • The peers can connect to the router IP 10.0.0.1
  • The peers can connect to the Internet

What I did not succeed in getting to work so far:

  • A WG peer connected to the WG interface, able to access the router IP 10.0.0.1 as well as the Internet, cannot connect to the Raspberry on either internal IP.

What am I doing wrong? I am stuck, please help me!

If you are using 10.0.0.1/16 on the LAN interface then you can't use 10.0.1.1/24 on the wireguard interface since they are overlapping. Devices on the LAN won't be able to talk to wireguard peers. Either you use 10.0.0.1/24 on the LAN, or you use for example 10.1.0.1/16, which doesn't overlap with 10.0.1.1/24.

I would like to keep 10.0.0.1/16 for the router address.

What would I have to use for the WG interface address in that case?

You can keep the address, just change the subnet mask to /24. The reason they are overlapping is that you are using a /16 on that interface. Unless you actually need to access 65K hosts on your network, the /16 is just unnecessary.

Also, in your firewall, add forwarding from Wireguard > LAN.

If that doesn't work, please post your WG configs (both on the OpenWrt side and one of the remote peers; sanitize by removing keys and public IP addresses, but don't change your private IP addresses and please make it very clear what you have redacted as to avoid confusion).

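The overlap the replies above describe can be checked mechanically. The following is an added example (not code from the thread or from OpenWrt) that uses the addresses quoted in the posts and compares the original /16 LAN plan with the two suggested fixes; the function names and the constructed address table are mine.

```python
"""Check an OpenWrt LAN + WireGuard addressing plan for prefix overlap."""
import ipaddress

# Constructed from the addresses quoted in the thread (example values, not a real config dump).
LAN_ORIGINAL = "10.0.0.1/16"        # router LAN address as first posted
WG_IFACE = "10.0.1.1/24"            # WireGuard interface address
PEER_ALLOWED_IPS = ["10.0.1.2/32"]  # allowed_ips of the single peer
PI_ADDRESSES = ["10.0.0.113", "10.0.0.112"]  # Raspberry Pi on Wifi and Ethernet


def interface_networks_overlap(a, b):
    """True when the two interface prefixes share any address.

    Overlapping prefixes on two interfaces make the kernel's route choice
    ambiguous, which is why LAN hosts and tunnel peers stop seeing each other."""
    net_a = ipaddress.ip_interface(a).network
    net_b = ipaddress.ip_interface(b).network
    return net_a.overlaps(net_b)


def peer_ips_inside_tunnel(wg_iface, allowed_ips):
    """Every peer allowed_ips prefix must sit inside the WireGuard subnet."""
    wg_net = ipaddress.ip_interface(wg_iface).network
    return all(ipaddress.ip_network(p).subnet_of(wg_net) for p in allowed_ips)


def hosts_inside_lan(lan_iface, hosts):
    """Renumbering the LAN only helps if the existing hosts still fit in it."""
    lan_net = ipaddress.ip_interface(lan_iface).network
    return all(ipaddress.ip_address(h) in lan_net for h in hosts)


def check_plan(lan_iface, wg_iface, allowed_ips, lan_hosts):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    if interface_networks_overlap(lan_iface, wg_iface):
        problems.append(f"LAN {lan_iface} overlaps WireGuard {wg_iface}")
    if not peer_ips_inside_tunnel(wg_iface, allowed_ips):
        problems.append("a peer's allowed_ips is outside the WireGuard subnet")
    if not hosts_inside_lan(lan_iface, lan_hosts):
        problems.append("a LAN host falls outside the LAN prefix")
    return problems


if __name__ == "__main__":
    # Original plan, then the two fixes suggested in the reply above.
    for lan in (LAN_ORIGINAL, "10.0.0.1/24", "10.1.0.1/16"):
        print(lan, "->", check_plan(lan, WG_IFACE, PEER_ALLOWED_IPS, PI_ADDRESSES) or "OK")
```

Note that the 10.1.0.1/16 option is flagged only because the Pi keeps its 10.0.0.x addresses; it is a valid fix once the LAN hosts are renumbered too.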

Alright, I think I reconfigured everything both of you suggested:

Wireguard config:

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'xxxxxx='
	option listen_port '1195'
	list addresses '10.0.1.1'

config wireguard_wg0
	option public_key 'xxxxx='
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	list allowed_ips '10.0.1.2/32'


Forgot to mention: there is no firewall active on the Pi.

You haven't mentioned the peer's config yet.

So I'm guessing you still can't reach the LAN with these configs?

Absolutely correct, my bad. It's an iPhone, no idea how to export in plain text, so here's a summary:

Interface:
10.0.1.2/32
DNS: 10.0.1.1,10.0.0.1,8.8.8.8

Peer:
Endpoint: xxx.xxx.org:1195
Allowed IPs: 0.0.0.0/0
Keepalive: 25

You assume correctly: still not working.

Change to /24

Try turning off masquerading and MSS clamping in the WG firewall zone.

Remove 10.0.1.1.
DNS 10.0.0.1 and 8.8.8.8 should work.

I did, no luck - still cannot access 10.0.0.113

Contrary to that, I can access 10.0.0.113 from my laptop (10.0.0.101) which is connected to my Wifi.

Huh???

This is the same network, this should work.

To be clear, where are you testing the iPhone from?

  • Laptop: connected via (internal) Wifi to the router (10.0.0.1)

  • Raspberry (10.0.0.113): connected to internal Wifi

  • iPhone: external LTE network, connected to the router's WG interface - I can access 10.0.0.1, but not 10.0.0.113

I know it's weird. As I said in my first post, this has been bothering me and driving me crazy for weeks now, and I am clueless.

Not weird. Turn off masquerade on WG firewall zone. The phone currently only sees 10.0.0.1.

Still no luck, please see firewall zones and phone config below.

  • I thought you were told to remove the duplicate DNS server?
  • Do you have a static route configured in the OpenWrt for 10.0.1.0/24 pointing toward the WG interface?
config route
	option interface 'wg0'
	option target '10.0.1.0'
	option netmask '255.255.255.0'

Sorry! :fearful:
I missed the post that said to remove the DNS. I did so now, no change.

I put the route config part into /etc/config/network and issued /etc/init.d/network restart after that.

Again, no change.

Btw, I am disconnecting and reconnecting to WG from the phone after each config change to be on the safe side.

Shouldn't the netmask be 255.255.255.0?

No, doesn't make a difference.

  • Yes, 255.255.255.0
  • Can you start showing us the results of your tests?
  • Can we see the results of the WG command?