OpenWrt & Wireguard - No Access to Internal IPs

Also, can you verify the IP of your phone, as this config differs from your iPhone picture (which says 10.0.1.3)

Please explain what you mean by "showing us the results of your tests"? None of your suggestions (for which I am very grateful) worked. I think I tried all of your suggestions so far.

Do you want me to post logs? If so, please tell me which.

Also, please tell me what WG command you want me to issue.

Regarding "list allowed_ips '10.0.1.2/32'" - that's a good catch! When trying to strip down the config for posting, I removed all but one of the peers. I have both of them in my full config, with the proper keys:


config interface 'wg0'
	option proto 'wireguard'
	option private_key 'xxx'
	option listen_port '1195'
	list addresses '10.0.1.1/24'

config wireguard_wg0
	option public_key 'xxx'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	list allowed_ips '10.0.1.2/32'

config wireguard_wg0
	option public_key 'xxx'
	option persistent_keepalive '25'
	list allowed_ips '10.0.1.3/32'

config wireguard_wg0
	option public_key 'xxx'
	list allowed_ips '10.0.1.4/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

config wireguard_wg0
	option public_key 'xxx'
	list allowed_ips '10.0.1.5/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

The output of the following would be useful:

  • complete /etc/config/network (remove the keys from WG)
  • complete /etc/config/firewall
  • output (from the command line) of the command: wg show (again, remove keys)
  • results from ping tests on your iPhone (screen grabs okay) -- hopefully you have a ping tool (if not, get one from the app store). Pings of interest will be 10.0.1.1, 10.0.0.1, 10.0.0.113, 8.8.8.8, and google.com.
1 Like

I agree with @psherman to see the configs and outputs - as now you're showing 4 peers in your config. Also to verify, I surmise you created a Private Key for each peer?

Also, you have this on a few peers, but omitted it on others. I suggest removing those and using the blanket 10.0.1.0/24 static route instead.

That firewall coloring is bizarre. This is mine:

First of all: thank you so much for your kind patience everybody, I really appreciate it :slight_smile:

  • /etc/config/network
root@OpenWrt> config$ cat network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdcb:1ef1:f209::/48'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option ipaddr '10.0.0.1'
	option ip6assign '60'
	option dns '8.8.8.8 8.8.4.4'
	option ifname 'eth0.1'
	option netmask '255.255.255.0'

config device 'lan_dev'
	option name 'eth0.1'
	option macaddr ''

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config device 'wan_dev'
	option name 'eth0.2'
	option macaddr ''

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0 6t'

config interface '8372'
	option proto 'dhcp'
	option ifname 'eth1'

config interface 'wg0'
	option proto 'wireguard'
	option private_key ''
	option listen_port '1195'
	list addresses '10.0.1.1/24'

config wireguard_wg0
	option public_key ''
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	list allowed_ips '10.0.1.2/32'

config wireguard_wg0
	option public_key ''
	option persistent_keepalive '25'
	list allowed_ips '10.0.1.3/32'

config wireguard_wg0
	option public_key ''
	list allowed_ips '10.0.1.4/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

config wireguard_wg0
	option public_key ''
	list allowed_ips '10.0.1.5/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

config route
	option interface 'wg0'
	option target '10.0.1.0'
	option netmask '255.255.255.0'
  • /etc/config/firewall
root@OpenWrt> config$ cat firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6 wwan 8372'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option name 'Allow-OpenVPN'
	option dest_port '1194'
	option src 'wan'
	option enabled '0'

config rule
	option src '*'
	option target 'ACCEPT'
	option proto 'udp'
	option name 'Allow-WireGuard'
	option dest_port '1195'

config include
	option path '/etc/firewall.user'

config zone
	option forward 'REJECT'
	option output 'ACCEPT'
	option name 'wireguard'
	option input 'ACCEPT'
	option network 'wg0'
	option mtu_fix '1'

config forwarding
	option dest 'wan'
	option src 'wireguard'

config forwarding
	option dest 'wan'
	option src 'lan'

config forwarding
	option dest 'wireguard'
	option src 'lan'

config forwarding
	option dest 'lan'
	option src 'wireguard'
  • wg show
root@OpenWrt> config$ wg show
interface: wg0
  public key: (hidden)
  private key: (hidden)
  listening port: 1195

peer: (hidden)
  endpoint: (hidden):63569
  allowed ips: 10.0.1.3/32
  latest handshake: 10 seconds ago
  transfer: 2.15 MiB received, 4.58 MiB sent
  persistent keepalive: every 25 seconds

peer: (hidden)
  allowed ips: 10.0.1.2/32
  persistent keepalive: every 25 seconds

peer: (hidden)
  allowed ips: 10.0.1.4/32
  persistent keepalive: every 25 seconds

peer: (hidden)
  allowed ips: 10.0.1.5/32
  persistent keepalive: every 25 seconds
  • ping 10.0.0.1 (this and all following pings are from the iPhone while connected to WG)
PING 10.0.0.1 (10.0.0.1)
44 bytes from 10.0.0.1 : icmp_seq=0 ttl=64 time=170 ms
44 bytes from 10.0.0.1 : icmp_seq=1 ttl=64 time=76 ms
44 bytes from 10.0.0.1 : icmp_seq=2 ttl=64 time=74 ms
44 bytes from 10.0.0.1 : icmp_seq=3 ttl=64 time=104 ms
44 bytes from 10.0.0.1 : icmp_seq=4 ttl=64 time=633 ms
--- 10.0.0.1 ping statistics ---
5 packets transmitted, 5 packets received, lost 0.0 %
  • ping 10.0.1.1
PING 10.0.1.1 (10.0.1.1)
44 bytes from 10.0.1.1 : icmp_seq=0 ttl=64 time=82 ms
44 bytes from 10.0.1.1 : icmp_seq=1 ttl=64 time=131 ms
44 bytes from 10.0.1.1 : icmp_seq=2 ttl=64 time=87 ms
44 bytes from 10.0.1.1 : icmp_seq=3 ttl=64 time=213 ms
44 bytes from 10.0.1.1 : icmp_seq=4 ttl=64 time=113 ms
44 bytes from 10.0.1.1 : icmp_seq=5 ttl=64 time=76 ms
--- 10.0.1.1 ping statistics ---
6 packets transmitted, 6 packets received, lost 0.0 %
  • ping 10.0.0.113
PING 10.0.0.113 (10.0.0.113)
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
--- 10.0.0.113 ping statistics ---
5 packets transmitted, 0 packets received, lost 100.0 %
  • ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8)
44 bytes from 8.8.8.8 : icmp_seq=0 ttl=52 time=664 ms
44 bytes from 8.8.8.8 : icmp_seq=1 ttl=52 time=106 ms
44 bytes from 8.8.8.8 : icmp_seq=2 ttl=52 time=111 ms
44 bytes from 8.8.8.8 : icmp_seq=3 ttl=52 time=596 ms
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 4 packets received, lost 20.0 %

44 bytes from 8.8.8.8 : icmp_seq=4 ttl=52 time=523 ms

Yes, I did.

Thanks for pointing out that glitch, I activated "route_allowed_ips" for this peer as well, still not working.

How exactly would I change to "blanket 10.0.1.0/24 static route"?

I just set up the zones and the forwarding etc, the coloring was done by OpenWrt (I guess).

See above.

(Be sure to use 255.255.255.0, as you already pointed out.)

Do you have any other devices/hosts on the 10.0.0.0/24 network that you can try to ping? The fact that you can ping the router @ 10.0.0.1 and the Google DNS server (internet at 8.8.8.8) suggests to me that there are no routing or connectivity issues.

I'm wondering if the route is really necessary. What happens if you remove this?

Also, you might try restarting the whole router just to make sure everything gets initialized properly.

Why is forwarding set to Reject?

edit: Actually multiple things seem off. Try following this guide: https://doc.turris.cz/doc/en/public/wireguard

Just noticing that you may still have the route_allowed_ips option missing from the iPhone peer config (on the OpenWrt side) (this was mentioned earlier, but may not have been corrected). Be sure to allow routing.

Maybe I'm wrong but I think the problem is in the netmask.
Why don't you use a netmask / 23 or / 22 in the whole configuration?
In the initial question you put three different netmasks, and that's not good for the same net.

Address: 10.0.0.1 00001010.00000000.0000000 0.00000001
Netmask: 255.255.254.0 = 23 11111111.11111111.1111111 0.00000000
Wildcard: 0.0.1.255 00000000.00000000.0000000 1.11111111
=>
Network: 10.0.0.0/23 00001010.00000000.0000000 0.00000000
HostMin: 10.0.0.1 00001010.00000000.0000000 0.00000001
HostMax: 10.0.1.254 00001010.00000000.0000000 1.11111110
Broadcast: 10.0.1.255 00001010.00000000.0000000 1.11111111
Hosts/Net: 510 Class A, Private Internet

WG is a routed (L3) interface, so the networks must not overlap. Using /24 networks on the LAN and WG interface is known to work well (WG peers must be /32).

2 Likes

Ok, but... isn't a /23 needed if you want 10.0.0.0 and 10.0.1.0 on the same net? Because 10.0.0.0/24 is not in the same subnet as 10.0.1.0/24.
What about...

Again, the WG interface is Layer 3. It will not pass that. You have to address (or subnet) the WG network and LAN separately.

See: https://www.wireguard.com/#cryptokey-routing

Nonetheless, 0.0.0.0/0 as allowed IPs on the phone peers solves your concerns.

1 Like
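Added example, not from the thread or from OpenWrt: a small Python checker for the addressing rules discussed in the replies above, namely that wg0 and the LAN must be distinct subnets because the tunnel is a routed (L3) interface, that each phone peer owns a single /32 inside the tunnel subnet (cryptokey routing), and that route_allowed_ips is set on every peer. It runs against a constructed config fragment mirroring the one posted (keys blanked); the section and option names are OpenWrt's own, the function names are mine.

```python
import ipaddress

# Constructed sample mirroring the thread's layout (keys blanked); not the poster's full file.
SAMPLE = """config interface 'lan'
	option ipaddr '10.0.0.1'
	option netmask '255.255.255.0'
config interface 'wg0'
	option proto 'wireguard'
	list addresses '10.0.1.1/24'
config wireguard_wg0
	option route_allowed_ips '1'
	list allowed_ips '10.0.1.2/32'
config wireguard_wg0
	list allowed_ips '10.0.1.3/32'
"""

def parse_uci(text):
    """Minimal /etc/config/* reader: one dict per 'config' section, values kept as lists."""
    sections = []
    for raw in text.splitlines():
        parts = raw.strip().replace("'", "").split()
        if not parts:
            continue
        if parts[0] == "config":
            sections.append({"_type": parts[1], "_name": parts[2] if len(parts) > 2 else ""})
        elif parts[0] in ("option", "list") and sections:
            sections[-1].setdefault(parts[1], []).append(" ".join(parts[2:]))
    return sections

def check_wireguard(text, wg_iface="wg0"):
    """Return findings as strings; an empty list means the addressing plan is sane."""
    findings = []
    secs = parse_uci(text)
    ifaces = {s["_name"]: s for s in secs if s["_type"] == "interface"}
    lan = ifaces["lan"]
    lan_net = ipaddress.ip_interface(f"{lan['ipaddr'][0]}/{lan['netmask'][0]}").network
    wg_net = ipaddress.ip_interface(ifaces[wg_iface]["addresses"][0]).network
    # wg0 is routed (L3): its subnet must not overlap the LAN subnet (a /23 LAN would overlap)
    if lan_net.overlaps(wg_net):
        findings.append(f"{wg_iface} subnet {wg_net} overlaps LAN subnet {lan_net}")
    for peer in (s for s in secs if s["_type"] == f"wireguard_{wg_iface}"):
        for cidr in peer.get("allowed_ips", []):
            net = ipaddress.ip_network(cidr)
            # cryptokey routing: a road-warrior peer owns exactly one /32 inside the tunnel subnet
            if net.prefixlen != 32 or not net.subnet_of(wg_net):
                findings.append(f"allowed_ips {cidr} is not a /32 inside {wg_net}")
        if peer.get("route_allowed_ips", ["0"])[0] != "1":
            findings.append(f"peer {peer.get('allowed_ips')} lacks route_allowed_ips '1'")
    return findings
```

Run it against your real /etc/config/network (keys stripped) to see whether the /23 suggestion or a missing route_allowed_ips is flagged.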

Thanks for the link...

1 Like

Whoa!

Is your OpenWrt the real Internet gateway???

  • I.E. Do your devices on LAN receive the OpenWrt as its gateway
  • I.E.:

In other words...

Is this the OpenWrt running Wireguard???

:thinking:

(Your wording seems as if the "LTE stick" is the gateway. If so, you are not sending traffic to the device, or router running the WG tunnel.)

Hello everybody,

sorry for the delay (I was super tired and had to go to bed).

I restarted the router in the meantime, as suggested by @psherman and it works now!

So many thanks to everybody who made suggestions (especially to @lleachii who was unbelievably patient), I couldn't have come to this point without you!

Thank you, thank you, thank you!!! :slight_smile:

P.S.: All peers now have route_allowed_ips set. Also, I'd love to mark a post as solution, not sure though if it really was only one thing that I needed to change :confused:

2 Likes

Hello, I just recently set up some OpenWrt boxes as Wireguard clients. After some initial problems, they run great now.

Is your OpenWrt box to run as client or server? The difference seems not to be that important, though.

Can you send your /etc/config/network and /etc/config/firewall files? Just the parts that are relevant for this setup.