OpenWrt Wireguard site-to-site - No lan access

Hi,
I have two routers running OpenWrt with a site-to-site WireGuard connection. While I can access the other site's router using both the WireGuard IP and the LAN IP from any device within the LAN, I'm unable to access any other devices within the LAN from the other site.

This is my configuration:

SITE A
vlan 1: 10.0.0.0/24
vlan 2: 10.0.1.0/24
vlan 3: 10.0.2.0/24

/etc/config/network

config interface 'wg_xc_vpn'
        option proto 'wireguard'
        option private_key '##################################'
        option listen_port '51820'
        list addresses '10.10.10.1/32'

config wireguard_wg_xc_vpn
        option description 'wg_cento_vpn'
        option public_key '##################################'
        option route_allowed_ips '1'
        option endpoint_host '##########'
        option endpoint_port '51820'
        list allowed_ips '10.10.10.0/24'
        list allowed_ips '10.2.0.0/24'
        list allowed_ips '10.2.1.0/24'

/etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'VPN'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'

config forwarding
        option src 'guest'
        option dest 'wan'

config rule
        option name 'guest-dhcp'
        list proto 'udp'
        option src 'guest'
        option dest_port '67-68'
        option target 'ACCEPT'

config rule
        option name 'guest-dns'
        option src 'guest'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'guest-isolation'
        option src 'guest'
        option dest 'wan'
        option target 'DROP'
        list dest_ip '10.0.0.0/24'
        list dest_ip '10.0.1.0/24'

config zone
        option name 'host'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'host'

config forwarding
        option src 'host'
        option dest 'wan'

config forwarding
        option src 'host'
        option dest 'guest'

config forwarding
        option src 'host'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'guest'

config forwarding
        option src 'lan'
        option dest 'host'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'HomeAssistant'
        option family 'ipv4'
        list proto 'tcp'
        option src 'wan'
        option src_dport '443'
        option dest_ip '10.0.0.11'
        option dest_port '443'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'OpenVPN1194'
        option family 'ipv4'
        list proto 'udp'
        option src 'wan'
        option src_dport '1194'
        option dest_ip '10.0.0.12'
        option dest_port '1194'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'OpenVPN1195'
        option family 'ipv4'
        list proto 'udp'
        option src 'wan'
        option src_dport '1195'
        option dest_ip '10.0.0.13'
        option dest_port '1194'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'OpenVPN1196'
        list proto 'udp'
        option src 'wan'
        option src_dport '1196'
        option dest_ip '10.0.0.11'
        option dest_port '1194'

config redirect
        option dest 'vpn'
        option target 'DNAT'
        option name 'Wireguard51820'
        list proto 'udp'
        option src 'wan'
        option src_dport '51820'
        option dest_ip '10.10.10.1/32'
        option dest_port '51820'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'wg_xc_vpn'

config forwarding
        option src 'lan'
        option dest 'vpn'

config forwarding
        option src 'vpn'
        option dest 'wan'

config forwarding
        option src 'host'
        option dest 'vpn'

route output

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.100.1   0.0.0.0         UG    0      0        0 pppoe-wan
10.0.0.0        *               255.255.255.0   U     0      0        0 br-lan.1
10.0.1.0        *               255.255.255.0   U     0      0        0 br-lan.2
10.0.2.0        *               255.255.255.0   U     0      0        0 br-lan.3
10.2.0.0        *               255.255.255.0   U     0      0        0 wg_xc_vpn
10.2.1.0        *               255.255.255.0   U     0      0        0 wg_xc_vpn
10.10.10.0      *               255.255.255.0   U     0      0        0 wg_xc_vpn
79.31.218.20    192.168.100.1   255.255.255.255 UGH   0      0        0 pppoe-wan
192.168.100.1   *               255.255.255.255 UH    0      0        0 pppoe-wan

SITE B
vlan 1: 10.2.0.0/24
vlan 2: 10.2.1.0/24
vlan 3: 10.2.2.0/24

/etc/config/network

config interface 'wg_cento_vpn'
        option proto 'wireguard'
        option private_key '##################################'
        option listen_port '51820'
        list addresses '10.10.10.2/32'

config wireguard_wg_cento_vpn
        option description 'wg_xc_vpn'
        option public_key '##################################'
        option endpoint_host '##########'
        option endpoint_port '51820'
        option route_allowed_ips '1'
        list allowed_ips '10.10.10.0/24'
        list allowed_ips '10.0.0.0/24'
        list allowed_ips '10.0.1.0/24'

/etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'openvpn'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'

config forwarding
        option src 'guest'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'guest'

config rule
        option name 'guest-dhcp'
        list proto 'udp'
        option src 'guest'
        option dest_port '67-68'
        option target 'ACCEPT'

config rule
        option name 'guest-dns'
        option src 'guest'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'guest-isolation'
        option src 'guest'
        option dest 'wan'
        option target 'DROP'
        list dest_ip '10.2.0.0/24'
        list dest_ip '10.2.1.0/24'

config zone
        option name 'host'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'host'

config forwarding
        option src 'host'
        option dest 'guest'

config forwarding
        option src 'host'
        option dest 'lan'

config forwarding
        option src 'host'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'host'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'wg_cento_vpn'

config forwarding
        option src 'vpn'
        option dest 'wan'

config redirect
        option dest 'vpn'
        option target 'DNAT'
        option name 'Wireguard51820'
        list proto 'udp'
        option src 'wan'
        option src_dport '51820'
        option dest_ip '10.10.10.2/32'
        option dest_port '51820'

config forwarding
        option src 'lan'
        option dest 'vpn'

config forwarding
        option src 'host'
        option dest 'vpn'

route output

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.100.1   0.0.0.0         UG    0      0        0 pppoe-wan
10.0.0.0        *               255.255.255.0   U     0      0        0 wg_cento_vpn
10.0.1.0        *               255.255.255.0   U     0      0        0 wg_cento_vpn
10.2.0.0        *               255.255.255.0   U     0      0        0 br-lan.1
10.2.1.0        *               255.255.255.0   U     0      0        0 br-lan.2
10.2.2.0        *               255.255.255.0   U     0      0        0 br-lan.3
10.10.10.0      *               255.255.255.0   U     0      0        0 wg_cento_vpn
192.168.100.1   *               255.255.255.255 UH    0      0        0 pppoe-wan
212.171.45.27   192.168.100.1   255.255.255.255 UGH   0      0        0 pppoe-wan

I just can't figure out what I'm doing wrong

You have a "list network 'openvpn'" (site B) and a "list network 'VPN'" (site A) in the WAN zone; that should not hurt, but they are probably unused.

However, in relation to the issue, I would move the WireGuard interface to its own zone and add forwarding rules between it and the other zones.

Thank you, eduperez.
"list network 'openvpn'" and "list network 'VPN'" are used, respectively on site B and site A for the openvpn VPN, which I currently use to connect from B to A. For openvpn, I used the WAN zone and it works correctly.
For wireguard, I preferred to create a dedicated zone. When I connect with wireguard, I disable openvpn on site B, so in that case it is indeed unused, but I cannot remove it because it is the only way I can access site A, which is very far away.
Do you think it's better if I use the WAN zone also for the wireguard interface?

A simple traffic rule accepting the WireGuard port on the wan zone (rather than a DNAT redirect) is sufficient, e.g.:

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

On site A you do not have all of site B's subnets set as allowed IPs: you are missing vlan 3, 10.2.2.0/24. If this is intentional, that is OK.

Routing looks good, so check whether the forward rules are present in both directions: in the configs above both sites have a forwarding from lan to vpn, but none from vpn to lan, so traffic arriving from the tunnel for LAN hosts falls back to the default forward policy (REJECT).
Furthermore, your LAN clients will have their own firewall, which might reject traffic from the subnets of the other side, so make sure to allow e.g. 10.0.0.0/8 (or, more narrowly, just the remote site's subnets) on the LAN clients.

Using the WAN zone for WireGuard is certainly no good, because you would then have to explicitly allow the traffic. Just like any WG server (you are basically setting up two "servers"), you can put the WG interface in the lan zone if you do not want a separate zone; note that this gives remote-site hosts the same access as local LAN clients, whereas a separate zone with explicit vpn↔lan forwardings keeps that access narrower.

Thanks ecg — after moving the wg interface to the LAN zone, all devices are accessible from both VPNs.

