OpenWrt Wireguard, Wrt not main router

I have a Pfsense-box as the main Internet-facing router in my network, with an OpenWRT-router providing a WiFi access-point and other services. Since Pfsense doesn't do Wireguard, I planned to use the OpenWRT-box for it.

I basically followed the instructions for "Wireguard basic" in the OpenWRT docs to set up a Wireguard instance, with an Ubuntu Linux machine connecting to it. Ubuntu can access the LAN and I can access Ubuntu from the LAN, but Ubuntu cannot access the Internet.

How does one set up a Wireguard server on OpenWRT so that connecting peers can access the Internet as well, when the OpenWRT box isn't the Internet-facing router?

https://forum.netgate.com/topic/150943/i-made-a-wireguard-package-for-pfsense/ ?

@WereCatf, welcome to the community!

You would set it up as normal - in addition to a firewall input rule on the OpenWrt, you also port forward the Wireguard UDP port from the pfSense border to the OpenWrt. Simple.

I would simply set up the WG interface in the LAN firewall zone, and it should go via the Internet on the pfSense like traffic would on OpenWrt's LAN.

Except that's what I've already done and it's not working, like I said already in the first post.

I see no configs. All I see is:

For assistance with a real setup, please post Wireguard configs for this Ubuntu machine and the OpenWrt. Please obscure your keys.

/etc/config/network:

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd17:fd9b:3c49::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.7'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option delegate '0'
        option gateway '192.168.1.1'
        option broadcast '192.168.1.255'
        list dns '192.168.1.1'

config interface 'wan'
        option ifname 'eth1.2'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        option ip6assign '64'
        option type 'bridge'
        option stp '1'
        option delegate '0'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 6t'

config interface 'wg0'
        option proto 'wireguard'
        option private_key PRIVKEY
        option listen_port '51820'
        list addresses '192.168.9.1/24'

config wireguard_wg0
        option public_key PUBKEY
        option description 'ubuvm'
        option persistent_keepalive '25'
        list allowed_ips '192.168.9.0/24'
        list allowed_ips 'fdf1:7610:d152:3a9c::1/64'
        option preshared_key PSK
        option route_allowed_ips '1'

/etc/config/firewall:

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan wg0'

config zone 'wan'
        option name 'wan'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan'
        option input 'ACCEPT'

config forwarding 'lan_wan'
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'
        option enabled '0'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config rule 'wg'
        option name 'Allow-WireGuard'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

Ubuntu's wg0.conf:

[Interface]
Address = 192.168.9.2/24,fdf1:7610:d152:3a9c::2/64
PrivateKey = PRIVKEY
DNS = 192.168.9.1

[Peer]
PublicKey = PUBKEY
PresharedKey = PSK
AllowedIPs = 0.0.0.0/0,::/0
Endpoint = 192.168.3.1:51820

Change to:

list allowed_ips '192.168.9.2/32'
list allowed_ips 'fdf1:7610:d152:3a9c::2/128'

Well, I did that, but nothing changed. Can access LAN and LAN can access the Ubuntu-peer, but Ubuntu can't access Internet.

Did you reboot?

And...unrelated to OpenWrt...

Have you made routes for the Ubuntu machine to use the Wireguard for Internet???

sudo ip route add 0.0.0.0/1 dev wg0
sudo ip route add 128.0.0.0/1 dev wg0

EDIT: BTW, you never gave the OpenWrt side an IPv6 address (e.g. assign fdf1:7610:d152:3a9c::1/64)

Yes, I did reboot and yes, it is related since that was the question I asked. As for the routes: I have tried that and it's still a no-go.

I guess I'll try the solution that @diizzy mentioned, then.

Sorry, I didn't realize you wanted us to help you configure the Ubuntu machine too, my apologies.

I hope you added the route to the Ubuntu, and not the OpenWrt. Otherwise, I don't see how it's related. If you don't understand how to set up the Ubuntu, I advise testing a peer with the Wireguard smartphone app first. All the client routing is done for you and you can eliminate the Ubuntu as the issue.

In the network config the wan interface has IP 192.168.3.1/24 but no gateway. lan has IP, mask, gateway and dns to 192.168.1.1 which I suppose is the pfsense.
So the lan is actually also wan, but you don't masquerade the lan zone in the firewall, which means that the pfsense must have a static route for 192.168.1.0/24 via 192.168.1.7 to work.


Good catch!

When I said setup as normal, I assumed the LAN and WAN were untouched.

I don't understand that logic. The pfSense box is the one handling the LAN network, i.e. 192.168.1.0/24. You're saying the OpenWRT box needs to have the pfSense box as its gateway for the LAN network and the pfSense box needs to have the OpenWRT box as its gateway for the same network? That seems rather...circular.

For a VPN client to reach the Internet, the OpenWrt VPN server needs to route them from the 192.168.9 VPN tunnel network to the Internet.

You have the OpenWrt router / VPN server configured as a LAN device on the 192.168.1.0 network of your main router. Basically its WAN network 192.168.3 isn't doing anything, nor does it need to. You can just remove that network.

If you're only interested in VPN clients reaching the Internet, the simplest way would be a forward between two firewall zones with masquerade (NAT) enabled on the destination zone. When running the VPN server in the main router the WAN network is already masquerading; doing it through the LAN network, as on a LAN device, requires adding that to the firewall configuration.
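The point made above (tunnel traffic needs a forwarding path to the zone that carries the upstream gateway, and either NAT on that zone or a return route on the upstream router) can be checked mechanically against /etc/config/firewall. This is an added example, not code from the thread or from OpenWrt: a small UCI parser plus a check over a constructed copy of the posted lan zone, once as posted and once with masq enabled.

```python
import re

def parse_uci(text):
    """Parse UCI 'config / option / list' lines into a list of sections."""
    sections = []
    for raw in text.splitlines():
        tok = [t.strip("'") for t in re.findall(r"'[^']*'|\S+", raw.strip())]
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] == "config":
            sections.append({"type": tok[1], "name": tok[2] if len(tok) > 2 else None, "opts": {}})
        elif tok[0] == "option" and len(tok) == 3:
            sections[-1]["opts"][tok[1]] = tok[2]
        elif tok[0] == "list" and len(tok) == 3:
            sections[-1]["opts"].setdefault(tok[1], []).append(tok[2])
    return sections

def zone_of(sections, iface):
    """Return the zone section whose 'network' option/list contains iface, or None."""
    for s in sections:
        net = s["opts"].get("network", [])
        if s["type"] == "zone" and iface in (net.split() if isinstance(net, str) else net):
            return s
    return None

def check_vpn_egress(firewall_text, tunnel_iface, upstream_iface):
    """(ok, reason): can packets arriving on tunnel_iface be forwarded out via
    upstream_iface with NAT, so the upstream router only sees this router's address?"""
    secs = parse_uci(firewall_text)
    src, dst = zone_of(secs, tunnel_iface), zone_of(secs, upstream_iface)
    if src is None or dst is None:
        return False, "tunnel or upstream interface is not in any zone"
    sname, dname = src["opts"].get("name", src["name"]), dst["opts"].get("name", dst["name"])
    if src is dst and src["opts"].get("forward") != "ACCEPT":
        return False, f"intra-zone forward in '{sname}' is not ACCEPT"
    if src is not dst and not any(s["type"] == "forwarding" and s["opts"].get("src") == sname
                                  and s["opts"].get("dest") == dname for s in secs):
        return False, f"no forwarding section from '{sname}' to '{dname}'"
    if dst["opts"].get("masq") != "1":
        return False, f"zone '{dname}' has no masq: upstream router needs a route for the tunnel subnet"
    return True, f"tunnel traffic is forwarded and NATed out of zone '{dname}'"

# Constructed sample: the lan zone as posted (wg0 shares the lan zone, no NAT) ...
LAN_ZONE_AS_POSTED = """
config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan wg0'
"""
# ... and the same zone with masquerading enabled, the fix suggested in the thread.
LAN_ZONE_MASQ = LAN_ZONE_AS_POSTED + "        option masq '1'\n"

if __name__ == "__main__":
    for label, cfg in (("as posted", LAN_ZONE_AS_POSTED), ("with masq", LAN_ZONE_MASQ)):
        print(label, check_vpn_egress(cfg, "wg0", "lan"))
```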

No, it's not circular...but I personally thought the route needs to exist for 192.168.9.0/24 via 192.168.1.7. This is because you are forwarding traffic to the pfSense over LAN that is not masqueraded.

Or you can just set up the OpenWrt as normal (connecting to WAN) and it should work as-is.

I knew I must have been missing something. I'll give masquerading a go.

Sorry that was a typo, I meant 192.168.9.0/24
