Problems with VLAN + Wireguard

I have been working on my home server for the last few days and wanted to put all services that are accessible from outside into their own VLAN (something like a DMZ).

In my OpenWrt router I have defined another port as VLAN3 with the IP range 11.0.0.1/24.
My local LAN for PCs, WLAN etc. is VLAN1.

VLAN1 192.168.1.0/24-->VLAN3 11.0.0.1/24    works
VLAN3-->VLAN1                               no connection, that's right
VLAN1-->WAN                                 works
VLAN3-->WAN                                 works

VLAN3 then contains all LXC containers/VMs that should be accessible from outside, e.g. NginX, Jellyfin, qBit etc.
But now I have the problem that as soon as I start Wireguard in my qBit container, the entire container is no longer accessible via VLAN1.
Locally, in the same network (VLAN3, 11.0.0.1/24), it is available and can be pinged.

As soon as I deactivate Wireguard again, the container is also accessible or pingable again via VLAN1.
So it should be due to the Wireguard config.

In the Wireguard config I have already tried to enable the network range 11.0.0.1/24 via AllowedIPs. However, this only bypasses the Wireguard server and I communicate with the outside world via my real external IP address.
Allowing the IPs from VLAN1 (192.168.1.0/24) did not lead to the desired result either.

Wireguard
[Interface]

PrivateKey = redacted
Address = 10.2.0.2/32
DNS = 10.2.0.1

[Peer]
PublicKey = redacted
AllowedIPs = 0.0.0.0/0
Endpoint = 194.126.177.7:51820
OpenWrt
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'redacted'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '1.1.1.1'

config device
        option name 'eth0.2'
        option macaddr 'redacted'

config interface 'wan'
        option device 'eth0.2'
        option proto 'static'
        option ipaddr 'redacted'
        option netmask 'redacted'
        option gateway 'redacted'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 3 4 5'
        option vid '1'
        option description 'LAN'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 1'
        option vid '2'
        option description 'WAN'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '0t 2'
        option vid '3'
        option description 'DMZ'

config interface 'DMZ'
        option proto 'static'
        option device 'eth0.3'
        option gateway '192.168.1.1'
        list ipaddr '11.0.0.1/24'

The very first thing to do is fix your DMZ interface:

I see two issues here:

  1. you're using a bad address here... you should only use RFC1918 address ranges. The one you have chosen is not in those ranges and will likely cause routing problems. Select from the 192.168.0.0/16, 172.16.0.0/12, or 10.0.0.0/8 ranges (pro-tip: select a /24 so that it is very straight forward and easy to avoid overlaps)
  2. Remove the gateway.

Once those are done, reboot and test again. If it still doesn't work, we'll look into the rest of the config (post the updated config if that review is necessary).


Hi psherman, thanks for the hint, I have adjusted this in my configuration. Unfortunately, this has not changed my problem. As soon as I have established the wireguard connection to my VPN provider, I can no longer ping the LXC container in the DMZ from VLAN1.

OpenWrt /etc/config/network
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'redacted'
        
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '1.1.1.1'

config device
        option name 'eth0.2'
        option macaddr 'redacted'

config interface 'wan'
        option device 'eth0.2'
        option proto 'static'
        option ipaddr 'redacted'
        option netmask 'redacted'
        option gateway 'redacted'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 3 4 5'
        option vid '1'
        option description 'LAN'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 1'
        option vid '2'
        option description 'WAN'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '0t 2'
        option vid '3'
        option description 'DMZ'

config interface 'DMZ'
        option proto 'static'
        option device 'eth0.3'
        list ipaddr '10.0.0.1/24'

I don't see the WG connection in your OpenWrt config... where does this live? Is it on your computer?

The Wireguard client runs in an LXC container with its own IP address in the DMZ (VLAN3). The IP address of the container is 10.0.0.10. In a way, it is like a PC in the network.

Why is it not running within OpenWrt itself?

I think what you are seeing would be expected behavior given that WG is running in that container. You need to either add routes to the container such that the relevant traffic is not routed via the tunnel, or you need to run the tunnel directly in OpenWrt, which will ensure that the routes are preserved.


Unfortunately, my OpenWrt router is not performant enough and should preferably only provide the Internet and manage the VLANs and port forwarding. In my network there is my more powerful Proxmox server, in which I manage the containers/VMs.

I'm not quite sure whether my problem is with my router or perhaps with my Wireguard configuration.

The problem is not with OpenWrt. It is specifically with the containerized WG environment insofar as you need to make sure it has static routes to ensure that it doesn't route all traffic over the tunnel.

This is, however, out of scope for the OpenWrt forums.

All right. Thanks for your time, I'll read up more on Wireguard. 🙂

I have found the solution to my problem.
Just for documentation in case others have the same problem.
In the Wireguard config (wg0.conf) you have to make a "PreUp" and "PostDown" entry under [Interface].
In my case it looks like this:

[Interface]

PrivateKey = redacted
Address = 10.2.0.2/32
DNS = 10.2.0.1
PreUp = ip route add 192.168.1.0/24 via 10.0.0.1 dev eth0
PostDown = ip route del 192.168.1.0/24 via 10.0.0.1 dev eth0

[Peer]
PublicKey = redacted
AllowedIPs = 0.0.0.0/0
Endpoint = 194.126.177.7:51820

This makes the service in the LXC container also available via the VLAN1 network (192.168.1.0/24).
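Why the PreUp route fixes it, as an added model of the route lookup (not code from this thread or from WireGuard): for AllowedIPs = 0.0.0.0/0, wg-quick on Linux puts its default route in a separate table and adds a policy rule that consults the main table first with suppress_prefixlength 0, so the main table's own default route is ignored and only a more specific route there can keep traffic off the tunnel. The addresses (container on eth0 in 10.0.0.0/24, gateway 10.0.0.1, LAN 192.168.1.0/24) are the ones from the thread; the table contents are a simplified assumption.

```python
"""Simplified model of the policy routing wg-quick installs for 0.0.0.0/0.

Added illustration, not the thread's or WireGuard's code. Lookup order:
  1. main table, honouring 'suppress_prefixlength 0' (default route ignored)
  2. the WireGuard table, which only holds a default route via wg0
"""
from ipaddress import ip_address, ip_network

# (destination, egress device); longest prefix wins, order is irrelevant.
MAIN_TABLE = [
    (ip_network("10.0.0.0/24"), "eth0"),  # connected DMZ network (VLAN3)
    (ip_network("0.0.0.0/0"), "eth0"),    # default via 10.0.0.1, suppressed by wg-quick's rule
]
WG_TABLE = [(ip_network("0.0.0.0/0"), "wg0")]          # installed by wg-quick
STATIC_ROUTE = (ip_network("192.168.1.0/24"), "eth0")  # the thread's PreUp line


def lookup(table, dst, suppress_prefixlength=None):
    """Longest-prefix match; routes with prefixlen <= suppress_prefixlength are skipped."""
    best = None
    for net, dev in table:
        if ip_address(dst) not in net:
            continue
        if suppress_prefixlength is not None and net.prefixlen <= suppress_prefixlength:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, dev)
    return best[1] if best else None


def egress_device(dst, main_table):
    """Device a packet to dst leaves on under wg-quick's two-rule policy."""
    dev = lookup(main_table, dst, suppress_prefixlength=0)
    return dev if dev is not None else lookup(WG_TABLE, dst)


def compare(dst):
    """(egress without the PreUp route, egress with it) for one destination."""
    return (egress_device(dst, MAIN_TABLE),
            egress_device(dst, MAIN_TABLE + [STATIC_ROUTE]))


if __name__ == "__main__":
    for dst in ("192.168.1.50", "10.0.0.1", "1.1.1.1"):
        print(dst, compare(dst))
```

Replies from the container to a VLAN1 host go out via wg0 without the static route (so the VPN provider drops them and the ping from VLAN1 fails), but via eth0 once the /24 route exists, while Internet traffic still uses the tunnel.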