Remote access to home network with Wireguard on OpenWRT configuration (multiple VLANs)

Hi there,

In short, I'd like to set up Wireguard so I can access a couple of servers from my laptop or phone when away from home. I could get Wireguard up and running between one client and my server, but can't access my servers (actual servers doing some work, no Windows systems here :smiley: ) which sit in a VLAN firewall zone (that's where my setup may differ from the documentation).

Thanks to anyone who's willing to help here :slight_smile:

In more detail:
I've been using OpenWRT for a few years now, it's running on a RPi4 at the heart of my home network. It's a router sitting between my FTTH router and my VLAN networks - one for our devices (named LAN, on 192.168.7.0/24 VLAN 7), one for IOT (192.168.3.0/24 VLAN 3), one for guests (192.168.9.0/24 VLAN 9) and a management network to access my WAP, etc (192.168.111.0/24 VLAN 111).
Behind the ISP router, we find 192.168.1.0 no VLAN, so TV boxes can get fed (ISP uses specific routing here and you wouldn't want to touch this).

On the RPi, I run two physical interfaces. One is dedicated to WAN, the other is running the VLAN'd interfaces. To spice up all that, there is AdGuard Home up and running.

I've set up the VPN interface (10.20.10.1/32) with its own firewall zone (VPN). From the client on my cellphone I get the connection but can't get access to my local systems. I guess the issue is all about routing from that zone to my target zone (say LAN) and allowing for a way back.
If I enable "route_allowed_ips", I get my static routing table with an entry for 192.168.7.0/24 to the VPN interface, which basically kills that subnetwork...

Please note my ISP router is under-featured and can't be replaced (unless I switch to another ISP): no static routes can be implemented, nor can one get it acting as a bridge.

Sorry, info will come in the wrong order but I'm limited to one media per post.

Interfaces:

Static routes:

# ip route list
default via 192.168.1.1 dev eth1 
192.168.1.0/24 dev eth1 scope link  src 192.168.1.2 
192.168.3.0/24 dev eth0.3 scope link  src 192.168.3.1 
192.168.7.0/24 dev eth0.7 scope link  src 192.168.7.1 
192.168.9.0/24 dev eth0.9 scope link  src 192.168.9.1 
192.168.111.0/24 dev eth0.111 scope link  src 192.168.111.1

WG client (from /etc/config/network):

config wireguard_VPN
    option description 'ONECLIENT'
    option public_key 'ONEPUBKEY'
    option private_key 'ONEPRIVATEKEY'
    option preshared_key 'ONEPSK'
    option persistent_keepalive '25'
    option route_allowed_ips '0'
    list allowed_ips '10.20.10.0/32'
    list allowed_ips '192.168.7.0/24'

WG interface:

config interface 'VPN'
    option proto 'wireguard'
    option private_key 'THISPRIVATEKEY'
    list addresses '10.20.10.1'
    option listen_port '51555'
    list dns '192.168.7.1'

Firewall zones:

Firewall ports forwards:

And the VPN status:

Again, thanks a lot to anyone taking the time to assist me here !
Cheers !

The allowed_ips confuses a lot of people. allowed_ips are IPs that will be seen as source addresses from the other end of the tunnel. If you have a "road warrior" phone with a single IP being its end of the tunnel, everything that it sends will have a source address of that one IP, so at the server side, allowed_ips is just that one /32.

If you set the Wireguard tunnel IP as a /24, then a route to the /32s of each of the road warriors is inherent, and route_allowed_ips need not be set.

Generally on the road warrior, its allowed_ips are the whole Internet 0.0.0.0/0, and the phone will route all Internet access into the tunnel. If you only want to reach LANs via the VPN, then you would need to specify each LAN as an allowed_ip, or declare a whole private address space (such as 192.168.0.0/16) as allowed_ip.

1 Like
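As an added illustration of the allowed_ips semantics explained above (this is not code from the thread, from WireGuard or from OpenWrt): a small Python model of WireGuard's cryptokey routing, fed with the peer tables from this thread. The peer names "phone" and "home" are assumptions.

```python
import ipaddress

# Added example, not WireGuard or OpenWrt code: a model of cryptokey routing
# showing what allowed_ips means on each end of the tunnel. The peer tables
# below are constructed from this thread; the peer names are assumptions.

def _nets(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]

def select_peer(peers, dst):
    """Outbound: a packet handed to the wg interface goes to the peer whose
    allowed_ips holds the longest prefix matching dst; None means wg drops it."""
    dst, best, best_len = ipaddress.ip_address(dst), None, -1
    for name, cidrs in peers.items():
        for net in _nets(cidrs):
            if dst in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best

def accept_inbound(peers, peer, src):
    """Inbound: after decryption a packet from `peer` is kept only if its source
    address lies inside that peer's allowed_ips; anything else is dropped silently."""
    return any(ipaddress.ip_address(src) in net for net in _nets(peers[peer]))

def kernel_routes(peers):
    """What route_allowed_ips=1 adds on OpenWrt: one route per allowed_ips entry
    pointing at the wg interface, whether or not a LAN interface owns that prefix."""
    return sorted({str(net) for cidrs in peers.values() for net in _nets(cidrs)})

# Server side as first posted: the network address instead of the phone's own
# address, plus the LAN subnet listed under the peer.
SERVER_ORIGINAL = {"phone": ["10.20.10.0/32", "192.168.7.0/24"]}
# Server side after the fix: only the phone's tunnel address.
SERVER_FIXED = {"phone": ["10.20.10.2/32"]}
# Phone side: the private range and the tunnel subnet go through the VPN,
# everything else (e.g. 8.8.8.8) stays on the cellular link.
PHONE = {"home": ["192.168.0.0/16", "10.20.10.0/24"]}
```

With SERVER_ORIGINAL the phone's packets (source 10.20.10.2) are silently dropped on arrival, and the 192.168.7.0/24 entry becomes the kernel route that swallowed the LAN in the first post; with SERVER_FIXED the LAN is no longer a tunnel destination at all.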

Super ! I'll fix this, but this won't solve the routing problem I fear.
And as explained in my first post, I only want 192.168.0.0/16 from my roaming devices.

Remove list allowed_ips '192.168.7.0/24'

If you want your roaming devices only to connect to your servers then use as Allowed IPs on the roaming clients:
192.168.0.0/16 and 10.20.10.0/24 instead of 0.0.0.0/0

Thanks egc, you mean I should only adjust allowed_ips on the client ? No matter if the address range is not allowed on the server ? This is probably in contradiction with the previous answer from mk24, but I can try.

Your roaming client NATs its traffic, so all traffic from the client comes from its WG interface, e.g. 10.20.10.2/32

and now looking closer I see another mistake on the peer, this is wrong:
list allowed_ips '10.20.10.0/32'

You should set the address of the peer e.g. 10.20.10.2/32

Oh, and I would enable route_allowed_ips; not enabling this is one of the mistakes often made when setting up WG on OpenWRT, as it is disabled by default. All other firmwares have it enabled by default.
You usually want a return route back, so enable it.
(BUT it is exactly as Mike said: using a /24 for the interface already sets a return route back, but often a /32 is used and then it will not work unless route_allowed_ips is set, so in your case it is redundant, but for the record please set it.)

OK, I'm beginning to understand how far I was from the solution !

So I set on the client:
allowed_ips = 192.168.7.0/24,10.20.10.0/24

On the server, the WG peer:

allowed_ips = 10.20.10.2/32
route_allowed_ips = 1

I checked the routing table on the system, seems clean but I don't have routes/rules between the VPN and LAN zones.

# ip route list
default via 192.168.1.1 dev eth1 
192.168.1.0/24 dev eth1 scope link  src 192.168.1.2 
192.168.3.0/24 dev eth0.3 scope link  src 192.168.3.1 
192.168.7.0/24 dev eth0.7 scope link  src 192.168.7.1 
192.168.9.0/24 dev eth0.9 scope link  src 192.168.9.1 
192.168.111.0/24 dev eth0.111 scope link  src 192.168.111.1

Maybe there's something missing here ?!?
Again, thank you !

That is moving in the right direction :slight_smile:

Next stop is the firewall.

Please connect to your OpenWRT device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
wg show

Here you go !

root@OpenWrt:~# ubus call system board
{
	"kernel": "5.10.176",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 3",
	"model": "Raspberry Pi 4 Model B Rev 1.5",
	"board_name": "raspberrypi,4-model-b",
	"rootfs_type": "ext4",
	"release": {
		"distribution": "OpenWrt",
		"version": "22.03.5",
		"revision": "r20134-5f15225c1e",
		"target": "bcm27xx/bcm2711",
		"description": "OpenWrt 22.03.5 r20134-5f15225c1e"
	}
}
root@OpenWrt:~# cat /etc/config/network 

config interface 'loopback'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'
	option device 'lo'

config device
	option name 'br-lan'
	option type 'bridge'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '7'
	option name 'eth0.7'
	option ipv6 '0'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '9'
	option name 'eth0.9'
	option ipv6 '0'

config interface 'LAN'
	option proto 'static'
	option device 'eth0.7'
	option ipaddr '192.168.7.1'
	option netmask '255.255.255.0'
	option broadcast '192.168.7.255'
	option gateway '192.168.1.1'

config interface 'GUESTS'
	option proto 'static'
	option device 'eth0.9'
	option ipaddr '192.168.9.1'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'
	option broadcast '192.168.9.255'

config device
	option name 'eth0'
	option ipv6 '0'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '111'
	option name 'eth0.111'
	option ipv6 '0'

config interface 'admin'
	option proto 'static'
	option device 'eth0.111'
	option ipaddr '192.168.111.1'
	option netmask '255.255.255.0'
	option broadcast '192.168.111.255'
	option gateway '192.168.1.1'

config interface 'IOT'
	option proto 'static'
	option device 'eth0.3'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'
	option broadcast '192.168.3.255'

config device
	option name 'eth0.3'
	option type '8021q'
	option ifname 'eth0'
	option vid '3'
	option ipv6 '0'

config device
	option name 'eth1'
	option ipv6 '0'

config interface 'WAN2'
	option device 'eth1'
	option proto 'static'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'
	option broadcast '192.168.1.255'

config interface 'VPN'
	option proto 'wireguard'
	option private_key 'KEYHERE'
	list addresses '10.20.10.1'
	option listen_port '51555'
	list dns '192.168.7.1'

config wireguard_VPN
	option description 'Pixel'
	option public_key 'KEYHERE'
	option private_key 'KEYHERE'
	option preshared_key 'KEYHERE'
	option persistent_keepalive '25'
	list allowed_ips '10.20.10.2/32'
	option route_allowed_ips '1'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option drop_invalid '1'
	option flow_offloading '1'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	list network 'WAN2'
	option forward 'REJECT'
	option input 'REJECT'

config zone
	option name 'IOT'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option log '1'
	option log_limit '10'
	option forward 'REJECT'
	list network 'IOT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option log '1'
	option log_limit '10'
	list network 'LAN'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'IPV6::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'GUESTS'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'GUESTS'

config zone
	option name 'ADMIN'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'admin'

config forwarding
	option src 'IOT'
	option dest 'wan'

config forwarding
	option src 'GUESTS'
	option dest 'wan'

config forwarding
	option src 'ADMIN'
	option dest 'wan'

config redirect 'adguardhome_dns_53'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '53'
	option target 'DNAT'
	option name 'Adguard Home'
	option dest 'lan'
	option dest_port '53'

config forwarding
	option dest 'lan'

config forwarding
	option src 'IOT'

config rule
	option name 'SOMEPROTOCOL'
	list proto 'tcp'
	option src 'IOT'
	option dest 'lan'
	option dest_port '1234'
	option target 'ACCEPT'
	list src_ip '192.168.3.0/24'
	list dest_ip 'SOMEIP'

config rule
	option name 'ANOTHERPROTOCOL'
	list proto 'tcp'
	option src 'IOT'
	list src_ip '192.168.3.0/24'
	option dest 'lan'
	option dest_port '4321'
	option target 'ACCEPT'
	list dest_ip 'IPHERE'

config rule
	option name 'IOT_HTTP'
	list proto 'tcp'
	option src 'lan'
	list src_ip '192.168.7.0/24'
	option dest 'IOT'
	list dest_ip '192.168.3.0/24'
	option target 'ACCEPT'
	option family 'ipv4'
	option dest_port '80'

config redirect
	option target 'DNAT'
	option name 'Wireguard'
	list proto 'udp'
	option src 'wan'
	option dest_ip '10.20.10.1'
	option src_dport 'PORT_FROM_ISPROUTER'
	option dest_port '51555'
	option dest 'VPN'
	option family 'ipv4'

config zone
	option name 'VPN'
	option output 'ACCEPT'
	list device 'VPN'
	list network 'VPN'
	option mtu_fix '1'
	list subnet '10.20.10.0/32'
	option forward 'REJECT'
	option input 'REJECT'

config forwarding
	option src 'VPN'
	option dest 'wan'

root@OpenWrt:~# wg show
interface: VPN
  public key: KEYHERE
  private key: (hidden)
  listening port: 51555

peer: KEYHERE
  preshared key: (hidden)
  endpoint: WANIP:WANPORT
  allowed ips: 10.20.10.0/32, 192.168.7.0/24
  latest handshake: 12 minutes, 1 second ago
  transfer: 10.57 KiB received, 403.61 KiB sent
  persistent keepalive: every 25 seconds
root@OpenWrt:~# 

A few rules have been removed, but these would not be relevant as they address other subnets than LAN.

I am assuming this is a regular router with a WAN and LAN, but there are things in your network which I am not certain about, e.g. all the option gateway '192.168.1.1', but I do not have a Pi and only use DSA for VLANs, so I will refrain from commenting about that.

It is not the problem but use list addresses '10.20.10.1/24'

Remove this rule:

Replace it with:

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51555'
	option proto 'udp'
	option target 'ACCEPT'

Remove the rule:

Replace with:

config zone
	option name 'VPN'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option input 'ACCEPT'
	list network 'VPN'

Now make forward to all zones you want, you probably only need to allow forward to lan zone e.g.:

But if necessary make other forwards e.g. to wan if you want internet access or to iot or guest etc

Reboot router and test again.

If it does not work please send current configs again plus output of wg show redact keys
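The fixes walked through above (the peer's allowed_ips, route_allowed_ips, the /24 on the interface address, the zone input policy, the forwarding to lan and a plain ACCEPT rule instead of the DNAT redirect) as an added Python lint over UCI text; this is added here and is neither OpenWrt's own tooling nor egc's code. parse_uci is a hypothetical minimal parser, and the sample is the thread's first server config with keys and unrelated sections removed.

```python
import ipaddress
import shlex

def parse_uci(text):
    """Minimal parser for OpenWrt UCI text: one dict per 'config' section."""
    sections = []
    for w in filter(None, (shlex.split(line, comments=True) for line in text.splitlines())):
        if w[0] == 'config':
            sections.append({'.type': w[1], '.name': w[2] if len(w) > 2 else ''})
        elif w[0] == 'option':
            sections[-1][w[1]] = w[2]
        elif w[0] == 'list':  # list entries accumulate
            sections[-1].setdefault(w[1], []).append(w[2])
    return sections

def lint_wireguard(network_text, firewall_text):
    """Findings for each wireguard interface, mirroring the fixes given in this thread."""
    net, fw, out = parse_uci(network_text), parse_uci(firewall_text), []
    for wg in (s for s in net if s.get('proto') == 'wireguard'):
        name, port = wg['.name'], wg.get('listen_port')
        addrs = [ipaddress.ip_interface(a) for a in wg.get('addresses', [])]
        if addrs and all(a.network.prefixlen == a.max_prefixlen for a in addrs):
            out.append(f"{name}: address has no mask (so /32); use e.g. {addrs[0].ip}/24")
        for p in (s for s in net if s['.type'] == 'wireguard_' + name):
            who = 'peer ' + p.get('description', '?')
            if p.get('route_allowed_ips') != '1':
                out.append(who + ': route_allowed_ips is off, so there is no return route to the peer')
            for cidr in p.get('allowed_ips', []):
                ai = ipaddress.ip_interface(cidr)
                if ai.ip in [a.ip for a in addrs]:
                    out.append(f"{who}: allowed_ips {cidr} is the router's own tunnel address")
                elif ai.network.prefixlen == ai.max_prefixlen and ai.ip.packed[-1] == 0:  # heuristic: .0 host
                    out.append(f"{who}: allowed_ips {cidr} is a network address, not the peer's")
        zone = next((z for z in fw if z['.type'] == 'zone' and name in z.get('network', [])), None)
        if zone is None:
            out.append(f'{name}: no firewall zone covers this interface')
            continue
        if zone.get('input') != 'ACCEPT':
            out.append(f"zone {zone['name']}: input is not ACCEPT, clients cannot reach the router (DNS)")
        if not any(f['.type'] == 'forwarding' and f.get('src') == zone['name'] and f.get('dest') == 'lan' for f in fw):
            out.append(f"zone {zone['name']}: no forwarding to lan, the servers stay unreachable")
        if any(r['.type'] == 'redirect' and r.get('dest_port') == port for r in fw):
            out.append(f'{name}: UDP {port} is DNATed by a redirect; use a plain ACCEPT rule on wan instead')
        if not any(r['.type'] == 'rule' and r.get('src') == 'wan' and r.get('dest_port') == port and r.get('target') == 'ACCEPT' for r in fw):
            out.append(f'{name}: no rule accepting UDP {port} from wan')
    return out

# Constructed sample: the thread's first server config, keys and unrelated sections removed.
ORIGINAL_NETWORK = """config interface 'VPN'
	option proto 'wireguard'
	list addresses '10.20.10.1'
	option listen_port '51555'
config wireguard_VPN
	option description 'Pixel'
	list allowed_ips '10.20.10.0/32'
	option route_allowed_ips '0'"""
ORIGINAL_FIREWALL = """config redirect
	option src 'wan'
	option dest_port '51555'
	option dest 'VPN'
config zone
	option name 'VPN'
	option input 'REJECT'
	list network 'VPN'"""
```

Running lint_wireguard(ORIGINAL_NETWORK, ORIGINAL_FIREWALL) lists all seven problems the thread corrects; the same function returns an empty list for a config with the /24 address, the peer's own /32, route_allowed_ips '1', an ACCEPT zone, a forwarding to lan and the Allow-WireGuard rule.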

I have applied your changes but connection to VPN is lost.
Will re-re-check the changes and post any relevant things I may find.
192.168.1.1 is the address of the ISP router, so that's my packet's way out :slight_smile:

interface: VPN
  public key:KEY
  private key: (hidden)
  listening port: 51555

peer: KEY
  preshared key: (hidden)
  allowed ips: 10.20.10.2/32
  persistent keepalive: every 25 seconds

This very much looks like it:

# ip route list
default via 192.168.1.1 dev eth1 
10.20.10.0/24 dev VPN scope link  src 10.20.10.1 
10.20.10.2 dev VPN scope link 
192.168.1.0/24 dev eth1 scope link  src 192.168.1.2 
192.168.3.0/24 dev eth0.3 scope link  src 192.168.3.1 
192.168.7.0/24 dev eth0.7 scope link  src 192.168.7.1 
192.168.9.0/24 dev eth0.9 scope link  src 192.168.9.1 
192.168.111.0/24 dev eth0.111 scope link  src 192.168.111.1

Cheers !

Yes, I haven't seen a mistake, and when starting network or firewall services, I see no complaint for a missing parameter. Rebooted the system for precaution. From the client (my phone which is on cellular network only), I see no packets back from my server now.

Configuration again:

# cat /etc/config/network
[... unchanged ...]
config interface 'VPN'
        option proto 'wireguard'
        option private_key 'KEYHERE'
        list addresses '10.20.10.1/24'
        option listen_port '51555'
        list dns '192.168.7.1'

config wireguard_VPN
        option description 'ONEPEER'
        option public_key 'ANOTHERKEY'
        option private_key 'KEY.KEY'
        option preshared_key 'PSK'
        option persistent_keepalive '25'
        list allowed_ips '10.20.10.1/24'
        option route_allowed_ips '1'

And the firewall, keeping only WAN, LAN and VPN stuff:

# cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option drop_invalid '1'
	option flow_offloading '1'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	list network 'WAN2'
	option forward 'REJECT'
	option input 'REJECT'

[...]

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option log '1'
	# option log_limit '10'
	list network 'LAN'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'IPV6/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

[...]

config redirect 'adguardhome_dns_53'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '53'
	option target 'DNAT'
	option name 'Adguard Home'
	option dest 'lan'
	option dest_port '53'

[...]

config rule 'wg'
	option name 'Allow-Wireguard'
	option src 'wan'
	option dest_port '51555'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'VPN'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'VPN'

config forwarding
	option src 'VPN'
	option dest 'lan'

The list allowed_ips is wrong; that should be the wg address of the peer.

Please post your wg client config

Good morning and thanks !
I have set as follows:
list allowed_ips '10.20.10.2'
with no luck - VPN client TX counter rises while RX is stuck at 0 kB.

Client is the Wireguard Android app, so "translating":

IP: 10.20.10.2/32
Allowed IPs: 192.168.77.0/24,10.20.10.0/24
TCP KA: 25

I'll reboot my openWRT just to make sure nothing got stuck with the config changes.

For the record, routing table:

# ip route list
default via 192.168.1.1 dev eth1 
10.20.10.0/24 dev VPN scope link  src 10.20.10.1 
10.20.10.2 dev VPN scope link 
192.168.1.0/24 dev eth1 scope link  src 192.168.1.2 
192.168.3.0/24 dev eth0.3 scope link  src 192.168.3.1 
192.168.7.0/24 dev eth0.7 scope link  src 192.168.7.1 
192.168.9.0/24 dev eth0.9 scope link  src 192.168.9.1 
192.168.111.0/24 dev eth0.111 scope link  src 192.168.111.1

I do not think you have a network 192.168.77.0/24.
To make sure it is not a client problem, just use 0.0.0.0/0 as allowed IPs on your phone.
To make sure it is not a port forward problem, connect your phone to the ISP router and use as endpoint address in your phone the WAN IP address of the RPi: 192.168.1.2

1 Like