Remote LAN access with WireGuard

Hi friends,

I have been frustrated working on this issue for over five days now, and despite my best efforts, I am unable to find a resolution. Having thoroughly researched guides, YouTube videos, and forum posts, I've reached a point where I feel it's necessary to turn to the community for assistance.

This is currently my setup. The VPNLAN and WG1 interfaces are connected and provide a separate internet connection over a Wi-Fi network that I can access on my Nintendo Switch. This network works fine and can be ignored (no issues).

[Router screenshot]
The issue I'm having is with my WG0 interface. I'm trying to create something called a "bounce server"

  • “Router” - The machine that will serve as the gateway (inwards) to your LAN
  • “Server” - The machine with a publicly accessible IP that all clients will connect to. Also known as a “Bounce Server”
  • “Client” - You, trying to connect to your LAN remotely somewhere

Here's the guide I followed: Remote LAN access with WireGuard (laroberto.com)

In case you're wondering why I haven't opted for port forwarding, it's because I'm behind a NAT in my apartment complex, which prevents me from doing so. Moreover, employing this alternative method offers security benefits that I'd like to capitalize on.

The problem arises when I attempt to permit the 192.168.1.0/24 subnet as an Allowed IP through my WG0 interface. This action results in my router crashing and losing access to it. I suspect that this issue may be related to configuring split tunneling, which I believe needs to be set up (I'm unsure of how to do this).

The interesting part about this whole issue is that whenever I add 0.0.0.0/0 to the Allowed IPs in the WG0 interface and create a static route of

target: 0.0.0.0
IPv4-Netmask: 0.0.0.0

I can successfully ping my router's interface at 192.168.1.1 and access the OpenWRT homepage through the Wireguard tunnel established on my phone, all without losing my internet connection. This progress brings me closer to my ultimate objective; however, I require assistance in gaining access to the other local IPs without compromising my LAN internet connection.

[Ping screenshots]

Thank you. I hope someone is able to help me with this issue.

Edit: I made some changes and added 192.168.1.0/24 to my allowed IPs list for WG0 and changed the input from accept to reject in the firewall for smartvpn, but I now can't ping 192.168.1.1

Does your remote network have the same subnet? (192.168.1.0/24)? If so, that will need to be changed on one side or the other.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

cat /etc/config/network - results:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd17:7a3f:c172::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'
        option igmp_snooping '1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'eth0.2'
        option macaddr 'e8:48:b8:10:dd:e5'
        option acceptlocal '1'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'
        option peerdns '0'
        list dns '192.168.1.213'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0t 2 3 4'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '2'
        option ports '0t 1'

config device
        option type 'bridge'
        option name 'br-tun0'
        option ipv6 '0'
        option mtu '1500'
        option txqueuelen '1000'
        option bridge_empty '1'
        option igmp_snooping '1'
        list ports 'eth0.3'
        list ports 'wg1'
        list ports 'wlan0-1'

config interface 'VPNLAN'
        option proto 'static'
        option device 'br-tun0'
        list ipaddr '10.0.4.1/24'
        option delegate '0'
        option force_link '0'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '3'
        option ports '0t 5'

config interface 'wg1'
        option proto 'wireguard'
        option delegate '0'
        option private_key '<private key>'
        list addresses '172.16.0.3/24'
        option peerdns '0'

config interface 'wg0'
        option proto 'wireguard'
        option private_key '<private key>'
        list addresses '192.168.10.3/32'
        option delegate '0'

config wireguard_wg0
        option description 'Server'
        option public_key '<public key>'
        option endpoint_host '<ip address>'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        list allowed_ips '192.168.10.0/24'
        list allowed_ips '0.0.0.0/0'

config device
        option name 'wg0'
        option ipv6 '0'

config device
        option name 'wg1'
        option ipv6 '0'

config wireguard_wg1
        option description 'Wireguard'
        option endpoint_host '<ip address>'
        option persistent_keepalive '25'
        option endpoint_port '51821'
        option public_key '<public key>'
        list allowed_ips '0.0.0.0/0'

config rule
        option in 'VPNLAN'
        option lookup '1742'

config route
        option interface 'wg1'
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option table '1742'

config route
        option interface 'wg0'
        option target '0.0.0.0'
        option netmask '0.0.0.0'

cat /etc/config/firewall - results:

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config zone
        option name 'vpnlan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'VPNLAN'

config zone
        option name 'vpnwan'
        option input 'REJECT'
        option output 'ACCEPT'
        option masq '1'
        option forward 'REJECT'
        list network 'wg1'
        option mtu_fix '1'

config forwarding
        option src 'vpnlan'
        option dest 'vpnwan'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Force DNS'
        option src 'wan'
        option src_dport '53'

config zone
        option name 'smartvpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        list network 'wg0'
        option masq '1'
        option mtu_fix '1'
        option forward 'REJECT'

config forwarding
        option src 'lan'
        option dest 'smartvpn'

@psherman also asked if the subnet of the server side is different from the client side.

WireGuard is a routed solution and it needs three different subnets: the client side, which seems to be 192.168.1.1, the WG subnet, which seems to be 192.168.10.0/24, and the server's subnet, but what is it?

If it is one of the already mentioned something has to give.

For a site-to-site setup, as you are wanting to make, you have to put the subnet of the other side in the allowed IPs, besides the WG subnet, disable masquerading and make sure the client's firewall allows incoming traffic.

root@racknerd-40ea50:~# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet <ip address>  netmask 255.255.255.224  broadcast <ip address>
        inet6 <ip6 address> prefixlen 64  scopeid 0x20<link>
        ether <ether>  txqueuelen 1000  (Ethernet)
        RX packets 1158702  bytes 141179090 (141.1 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 627672  bytes 108757457 (108.7 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 80  bytes 5920 (5.9 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 80  bytes 5920 (5.9 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1420
        inet 192.168.10.1  netmask 255.255.255.255  destination 192.168.10.1
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 590375  bytes 75275964 (75.2 MB)
        RX errors 905  dropped 0  overruns 0  frame 905
        TX packets 590340  bytes 75288720 (75.2 MB)
        TX errors 46  dropped 0 overruns 0  carrier 0  collisions 0

So you're saying I need to change the 192.168.10.1 on the server from this to a different subnet?
I basically followed this guide:

Remote LAN access with WireGuard (laroberto.com)

Which has the subnets all the same

Here's the server wireguard config:

# Server
[Interface]
Address = 192.168.10.1/32
ListenPort = 51820
#DNS = 8.8.8.8, 8.4.4.8, 1.1.1.1, 1.0.0.1
PrivateKey = <private key>
#PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# Router LAN
[Peer]
PublicKey = <public key>
AllowedIPs = 192.168.10.0/24, 192.168.1.0/24

# Client
[Peer]
PublicKey = <public key>
AllowedIPs = 192.168.10.2/32

I'm assuming the client is a single endpoint such as a phone or a laptop, also known as a road warrior, and not a router with its own LAN behind it.

As a side note, when you connect the road warrior to someone else's network, it is likely to have an IP inside 192.168.1.0/24 on its WAN from that network, and this will cause routing problems. Your home network LAN should be something obscure to reduce the chance of that happening.

Each machine on the wireguard tunnel network needs a unique IP, in the same subnet.

server VPS 192.168.10.1/24
home router 192.168.10.2/24
client road warrior 192.168.10.3/24.

In the main wireguard interface, the IP should be specified as /24. This automatically installs a route to all of 192.168.10.0 via the wireguard tunnel, which is what you want. The route_allowed_ips should be enabled on both the server and all clients.

The allowed_ips are not so simple. A machine with multiple connections to the same wireguard interface (the server) uses allowed_ips for routing within wireguard. If on the same wireguard interface, two remote peer configurations contain allowed_ips that overlap with each other, Wireguard cannot work. (This can only happen on the server since it is the only one with multiple peers on the same interface.)

On the server:

  • Each client's allowed_ips set includes that client's tunnel IP /32 and any remote LANs on the client's side.
  • Both of these need to be unique among all the clients.

On a client:

  • the only peer is the server.
  • allowed_ips need to at least include the tunnel /24 in order to accept all other clients.
  • If any of the other clients are routers, their LANs need to be allowed.
  • If this client is a router, all of its LANs must not overlap the tunnel or any remote LANs.
  • 0.0.0.0/0 can be used if it is desired to tunnel all Internet usage via the server VPS. The server must be set up to forward and NAT from wireguard to the Internet. Installing 0.0.0.0/0 as an allowed_ip also allows any tunnel or LAN, making it unnecessary to configure other more specific allowed_ips.
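As an added example that is not part of the thread, the following Python script turns the rules in the post above (unique tunnel addresses, non-overlapping AllowedIPs on the hub, the tunnel plus every remote LAN on each spoke) and the road-warrior prefix collision from the same post into checks you can run on a plan before touching the router. It also covers the site-to-site advice earlier in the thread (the other side's subnet goes into AllowedIPs next to the WG subnet). The site names and the phone's foreign network are assumptions for illustration; THREAD_SERVER_PEERS copies the two peers' AllowedIPs from the VPS server config posted above, and hub_overlaps flags that the router peer's 192.168.10.0/24 overlaps the client peer's 192.168.10.2/32.

```python
"""Check a hub-and-spoke WireGuard plan for the pitfalls discussed above.

Added example, not part of the thread. It models the topology as data: a VPS
hub, a home router with a LAN behind it, and a road-warrior phone. Standard
library only. Site names and the phone's foreign network are assumptions;
THREAD_SERVER_PEERS is copied from the server config posted above.
"""
from ipaddress import ip_address, ip_network
from itertools import combinations

TUNNEL = ip_network("192.168.10.0/24")  # WireGuard transit subnet

# site -> (tunnel address, LANs reachable behind that site)
SITES = {
    "vps":    ("192.168.10.1", []),                  # hub: public IP, no LAN
    "router": ("192.168.10.2", ["192.168.1.0/24"]),  # OpenWrt router + home LAN
    "phone":  ("192.168.10.3", []),                  # road warrior, no LAN
}

# Peer AllowedIPs exactly as posted for the VPS server config above.
THREAD_SERVER_PEERS = {
    "router": ["192.168.10.0/24", "192.168.1.0/24"],
    "client": ["192.168.10.2/32"],
}


def hub_overlaps(peers):
    """Overlapping AllowedIPs between *different* peers on one interface.

    Cryptokey routing maps each prefix to exactly one peer. If two peers claim
    overlapping prefixes, the peer added last gets the prefix and the other
    silently loses it, so the setup only works by accident of ordering.
    Returns (peer_a, peer_b, net_a, net_b) tuples."""
    table = [(peer, ip_network(p)) for peer, prefixes in peers.items() for p in prefixes]
    return [(a, b, x, y) for (a, x), (b, y) in combinations(table, 2)
            if a != b and x.overlaps(y)]


def plan_hub_peers(sites, hub):
    """AllowedIPs the hub should carry per spoke: the spoke's /32 plus its LANs."""
    return {name: [ip_network(addr + "/32")] + [ip_network(l) for l in lans]
            for name, (addr, lans) in sites.items() if name != hub}


def plan_spoke_peer(sites, hub, spoke):
    """AllowedIPs a spoke sets for its only peer (the hub): the whole tunnel
    plus every *other* spoke's LAN, so those prefixes are both routed into the
    tunnel and accepted when they arrive from it."""
    nets = [TUNNEL]
    for name, (_, lans) in sites.items():
        if name not in (hub, spoke):
            nets += [ip_network(l) for l in lans]
    return nets


def check_plan(sites, hub, road_warrior=None, road_warrior_local=None):
    """Return human-readable problems; an empty list means the plan is sane."""
    problems = []

    seen = {}
    for name, (addr, _) in sites.items():
        ip = ip_address(addr)
        if ip not in TUNNEL:
            problems.append(f"{name}: tunnel address {addr} is outside {TUNNEL}")
        if ip in seen:
            problems.append(f"{name}: tunnel address {addr} already used by {seen[ip]}")
        seen[ip] = name

    planned = {p: [str(n) for n in nets] for p, nets in plan_hub_peers(sites, hub).items()}
    for a, b, x, y in hub_overlaps(planned):
        problems.append(f"hub: {x} ({a}) overlaps {y} ({b})")

    # Tunnel and every LAN must be pairwise disjoint, or routing is ambiguous.
    lans = [("tunnel", TUNNEL)] + [(name, ip_network(l))
                                   for name, (_, ls) in sites.items() for l in ls]
    for (a, x), (b, y) in combinations(lans, 2):
        if x.overlaps(y):
            problems.append(f"{x} ({a}) overlaps {y} ({b}); renumber one side")

    # Road-warrior case: the network the phone happens to be on reuses a prefix
    # it wants to reach through the tunnel, so the local and tunnel routes collide.
    if road_warrior and road_warrior_local:
        local = ip_network(road_warrior_local)
        for n in plan_spoke_peer(sites, hub, road_warrior):
            if local.overlaps(n):
                problems.append(f"{road_warrior} on {local} collides with remote {n}")
    return problems


if __name__ == "__main__":
    for a, b, x, y in hub_overlaps(THREAD_SERVER_PEERS):
        print(f"posted server config: {x} ({a}) overlaps {y} ({b})")
    for peer, nets in plan_hub_peers(SITES, "vps").items():
        print(f"hub peer {peer}: AllowedIPs = {', '.join(map(str, nets))}")
    for spoke in ("router", "phone"):
        nets = plan_spoke_peer(SITES, "vps", spoke)
        print(f"{spoke} -> hub: AllowedIPs = {', '.join(map(str, nets))}")
    print(check_plan(SITES, "vps", road_warrior="phone", road_warrior_local="192.168.1.0/24"))
```

Run it as-is to see the overlap in the posted server config, the per-peer AllowedIPs a clean hub would carry, and the single collision reported when the phone sits on a foreign 192.168.1.0/24 network; feed it your own SITES table to check a different plan.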

You do not need to change the WireGuard address, although I would choose a netmask of /24

I am talking about the subnet (ip address) of the server itself.

Your clients subnet/LAN ip address is 192.168.1.1/24

The server side also has a subnet/LAN IP address, and that cannot be 192.168.1.1/24 nor 192.168.10.1/24.
There need to be three different subnets/IP addresses.

Configuring the VPS (unless it is running OpenWrt) is outside the scope of this forum, but generally a VPS set up for this purpose will not have a LAN. Its only two interfaces (besides loopback) will be one facing outside with a public IP, and the wireguard tunnel.

Solution:

#PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

I needed to include this in my OpenWRT router, and I was assuming that the firewall routes included this.

That was not the case and I needed to create the following:

config rule
    option name 'Allow-Forward-WireGuard-In'
    option src 'smartvpn'
    option dest 'lan'
    option target 'ACCEPT'
    option proto 'all'

config rule
    option name 'Allow-Forward-WireGuard-Out'
    option src 'lan'
    option dest 'smartvpn'
    option target 'ACCEPT'
    option proto 'all'

config nat
    option name 'MASQUERADE-WireGuard'
    option src 'smartvpn'
    option dest 'wan'
    option target 'MASQUERADE'

Could the VPS "bounce server" also be an x86 instance of OpenWRT ?
