Remotely access IP Camera behind OpenWrt router

I just set it up without really thinking about it, as I assumed the camera needs internet access to work; I guess I will try disabling the internet and see if it still works.

Apart from the link you provided, I also followed this tutorial on YouTube; the purpose is so that clients connected to the network cannot access the router pages or SSH to the router. I just added it as a security countermeasure.

I have added 192.168.0.0/16 under Network > Interfaces > WG0 > Peers > Edit > Allowed IPs, but I still cannot ping the camera's IP address, either from the VPS or from my device (inside the WireGuard tunnel). Can you help identify what's wrong with it?

It might, it might not. Give it a shot, and if it doesn't require internet, you can remove the cctv > wan forwarding rule.

That rule is not necessary. I have not watched the tutorial, but there are many people making videos who do not fully understand the firewall and will add unnecessary rules (or worse, rules that cause problems). You can delete that rule.

No, that should be removed. It was the configuration on the remote peer itself that I was referring to, not the OpenWrt peer config. In other words, the VPS. Let's see the configuration you have on the VPS.

cat /etc/wireguard/wg0.conf (on vps)

# Do not alter the commented lines
# They are used by wireguard-install
# ENDPOINT 103.x.x.x

[Interface]
Address = 10.7.0.1/24, fddd:2c4:2c4:2c4::1/64
PrivateKey = (redacted)
ListenPort = 8920

# BEGIN_PEER liso
[Peer]
PublicKey = (redacted)
PresharedKey = (redacted)
AllowedIPs = 10.7.0.2/32, fddd:2c4:2c4:2c4::2/128
# END_PEER liso
# BEGIN_PEER finix
[Peer]
PublicKey = (redacted)
PresharedKey = (redacted)
AllowedIPs = 10.7.0.3/32, fddd:2c4:2c4:2c4::3/128
# END_PEER finix
# BEGIN_PEER router1
[Peer]
PublicKey = (redacted)
PresharedKey = (redacted)
AllowedIPs = 10.7.0.4/32, fddd:2c4:2c4:2c4::4/128
# END_PEER router1
  • router1 is the OpenWrt peer
  • finix is my phone
  • liso is the laptop I am using now

WireGuard was installed using the Nyr WireGuard road warrior installer → https://github.com/Nyr/wireguard-install

Add 192.168.16.0/24 to the allowed IPs above.

Now the router1 peer looks like this.

# BEGIN_PEER router1
[Peer]
PublicKey = (redacted)
PresharedKey = (redacted)
AllowedIPs = 10.7.0.4/32, 192.168.16.0/24, fddd:2c4:2c4:2c4::4/128
# END_PEER router1

But neither the VPS nor my device can ping the camera. I have unchecked "Isolate Clients" in the wireless settings to see if that helps, but apparently it still doesn't work.

This is the result of ip -c a on the VPS.

root@japati:~# ip -c a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute 
       valid_lft forever preferred_lft forever
2: venet0: <BROADCAST,POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default 
    link/void 
    inet 127.0.0.1/32 scope host venet0
       valid_lft forever preferred_lft forever
    inet 10.x.x.x/24 brd 10.37.200.255 scope global venet0:0
       valid_lft forever preferred_lft forever
    inet6 (redacted) scope global 
       valid_lft forever preferred_lft forever
5: wg0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1420 qdisc mq state UNKNOWN group default qlen 500
    link/none 
    inet 10.7.0.1/24 scope global wg0
       valid_lft forever preferred_lft forever
    inet6 fddd:2c4:2c4:2c4::1/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 (redacted)/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever

What does a ping look like from the VPS > camera?

Please also verify that from the main lan on the OpenWrt router, you can ping the camera.

The camera doesn't have a public IP, so I just ping the internal IP (192.168.20.106). I expected that after configuring it with OpenWrt and WireGuard, I could access it remotely:

root@japati:~# ping 192.168.20.106
PING 192.168.20.106 (192.168.20.106) 56(84) bytes of data.

It just hangs; I think the VPS cannot reach 192.168.20.0/24.

I connected my PC to the OpenWrt router by Ethernet cable and it assigned me the address 192.168.16.129 (the LAN gateway is 192.168.16.1). The camera is connected to the guest Wi-Fi with gateway 192.168.20.1 (a different subnet).

I tried pinging 192.168.20.106 (camera IP address).

$ ping 192.168.20.106
PING 192.168.20.106 (192.168.20.106) 56(84) bytes of data.
From 192.168.16.1 icmp_seq=1 Destination Port Unreachable
From 192.168.16.1 icmp_seq=2 Destination Port Unreachable
From 192.168.16.1 icmp_seq=3 Destination Port Unreachable
From 192.168.16.1 icmp_seq=4 Destination Port Unreachable
From 192.168.16.1 icmp_seq=5 Destination Port Unreachable
From 192.168.16.1 icmp_seq=6 Destination Port Unreachable
From 192.168.16.1 icmp_seq=7 Destination Port Unreachable
From 192.168.16.1 icmp_seq=8 Destination Port Unreachable

The fact that the pings to the camera aren't working when you test locally means it's not a surprise you can't reach it from the remote peer.

Let's see the OpenWrt network, firewall, and wireless files.

Do you mean the files under /etc/config?

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'redacted'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config device
        option name 'eth0.1'
        option macaddr 'redacted'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.16.1'
        option delegate '0'

config device
        option name 'eth0.2'
        option macaddr 'redacted'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 6t'

config interface 'wwan'
        option proto 'dhcp'

config interface 'WG0'
        option proto 'wireguard'
        option private_key 'redacted'
        list addresses '10.7.0.4/24'
        option delegate '0'

config wireguard_WG0
        option description 'WGConnect'
        option public_key 'redacted'
        option preshared_key 'redacted'
        option route_allowed_ips '1'
        option endpoint_host '103.x.x.x'
        option endpoint_port '8920'
        option persistent_keepalive '25'
        list allowed_ips '10.7.0.0/24'

config interface 'cctv'
        option proto 'static'
        option ipaddr '192.168.20.1'
        option netmask '255.255.255.0'
        list dns '8.8.8.8'
        list dns '1.1.1.1'

cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wwan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'cctv'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'cctv'
        option input 'REJECT'

config forwarding
        option src 'cctv'
        option dest 'wan'

config rule
        option name 'cctv-dhcp'
        list proto 'udp'
        option src 'cctv'
        option target 'ACCEPT'
        option dest_port '67'

config rule
        option name 'cctv-dns'
        option src 'cctv'
        option dest_port '53'
        option target 'ACCEPT'

config zone
        option name 'wireguard'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'WG0'

config forwarding
        option src 'wireguard'
        option dest 'cctv'

cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/10180000.wmac'
        option band '2g'
        option htmode 'HT20'
        option cell_density '0'
        option country 'ID'
        option channel '1'

config wifi-iface 'wifinet1'
        option device 'radio0'
        option mode 'sta'
        option network 'wwan'
        option ssid 'japatiHiber1'
        option encryption 'psk2'
        option key 'redacted'
        option disabled '1'

config wifi-iface 'wifinet3'
        option device 'radio0'
        option mode 'ap'
        option ssid 'hiber-tv'
        option encryption 'psk2'
        option key 'redacted'
        option network 'cctv'

Ok... I didn't realize we didn't allow forwarding from lan > cctv, so the earlier result was expected. But, add this so that we can verify the camera will respond across subnets:

Add this to your firewall:

config forwarding
        option src 'lan'
        option dest 'cctv'

Restart and then ping the camera again from the lan.
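As an added example (editor's code, not part of the thread and not an OpenWrt tool), the check below answers the question the helper is reasoning about by hand: given an /etc/config/firewall text, may traffic entering on network A be forwarded to network B? Inter-zone traffic needs a matching `config forwarding` stanza; traffic between two interfaces of the same zone is governed by that zone's own `option forward`. The firewall excerpt is a constructed cut-down of the one posted above, so "lan -> cctv" is expected to come back as denied until the forwarding stanza is added.

```shell
#!/bin/sh
# Added example, not from the thread: decide from an OpenWrt
# /etc/config/firewall text whether traffic entering on network SRC may be
# forwarded to network DST. Reason on stdout; exit 0 = allowed, 1 = denied.

# Constructed excerpt modelled on the firewall file posted in the thread
# (zone and forwarding stanzas only; rules are not needed for this question).
FW_CONF=$(cat <<'EOF'
config defaults
        option forward 'REJECT'

config zone
        option name 'lan'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option forward 'REJECT'
        option masq '1'
        list network 'wan'
        list network 'wwan'

config forwarding
        option src 'lan'
        option dest 'wan'

config zone
        option name 'cctv'
        option forward 'REJECT'
        list network 'cctv'

config forwarding
        option src 'cctv'
        option dest 'wan'

config zone
        option name 'wireguard'
        option forward 'REJECT'
        list network 'WG0'

config forwarding
        option src 'wireguard'
        option dest 'cctv'
EOF
)

# fw_can_forward CONFIG SRC_NETWORK DST_NETWORK
fw_can_forward() {
    printf '%s\n' "$1" | awk -v src="$2" -v dst="$3" -v q="'" '
        { gsub(q, "") }                                     # strip UCI quoting
        $1 == "config" { n++; type[n] = $2; next }          # new stanza
        $1 == "option" && $2 == "name"    { zname[n] = $3 }
        $1 == "option" && $2 == "forward" { zfwd[n]  = $3 }
        $1 == "option" && $2 == "src"     { fsrc[n]  = $3 }
        $1 == "option" && $2 == "dest"    { fdst[n]  = $3 } # exact: not dest_port
        $1 == "list"   && $2 == "network" { zidx[$3] = n }  # network -> zone stanza
        END {
            if (!(src in zidx) || !(dst in zidx)) { print "UNKNOWN network"; exit 1 }
            sz = zname[zidx[src]]; dz = zname[zidx[dst]]
            if (sz == dz) {                                 # intra-zone: zone forward option
                ok = (zfwd[zidx[src]] == "ACCEPT")
                verdict = ok ? "ALLOW" : "DENY"
                print verdict " intra-zone " sz " (forward=" zfwd[zidx[src]] ")"
                exit !ok
            }
            for (i = 1; i <= n; i++)                        # inter-zone: need a forwarding stanza
                if (type[i] == "forwarding" && fsrc[i] == sz && fdst[i] == dz) {
                    print "ALLOW forwarding " sz " -> " dz; exit 0
                }
            print "DENY no forwarding " sz " -> " dz; exit 1
        }'
}

# Walk the paths discussed in the thread (network names, not zone names).
for pair in "lan wan" "WG0 cctv" "lan cctv" "cctv lan" "wan wwan"; do
    set -- $pair
    printf '%-5s -> %-5s : ' "$1" "$2"; fw_can_forward "$FW_CONF" "$1" "$2" || :
done
```

The "cctv lan" result is the one worth keeping as-is: the guest zone should never gain a forwarding stanza toward the LAN, and the lan -> cctv forwarding the helper asks for is one-directional, so adding it does not open that path.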

Looks promising. I've added those lines to /etc/config/firewall on OpenWrt and rebooted the router. I see the new addition under Network > Firewall.

Pinging the camera IP still doesn't work; this is taken from an SSH session on OpenWrt. The ping is still stuck.

root@OpenWrt:~# ping 192.168.20.106
PING 192.168.20.106 (192.168.20.106): 56 data bytes

It seems you're pinging from OpenWrt... that should get a response even if the camera doesn't like communicating across subnets.

If you connect a computer (or phone) to the same wifi network as the camera, can you ping it then?

Sure, the ping works when I connect to hiber-tv ssid.

[~]$ ip -c a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether d8:bb:c1:b2:a8:f9 brd ff:ff:ff:ff:ff:ff
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether ac:74:b1:46:15:6d brd ff:ff:ff:ff:ff:ff
    inet 192.168.20.100/24 brd 192.168.20.255 scope global dynamic noprefixroute wlan0
       valid_lft 43156sec preferred_lft 43156sec
    inet6 (redacted)/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
[~]$ ping 192.168.20.106
PING 192.168.20.106 (192.168.20.106) 56(84) bytes of data.
64 bytes from 192.168.20.106: icmp_seq=1 ttl=64 time=9.94 ms
64 bytes from 192.168.20.106: icmp_seq=2 ttl=64 time=20.7 ms
^C
--- 192.168.20.106 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 9.941/15.305/20.670/5.364 ms
[~]$

The camera is also connected to hiber-tv; this wireless network is the guest network.

With that in mind, go back to the main lan and test the pings again. If it fails (which I suspect it will), that suggests that this camera doesn't work across subnets. In some cases that is related to the security design of a device/firewall. In other cases, they don't understand how to deal with routed traffic.

Hey, sorry for the late reply. I have restarted the router, and now I can ping across subnets. So here I am on the LAN connection.

[~]$ ping 192.168.20.106
PING 192.168.20.106 (192.168.20.106) 56(84) bytes of data.
64 bytes from 192.168.20.106: icmp_seq=1 ttl=63 time=3.72 ms
64 bytes from 192.168.20.106: icmp_seq=2 ttl=63 time=6.95 ms
64 bytes from 192.168.20.106: icmp_seq=3 ttl=63 time=7.09 ms

I can also ping from the main router.

[~]$ s wrt
X11 forwarding request failed on channel 0


BusyBox v1.35.0 (2023-04-27 20:28:15 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 22.03.5, r20134-5f15225c1e
 -----------------------------------------------------
root@OpenWrt:~# ping 192.168.20.106
PING 192.168.20.106 (192.168.20.106): 56 data bytes
64 bytes from 192.168.20.106: seq=0 ttl=64 time=2.780 ms
64 bytes from 192.168.20.106: seq=1 ttl=64 time=2.460 ms
^C
--- 192.168.20.106 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 2.460/2.620/2.780 ms

But pinging the IP camera from the VPS doesn't work.

Ok... so your VPS may need to have an explicit route added:

192.168.20.0/24 via 10.7.0.4

I saw one of your answers in another thread with a case similar to mine → How to access LAN devices over Wireguard client on my OpenWrt Router? - #16 by psherman. I executed this command, but the ping still doesn't work.

root@japati:~# ip route add 192.168.20.0/24 via 10.7.0.4 dev wg0
root@japati:~# ping 192.168.20.106
PING 192.168.20.106 (192.168.20.106) 56(84) bytes of data.

Try a traceroute to the camera from the VPS -- what does that show?

Also, while you're at it, make sure you can reach the router itself... which of these respond:

  • 192.168.16.1
  • 192.168.20.1
  • 10.7.0.4

traceroute

root@japati:~# traceroute 192.168.20.106
traceroute to 192.168.20.106 (192.168.20.106), 30 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

ping result:

  • 192.168.16.1 (fail)
  • 192.168.20.1 (fail)
  • 10.7.0.4 (success)

The ping results show that the tunnel is up, but the VPS doesn’t have the appropriate routes.
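An added example (editor's code, not from the thread, the Nyr installer or WireGuard itself) of the check behind that last remark. On a WireGuard host, a peer's AllowedIPs is both the route and the cryptokey-routing ACL: a packet that the kernel route table hands to wg0 is only encrypted and sent if its destination falls inside some peer's AllowedIPs, otherwise WireGuard drops it (ENOKEY), which looks like a silent hang to ping and traceroute. A bare `ip route add ... dev wg0` therefore cannot help on its own. The script below emulates that lookup over a wg-quick style config modelled on the VPS file posted earlier (placeholder keys, IPv6 entries skipped), and then over a copy with the cctv subnet 192.168.20.0/24 added to router1; that addition is the editor's inference from the thread, not a step the thread states. For the return direction, the OpenWrt side's allowed_ips of 10.7.0.0/24 already covers the tunnel addresses; a road-warrior peer that wants to reach the camera through the VPS would also need the cctv subnet in its own AllowedIPs toward the VPS.

```shell
#!/bin/sh
# Added example, not from the thread: emulate WireGuard's cryptokey-routing
# lookup over a wg-quick style wg0.conf. A destination that matches no
# [Peer] AllowedIPs entry is dropped by WireGuard even if a kernel route
# points it at wg0.

# Constructed config modelled on the VPS file in the thread; keys are placeholders.
WG_CONF=$(cat <<'EOF'
[Interface]
Address = 10.7.0.1/24
ListenPort = 8920

# BEGIN_PEER router1
[Peer]
PublicKey = ROUTER1_PUBKEY
AllowedIPs = 10.7.0.4/32, 192.168.16.0/24, fddd:2c4:2c4:2c4::4/128
# END_PEER router1

# BEGIN_PEER liso
[Peer]
PublicKey = LISO_PUBKEY
AllowedIPs = 10.7.0.2/32, fddd:2c4:2c4:2c4::2/128
# END_PEER liso
EOF
)

# Assumed fix (editor's inference, not stated in the thread): the cctv subnet
# is added to router1's AllowedIPs on the VPS. wg-quick installs the matching
# kernel route itself when the interface is (re)started.
WG_CONF_FIXED=$(printf '%s\n' "$WG_CONF" \
    | sed 's|^\(AllowedIPs = 10.7.0.4/32, 192.168.16.0/24\)|\1, 192.168.20.0/24|')

# wg_lookup CONFIG DEST_IPV4 -> prints the PublicKey of the peer whose
# AllowedIPs has the longest prefix covering DEST_IPV4, or NO_PEER.
wg_lookup() {
    printf '%s\n' "$1" | awk -v dst="$2" '
        function ip2int(s,   o) { split(s, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
        # prefix length if cidr covers ip, else -1 (longest prefix wins)
        function covers(cidr, ip,   a, plen, blk) {
            split(cidr, a, "/"); plen = (a[2] == "") ? 32 : a[2] + 0
            blk = 2 ^ (32 - plen)                      # addresses per block
            return int(ip2int(a[1]) / blk) == int(ip / blk) ? plen : -1
        }
        BEGIN { best = -1; bestkey = "NO_PEER"; ip = ip2int(dst) }
        /^\[Peer\]/ { inpeer = 1; key = ""; next }
        /^\[/       { inpeer = 0; next }
        inpeer && /^PublicKey *=/  { sub(/^PublicKey *= */, ""); key = $0; next }
        inpeer && /^AllowedIPs *=/ {
            sub(/^AllowedIPs *= */, ""); gsub(/ /, "")
            n = split($0, list, ",")
            for (i = 1; i <= n; i++) {
                if (list[i] ~ /:/) continue            # IPv6 entries not modelled here
                p = covers(list[i], ip)
                if (p > best) { best = p; bestkey = key }
            }
        }
        END { print bestkey }'
}

# Which peer (if any) would the VPS hand each destination to?
for d in 10.7.0.4 192.168.16.1 192.168.20.106; do
    printf '%-15s current: %-15s fixed: %s\n' "$d" \
        "$(wg_lookup "$WG_CONF" "$d")" "$(wg_lookup "$WG_CONF_FIXED" "$d")"
done
```

On a live host the same answer comes from `wg show wg0 allowed-ips`, and `ip route get 192.168.20.106` shows whether the kernel side points at wg0 at all; both have to agree before the camera is reachable from the VPS.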