Routing Home Network Traffic via WireGuard Tunnel

I have been trying for some time to correctly expose my home network to the outside world via a WireGuard tunnel and have ended up with the following configuration.

Problem:

Clients in my home network, routed through an OpenWrt router using a WireGuard tunnel to a VPS, cannot access most websites, except for a few like Google and YouTube. The router itself has full internet access, including DNS resolution, but the issue persists for connected clients.

Setup:

  • OpenWrt Router: Acts as the local router in my home network and serves as a WireGuard client.
  • WWAN: The OpenWrt router connects as a client to an external network. I do not have access to the router of this external network.
  • VPS: Used as the WireGuard server and for setting up port forwarding.

Current Configuration:

  • The WireGuard tunnel is active, and all traffic is routed through it (allowed IPs: 0.0.0.0/0).
  • The OpenWrt router can successfully ping external addresses (e.g., ping 8.8.8.8).
  • DNS resolution works on the router (e.g., nslookup example.com 8.8.8.8 returns correct results).

Problem:

  • Clients in the home network cannot access websites outside the network (e.g., curl example.com fails).
  • However, some sites like Google and YouTube are accessible from the home network.

Additional Details:

  • Routing table (ip route show):
default dev wireguard scope link
10.0.0.0/24 dev wireguard scope link  src 10.0.0.2
10.1.1.0/24 dev br-lan scope link  src 10.1.1.1
192.168.178.0/24 dev phy0-sta0 scope link  src 192.168.178.85
212.227.64.18 via 192.168.178.1 dev phy0-sta0
  • Relevant Configuration Files:
    • /etc/config/network:
config interface 'loopback'
    option device 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fd5c:757a:4a0c::/48'

config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'eth0'

config interface 'lan'
    option device 'br-lan'
    option proto 'static'
    option ipaddr '10.1.1.1'
    option netmask '255.255.255.0'
    option ip6assign '60'

config interface 'wwan'
    option proto 'dhcp'
    option peerdns '0'
    list dns '1.1.1.1'
    list dns '8.8.8.8'
    option hostname '*'

config interface 'wireguard'
    option proto 'wireguard'
    option private_key 'xxx'
    list addresses '10.0.0.2/24'
    option peerdns '0'
    list dns '1.1.1.1'
    list dns '8.8.8.8'
    option mtu '1412'

config wireguard_wireguard
    option public_key 'xxx'
    option route_allowed_ips '1'
    option endpoint_host '212.227.64.18'
    option endpoint_port '51820'
    option persistent_keepalive '25'
    option description 'wg-server'
    option preshared_key 'xxx'
    list allowed_ips '0.0.0.0/0'
  • /etc/config/firewall:

config defaults
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'DROP'
    option synflood_protect '1'

config zone 'lan'
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    list network 'lan'

config zone
    option name 'wg'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    list network 'wireguard'
    option masq '1'
    option mtu_fix '1'

config zone 'wan'
    option name 'wan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    list device 'tun+'
    list network 'wwan'

config forwarding
    option src 'lan'
    option dest 'wg'

config forwarding
    option src 'wg'
    option dest 'lan'

This side looks ok; it could be the server side.

But what you can try is using a lower MTU.

Try 1280 or even lower


I should have realized this earlier, as the other WireGuard clients are experiencing the same issue...

Here is the configuration of my VPS:

sudo iptables -t nat -L -v -n

Chain PREROUTING (policy ACCEPT 917 packets, 98493 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   160 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3306 to:10.1.1.102:3306
  268 13400 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:10.1.1.107:80
  521 28812 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:10.1.1.107:443
    2    96 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25565 to:10.1.1.105:25565
   20  1200 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143 to:10.1.1.202:143
    9   500 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993 to:10.1.1.202:993
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587 to:10.1.1.202:587
   20  1064 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 to:10.1.1.202:25
   55  3300 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:465 to:10.1.1.202:465
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4190 to:10.1.1.202:4190
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:9000:10999 to:10.1.1.121:9000-10999
    3   124 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:5060:5061 to:10.1.1.121:5060-5061
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:5060 to:10.1.1.121:5060
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5090 to:10.1.1.121:5090
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:5090 to:10.1.1.121:5090

Chain INPUT (policy ACCEPT 259 packets, 15548 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 77 packets, 6900 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 955 packets, 52577 bytes)
 pkts bytes target     prot opt in     out     source               destination
  679 85292 MASQUERADE  all  --  *      ens6    0.0.0.0/0            0.0.0.0/0
    0     0 MASQUERADE  all  --  *      ens6    0.0.0.0/0            0.0.0.0/0
    0     0 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 MASQUERADE  all  --  *      ens6    0.0.0.0/0            0.0.0.0/0

/etc/wireguard/wg0.conf

# This file was generated using wireguard-ui (https://github.com/ngoduykhanh/wireguard-ui)
# Please don't modify it manually, otherwise your change might get replaced.

# Address updated at:     2025-01-18 10:36:22.934726259 +0000 UTC
# Private Key updated at: 2025-01-18 10:04:23.451938311 +0000 UTC
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = xxx 
MTU = 1450
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUp = iptables -A FORWARD -o wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -D FORWARD -o wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
Table = auto


# ID:           cu5nukj66f7t55c86660
# Name:         Home-Openwrt
# Email:
# Telegram:
# Created at:   2025-01-18 10:15:46.064266955 +0000 UTC
# Update at:    2025-01-18 10:17:56.145397868 +0000 UTC
[Peer]
PublicKey = xxx 
PresharedKey = xxx 
AllowedIPs = 10.0.0.2/32,10.1.1.0/24
PersistentKeepalive = 15


# ID:           cu5o2u366f7t55c8666g
# Name:         xxx 
# Email:        xxx 
# Telegram:
# Created at:   2025-01-18 10:24:56.969967097 +0000 UTC
# Update at:    2025-01-18 10:24:56.969967097 +0000 UTC
[Peer]
PublicKey = xxx 
PresharedKey = xxx 
AllowedIPs = 10.0.0.3/32
PersistentKeepalive = 15


# ID:           cu5o5qj66f7t55c86670
# Name:         xxx 
# Email:        xxx 
# Telegram:
# Created at:   2025-01-18 10:31:06.679711266 +0000 UTC
# Update at:    2025-01-18 10:32:24.183537306 +0000 UTC
[Peer]
PublicKey = xxx 
PresharedKey = xxx 
AllowedIPs = 10.0.0.4/32
PersistentKeepalive = 15

The WAN interface of the VPS seems to be ens6, so change eth0 to ens6; however, all traffic seems to be masqueraded, so this is not the current problem.

I do notice that an INPUT rule is missing:

iptables -I INPUT  -i ens6 -p udp --dport 51820  -j ACCEPT

Furthermore if you want to be able to connect to the router itself, if you are connected via WG, you need to add the following rule also:

iptables -I INPUT  -i wg0 -j ACCEPT

Your MTU is way too high; the max is 1420. When you have slow or intermittent traffic and can reach some websites but not others, use a lower MTU, e.g. 1280 on both sides.

Reboot after changing.

Disclaimer: I do have a working VPS but am not an expert.

Since you seem to have a Fritzbox as modem, I suggest setting the mtu to 1300, that should suffice.

I had issues with some Fritzboxes in front of an OpenWrt-Router running Wireguard in the past and the 1300 mtu helped in 100% of the cases with the issue of some websites not/slowly loading, videos not playing, etc.

I usually tested for this by connecting to the OpenWrt router via ssh through the Wireguard tunnel and then issuing commands with long output like logread. It would hang up the connection after X lines and I had to reconnect via ssh again.

So for config interface wireguard in your network config, set the option mtu '1300'.

Thanks for the responses! I’ve applied the suggested changes, but unfortunately, the issue persists (both with an MTU of 1300 and 1280).

Here’s the updated firewall configuration of my VPS:

Chain PREROUTING (policy ACCEPT 712 packets, 106K bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    60 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3306 to:10.1.1.102:3306
  209 10268 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:10.1.1.107:80
  619 35540 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:10.1.1.107:443
    5   240 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25565 to:10.1.1.105:25565
    2   104 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143 to:10.1.1.202:143
    9   508 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993 to:10.1.1.202:993
    1    60 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587 to:10.1.1.202:587
   12   624 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 to:10.1.1.202:25
   34  2040 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:465 to:10.1.1.202:465
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4190 to:10.1.1.202:4190
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:9000:10999 to:10.1.1.121:9000-10999
    1    52 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:5060:5061 to:10.1.1.121:5060-5061
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:5060 to:10.1.1.121:5060
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5090 to:10.1.1.121:5090
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:5090 to:10.1.1.121:5090

Chain INPUT (policy ACCEPT 30 packets, 1780 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   352 ACCEPT     udp  --  ens6   *       0.0.0.0/0            0.0.0.0/0            udp dpt:51820
   21  1133 ACCEPT     all  --  wg0    *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 8 packets, 1300 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 903 packets, 50119 bytes)
 pkts bytes target     prot opt in     out     source               destination
  177 23074 MASQUERADE  all  --  *      ens6    0.0.0.0/0            0.0.0.0/0
    0     0 MASQUERADE  all  --  *      ens6    0.0.0.0/0            0.0.0.0/0
    0     0 MASQUERADE  all  --  *      ens6    0.0.0.0/0            0.0.0.0/0

Start by debugging, run from the client side:

ping 8.8.8.8
ping openwrt.org
traceroute 8.8.8.8
traceroute openwrt.org

Next step is to run tcpdump on the server.

What are these rules for?
They redirect all http/https traffic coming in from all interfaces to 10.1.1.107 (whatever that is).
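The point raised above is that a DNAT rule with `in *` also catches traffic arriving over the tunnel, not only from the WAN. As an added example that is not part of this thread, here is a small parser for the `iptables -t nat -L -v -n` layout shown above that lists PREROUTING DNAT rules lacking an inbound-interface match (the ruleset the poster ends up with restricts them to ens6). The sample input is constructed for the example in the thread's own layout.

```python
"""Flag DNAT port forwards that match on every inbound interface.

Added example, not from the thread. Parses `iptables -t nat -L -v -n` output
and reports PREROUTING DNAT rules whose `in` column is `*`.
"""
import re
from typing import Dict, List

# Constructed sample in the -L -v -n layout (not the poster's full ruleset)
SAMPLE = """\
Chain PREROUTING (policy ACCEPT 10 packets, 600 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   160 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:10.1.1.107:80
    0     0 DNAT       tcp  --  ens6   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:10.1.1.107:443
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:9000:10999 to:10.1.1.121:9000-10999

Chain POSTROUTING (policy ACCEPT 4 packets, 192 bytes)
 pkts bytes target     prot opt in     out     source               destination
   79  9880 MASQUERADE  all  --  *      ens6    0.0.0.0/0            0.0.0.0/0
"""

# One rule line: counters (may carry K/M/G suffixes), target, proto, opt, in, out, src, dst, match text
RULE = re.compile(
    r"^\s*(?P<pkts>\d+[KMG]?)\s+(?P<bytes>\d+[KMG]?)\s+(?P<target>\S+)\s+(?P<prot>\S+)\s+"
    r"(?P<opt>\S+)\s+(?P<in>\S+)\s+(?P<out>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<extra>.*)$"
)


def parse_nat_table(text: str) -> Dict[str, List[dict]]:
    """Group rule lines by chain name; header lines do not match RULE and are skipped."""
    chains: Dict[str, List[dict]] = {}
    current = None
    for line in text.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
            continue
        m = RULE.match(line)
        if m and current is not None:
            chains[current].append(m.groupdict())
    return chains


def unrestricted_dnat(chains: Dict[str, List[dict]]) -> List[str]:
    """Match text of PREROUTING DNAT rules that apply to traffic from any interface."""
    return [r["extra"] for r in chains.get("PREROUTING", [])
            if r["target"] == "DNAT" and r["in"] == "*"]


if __name__ == "__main__":
    for rule in unrestricted_dnat(parse_nat_table(SAMPLE)):
        print("DNAT without -i restriction:", rule)
```

Pipe live output in with `iptables -t nat -L -v -n | python3 script.py` after swapping `SAMPLE` for `sys.stdin.read()`.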

The final and working firewall:

Chain PREROUTING (policy ACCEPT 80 packets, 9940 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  ens6   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3306 to:10.1.1.102:3306
    3   132 DNAT       tcp  --  ens6   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:10.1.1.107:80
    0     0 DNAT       tcp  --  ens6   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:10.1.1.107:443
    0     0 DNAT       tcp  --  ens6   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25565 to:10.1.1.105:25565
    0     0 DNAT       tcp  --  ens6   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143 to:10.1.1.202:143
    0     0 DNAT       tcp  --  ens6   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993 to:10.1.1.202:993
    0     0 DNAT       tcp  --  ens6   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587 to:10.1.1.202:587
    0     0 DNAT       tcp  --  ens6   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 to:10.1.1.202:25
    1    60 DNAT       tcp  --  ens6   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:465 to:10.1.1.202:465
    0     0 DNAT       tcp  --  ens6   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4190 to:10.1.1.202:4190
    0     0 DNAT       udp  --  ens6   *       0.0.0.0/0            0.0.0.0/0            udp dpts:9000:10999 to:10.1.1.121:9000-10999
    0     0 DNAT       tcp  --  ens6   *       0.0.0.0/0            0.0.0.0/0            tcp dpts:5060:5061 to:10.1.1.121:5060-5061
    0     0 DNAT       udp  --  ens6   *       0.0.0.0/0            0.0.0.0/0            udp dpt:5060 to:10.1.1.121:5060
    0     0 DNAT       tcp  --  ens6   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5090 to:10.1.1.121:5090
    0     0 DNAT       udp  --  ens6   *       0.0.0.0/0            0.0.0.0/0            udp dpt:5090 to:10.1.1.121:5090

Chain INPUT (policy ACCEPT 1 packets, 60 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  ens6   *       0.0.0.0/0            0.0.0.0/0            udp dpt:51820
    0     0 ACCEPT     all  --  wg0    *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 4 packets, 192 bytes)
 pkts bytes target     prot opt in     out     source               destination
   79  9880 MASQUERADE  all  --  *      ens6    0.0.0.0/0            0.0.0.0/0
    0     0 MASQUERADE  all  --  *      ens6    0.0.0.0/0            0.0.0.0/0
    0     0 MASQUERADE  all  --  *      ens6    0.0.0.0/0            0.0.0.0/0

You can use tracepath and traceroute to test the pipe for how big a packet can be. I don't have the option on top of my mind, but you can specify it and see if you really need 1280 or if you could go slightly bigger.
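The reply above leaves the exact tracepath option open; as an added example that is not from the thread, this script does the same measurement by hand: a binary search over Don't-Fragment pings (Linux iputils `ping -M do -s SIZE`), then subtracts the WireGuard encapsulation overhead (60 bytes over an IPv4 endpoint, 80 over IPv6) to get a tunnel MTU that fits the measured path. Assumptions: Linux with iputils ping and an IPv4 target such as the VPS endpoint, passed as the first argument.

```python
"""Measure the path MTU to the WireGuard endpoint and derive the tunnel MTU.

Added example, not part of the thread. Assumes Linux iputils ping
(`-M do` sets the DF bit) and an IPv4 target.
"""
import subprocess
import sys
from typing import Callable

IPV4_ICMP_OVERHEAD = 28              # 20-byte IPv4 header + 8-byte ICMP header around the payload
WG_OVERHEAD = {False: 60, True: 80}  # IPv4 endpoint: 20 IP + 8 UDP + 32 WG; IPv6 endpoint: 40 + 8 + 32


def ping_df(target: str, payload: int, timeout_s: int = 2) -> bool:
    """True if a single DF-flagged ping carrying `payload` data bytes is answered."""
    cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do", "-s", str(payload), target]
    res = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return res.returncode == 0


def find_path_mtu(probe: Callable[[int], bool], low: int = 576, high: int = 1500) -> int:
    """Largest total IPv4 packet size in [low, high] for which probe(payload) succeeds.

    `probe` gets the ICMP payload size; this is the binary search tracepath automates.
    """
    if not probe(low - IPV4_ICMP_OVERHEAD):
        raise RuntimeError(f"even {low}-byte packets fail; check basic connectivity first")
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid - IPV4_ICMP_OVERHEAD):
            low = mid
        else:
            high = mid - 1
    return low


def wireguard_mtu(path_mtu: int, ipv6_endpoint: bool = False) -> int:
    """Tunnel MTU at which a full-size inner packet still fits the outer path MTU."""
    return path_mtu - WG_OVERHEAD[ipv6_endpoint]


if __name__ == "__main__":
    host = sys.argv[1]  # e.g. the VPS endpoint address
    pmtu = find_path_mtu(lambda size: ping_df(host, size))
    print(f"path MTU to {host}: {pmtu}, suggested WireGuard MTU: {wireguard_mtu(pmtu)}")
```

Run it from the OpenWrt router (through the WWAN, not through the tunnel) so the measured path is the one the WireGuard UDP packets actually take.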
