Routing not working with simple setup (just lan and vpn)

Hi,

I set up OpenWrt (22.03.5) with a simple setup: just br-lan (not touched after installation) and one upstream WireGuard interface (default route). After sshing into OpenWrt, ping and traceroute to every host on the internet work fine through WireGuard. But I can't reach any host on the internet from the LAN. Even the tunnel endpoint of the VPN is not reachable from the LAN (ping times out).

# ip rule
0:      from all lookup local 
32766:  from all lookup main 
32767:  from all lookup default 
# ip ro 
default dev WG0 scope link 
192.168.1.0/24 dev wlan0 scope link  src 192.168.1.224 
192.168.173.0/24 dev br-lan scope link  src 192.168.173.1 
<ip vpn peer> via 192.168.1.1 dev wlan0
# uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].synflood_protect='1'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan' 'wan6' 'wwan_wlan'
[...]
rules for allowing icmp not touched since installation
[...]
firewall.@zone[2]=zone
firewall.@zone[2].name='wireguard'
firewall.@zone[2].input='ACCEPT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].network='WG0'
firewall.@zone[2].forward='REJECT'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wireguard'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='wireguard'
firewall.@forwarding[1].dest='lan'
#

Does someone have a hint for me?

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
uci set firewall.@zone[2].masq="1"
uci set firewall.@zone[2].mtu_fix="1"
uci commit firewall
/etc/init.d/firewall restart
# ubus call system board
{
	"kernel": "5.10.176",
	"hostname": "OpenWrt",
	"system": "MediaTek MT7628AN ver:1 eco:2",
	"model": "TP-Link TL-WR902AC v3",
	"board_name": "tplink,tl-wr902ac-v3",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "22.03.5",
		"revision": "r20134-5f15225c1e",
		"target": "ramips/mt76x8",
		"description": "OpenWrt 22.03.5 r20134-5f15225c1e"
	}
}
# cat /etc/config/network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '<prefix>'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.173.1'
	list dns '<dns-ip>'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '4 6t'

config interface 'wwan_wlan'
	option proto 'dhcp'

config interface 'WG0'
	option proto 'wireguard'
	option private_key '<key>'
	list addresses '192.168.120.39/32'

config wireguard_WG0
	option public_key '<key>'
	option preshared_key '<key>'
	list allowed_ips '0.0.0.0/0'
	option persistent_keepalive '25'
	option endpoint_host '<ip>'
	option endpoint_port '<port>'
	option description '<description>'
	option route_allowed_ips '1'


config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/10300000.wmac'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'
	option disabled '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option disabled '1'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'sta'
	option network 'wwan_wlan'
	option ssid 'wlan'
	option encryption 'sae'
	option key '<key>'
# cat /etc/config/dhcp
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'
# cat /etc/config/firewall
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wwan_wlan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'wireguard'
	option input 'ACCEPT'
	option output 'ACCEPT'
	list network 'WG0'
	option forward 'REJECT'

config forwarding
	option src 'lan'
	option dest 'wireguard'

config forwarding
	option src 'wireguard'
	option dest 'lan'

Thank you for the suggestion, but I don't want to use NAT.

This is only possible if you own the VPN server: WireGuard only accepts packets from a peer whose source address is within that peer's allowed IPs, so the server side must be configured to accept your LAN subnet from the router peer and route it back.

  • Add the LAN subnet to the allowed IPs on the server.
  • Add a route to the LAN subnet on the server VPN interface.

Yes, you are right. Please excuse me, I forgot to mention that I own the WireGuard server. And yes, I have added the LAN subnet to the allowed IPs on the server. But sadly this does not help. Here is the output of ip rule and ip ro...:

# ip rule
0:      from all lookup local 
[...]
10000:  from 192.168.120.1 lookup WG0 
10000:  from 192.168.173.0 lookup WG0
[...]
20000:  from all to 192.168.120.1/24 lookup WG0 
20000:  from all to 192.168.173.0/24 lookup WG0 
32766:  from all lookup main
[...]

# ip ro show table WG0
192.168.120.0/24 dev WG0 scope link 
192.168.173.0/24 dev WG0 scope link
# ip ro
[...]
192.168.120.0/24 dev WG0 scope link 
192.168.173.0/24 dev WG0 scope link
[...]

Here is the output of tcpdump on OpenWrt:

21:27:48.117692 IP 192.168.120.39 > 192.168.120.1: ICMP echo request, id 2834, seq 0, length 64
21:27:48.182567 IP 192.168.120.1 > 192.168.120.39: ICMP echo reply, id 2834, seq 0, length 64

21:30:20.791775 IP 192.168.173.188 > 192.168.120.1: ICMP echo request, id 2666, seq 1, length 64
21:30:39.503387 IP 192.168.120.39 > 192.168.120.1: ICMP 192.168.120.39 udp port 43594 unreachable, length 101

The first two lines result from a ping from OpenWrt, the last two lines from a ping from the LAN. In the first case I can see the packet immediately on the WireGuard server:

# tcpdump -i WG0 icmp
[...]
22:16:05.686071 IP 192.168.120.39 > 192.168.120.1: ICMP echo request, id 2878, seq 0, length 64
22:16:05.686424 IP 192.168.120.1 > 192.168.120.39: ICMP echo reply, id 2878, seq 0, length 64

But when I ping from lan I can see this on the server with a big delay:

22:17:00.517359 IP 192.168.120.39 > 192.168.120.1: ICMP 192.168.120.39 udp port 36649 unreachable, length 101
22:18:07.479700 IP 192.168.120.39 > 192.168.120.1: ICMP 192.168.120.39 udp port 55982 unreachable, length 101
22:20:10.433510 IP 192.168.120.39 > 192.168.120.1: ICMP 192.168.120.39 udp port 42095 unreachable, length 101

I would be thankful for some further hints.

On the interface, the netmask needs to be large enough to cover both peers, typically /24.

Did you create a separate wg0 table or is this something that wireguard-tools does now? Previously a route_allowed_ips to 0.0.0.0/0 would make default entries in the main routing table.

Check this way:

# VPN server
sudo tcpdump -evnni any icmp

# LAN client
ping 8.8.8.8

Thanks for the hint. I tested with 192.168.120.39/24, but this did not change anything.

No, this is not done by the wireguard-tools. I also use OpenVPN, and I created the separate table myself. You can read about the background in this thread.

I did (with 136.144.57.121 instead of 8.8.8.8, because there are other clients in the network trying to ping 8.8.8.8). tcpdump doesn't show anything on the VPN server within 10 seconds after pinging from lan while I get this on openwrt (wireguard client):

07:34:40.726168  In <mac> ethertype 802.1Q (0x8100), length 104: vlan 1, p 0, ethertype IPv4, (tos 0x0, ttl 64, id 61253, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.173.188 > 136.144.57.121: ICMP echo request, id 11735, seq 1, length 64
07:34:40.726168  In <mac> ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 64, id 61253, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.173.188 > 136.144.57.121: ICMP echo request, id 11735, seq 1, length 64
07:34:40.726168  In <mac> ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 64, id 61253, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.173.188 > 136.144.57.121: ICMP echo request, id 11735, seq 1, length 64
07:34:40.726395 Out ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 63, id 61253, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.173.188 > 136.144.57.121: ICMP echo request, id 11735, seq 1, length 64
07:35:05.841986 Out ethertype IPv4 (0x0800), length 129: (tos 0xc0, ttl 64, id 2536, offset 0, flags [none], proto ICMP (1), length 113)
    192.168.120.39 > 192.168.120.1: ICMP 192.168.120.39 udp port 34964 unreachable, length 93

Any other idea how to debug?

Is that your VPN server or router?

It looks wrong because the address ends with a zero.
A subnet-specific rule requires a netmask.

Perhaps the LAN client traffic is rejected by the server peer.
Or maybe it is not even routed over the VPN tunnel.
Check from both VPN server and router:

wg show

This is on the VPN server.

Yes, you are right (again). My fault! On the server I had added the LAN subnet to the IP addresses of the interface instead of to the allowed IPs of the peer (VPN client/router). Now I can ping from the LAN to the internet through the WireGuard tunnel! Thank you!

Nevertheless: I think I found a bug:

config route
        option target '192.168.173.0/24'
        option gateway '192.168.120.39'
        option interface 'WG0'
        option table 'main'

Does not produce a route in the main table. Instead it puts the route into the WG0 table. As a workaround I created another table (id 266) and a rule for that table. Then OpenWrt puts the configured route in the right table (266) and not into the WG0 table. Nevertheless, OpenWrt should write the route to the main table if configured like that. Is this a bug which I should report, or am I missing something?

Somehow a "simple setup just lan and vpn" is actually two different VPNs and manually-created multiple routing tables. If you already have another thread about the same problem it is bad form to create a new thread rather than extending the existing one.

If you are manually installing routes you probably should not set route_allowed_ips.

Yes, you are right. But you have to know that this is the same problem, right? When I started this thread I did not expect or even think about the fact, that this problem could be caused by the vpn server.

And in fact: I'm sure, that there was also a problem on the router, because I could use the internet from the router itself and I could not ping the endpoint on the other side of the vpn tunnel.

In hindsight you always know more. If I had known or suspected that the problem was related to my old problem, I wouldn't have started a new thread.

Ah, ok! In this case no extra table for the interface would be created?

But the configured route for the main table should nevertheless not fail silently. And on the other hand, I don't see why the route in the main table shouldn't be created even though OpenWrt creates an extra table for this interface.

Yes, it looks like a bug, although it becomes irrelevant if you change the perspective by managing only routing rules and completely abstracting from the contents of routing tables.

That's ironic and reminds me of a recent topic about "simple" port forwarding with IPsec+PBR+VM, but in this case the output with custom tables and rules comes from the server side.

To be fair, the OP's previous topic was about OpenVPN, which has its own specifics unrelated to WireGuard, so it's reasonable to open a new one.

This is necessary for netifd to create the routes automatically in separate tables if the OP enables PBR on the router.