Rpi4 as wireguard client, lan-clients can't browse the web

hi forum,

i'm asking for help. i already looked at similar topics but couldn't solve my issue.

i have been running openwrt on an rpi4 for a whole year now without major problems.
mostly on wulfy23's snapshots, currently on stable 21.02.1. but the problem is not build-related.

i recently moved. before i had cable-internet. now fiber.
setup before: cable-modem (fritzbox 6660) > rpi4 wireguard > lan (some avm devices that collect the clients)
setup now: fiber-modem (fritzbox 5530) > rpi4 wireguard > lan (some avm devices that collect the clients)

now the lan clients can't browse the web anymore. the browser won't load any webpages and opkg update doesn't work either, so it looks like a dns or nat problem. yet i can ping ip's and domains (they resolve) from all lan-clients, and wireguard is connected and working.

so technically the internet works and wireguard is up. pinging ip's inside the wireguard tunnel also gets answers, and wget, for example, works from the lan through wireguard.

i really do not understand.

uci show vpn-policy-routing:

root@vpn_pi:~# uci show vpn-policy-routing
vpn-policy-routing.config=vpn-policy-routing
vpn-policy-routing.config.enabled='0'
vpn-policy-routing.config.verbosity='2'
vpn-policy-routing.config.strict_enforcement='1'
vpn-policy-routing.config.src_ipset='0'
vpn-policy-routing.config.dest_ipset='0'
vpn-policy-routing.config.resolver_ipset='dnsmasq.ipset'
vpn-policy-routing.config.ipv6_enabled='0'
vpn-policy-routing.config.ignored_interface='vpnserver wgserver'
vpn-policy-routing.config.boot_timeout='30'
vpn-policy-routing.config.iptables_rule_option='append'
vpn-policy-routing.config.procd_reload_delay='1'
vpn-policy-routing.config.webui_enable_column='0'
vpn-policy-routing.config.webui_protocol_column='0'
vpn-policy-routing.config.webui_chain_column='0'
vpn-policy-routing.config.webui_show_ignore_target='0'
vpn-policy-routing.config.webui_sorting='1'
vpn-policy-routing.config.webui_supported_protocol='tcp' 'udp' 'tcp udp' 'icmp' 'all'
vpn-policy-routing.@include[0]=include
vpn-policy-routing.@include[0].path='/etc/vpn-policy-routing.netflix.user'
vpn-policy-routing.@include[0].enabled='0'
vpn-policy-routing.@include[1]=include
vpn-policy-routing.@include[1].path='/etc/vpn-policy-routing.aws.user'
vpn-policy-routing.@include[1].enabled='0'

uci show network:

network.loopback=interface
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.loopback.device='lo'
network.lan=interface
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.delegate='0'
network.lan.defaultroute='0'
network.lan.device='eth0'
network.lan.ipaddr='192.168.177.1'
network.lan_eth0_dev=device
network.lan_eth0_dev.name='eth0'
network.lan_eth0_dev.ipv6='0'
network.wan=interface
network.wan.device='eth1'
network.wan.proto='static'
network.wan.ipaddr='192.168.178.4'
network.wan.netmask='255.255.255.0'
network.wan.gateway='192.168.178.1'
network.wan.hostname='router'
network.wan_eth1_dev=device
network.wan_eth1_dev.name='eth1'
network.wan_eth1_dev.ipv6='0'
network.wg0=interface
network.wg0.proto='wireguard'
network.wg0.listen_port='51820'
network.wg0.private_key='***'
network.wg0.addresses='xx.xx.xx.xxx/32'
network.wg0.delegate='0'
network.@wireguard_wg0[0]=wireguard_wg0
network.@wireguard_wg0[0].route_allowed_ips='1'
network.@wireguard_wg0[0].description='wireguard'
network.@wireguard_wg0[0].allowed_ips='0.0.0.0/0'
network.@wireguard_wg0[0].public_key='***'
network.@wireguard_wg0[0].endpoint_host='xxx.xxx.xxx.xx'
network.@wireguard_wg0[0].endpoint_port='xxxx'
network.@wireguard_wg0[0].persistent_keepalive='25'
network.@device[2]=device
network.@device[2].name='br-lan'
network.@device[2].type='bridge'
network.@device[2].ipv6='0'
network.@device[2].ports='eth0'
network.@device[3]=device
network.@device[3].name='wg0'
network.@device[3].ipv6='0'
network.@device[3].mtu='1420'

uci show firewall

root@vpn_pi:~# uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].synflood_protect='1'
firewall.@defaults[0].drop_invalid='1'
firewall.@zone[0]=zone
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].input='REJECT'
firewall.@zone[0].forward='REJECT'
firewall.@zone[0].masq='1'
firewall.@zone[0].mtu_fix='1'
firewall.@zone[0].name='wg'
firewall.@zone[0].family='ipv4'
firewall.@zone[0].network='wg0'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].family='ipv4'
firewall.@zone[1].network='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[0].enabled='0'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[1].enabled='0'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[2].enabled='0'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[3].enabled='0'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[4].enabled='0'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[5].enabled='0'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[6].enabled='0'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[7].dest='wg'
firewall.@rule[7].family='ipv4'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@rule[8].dest='wg'
firewall.@rule[8].family='ipv4'
firewall.@rule[9]=rule
firewall.@rule[9].name='Support-UDP-Traceroute'
firewall.@rule[9].src='wan'
firewall.@rule[9].dest_port='33434:33689'
firewall.@rule[9].proto='udp'
firewall.@rule[9].family='ipv4'
firewall.@rule[9].target='REJECT'
firewall.@rule[9].enabled='0'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@include[0].reload='1'
firewall.@zone[2]=zone
firewall.@zone[2].input='ACCEPT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='ACCEPT'
firewall.@zone[2].name='lan'
firewall.@zone[2].family='ipv4'
firewall.@zone[2].network='lan'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wg'

wg show

root@vpn_pi:~# wg show
interface: wg0
  public key: ***
  private key: (hidden)
  listening port: 51820

peer: ***
  endpoint: xxx.xxx.xxx.xx:xxxx
  allowed ips: 0.0.0.0/0
  latest handshake: 11 seconds ago
  transfer: 12.32 MiB received, 1.63 MiB sent
  persistent keepalive: every 25 seconds

ifconfig wg0

root@vpn_pi:~# ifconfig wg0
wg0       Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:xx.xx.xx.xxx  P-t-P:xx.xx.xx.xxx  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
          RX packets:15919 errors:0 dropped:0 overruns:0 frame:0
          TX packets:26365 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:12926300 (12.3 MiB)  TX bytes:1732696 (1.6 MiB)

ip route list table all | grep wg

root@vpn_pi:~# ip route list table all | grep wg
default dev wg0 proto static scope link 
local xx.xx.xx.xxx dev wg0 table local proto kernel scope host src xx.xx.xx.xxx

on the old cable-connection i got a real public ip.
the new fiber-connection hands a 'lan'-type address (e.g. 100.96.12.43) to my fiber-box; the public ip seen from the internet is different from the ip the isp assigns to my fiber-box.

where are your dns servers set? please post `uci show dhcp | grep -v ipset` and `ipconfig /all` from a client

i see the wan ip is hardcoded, so you've most likely set the upstream servers via dhcp, either as forwarders or as client options (for client dns resolution)

the router itself will need:

network.wan.dns='192.168.178.1'

or similar for opkg to work


thanks for your help.

my dns-server for the lan-clients is inside the wireguard-tunnel. it is reachable from all clients and working (tested with a local wireguard software client using the same settings as on the rpi4).

network.wan.dns is set now. no difference.

uci show network | grep wan

root@vpn_pi /40# uci show network | grep wan
network.wan=interface
network.wan.device='eth1'
network.wan.proto='static'
network.wan.ipaddr='192.168.178.4'
network.wan.netmask='255.255.255.0'
network.wan.gateway='192.168.178.1'
network.wan.hostname='router'
network.wan.dns='192.168.178.1'
network.wan_eth1_dev=device
network.wan_eth1_dev.name='eth1'
network.wan_eth1_dev.ipv6='0'

uci show dhcp | grep -v ipset

root@vpn_pi /39# uci show dhcp | grep -v ipset
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].ednspacket_max='1232'
dhcp.@dnsmasq[0].confdir='/tmp/dnsmasq.d'
dhcp.@dnsmasq[0].dnsforwardmax='2300'
dhcp.@dnsmasq[0].min_cache_ttl='270'
dhcp.@dnsmasq[0].cachesize='5000'
dhcp.@dnsmasq[0].localservice='1'
dhcp.@dnsmasq[0].serversfile='/var/run/simple-adblock.servers'
dhcp.@dnsmasq[0].server='100.64.0.3'
dhcp.@dnsmasq[0].address='/router/192.168.177.1'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.leasetime='12h'
dhcp.lan.start='20'
dhcp.lan.limit='50'
dhcp.lan.force='1'
dhcp.lan.dhcp_option='6,100.64.0.3'
dhcp.lan.ra_flags='none'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.wan.start='100'
dhcp.wan.limit='150'
dhcp.wan.leasetime='12h'
dhcp.wan.ra_flags='none'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.odhcpd.loglevel='4'

ifconfig -a from a client

@thinkmint:~$ ifconfig -a
enx60a4b7b32645: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.177.26  netmask 255.255.255.0  broadcast 192.168.177.255
        inet6 xxxx::xxxx:xxxx:xxxx:xxxx  prefixlen 64  scopeid 0x20<link>
        ether xx:xx:xx:xx:xx:xx  txqueuelen 1000  (Ethernet)
        RX packets 8436  bytes 4962258 (4.9 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 6525  bytes 822876 (822.8 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Lokale Schleife)
        RX packets 1154  bytes 97095 (97.0 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1154  bytes 97095 (97.0 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlp2s0: flags=4098<BROADCAST,MULTICAST>  mtu 1500
        ether xx:xx:xx:xx:xx:xx  txqueuelen 1000  (Ethernet)
        RX packets 2509  bytes 2433006 (2.4 MB)
        RX errors 0  dropped 260  overruns 0  frame 0
        TX packets 1266  bytes 180254 (180.2 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

nmcli dev show from a client

@thinkmint:~$ nmcli dev show
GENERAL.DEVICE:                         enx60a4b7b32645
GENERAL.TYPE:                           ethernet
GENERAL.HWADDR:                         xx:xx:xx:xx:xx:xx
GENERAL.MTU:                            1500
GENERAL.STATE:                          100 (verbunden)
GENERAL.CONNECTION:                     lan
GENERAL.CON-PATH:                       /org/freedesktop/NetworkManager/ActiveCo
WIRED-PROPERTIES.CARRIER:               an
IP4.ADDRESS[1]:                         192.168.177.26/24
IP4.GATEWAY:                            192.168.177.1
IP4.ROUTE[1]:                           dst = 0.0.0.0/0, nh = 192.168.177.1, mt 
IP4.ROUTE[2]:                           dst = 192.168.177.0/24, nh = 0.0.0.0, mt
IP4.ROUTE[3]:                           dst = 169.254.0.0/16, nh = 0.0.0.0, mt =
IP4.DNS[1]:                             100.64.0.3
IP4.DOMAIN[1]:                          lan
IP6.ADDRESS[1]:                         xxxx::xxxx:xxxx:xxxx:xxxx/64
IP6.GATEWAY:                            --
IP6.ROUTE[1]:                           dst = fe80::/64, nh = ::, mt = 256
IP6.ROUTE[2]:                           dst = fe80::/64, nh = ::, mt = 100

GENERAL.DEVICE:                         wlp2s0
GENERAL.TYPE:                           wifi
GENERAL.HWADDR:                         xx:xx:xx:xx:xx:xx

fixed it. -.-

i had to lower the mtu of the wireguard interface (network.@device[3].mtu, shown above as 1420) to as low as 1280. that fits the symptoms: small packets like ping and dns replies got through, while full-size tcp segments for web pages and opkg downloads were presumably dropped somewhere on the new fiber path, so a smaller tunnel mtu lets them pass.

now all is working again.
