[Solved] No internet access with Wireguard

Hi,

I have configured Wireguard successfully with the help of this forum yesterday as described here:

I tested the connection successfully with 1 android phone and 1 linux computer.

It worked only briefly unfortunately because this morning I noticed that I have no internet access again when I'm connected with Wireguard. I can reach local LAN devices though.

In the Peer config I have set a DNS server and it is the same DNS server that still worked yesterday.

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'abcd::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.201.1'

config interface 'wan'
	option device 'eth1'
	option proto 'static'
	option ipaddr '192.168.100.35'
	option netmask '255.255.255.0'
	option gateway '192.168.100.1'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 0'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'privatekey'
	option listen_port '51820'
	list addresses '192.168.202.1/24'


cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'Wireguard'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wg0'

config forwarding
	option src 'Wireguard'
	option dest 'lan'

config forwarding
	option src 'wan'
	option dest 'Wireguard'

config forwarding
	option src 'Wireguard'
	option dest 'wan'

config rule
	option name 'wan-local-wireguard'
	list proto 'udp'
	option src 'wan'
	option dest_port '51820'
	option target 'ACCEPT'

As for the peers I have the following settings:
interface addresses:
peer1: 192.168.202.10/32
peer2: 192.168.202.11/32

dns server:
192.168.201.1 (which is the openwrt router)
allowed ip:
0.0.0.0/0

keep alive:
25 seconds

I had to set the following option in /etc/config/dhcp to make DNS work properly via Wireguard:

config dnsmasq
	option localservice '0'

I think this is needed because there is no DHCP section for the Wireguard interface, limiting the allowed IP ranges to your LAN zone.

If that works, you could probably also add a section for the Wireguard interface and set option ignore '1' to /etc/config/dhcp instead, leaving option localservice '1' for dnsmasq. This is untested, I have option localservice '0' in my dnsmasq section as mentioned above.


I tried both your suggestions, setting option localservice '1' for dnsmasq, and adding a section for wg0 with option ignore '1'. Unfortunately it did not help.

To rule out a DNS problem, set 9.9.9.9 as the DNS server on your client's wg interface.

I see that you don’t have dns defined, and you’ve also turned off masquerading on the wan.

Starting with dns - add a dns server to the wan interface stanza. This could be the main router (192.168.100.1) or a public one like 8.8.8.8. Dns is required, in large part because ntp won’t work without it (and time sync is critical for wireguard).

Next… masquerading:

Does your main router (192.168.100.1) have static routes configured? If not, two options.

  • Add static routes for these two networks:
    • 192.168.201.0/24 via 192.168.100.35
    • 192.168.202.0/24 via 192.168.100.35

Or

  • Enable masquerading on your wan firewall zone.

If that doesn’t resolve the problem…
Have you redacted the peer config stanzas? Please show those.

And let’s also see the config files from the peers themselves.

You have to set it to 0, not to 1. 1 is the default. But before that, you need to fix the issues pointed out in @psherman's reply.

I have tried setting DNS server 9.9.9.9 for the wg interface, but it did not help unfortunately.

Yes, I have static routes configured already in the WAN (192.168.100.1).

The computer:

The phone:

The computer:


The phone:

Ok, I will try it again afterwards.

This is expected. The only dns that matters in the interface configs is the upstream one.

Have you added dns to the wan interface? You’ll also need to reboot the router after doing this to get everything syncing.

The allowed ips in the peer config stanzas (on the openwrt side) are incorrect. They should be 192.168.202.11/32 and 192.168.202.10/32 for the computer and phone respectively. (Not 0.0.0.0/0)

Also the endpoint host and endpoint port entries should be removed from the same peer config stanzas on the openwrt side.
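Putting the advice in this thread together, as an added example rather than the original poster's actual config: the OpenWrt-side stanzas with an upstream DNS on wan, a single /32 in allowed_ips per peer, no endpoint on the server side, and (only for the case where the upstream router has no static routes back) masquerading on the wan zone. Key values and peer descriptions are placeholders.

```uci
# /etc/config/network (constructed example; keys are placeholders)
config interface 'wan'
	option device 'eth1'
	option proto 'static'
	option ipaddr '192.168.100.35'
	option netmask '255.255.255.0'
	option gateway '192.168.100.1'
	# upstream DNS so the router itself can resolve names (ntp needs this)
	list dns '192.168.100.1'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'SERVER_PRIVATE_KEY_PLACEHOLDER'
	option listen_port '51820'
	list addresses '192.168.202.1/24'

# One stanza per peer. On the server side allowed_ips is the single /32 that
# peer uses, never 0.0.0.0/0 (that belongs only in the client's own config,
# otherwise every peer claims all destinations and routing breaks).
# No endpoint_host/endpoint_port here: the server does not initiate.
config wireguard_wg0
	option description 'computer'
	option public_key 'COMPUTER_PUBLIC_KEY_PLACEHOLDER'
	list allowed_ips '192.168.202.11/32'
	option persistent_keepalive '25'

config wireguard_wg0
	option description 'phone'
	option public_key 'PHONE_PUBLIC_KEY_PLACEHOLDER'
	list allowed_ips '192.168.202.10/32'
	option persistent_keepalive '25'

# /etc/config/firewall: wan zone with masquerading. Needed only when
# 192.168.100.1 has no static routes for 192.168.201.0/24 and
# 192.168.202.0/24 via 192.168.100.35; with those routes, leave masq off.
config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	option masq '1'
	list network 'wan'
```

After editing, reload with `/etc/init.d/network restart` and `/etc/init.d/firewall restart`, and check the handshake and per-peer allowed ips with `wg show wg0`.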

Ok, it's working!

I have added a DNS server to WAN interface under custom DNS servers. And I have updated the peer config stanzas accordingly. Then I have rebooted the router.

Thank you, @psherman , @andyboeh, @egc !

I will mark the topic as solved.

