[Solved] OpenWRT + Wireguard Client + Wireguard Server Issues

Hi everyone, I'm having a hard time getting this setup to work. I have a WireGuard client configured on the router, which works fine, but when I try to add a WireGuard server on the same router I can't connect to it no matter what. I've tried port forwards, traffic rules, and PBR, without luck.

Here is my current config (keys and the endpoint are redacted):

/etc/config/network:

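# /etc/config/network — OpenWrt (netifd) network configuration.
# Secrets are redacted as "(... here)" placeholders; every option value is a
# single-quoted string, so each placeholder must keep both quotes or uci will
# refuse to parse the whole file.

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd91:a274:0f4d::/48'
	option packet_steering '1'

# LAN bridge over the four switch ports.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.0.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option delegate '0'

# WAN port with a MAC override.
config device
	option name 'wan'
	option macaddr '62:38:e0:d6:7f:68'

# Upstream DNS is pinned (peerdns '0'). The router's own resolver traffic
# therefore goes wherever the routing table sends it — via the WAN once the
# VPN client's default route is removed, which is the "DNS leak" mentioned
# later in this thread.
config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option hostname '*'
	option peerdns '0'
	list dns '45.90.28.29'
	list dns '45.90.30.29'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option auto '0'
	option reqaddress 'try'
	option reqprefix 'auto'

# WireGuard *client*: this router is a peer of a remote VPN provider.
# No listen_port is set, so the kernel picks a free UDP port for it; it will
# not collide with the server's fixed port 51820 below.
config interface 'wgclient'
	option proto 'wireguard'
	option private_key '(private key here)'
	list addresses '10.2.0.2/32'
	list dns '10.2.0.1'

# Peer section for the client interface.
# NOTE(review): netifd binds peer sections by section type 'wireguard_<interface>',
# so for an interface named 'wgclient' the expected type is 'wireguard_wgclient'.
# The poster reports the client working, so this is probably a paste edit —
# confirm before copying this listing.
# allowed_ips 0.0.0.0/0 together with route_allowed_ips '1' installs a default
# route through the tunnel. That is what drags the server's reply packets into
# the client tunnel (the root cause in this thread); the fix discussed below
# either sets route_allowed_ips '0' here or adds an ip rule for the server port.
config wireguard_wg
	option description 'VPN-Client'
	option public_key '(public key here)'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host '(endpoint here)'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	option route_allowed_ips '1'

# WireGuard *server*: road-warrior peers connect to UDP 51820 on the WAN
# address. The matching firewall entry is an INPUT rule, not a port forward.
config interface 'wg_server'
	option proto 'wireguard'
	option private_key '(private key here)'
	option listen_port '51820'
	list addresses '10.3.0.1/24'

# Road-warrior peer. WireGuard identifies peers by public key only; the
# peer's private key has no function on this host and is presumably kept here
# just so LuCI can export the client's configuration — it is the client's
# secret, so consider deleting it once the client has been provisioned.
# The preshared_key adds a symmetric secret on top of the Curve25519 handshake;
# it must match the value configured on the client.
config wireguard_wg_server
	option description 'User1'
	option public_key '(public key here)'
	option private_key '(private key here)'
	option preshared_key '(preshared key here)'
	option route_allowed_ips '1'
	list allowed_ips '10.3.0.2/32'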

/etc/config/firewall:

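# /etc/config/firewall — OpenWrt fw4 configuration.

# Policy for traffic that matches no zone. input 'ACCEPT' is the stock OpenWrt
# default; the WAN zone below overrides it with REJECT for its own interfaces.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# LAN zone. 'wg_server' is a member, so every road-warrior peer gets exactly
# the access of a wired LAN host: forwarding to WAN and to the VPN client
# tunnel, plus (input 'ACCEPT') the router's own services such as LuCI and
# SSH. If peers should only get Internet access, put wg_server in its own
# zone with input 'REJECT' and a forwarding to 'wan' only.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wg_server'

# WAN zone: masquerade outbound, reject unsolicited inbound; mtu_fix clamps
# TCP MSS, which matters for traffic that later enters a tunnel.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	option masq '1'
	list network 'wan'
	list network 'wan6'

# --- Stock OpenWrt rules (unchanged defaults) -------------------------------

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# The two IPsec rules are stock defaults; they forward ESP/ISAKMP into the LAN
# and are unused unless a LAN host terminates IPsec.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# --- Site-specific entries ---------------------------------------------------

# Zone for the WireGuard *client* tunnel. LAN traffic steered into it is
# masqueraded behind the tunnel address; nothing arriving from the provider
# side is accepted or forwarded.
config zone
	option name 'wg_VPN'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	list network 'wgclient'

# Hook for the pbr package's own nftables rules (fwmark based policy routing).
config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/pbr.firewall.include'

config forwarding
	option src 'lan'
	option dest 'wan'

# Opens the WireGuard server's listen port on WAN. Having no 'dest' makes this
# an INPUT rule (traffic to the router itself), which is what a locally
# terminated tunnel needs — a port forward/redirect would be wrong here.
# This only lets handshakes *in*; the replies still follow the routing table,
# which is the actual problem discussed in this thread.
config rule
	option name 'Allow-wg_server'
	list proto 'udp'
	option src 'wan'
	option dest_port '51820'
	option target 'ACCEPT'

# Lets LAN hosts (and, because wg_server is in the lan zone, road-warrior
# peers) be routed through the VPN client tunnel.
config forwarding
	option src 'lan'
	option dest 'wg_VPN'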

/etc/config/pbr:

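# /etc/config/pbr — Policy Based Routing (pbr) package configuration.

config pbr 'config'
	option enabled '1'
	option verbosity '2'
	# Per the pbr docs, with strict enforcement a policy whose gateway
	# interface is down blocks the matching traffic instead of letting it
	# fall back to the default route — desirable for the "VPN Strict" host.
	option strict_enforcement '1'
	option resolver_set 'none'
	option ipv6_enabled '0'
	# Interfaces pbr must never treat as gateways. The package defaults list
	# the common names 'vpnserver' and 'wgserver'; the WireGuard server in
	# this setup is actually called 'wg_server', so it is added explicitly.
	list ignored_interface 'vpnserver'
	list ignored_interface 'wgserver'
	list ignored_interface 'wg_server'
	option boot_timeout '30'
	option rule_create_option 'add'
	option procd_reload_delay '1'
	option webui_show_ignore_target '0'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'

# Bundled user includes, both disabled. The fix adopted at the end of this
# thread adds a third include (pbr.user.wgserver) that steers the server's
# replies via the WAN.
config include
	option path '/usr/share/pbr/pbr.user.aws'
	option enabled '0'

config include
	option path '/usr/share/pbr/pbr.user.netflix'
	option enabled '0'

# Policies match on the *source* address of forwarded LAN traffic; they do
# not cover packets the router itself originates (see the discussion below),
# which is why the server port needs a separate ip rule.
config policy
	option name 'VPN Strict Devices'
	option src_addr '192.168.0.134'
	option interface 'wgclient'

config policy
	option name 'VPN Exclude Devices'
	option src_addr '192.168.0.216'
	option interface 'wan'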

For some reason I can see RX and TX packets on the wg_server interface, but on the peer I only see TX packets, so it looks like the server receives the peer's packets but its replies never reach the peer. The two ends cannot ping each other either. The OpenWrt router sits behind an upstream router in passthrough mode, and that router's firewall is disabled.

The server cannot reply because the router's own outgoing traffic is routed through the WG client: the client peer has allowed_ips 0.0.0.0/0 with route_allowed_ips '1', which installs a default route through the tunnel, so the server's handshake responses leave via the VPN provider instead of via the WAN the peer is talking to.

PBR is the way to go: it lets you free up the WAN (or just the server's UDP port) from the WG client's default route.

You can use the regular PBR package, see: https://docs.openwrt.melmac.net/pbr/
which has a paragraph dedicated to this.
Alternatively you can use a script like I am doing see:
https://github.com/egc112/OpenWRT-egc-add-on/tree/main/pbr-via-wan

To give some pointers when you use the PBR package:
in the WG client's peer section (the one with allowed_ips 0.0.0.0/0), set

option route_allowed_ips '0'

Then set all the LAN clients you want (this can be your whole subnet) to use the WG client.
Be aware that you can get a DNS leak this way, because the router itself (and so its upstream DNS queries) will now use the WAN; my script, which only routes the WG server port via the WAN, does not have that side effect.

Hey, thanks for the quick reply. I was checking your script — which interface should I put in the MYINTERFACE variable, the server or the client?

Never mind, I figured it out. Let me try the route_allowed_ips '0' option first; if I get leaks I'll try the script.

Thanks, this solved the issue: I set route_allowed_ips to 0 and then used PBR. I do have DNS leaks now, but I'm using NextDNS so I don't think that's a huge issue. I have some questions though.
If I leave the configuration as it is and add the router's own IP to a PBR policy that goes through the WAN, would that work? Also, how can I add all the other LAN clients without including the router itself in the PBR? I tried 192.168.0.1/24 and then added the router in another PBR rule, but that caused issues.

You can use 192.168.0.0/24 to cover all your LAN clients.
Because that policy is applied as a prerouting rule, it only matches traffic arriving from the LAN and never packets the router itself originates, so the router is not included.

You cannot include the router itself, or your original problem (server replies leaving via the VPN client) returns.

One way out is to enable route_allowed_ips again and use my script, but since you already have the PBR package installed you can use a user-defined PBR include instead:

Add the following script to
/usr/share/pbr/pbr.user.wgserver

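#!/bin/sh
# /usr/share/pbr/pbr.user.wgserver — user include run by pbr on every (re)start.
#
# Steers the router's own WireGuard *server* traffic (locally generated UDP
# packets with source port 51820, i.e. the server's handshake replies and
# data) into pbr's WAN routing table. They then leave via the WAN even while
# the WG client's route_allowed_ips '1' keeps a default route through the
# client tunnel. Delete-then-add keeps the rule from being duplicated across
# restarts; the delete form is loose enough to also remove a rule added
# without 'ipproto udp'.
#
# 'ipproto udp' narrows the match to UDP only; without it any protocol with
# source port 51820 would be steered. Like 'sport', it needs the full
# iproute2 'ip' (package ip-full), which pbr already depends on.
ip rule del sport 51820 table pbr_wan >/dev/null 2>&1
ip rule add ipproto udp sport 51820 table pbr_wan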

Then under /etc/config/pbr add:

config include
	option path '/usr/share/pbr/pbr.user.wgserver'
	option enabled '1'

You can also enable the include from the LuCI PBR page instead of editing /etc/config/pbr.

Then reboot the router (or restart the pbr service) so the include is applied.

Thank you so much, this had me going in circles for some time. I got it working using the PBR user script with route_allowed_ips re-enabled; I'm still testing it, but so far so good.

