I seem to be able to connect, because I can see my Android device in LuCI's WireGuard interface when I am connected.
But when I ping the WireGuard interface's IP, Android and my router seem to have the same IP, and the ping answers from my router seem too fast over UMTS. Also, DNS resolution does not work.
When I try to access the Internet through the VPN from my Android phone, I only get a message that I have no internet connection.
Do I need to use my VPN local ip for the router as DNS Server or the normal local IP of my Router?
I have a double NAT with my ISP's router, but port forwards work: I can connect to the OpenVPN server on my NAS, for example.
Hello! Please post the contents of the following files: /etc/config/network, /etc/config/firewall , and run these commands ip -4 addr ; ip -4 ro ; ip -4 ru ; cat /tmp/resolv.* and paste here the output.
# Port forwards (DNAT) from the wan zone to the LAN hosts 192.168.2.101 and
# 192.168.2.103. Each entry maps wan <src_dport> to <dest_ip>:<dest_port>.
# NOTE(review): every forward is an inbound path from the wan side; how far
# it is reachable depends on what the upstream ISP router forwards (the
# poster describes a double NAT). Worth re-checking which of these are still
# needed once the VPN works.
# wan tcp/5001 -> 192.168.2.101:5001
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '5001'
option dest_ip '192.168.2.101'
option dest_port '5001'
option name 'DSM_218p'
# wan tcp/5022 -> 192.168.2.101:22 (SSH, going by the rule name)
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '5022'
option dest_ip '192.168.2.101'
option dest_port '22'
option name 'SSH_218p'
# wan tcp/5006 -> 192.168.2.101:5006
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '5006'
option dest_ip '192.168.2.101'
option dest_port '5006'
option name 'WebDAV_218p'
# wan udp/1195 -> 192.168.2.101:1194 (the OpenVPN server on the NAS mentioned
# in the first post, presumably)
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'udp'
option src_dport '1195'
option dest_ip '192.168.2.101'
option dest_port '1194'
option name 'OVPN_218p'
# wan tcp/6001 -> 192.168.2.103:5001
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '6001'
option dest_ip '192.168.2.103'
option dest_port '5001'
option name 'DSM_213j'
# wan tcp/6022 -> 192.168.2.103:22 (SSH, going by the rule name)
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '6022'
option dest_ip '192.168.2.103'
option dest_port '22'
option name 'SSH_213j'
# 192.168.2.1 is this router's own br-lan address (see the `ip -4 addr`
# output in this thread), so the two redirects below make the router's own
# port 443 and port 22 reachable from the wan zone.
# NOTE(review): the names suggest the LuCI web UI and the router's SSH
# service. Admin interfaces are normally better reached through the VPN than
# forwarded from wan; confirm these are intentional.
# wan tcp/443 -> 192.168.2.1:443
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '443'
option dest_ip '192.168.2.1'
option dest_port '443'
option name 'Luci_OpenWRT'
# wan tcp/1122 -> 192.168.2.1:22
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option dest_ip '192.168.2.1'
option dest_port '22'
option name 'SSH_OpenWRT'
option src_dport '1122'
# wan udp/1234 -> 192.168.2.1:1234, i.e. to the router's own LAN address.
# NOTE(review): wg0 exists on this router, so WireGuard presumably listens
# here on udp/1234. In that case the input rule 'Allow-Wireguard-Inbound'
# further down already admits the traffic and this DNAT is probably
# redundant; confirm the listen port in /etc/config/network before removing.
config redirect
option target 'DNAT'
option src 'wan'
option proto 'udp'
option src_dport '1234'
option dest_ip '192.168.2.1'
option dest_port '1234'
option name 'WireGuard_OpenWRT'
option dest 'lan'
# Two more port forwards from the wan zone to LAN hosts; both target port
# 5001 on the destination.
# wan tcp/5003 -> 192.168.2.109:5001
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '5003'
option dest_port '5001'
option name 'DockerDSM_218p'
option dest_ip '192.168.2.109'
# wan tcp/5002 -> 192.168.2.102:5001
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '5002'
option dest_ip '192.168.2.102'
option dest_port '5001'
option name 'DSM_218p_VM'
# Global policies: these apply to traffic that no zone handles.
# NOTE(review): with input 'ACCEPT' here, an interface that is not assigned
# to any zone gets unfiltered access to the router itself; check that every
# interface (wg0 included) belongs to a zone.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
# lan zone: fully trusted (input, output and forward all ACCEPT).
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
# wan zone: unsolicited input and forwarding are rejected; masq '1' NATs
# traffic leaving through wan, mtu_fix '1' enables MSS clamping.
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
# LAN hosts may open connections towards wan.
config forwarding
option src 'lan'
option dest 'wan'
# Traffic rules for packets arriving from the wan zone. Rules without a
# 'dest' apply to traffic addressed to the router itself; rules with a
# 'dest' apply to forwarded traffic. The names match the usual OpenWrt
# default rule set.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
# The router answers IPv4 echo requests from the wan side.
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
# ICMPv6 to the router itself, rate-limited to 1000 packets per second.
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# ICMPv6 forwarded from wan to any zone (dest '*'), same rate limit.
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# The two IPsec rules below carry enabled '0' and are therefore inactive.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
option enabled '0'
# Pulls in custom rules from /etc/firewall.user; its contents are not shown
# in this thread, so its effect cannot be judged from here.
config include
option path '/etc/firewall.user'
# Accepts tcp/2200 from wan to the router itself (no 'dest' is set).
# NOTE(review): the name suggests a leftover test rule; remove it if nothing
# is meant to listen on 2200.
config rule
option target 'ACCEPT'
option src 'wan'
option proto 'tcp'
option dest_port '2200'
option name 'ssh-test'
# The next two rules accept port 1194 on the router itself: the first from
# any zone (src '*', udp), the second from wan (tcp and udp).
# NOTE(review): the OpenVPN server is described as running on the NAS and is
# reached through the 'OVPN_218p' redirect. If no OpenVPN instance runs on
# the router, these input rules open a port for no purpose; confirm.
config rule
option name 'Allow-OpenVPN-Inbound'
option target 'ACCEPT'
option src '*'
option proto 'udp'
option dest_port '1194'
config rule
option name 'Allow-OpenVPN'
option src 'wan'
option dest_port '1194'
option proto 'tcp udp'
option target 'ACCEPT'
# Zone with no network attached ('network' holds only a blank), so no
# interface appears to belong to it.
# NOTE(review): looks like an unused leftover with input 'ACCEPT'; verify in
# the LuCI zone list before deleting.
config zone
option name 'newzone'
option input 'ACCEPT'
option forward 'REJECT'
option network ' '
option output 'ACCEPT'
# Accepts udp/1234 addressed to the router itself from any zone (src '*').
# NOTE(review): src 'wan' would be the narrower match if only remote peers
# need to reach the tunnel endpoint.
config rule
option src '*'
option target 'ACCEPT'
option proto 'udp'
option dest_port '1234'
option name 'Allow-Wireguard-Inbound'
# Zone for the WireGuard interface wg0.
# input 'ACCEPT'   - VPN peers may reach every service on the router itself.
# forward 'ACCEPT' - traffic is forwarded between peers inside this zone.
# masq '1'         - traffic leaving through wg0 is masqueraded.
# NOTE(review): masquerading is usually not needed on the server side of the
# tunnel; confirm it is wanted.
config zone
option name 'wg'
option input 'ACCEPT'
option forward 'ACCEPT'
option output 'ACCEPT'
option masq '1'
option network 'wg0'
# VPN peers -> Internet.
config forwarding
option src 'wg'
option dest 'wan'
# VPN peers -> LAN hosts.
config forwarding
option src 'wg'
option dest 'lan'
# LAN hosts -> VPN peers.
config forwarding
option src 'lan'
option dest 'wg'
# Lets connections that start on the wan side be forwarded to VPN peers.
# NOTE(review): this is not needed for the tunnel itself, whose UDP packets
# arrive as input on the router; remove unless deliberate. The later listing
# in this thread has it commented out.
config forwarding
option src 'wan'
option dest 'wg'
Commands:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
4: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.2.1/24 brd 192.168.2.255 scope global br-lan
valid_lft forever preferred_lft forever
7: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1
inet 192.168.10.1/24 brd 192.168.10.255 scope global wg0
valid_lft forever preferred_lft forever
9: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.1.2/24 brd 192.168.1.255 scope global eth0.2
valid_lft forever preferred_lft forever
default via 192.168.1.1 dev eth0.2 proto static
192.168.1.0/24 dev eth0.2 proto kernel scope link src 192.168.1.2
192.168.2.0/24 dev br-lan proto kernel scope link src 192.168.2.1
192.168.10.0/24 dev wg0 proto kernel scope link src 192.168.10.1
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
search lan
nameserver 127.0.0.1
# Interface lan
nameserver 9.9.9.9
# Interface wan
nameserver 9.9.9.9
U mean in /etc/config/network :
config interface 'lan'
?
I can not remove the gateway, then I would have no more Internet access... 192.168.1.2 is the gateway to my ISPs Router (192.168.1.1)..
And why should I remove the broadcast address?
I will try the other things later, when I have some more time.
Thanks!
You have already defined the gateway to your ISP's router in the WAN interface. This IP (192.168.1.2) is assigned to the WAN interface of OpenWrt, so there is no point in using it as the default gateway in the LAN. Moreover, you cannot use a gateway that belongs to a different subnet.
The broadcast is calculated from the IP and the MASK, so it is not necessary.
Yes to all!
Don't forget to restart the services after you finish editing, e.g /etc/init.d/network restart
However there is a catch when editing directly. There is no rollback from a change that renders the router unusable, like there is in Luci.
root@OpenWrt:~# cat /etc/config/firewall
# Port forwards (DNAT) from the wan zone to the LAN hosts 192.168.2.101 and
# 192.168.2.103. Each entry maps wan <src_dport> to <dest_ip>:<dest_port>.
# NOTE(review): every forward is an inbound path from the wan side; how far
# it is reachable depends on what the upstream ISP router forwards. Worth
# re-checking which of these are still needed once the VPN works.
# wan tcp/5001 -> 192.168.2.101:5001
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '5001'
option dest_ip '192.168.2.101'
option dest_port '5001'
option name 'DSM_218p'
# wan tcp/5022 -> 192.168.2.101:22 (SSH, going by the rule name)
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '5022'
option dest_ip '192.168.2.101'
option dest_port '22'
option name 'SSH_218p'
# wan tcp/5006 -> 192.168.2.101:5006
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '5006'
option dest_ip '192.168.2.101'
option dest_port '5006'
option name 'WebDAV_218p'
# wan udp/1195 -> 192.168.2.101:1194
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'udp'
option src_dport '1195'
option dest_ip '192.168.2.101'
option dest_port '1194'
option name 'OVPN_218p'
# wan tcp/6001 -> 192.168.2.103:5001
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '6001'
option dest_ip '192.168.2.103'
option dest_port '5001'
option name 'DSM_213j'
# wan tcp/6022 -> 192.168.2.103:22 (SSH, going by the rule name)
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '6022'
option dest_ip '192.168.2.103'
option dest_port '22'
option name 'SSH_213j'
# 192.168.2.1 is this router's own br-lan address (see the `ip -4 addr`
# output below), so these two redirects make the router's own port 443 and
# port 22 reachable from the wan zone.
# NOTE(review): the names suggest the LuCI web UI and the router's SSH
# service. Admin interfaces are normally better reached through the VPN than
# forwarded from wan; confirm these are intentional.
# wan tcp/443 -> 192.168.2.1:443
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '443'
option dest_ip '192.168.2.1'
option dest_port '443'
option name 'Luci_OpenWRT'
# wan tcp/1122 -> 192.168.2.1:22
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option dest_ip '192.168.2.1'
option dest_port '22'
option name 'SSH_OpenWRT'
option src_dport '1122'
# wan udp/1234 -> 192.168.2.1:1234, i.e. to the router's own LAN address.
# NOTE(review): if WireGuard listens on this router on udp/1234, the input
# rule 'Allow-Wireguard-Inbound' further down already admits the traffic and
# this DNAT is probably redundant; confirm the listen port before removing.
config redirect
option target 'DNAT'
option src 'wan'
option proto 'udp'
option src_dport '1234'
option dest_ip '192.168.2.1'
option dest_port '1234'
option name 'WireGuard_OpenWRT'
option dest 'lan'
# Two more port forwards from the wan zone to LAN hosts; both target port
# 5001 on the destination.
# wan tcp/5003 -> 192.168.2.109:5001
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '5003'
option dest_port '5001'
option name 'DockerDSM_218p'
option dest_ip '192.168.2.109'
# wan tcp/5002 -> 192.168.2.102:5001
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '5002'
option dest_ip '192.168.2.102'
option dest_port '5001'
option name 'DSM_218p_VM'
# Global policies: these apply to traffic that no zone handles.
# NOTE(review): with input 'ACCEPT' here, an interface that is not assigned
# to any zone gets unfiltered access to the router itself; check that every
# interface (wg0 included) belongs to a zone.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
# lan zone: fully trusted (input, output and forward all ACCEPT).
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
# wan zone: unsolicited input and forwarding are rejected; masq '1' NATs
# traffic leaving through wan, mtu_fix '1' enables MSS clamping.
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
# LAN hosts may open connections towards wan.
config forwarding
option src 'lan'
option dest 'wan'
# Traffic rules for packets arriving from the wan zone. Rules without a
# 'dest' apply to traffic addressed to the router itself; rules with a
# 'dest' apply to forwarded traffic. The names match the usual OpenWrt
# default rule set.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
# The router answers IPv4 echo requests from the wan side.
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
# ICMPv6 to the router itself, rate-limited to 1000 packets per second.
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# ICMPv6 forwarded from wan to any zone (dest '*'), same rate limit.
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# The two IPsec rules below carry enabled '0' and are therefore inactive.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
option enabled '0'
# Pulls in custom rules from /etc/firewall.user; its contents are not shown
# in this thread, so its effect cannot be judged from here.
config include
option path '/etc/firewall.user'
# Accepts tcp/2200 from wan to the router itself (no 'dest' is set).
# NOTE(review): the name suggests a leftover test rule; remove it if nothing
# is meant to listen on 2200.
config rule
option target 'ACCEPT'
option src 'wan'
option proto 'tcp'
option dest_port '2200'
option name 'ssh-test'
# The next two rules accept port 1194 on the router itself: the first from
# any zone (src '*', udp), the second from wan (tcp and udp).
# NOTE(review): the OpenVPN server is described as running on the NAS and is
# reached through the 'OVPN_218p' redirect. If no OpenVPN instance runs on
# the router, these input rules open a port for no purpose; confirm.
config rule
option name 'Allow-OpenVPN-Inbound'
option target 'ACCEPT'
option src '*'
option proto 'udp'
option dest_port '1194'
config rule
option name 'Allow-OpenVPN'
option src 'wan'
option dest_port '1194'
option proto 'tcp udp'
option target 'ACCEPT'
# Zone with no network attached ('network' holds only a blank), so no
# interface appears to belong to it.
# NOTE(review): looks like an unused leftover with input 'ACCEPT'; verify in
# the LuCI zone list before deleting.
config zone
option name 'newzone'
option input 'ACCEPT'
option forward 'REJECT'
option network ' '
option output 'ACCEPT'
# Accepts udp/1234 addressed to the router itself from any zone (src '*').
# NOTE(review): src 'wan' would be the narrower match if only remote peers
# need to reach the tunnel endpoint.
config rule
option src '*'
option target 'ACCEPT'
option proto 'udp'
option dest_port '1234'
option name 'Allow-Wireguard-Inbound'
# Zone for the WireGuard interface wg0, now with input and forward 'REJECT'.
# input 'REJECT'   - traffic from VPN peers to the router itself is rejected
#                    unless a rule allows it. If the phone uses the router as
#                    its DNS server, its queries are dropped here; presumably
#                    relevant to the DNS problem reported above (TODO confirm
#                    the client's DNS setting).
# forward 'REJECT' - no forwarding between peers inside this zone; the
#                    explicit forwardings below still apply.
# masq '1'         - traffic leaving through wg0 is masqueraded.
# NOTE(review): masquerading is usually not needed on the server side of the
# tunnel; confirm it is wanted.
config zone
option name 'wg'
option input 'REJECT'
option forward 'REJECT'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option network 'wg0'
# VPN peers -> Internet.
config forwarding
option src 'wg'
option dest 'wan'
# VPN peers -> LAN hosts.
config forwarding
option src 'wg'
option dest 'lan'
# LAN hosts -> VPN peers.
config forwarding
option src 'lan'
option dest 'wg'
# The wan -> wg forwarding is disabled below, so connections that start on
# the wan side are no longer forwarded to VPN peers. The tunnel does not need
# it: its UDP packets arrive as input on the router.
#config forwarding
# option src 'wan'
# option dest 'wg'
ip:
root@OpenWrt:~# ip -4 addr ; ip -4 ro ; ip -4 ru ; cat /tmp/resolv.*
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
4: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.2.1/24 brd 192.168.2.255 scope global br-lan
valid_lft forever preferred_lft forever
7: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1
inet 192.168.10.1/24 brd 192.168.10.255 scope global wg0
valid_lft forever preferred_lft forever
9: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.1.2/24 brd 192.168.1.255 scope global eth0.2
valid_lft forever preferred_lft forever
default via 192.168.1.1 dev eth0.2 proto static
192.168.1.0/24 dev eth0.2 proto kernel scope link src 192.168.1.2
192.168.2.0/24 dev br-lan proto kernel scope link src 192.168.2.1
192.168.10.0/24 dev wg0 proto kernel scope link src 192.168.10.1
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
search lan
nameserver 127.0.0.1
# Interface lan
nameserver 9.9.9.9
# Interface wan
nameserver 9.9.9.9
Maybe it helps, if I also post the config on my Smartphone?
Is the destination in firewallcfg correct?
# wan udp/1234 -> 192.168.2.1:1234. 192.168.2.1 is the router's own br-lan
# address, so 'dest' names the zone that holds the target address (lan), not
# the tunnel interface.
# NOTE(review): if WireGuard listens on this router, a plain input rule such
# as the existing 'Allow-Wireguard-Inbound' is what admits the traffic, and
# this redirect is probably redundant; confirm before removing.
config redirect
option target 'DNAT'
option src 'wan'
option proto 'udp'
option src_dport '1234'
option dest_ip '192.168.2.1'
option dest_port '1234'
option name 'WireGuard_OpenWRT'
option dest 'lan'
option dest 'lan' is correct, or should there be my wireguard interface?
Also can I remove this?
# Zone with no network attached ('network' holds only a blank), so no
# interface appears to belong to it and no forwarding in the posted config
# refers to it.
# NOTE(review): looks safe to remove, and an unused zone with input 'ACCEPT'
# is better not left behind; verify in the LuCI zone list first.
config zone
option name 'newzone'
option input 'ACCEPT'
option forward 'REJECT'
option network ' '
option output 'ACCEPT'
If your problem is solved, feel free to mark the relevant post as the solution; and edit the title to add "[SOLVED]" to the beginning (click the pencil behind the topic).