[Solved] Wireguard client connecting, but no access to Internet or the LAN

Hi,

I've been trying to configure the Wireguard server, following this guide.

My OpenWRT is used as an Access Point behind my ISP router, connected to the router on a LAN port. I've redirected the Wireguard port from my public IP/ISP router to the OpenWRT router.

The VPN network is 192.168.9.0/24, and my LAN is 192.168.1.0/24.

My WireGuard client (on Android) can connect to the server and is seen by the server, but it can't reach anything, even with AllowedIPs set to 0.0.0.0/0 on the client.

Here are some screenshots of my configuration : https://imgur.com/a/W8XKhCU

Could someone help me?
Thanks

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
wg show

Hi,
Thanks for your answer

Here are the outputs :

root@OpenWrt:~# ubus call system board
{
        "kernel": "6.6.32",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "Xiaomi Mi Router AX3000T (OpenWrt U-Boot layout)",
        "board_name": "xiaomi,mi-router-ax3000t-ubootmod",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "SNAPSHOT",
                "revision": "r26592-83311b7470",
                "target": "mediatek/filogic",
                "description": "OpenWrt SNAPSHOT r26592-83311b7470"
        }
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd80:86f9:aa6::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '192.168.1.2'
        list dns '192.168.1.254'

config device
        option name 'wan'
        option macaddr 'xxxxx' 

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config route
        option interface 'lan'
        option target '0.0.0.0/0'
        option gateway '192.168.1.254'

config interface 'vpn'
        option proto 'wireguard'
        option private_key 'xxxxx'
        option listen_port '51821'
        list addresses '192.168.9.1/24'
        list addresses 'fd00:9::1/64'
        option defaultroute '0'

config wireguard_vpn 'wgclient'
        option public_key 's/xxxxx'
        option preshared_key 'xxxxx'
        list allowed_ips '192.168.9.2/32'
        list allowed_ips 'fd00:9::2/128'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '192.168.1.2/24'
        list allowed_ips '192.168.1.254/24'

config route
        option interface 'vpn'
        option target '0.0.0.0/0'
        option gateway '192.168.1.254'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone 'lan'
        option name 'lan'
        list network 'lan'
        list network 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone 'wan'
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule 'wg'
        option name 'Allow-WireGuard'
        option src 'wan'
        option dest_port '51821'
        option proto 'udp'
        option target 'ACCEPT'

root@OpenWrt:~# wg show
interface: vpn
  public key: ro66XbJJxxxxx
  private key: (hidden)
  listening port: 51821

peer: s/pTUO5vyvkuuxxxxxxx
  preshared key: (hidden)
  endpoint: x.x.x.x:48730
  allowed ips: 192.168.9.2/32, fd00:9::2/128
  latest handshake: 5 seconds ago
  transfer: 1.52 MiB received, 1.24 MiB sent

Add the gateway like this:

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option gateway '192.168.1.254'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '192.168.1.2'
        list dns '192.168.1.254'

Delete this (the `config route` section for interface 'lan' — it is redundant once the gateway is set on the interface):

In the `wgclient` peer, delete all the allowed_ips entries below 192.168.9.2/32 and then add option route_allowed_ips '1'. On the server side a peer's allowed_ips is the set of source addresses accepted from that peer (and, with route_allowed_ips, the destinations routed to it), so 0.0.0.0/0 and the 192.168.1.x/24 entries do not belong there; 0.0.0.0/0 belongs only in the client's own AllowedIPs.

Delete this as well (the `config route` section for interface 'vpn'):

Remove the vpn network from the lan zone and enable masquerading on that zone — presumably needed here because the ISP router has no route back to 192.168.9.0/24, so VPN traffic must leave with the OpenWrt LAN address:

Create a new zone for the vpn, and allow forwarding from vpn to lan. Note that `input 'ACCEPT'` on this zone lets every VPN peer reach the router's own services (ssh, LuCI); tighten it if that is not intended:

config zone 'vpn'
        option name 'vpn'
        list network 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config forwarding
        option src 'vpn'
        option dest 'lan'

Then reboot and try again.


It worked! Thanks a lot, your explanation was perfect! Thank you :slight_smile:

You're welcome.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:

