Hello Community!!!. First I wanna thank all the Openwrt developers, users & enthusiasts.
As per title I'm having big headaches configuring access to lan devices from outside my lan.
Everything else works as expected. This is my actual configuration:
(DigitalOcean Wireguard Server)------->Internet-------->Openwrt Wireguard Client------>my lan devices
What works now:
From my computer in the lan I can ping Wireguard server & Client(s)
From Wireguard Server I can ping Clients except Openwrt Client and everything behind it
I tried almost every tutorial and every post on the forum. I'm sure there's some misconfiguration, but I can't solve it.
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd9d:6bfa:4278::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0.1'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='192.168.10.1'
network.lan.delegate='0'
network.lan.force_link='0'
network.lan_eth0_1_dev=device
network.lan_eth0_1_dev.name='eth0.1'
network.lan_eth0_1_dev.macaddr='xxxxxxxxxxxx'fake
network.wan=interface
network.wan.ifname='eth0.2'
network.wan.proto='static'
network.wan.ipaddr='192.168.1.172'
network.wan.netmask='255.255.255.0'
network.wan.delegate='0'
network.wan.gateway='192.168.1.254'
network.wan.dns='1.1.1.1' '8.8.8.8'
network.wan.type='bridge'
network.wan_eth0_2_dev=device
network.wan_eth0_2_dev.name='eth0.2'
network.wan_eth0_2_dev.macaddr='xxxxxxxxxxxx' fake
network.wan6=interface
network.wan6.ifname='eth0.2'
network.wan6.proto='dhcpv6'
network.wan6.reqprefix='no'
network.wan6.delegate='0'
network.wan6.auto='0'
network.wan6.reqaddress='none'
network.wan6.type='bridge'
network.switch[0]=switch
network.switch[0].name='switch0'
network.switch[0].reset='1'
network.switch[0].enable_vlan='1'
network.switch_vlan[0]=switch_vlan
network.switch_vlan[0].device='switch0'
network.switch_vlan[0].vlan='1'
network.switch_vlan[0].ports='0 1 2 3 6t'
network.switch_vlan[1]=switch_vlan
network.switch_vlan[1].device='switch0'
network.switch_vlan[1].vlan='2'
network.switch_vlan[1].ports='4 6t'
network.wg0=interface
network.wg0.proto='wireguard'
network.wg0.delegate='0'
network.wg0.addresses='10.8.0.5/24'
network.wg0.private_key='xxxxxxxxxxxxxxxxxx' fake
network.wireguard_wg0[0]=wireguard_wg0
network.wireguard_wg0[0].persistent_keepalive='25'
network.wireguard_wg0[0].route_allowed_ips='1'
network.wireguard_wg0[0].endpoint_port='51820'
network.wireguard_wg0[0].description='openwrt'
network.wireguard_wg0[0].endpoint_host='xxxxxxxxxxxx' fake
network.wireguard_wg0[0].public_key='xxxxxxxxxxxxx'
network.wireguard_wg0[0].preshared_key='xxxxxxxxxx'
network.wireguard_wg0[0].allowed_ips='0.0.0.0/0'
firewall
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='xxxxxxxxxx'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0.1'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='192.168.10.1'
network.lan.delegate='0'
network.lan.force_link='0'
network.lan_eth0_1_dev=device
network.lan_eth0_1_dev.name='eth0.1'
network.lan_eth0_1_dev.macaddr='xxxxxxxxxx
network.wan=interface
network.wan.ifname='eth0.2'
network.wan.proto='static'
network.wan.ipaddr='192.168.1.172'
network.wan.netmask='255.255.255.0'
network.wan.delegate='0'
network.wan.gateway='192.168.1.254'
network.wan.dns='1.1.1.1' '8.8.8.8'
network.wan.type='bridge'
network.wan_eth0_2_dev=device
network.wan_eth0_2_dev.name='eth0.2'
network.wan_eth0_2_dev.macaddr='xxxxxxxxxxxx'
network.wan6=interface
network.wan6.ifname='eth0.2'
network.wan6.proto='dhcpv6'
network.wan6.reqprefix='no'
network.wan6.delegate='0'
network.wan6.auto='0'
network.wan6.reqaddress='none'
network.wan6.type='bridge'
network.switch[0]=switch
network.switch[0].name='switch0'
network.switch[0].reset='1'
network.switch[0].enable_vlan='1'
network.switch_vlan[0]=switch_vlan
network.switch_vlan[0].device='switch0'
network.switch_vlan[0].vlan='1'
network.switch_vlan[0].ports='0 1 2 3 6t'
network.switch_vlan[1]=switch_vlan
network.switch_vlan[1].device='switch0'
network.switch_vlan[1].vlan='2'
network.switch_vlan[1].ports='4 6t'
network.wg0=interface
network.wg0.proto='wireguard'
network.wg0.delegate='0'
network.wg0.addresses='10.8.0.5/24'
network.wg0.private_key='xxxxxxxxx
network.wireguard_wg0[0]=wireguard_wg0
network.wireguard_wg0[0].persistent_keepalive='25'
network.wireguard_wg0[0].route_allowed_ips='1'
network.wireguard_wg0[0].endpoint_port='51820'
network.wireguard_wg0[0].description='openwrt'
network.wireguard_wg0[0].endpoint_host='xxxxxxxxx
network.wireguard_wg0[0].public_key='xxxxxxxxxxxx
network.wireguard_wg0[0].preshared_key='xxxxxxxxxx
network.wireguard_wg0[0].allowed_ips='0.0.0.0/0'
root@OpenWrt:~# uci show firewall
firewall.defaults[0]=defaults
firewall.defaults[0].input='ACCEPT'
firewall.defaults[0].output='ACCEPT'
firewall.defaults[0].forward='REJECT'
firewall.defaults[0].synflood_protect='1'
firewall.zone[0]=zone
firewall.zone[0].name='lan'
firewall.zone[0].input='ACCEPT'
firewall.zone[0].output='ACCEPT'
firewall.zone[0].forward='ACCEPT'
firewall.zone[0].network='lan'
firewall.zone[1]=zone
firewall.zone[1].name='wan'
firewall.zone[1].output='ACCEPT'
firewall.zone[1].masq='1'
firewall.zone[1].mtu_fix='1'
firewall.zone[1].family='ipv4'
firewall.zone[1].forward='ACCEPT'
firewall.zone[1].input='ACCEPT'
firewall.zone[1].network='wan wg0'
firewall.rule[0]=rule
firewall.rule[0].name='Allow-DHCP-Renew'
firewall.rule[0].src='wan'
firewall.rule[0].proto='udp'
firewall.rule[0].dest_port='68'
firewall.rule[0].target='ACCEPT'
firewall.rule[0].family='ipv4'
firewall.rule[1]=rule
firewall.rule[1].name='Allow-Ping'
firewall.rule[1].src='wan'
firewall.rule[1].proto='icmp'
firewall.rule[1].icmp_type='echo-request'
firewall.rule[1].family='ipv4'
firewall.rule[1].target='ACCEPT'
firewall.rule[2]=rule
firewall.rule[2].name='Allow-IGMP'
firewall.rule[2].src='wan'
firewall.rule[2].proto='igmp'
firewall.rule[2].family='ipv4'
firewall.rule[2].target='ACCEPT'
firewall.rule[3]=rule
firewall.rule[3].name='Allow-DHCPv6'
firewall.rule[3].src='wan'
firewall.rule[3].proto='udp'
firewall.rule[3].src_ip='fc00::/6'
firewall.rule[3].dest_ip='fc00::/6'
firewall.rule[3].dest_port='546'
firewall.rule[3].family='ipv6'
firewall.rule[3].target='ACCEPT'
firewall.rule[4]=rule
firewall.rule[4].name='Allow-MLD'
firewall.rule[4].src='wan'
firewall.rule[4].proto='icmp'
firewall.rule[4].src_ip='fe80::/10'
firewall.rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.rule[4].family='ipv6'
firewall.rule[4].target='ACCEPT'
firewall.rule[5]=rule
firewall.rule[5].name='Allow-ICMPv6-Input'
firewall.rule[5].src='wan'
firewall.rule[5].proto='icmp'
firewall.rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.rule[5].limit='1000/sec'
firewall.rule[5].family='ipv6'
firewall.rule[5].target='ACCEPT'
firewall.rule[6]=rule
firewall.rule[6].name='Allow-ICMPv6-Forward'
firewall.rule[6].src='wan'
firewall.rule[6].dest='*'
firewall.rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.rule[6].limit='1000/sec'
firewall.rule[6].family='ipv6'
firewall.rule[6].target='ACCEPT'
firewall.rule[7]=rule
firewall.rule[7].name='Allow-IPSec-ESP'
firewall.rule[7].src='wan'
firewall.rule[7].dest='lan'
firewall.rule[7].proto='esp'
firewall.rule[7].target='ACCEPT'
firewall.rule[8]=rule
firewall.rule[8].name='Allow-ISAKMP'
firewall.rule[8].src='wan'
firewall.rule[8].dest='lan'
firewall.rule[8].dest_port='500'
firewall.rule[8].proto='udp'
firewall.rule[8].target='ACCEPT'
firewall.include[0]=include
firewall.include[0].path='/etc/firewall.user'
firewall.rule[9]=rule
firewall.rule[9].src='*'
firewall.rule[9].target='ACCEPT'
firewall.rule[9].proto='udp'
firewall.rule[9].dest_port='“51820”'
firewall.rule[9].name='Allow-Wireguard-Inbound'
firewall.forwarding[0]=forwarding
firewall.forwarding[0].dest='wan'
firewall.forwarding[0].src='lan'
firewall.zone[2]=zone
firewall.zone[2].device='wg0'
firewall.zone[2].name='wired'
firewall.zone[2].mtu_fix='1'
firewall.zone[2].input='ACCEPT'
firewall.zone[2].forward='ACCEPT'
firewall.zone[2].masq='1'
firewall.zone[2].output='ACCEPT'
firewall.zone[2].family='ipv4'
firewall.forwarding[1]=forwarding
firewall.forwarding[1].dest='wired'
firewall.forwarding[1].src='wan'
Thnx in advance for your help!!!!!