Hello Community!!!. First I wanna thank all the Openwrt developers, users & enthusiasts.
As per title I'm having big headaches configuring access to lan devices from outside my lan.
Everything else works as expected. This is my actual configuration:

(DigitalOcean Wireguard Server)------->Internet-------->Openwrt Wireguard Client------>my lan devices

What works now:
From my computer in the lan I can ping Wireguard server & Client(s)
From Wireguard Server I can ping Clients except Openwrt Client and everything behind it

I tried almost every tutorial and every post on the forum. I'm sure there's some misconfiguration, but I can't solve it.

network.loopback=interface

network.loopback.ifname='lo'

network.loopback.proto='static'

network.loopback.ipaddr='127.0.0.1'

network.loopback.netmask='255.0.0.0'

network.globals=globals

network.globals.ula_prefix='fd9d:6bfa:4278::/48'

network.lan=interface

network.lan.type='bridge'

network.lan.ifname='eth0.1'

network.lan.proto='static'

network.lan.netmask='255.255.255.0'

network.lan.ip6assign='60'

network.lan.ipaddr='192.168.10.1'

network.lan.delegate='0'

network.lan.force_link='0'

network.lan_eth0_1_dev=device

network.lan_eth0_1_dev.name='eth0.1'

network.lan_eth0_1_dev.macaddr='xxxxxxxxxxxx'fake

network.wan=interface

network.wan.ifname='eth0.2'

network.wan.proto='static'

network.wan.ipaddr='192.168.1.172'

network.wan.netmask='255.255.255.0'

network.wan.delegate='0'

network.wan.gateway='192.168.1.254'

network.wan.dns='1.1.1.1' '8.8.8.8'

network.wan.type='bridge'

network.wan_eth0_2_dev=device

network.wan_eth0_2_dev.name='eth0.2'

network.wan_eth0_2_dev.macaddr='xxxxxxxxxxxx' fake

network.wan6=interface

network.wan6.ifname='eth0.2'

network.wan6.proto='dhcpv6'

network.wan6.reqprefix='no'

network.wan6.delegate='0'

network.wan6.auto='0'

network.wan6.reqaddress='none'

network.wan6.type='bridge'

network.switch[0]=switch

network.switch[0].name='switch0'

network.switch[0].reset='1'

network.switch[0].enable_vlan='1'

network.switch_vlan[0]=switch_vlan

network.switch_vlan[0].device='switch0'

network.switch_vlan[0].vlan='1'

network.switch_vlan[0].ports='0 1 2 3 6t'

network.switch_vlan[1]=switch_vlan

network.switch_vlan[1].device='switch0'

network.switch_vlan[1].vlan='2'

network.switch_vlan[1].ports='4 6t'

network.wg0=interface

network.wg0.proto='wireguard'

network.wg0.delegate='0'

network.wg0.addresses='10.8.0.5/24'

network.wg0.private_key='xxxxxxxxxxxxxxxxxx' fake

network.wireguard_wg0[0]=wireguard_wg0

network.wireguard_wg0[0].persistent_keepalive='25'

network.wireguard_wg0[0].route_allowed_ips='1'

network.wireguard_wg0[0].endpoint_port='51820'

network.wireguard_wg0[0].description='openwrt'

network.wireguard_wg0[0].endpoint_host='xxxxxxxxxxxx' fake

network.wireguard_wg0[0].public_key='xxxxxxxxxxxxx'

network.wireguard_wg0[0].preshared_key='xxxxxxxxxx'


network.wireguard_wg0[0].allowed_ips='0.0.0.0/0'

firewall

network.loopback=interface

network.loopback.ifname='lo'

network.loopback.proto='static'

network.loopback.ipaddr='127.0.0.1'

network.loopback.netmask='255.0.0.0'

network.globals=globals

network.globals.ula_prefix='xxxxxxxxxx'

network.lan=interface

network.lan.type='bridge'

network.lan.ifname='eth0.1'

network.lan.proto='static'

network.lan.netmask='255.255.255.0'

network.lan.ip6assign='60'

network.lan.ipaddr='192.168.10.1'

network.lan.delegate='0'

network.lan.force_link='0'

network.lan_eth0_1_dev=device

network.lan_eth0_1_dev.name='eth0.1'

network.lan_eth0_1_dev.macaddr='xxxxxxxxxx

network.wan=interface

network.wan.ifname='eth0.2'

network.wan.proto='static'

network.wan.ipaddr='192.168.1.172'

network.wan.netmask='255.255.255.0'

network.wan.delegate='0'

network.wan.gateway='192.168.1.254'

network.wan.dns='1.1.1.1' '8.8.8.8'

network.wan.type='bridge'

network.wan_eth0_2_dev=device

network.wan_eth0_2_dev.name='eth0.2'

network.wan_eth0_2_dev.macaddr='xxxxxxxxxxxx'

network.wan6=interface

network.wan6.ifname='eth0.2'

network.wan6.proto='dhcpv6'

network.wan6.reqprefix='no'

network.wan6.delegate='0'

network.wan6.auto='0'

network.wan6.reqaddress='none'

network.wan6.type='bridge'

network.switch[0]=switch

network.switch[0].name='switch0'

network.switch[0].reset='1'

network.switch[0].enable_vlan='1'

network.switch_vlan[0]=switch_vlan

network.switch_vlan[0].device='switch0'

network.switch_vlan[0].vlan='1'

network.switch_vlan[0].ports='0 1 2 3 6t'

network.switch_vlan[1]=switch_vlan

network.switch_vlan[1].device='switch0'

network.switch_vlan[1].vlan='2'

network.switch_vlan[1].ports='4 6t'

network.wg0=interface

network.wg0.proto='wireguard'

network.wg0.delegate='0'

network.wg0.addresses='10.8.0.5/24'

network.wg0.private_key='xxxxxxxxx

network.wireguard_wg0[0]=wireguard_wg0

network.wireguard_wg0[0].persistent_keepalive='25'

network.wireguard_wg0[0].route_allowed_ips='1'

network.wireguard_wg0[0].endpoint_port='51820'

network.wireguard_wg0[0].description='openwrt'

network.wireguard_wg0[0].endpoint_host='xxxxxxxxx
network.wireguard_wg0[0].public_key='xxxxxxxxxxxx
network.wireguard_wg0[0].preshared_key='xxxxxxxxxx

network.wireguard_wg0[0].allowed_ips='0.0.0.0/0'

root@OpenWrt:~# uci show firewall

firewall.defaults[0]=defaults

firewall.defaults[0].input='ACCEPT'

firewall.defaults[0].output='ACCEPT'

firewall.defaults[0].forward='REJECT'

firewall.defaults[0].synflood_protect='1'

firewall.zone[0]=zone

firewall.zone[0].name='lan'

firewall.zone[0].input='ACCEPT'

firewall.zone[0].output='ACCEPT'

firewall.zone[0].forward='ACCEPT'

firewall.zone[0].network='lan'

firewall.zone[1]=zone

firewall.zone[1].name='wan'

firewall.zone[1].output='ACCEPT'

firewall.zone[1].masq='1'

firewall.zone[1].mtu_fix='1'

firewall.zone[1].family='ipv4'

firewall.zone[1].forward='ACCEPT'

firewall.zone[1].input='ACCEPT'

firewall.zone[1].network='wan wg0'

firewall.rule[0]=rule

firewall.rule[0].name='Allow-DHCP-Renew'

firewall.rule[0].src='wan'

firewall.rule[0].proto='udp'

firewall.rule[0].dest_port='68'

firewall.rule[0].target='ACCEPT'

firewall.rule[0].family='ipv4'

firewall.rule[1]=rule

firewall.rule[1].name='Allow-Ping'

firewall.rule[1].src='wan'

firewall.rule[1].proto='icmp'

firewall.rule[1].icmp_type='echo-request'

firewall.rule[1].family='ipv4'

firewall.rule[1].target='ACCEPT'

firewall.rule[2]=rule

firewall.rule[2].name='Allow-IGMP'

firewall.rule[2].src='wan'

firewall.rule[2].proto='igmp'

firewall.rule[2].family='ipv4'

firewall.rule[2].target='ACCEPT'

firewall.rule[3]=rule

firewall.rule[3].name='Allow-DHCPv6'

firewall.rule[3].src='wan'

firewall.rule[3].proto='udp'

firewall.rule[3].src_ip='fc00::/6'

firewall.rule[3].dest_ip='fc00::/6'

firewall.rule[3].dest_port='546'

firewall.rule[3].family='ipv6'

firewall.rule[3].target='ACCEPT'

firewall.rule[4]=rule

firewall.rule[4].name='Allow-MLD'

firewall.rule[4].src='wan'

firewall.rule[4].proto='icmp'

firewall.rule[4].src_ip='fe80::/10'

firewall.rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'

firewall.rule[4].family='ipv6'

firewall.rule[4].target='ACCEPT'

firewall.rule[5]=rule

firewall.rule[5].name='Allow-ICMPv6-Input'

firewall.rule[5].src='wan'

firewall.rule[5].proto='icmp'

firewall.rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'

firewall.rule[5].limit='1000/sec'

firewall.rule[5].family='ipv6'

firewall.rule[5].target='ACCEPT'

firewall.rule[6]=rule

firewall.rule[6].name='Allow-ICMPv6-Forward'

firewall.rule[6].src='wan'

firewall.rule[6].dest='*'

firewall.rule[6].proto='icmp'

firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'

firewall.rule[6].limit='1000/sec'

firewall.rule[6].family='ipv6'

firewall.rule[6].target='ACCEPT'

firewall.rule[7]=rule

firewall.rule[7].name='Allow-IPSec-ESP'

firewall.rule[7].src='wan'

firewall.rule[7].dest='lan'

firewall.rule[7].proto='esp'

firewall.rule[7].target='ACCEPT'

firewall.rule[8]=rule

firewall.rule[8].name='Allow-ISAKMP'

firewall.rule[8].src='wan'

firewall.rule[8].dest='lan'

firewall.rule[8].dest_port='500'

firewall.rule[8].proto='udp'

firewall.rule[8].target='ACCEPT'

firewall.include[0]=include

firewall.include[0].path='/etc/firewall.user'

firewall.rule[9]=rule

firewall.rule[9].src='*'

firewall.rule[9].target='ACCEPT'

firewall.rule[9].proto='udp'

firewall.rule[9].dest_port='“51820”'

firewall.rule[9].name='Allow-Wireguard-Inbound'

firewall.forwarding[0]=forwarding

firewall.forwarding[0].dest='wan'

firewall.forwarding[0].src='lan'

firewall.zone[2]=zone

firewall.zone[2].device='wg0'

firewall.zone[2].name='wired'

firewall.zone[2].mtu_fix='1'

firewall.zone[2].input='ACCEPT'

firewall.zone[2].forward='ACCEPT'

firewall.zone[2].masq='1'

firewall.zone[2].output='ACCEPT'

firewall.zone[2].family='ipv4'

firewall.forwarding[1]=forwarding

firewall.forwarding[1].dest='wired'

firewall.forwarding[1].src='wan'

Thnx in advance for your help!!!!!

• Add the OpenWrt LAN to the allowed IPs on the WG server.
• Assign the WG interface to the LAN firewall zone on OpenWrt.

thanks for your quick answer!!!!!

this is my server configuration for Openwrt client. is it correct?

opnwrt

[Interface]

Address = 10.8.0.5/24,fd42:42:42::5/64

DNS = 10.8.0.1,fd42:42:42::1

ListenPort = 59452

MTU = 1280

PrivateKey = xxxxxxxx

[Peer]

AllowedIPs = 0.0.0.0/0,::/0,192.168.10.1/32

Endpoint = xxxxxxxxxx:51820

PersistentKeepalive = 25

PresharedKey = xxxxxxxx
PublicKey = xxxxxxx

Schermata 2021-01-29 alle 21.08.221774×1112 246 KB

should I mark the wg interface with the arrow?

Fix firewall config on OpenWrt:

uci -q delete firewall.@zone[0].device
uci -q delete firewall.@zone[0].network
uci add_list firewall.@zone[0].network="lan"
uci add_list firewall.@zone[0].network="wg0"
uci -q delete firewall.@zone[1].device
uci -q delete firewall.@zone[1].network
uci add_list firewall.@zone[1].network="wan"
uci add_list firewall.@zone[1].network="wan6"
uci -q delete firewall.@zone[2].device
uci -q delete firewall.@zone[2].network
uci commit firewall
/etc/init.d/firewall restart

Post from both server and OpenWrt client:

wg show

with this new configuration I can't reach internet. Handshake is ok but no connection with wireguard

openwrt wg0

interface: wg0
  public key: xxxxxxxxxxxxxx
  private key: (hidden)
  listening port: 33356

peer: xxxxxxxxxxx
  preshared key: (hidden)
  endpoint: xxxxxxxxxx:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 1 minute, 23 seconds ago
  transfer: 18.11 KiB received, 246.74 KiB sent
  persistent keepalive: every 25 seconds

wg0 server

peer: xxxxxxxxxx
  preshared key: (hidden)
  endpoint: xxxxxxxxx:33356
  allowed ips: 10.8.0.5/32, fd42:42:42::5/128
  latest handshake: 6 minutes, 11 seconds ago
  transfer: 130.07 MiB received, 4.59 GiB sent

• Add 192.168.10.0/24 to the WG peer's allowed IPs on the server.
• Add a route to 192.168.10.0/24 via 10.8.0.5 on the server.

Done

I'm not sure about this, is it something like: this command?
add route 192.168.10.0/24. ?

The runtime command looks like this:

sudo ip route add 192.168.10.0/24 via 10.8.0.5 dev wg0

The persistent config depends on your network management service.

no matter what I do to any configuration the situation is still the same. at one point after your kind suggestions I had 2 lan firewall zones after I did the firewall steps you wrote above. I had to restore a backup to go back to a working configuration. it all looks simple from tutorials and videos I don't know why the steps suggested don't work in my environment.

The tutorials are typically limited to particular use cases and rely on specific configuration defaults which may not match exactly your use case and customized settings.

To proceed with troubleshooting, requires to analyze the runtime configs, so collect the output from both server and client and post it to pastebin.com:

ip address show; ip route show table all; ip rule show; \
iptables-save; sysctl net 2> /dev/null | grep -e forward; wg show

my server runtime configuration:
https://pastebin.com/smLjgY5h

my OpenWrt client configuration
https://pastebin.com/iaicKA31

When you added

It looks like you added a new peer when you did this.

peer: xxxxxxxxx
  preshared key: (hidden)
  allowed ips: 10.8.0.6/32, fd42:42:42::6/128, 192.168.10.0/24

Get rid of this and add 192.168.10.0/24 to the allowed ips list for the peer to your openwrt device, i.e. add to allowed ips: 10.8.0.5/32, fd42:42:42::5/128

although that client was already there I got rid of it deleting it.

this is my wg show on server:
(as you can see I can ping the other client but I can't ping OpenWrt)
https://pastebin.com/EJxmzr7b

this is my wg0.conf on server:
https://pastebin.com/u6TaHsMh

this is my OpenWrt.conf(client) on server:
https://pastebin.com/nANnVTNz

Take 192.168.10.0/24 out of the phone peer.

Done but still nothing. From server I can ping the other client but not OpenWrt
from OpenWrt I can only ping server but not the other client(which is a phone connected by 4g cellular data with wireguard client installed).......still clueless.....

• Remove the ListenPort from the WG client configs.
• Disable bridging on the OpenWrt WAN interface.
• Disable banIP for the time being.
• The firewall config is still confusing, so try to apply the fix once again.

Something is moving in the right direction......

ok done!

This is for sure one of the cause(s).... if it is enabled I can't reach OpenWrt from outside. if it is Disabled I can reach the OpenWrt web interface so for now I will disable it.

I didn't do it 'cause creates for sure 2 lan config and I had to restore a previous configuration. for some reason messes things up

now the original purpose of my post was reaching my server in my lan at 192.168.10.xxx, it has a web interface and I can't reach it....

thnx for your efforts really appreciated......

• Remove the wired firewall zone and attach the wg0 network to the lan zone.
• Also change the WAN interface metric to preserve its gateway.

Guys you are simply AWESOME!!!!

This did the trick for sure......

this one helped too. I had to restart wan after disconnecting from wireguard...not anymore

thank you very very much for your time, knowledge and efforts. you guys rock!!!!
I'll modify post as SOLVED...

This topic was automatically closed 0 minutes after the last reply. New replies are no longer allowed.