[Solved] Wireguard - no access to router's lan

Hello guys,

I'm struggling with OpenWrt and Wireguard config and some help with a fresh look would be welcome.

I've got 2 routers in my home network: one with an internet connection (from my internet provider) and a second with OpenWrt (configured as a dumb AP). I'm trying to set up Wireguard on the OpenWrt router so I'll be able to reach PCs in my home network.

I've managed to configure the connection, so I'm able to reach the OpenWrt router (on 10.150.149.3 and 10.150.150.1), but I can't see any other device from the home network (10.150.149.0/24). If someone could take a look and point out what is done wrong or what else should be done I would really appreciate it.

Pasting configs below:

/etc/config/network

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ifname 'eth0 eth0.1 eth0.2'
        option ipaddr '10.150.149.3'
        option gateway '10.150.149.1'
        option broadcast '10.150.149.255'
        option dns '10.150.149.1 1.1.1.1'

config interface 'wg0'
        option proto 'wireguard'
        option private_key (hidden)
        option listen_port (hidden)
        list addresses '10.150.150.1/24'

config wireguard_wg0
        option public_key (hidden)
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        option description 'notebook'
        list allowed_ips '10.150.150.3'

/etc/config/firewall

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option name 'wireguard'
        option network 'wg0'
        option forward 'ACCEPT'

config rule
        option target 'ACCEPT'
        option src 'lan'
        option name 'allow-lan-to-wireguard'
        option dest 'wireguard'

config rule
        option target 'ACCEPT'
        option src 'wireguard'
        option name 'allow-wireguard-to-lan'
        option dest 'lan'

config forwarding
        option dest 'wireguard'
        option src 'lan'

config forwarding
        option dest 'lan'
        option src 'wireguard'

client config

[Interface]
PrivateKey = (hidden)
Address = 10.150.150.3/32
DNS = 1.1.1.1

[Peer]
PublicKey = (hidden)
Endpoint = (hidden)
AllowedIPs = 10.150.149.0/24, 10.150.150.0/24
PersistentKeepalive = 25

Have you added a static route to 10.150.150.0/24 via 10.150.149.3 on your main router? If you don't use masquerading on your OpenWrt router's lan interface then you need to also set up routing in the reverse direction.


You don't need these rules. The forwarding you have set up does that. But if you're just using wireguard to allow your own devices to access your LAN remotely then you can just add the wireguard interface into the LAN zone rather than having it in a separate zone.

Having option route_allowed_ips '1' in the peer config should take care of that. However, just in case, can you post the output of ip -4 addr ; ip -4 ro li tab all ; ip -4 ru. Remember to redact any public IP addresses.


Ok, I'll cleanup the rules and add Wireguard to LAN zone.

In the meantime, here is the output of ip -4 addr ; ip -4 ro li tab all ; ip -4 ru

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 10.150.149.3/24 brd 10.150.149.255 scope global br-lan
       valid_lft forever preferred_lft forever
8: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.150.150.1/24 brd 10.150.150.255 scope global wg0
       valid_lft forever preferred_lft forever
default via 10.150.149.1 dev br-lan proto static
10.150.149.0/24 dev br-lan proto kernel scope link src 10.150.149.3
10.150.150.0/24 dev wg0 proto kernel scope link src 10.150.150.1
10.150.150.2 dev wg0 proto static scope link
10.150.150.3 dev wg0 proto static scope link
10.150.150.12 dev wg0 proto static scope link
broadcast 10.150.149.0 dev br-lan table local proto kernel scope link src 10.150.149.3
local 10.150.149.3 dev br-lan table local proto kernel scope host src 10.150.149.3
broadcast 10.150.149.255 dev br-lan table local proto kernel scope link src 10.150.149.3
broadcast 10.150.150.0 dev wg0 table local proto kernel scope link src 10.150.150.1
local 10.150.150.1 dev wg0 table local proto kernel scope host src 10.150.150.1
broadcast 10.150.150.255 dev wg0 table local proto kernel scope link src 10.150.150.1
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

No, I hadn't. I will check that tomorrow as right now I'm not able to connect to the main router.

You don't need a static route. Wireguard has already set up the routes for you. Although, as you've given the WG interface a /24 subnet and are using addresses from that subnet for remote peers, you don't need "option route_allowed_ips '1'" in the peer configs. Take it out for now to check that isn't causing an issue.

Are you testing from outside your LAN? If so, then given you can ping the IP address for both the LAN and WG interfaces on your router but nothing in the LAN despite the correct routes appearing to be in the routing table, I would suspect it may be the firewall.

As Mikma has correctly pointed out, if wireguard isn't running on your main router and it doesn't have a route to the subnet then it ain't going to work.

How are devices in the home lan able to send packets to 10.150.150.0/24 if the main router doesn't have a static route to that subnet, unless you enable masquerading on the lan zone on the OpenWrt as a work-around?

Actually, my bad, misread the first post. The non-openwrt router will probably need a route.

Yeah, I'm outside the LAN network, got SSH connection to my router. Removing "option route_allowed_ips '1'" and rebooting the router got no effect.

I'm able to ping devices on 10.150.149.0/24 and 10.150.150.0/24 from router and only 10.150.150.0/24 from the outside.

Reached the main router with SSH forwarding. A static route on the main router fixed the issue! Thank you very much guys!
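The failure mode diagnosed in this thread is asymmetric routing: the tunnel peer reaches a LAN PC through the OpenWrt box, but the PC's reply follows its default route to the main router, which has no route back to 10.150.150.0/24. The following simulation is an added example, not code from the thread or from OpenWrt; it models the thread's topology with hop-by-hop longest-prefix-match lookups and traces each direction with and without the static route, plus the masquerading work-around mentioned above. The router addresses are the ones from the thread; the LAN PC at 10.150.149.50 and the tunnel being modelled as a next hop of 10.150.150.1 are constructed assumptions.

```python
"""Trace forward and return paths for a two-router LAN with a WireGuard subnet.

Added example (not from the original thread). Router addresses follow the
thread; the LAN PC at 10.150.149.50 is a constructed host, and the tunnel is
modelled as a plain next hop of 10.150.150.1 on the notebook.
"""
from copy import deepcopy
from ipaddress import ip_address, ip_network

# Each node: the addresses it owns and a routing table of (prefix, next_hop).
# next_hop None means "directly connected"; "ISP" stands for the upstream
# default route on the main router, where private destinations are dropped.
BASE_TOPOLOGY = {
    "pc": {  # constructed LAN host, default gateway is the main router
        "addrs": {"10.150.149.50"},
        "routes": [("10.150.149.0/24", None), ("0.0.0.0/0", "10.150.149.1")],
    },
    "main": {  # ISP router, knows only its own LAN
        "addrs": {"10.150.149.1"},
        "routes": [("10.150.149.0/24", None), ("0.0.0.0/0", "ISP")],
    },
    "openwrt": {  # dumb AP running WireGuard, matches the thread's routing table
        "addrs": {"10.150.149.3", "10.150.150.1"},
        "routes": [
            ("10.150.149.0/24", None),
            ("10.150.150.0/24", None),
            ("0.0.0.0/0", "10.150.149.1"),
        ],
    },
    "notebook": {  # remote peer; AllowedIPs from the client config, tunnel modelled as next hop
        "addrs": {"10.150.150.3"},
        "routes": [("10.150.150.0/24", None), ("10.150.149.0/24", "10.150.150.1")],
    },
}


def build_topology(static_route: bool) -> dict:
    """Return the topology, optionally with the fix: a route on the main router
    for 10.150.150.0/24 via the OpenWrt box (10.150.149.3)."""
    topo = deepcopy(BASE_TOPOLOGY)
    if static_route:
        topo["main"]["routes"].insert(0, ("10.150.150.0/24", "10.150.149.3"))
    return topo


def lookup(table, dst):
    """Longest-prefix match over (prefix, next_hop) entries, like the kernel's main table."""
    dst = ip_address(dst)
    best = None
    for prefix, nexthop in table:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > ip_network(best[0]).prefixlen):
            best = (prefix, nexthop)
    return best


def owner(topo, addr):
    """Name of the node that owns an address, or None if nobody on the path has it."""
    for name, node in topo.items():
        if addr in node["addrs"]:
            return name
    return None


def trace(topo, start, dst, max_hops=8):
    """Follow a packet from `start` towards `dst`; return (nodes visited, verdict)."""
    node, path = start, [start]
    for _ in range(max_hops):
        if dst in topo[node]["addrs"]:
            return path, "delivered"
        hit = lookup(topo[node]["routes"], dst)
        if hit is None:
            return path, "no route"
        nexthop = dst if hit[1] is None else hit[1]
        if nexthop == "ISP":
            return path, "sent upstream (private destination, dropped)"
        nxt = owner(topo, nexthop)
        if nxt is None:
            return path, f"next hop {nexthop} unreachable"
        node = nxt
        path.append(node)
    return path, "hop limit exceeded"


if __name__ == "__main__":
    broken, fixed = build_topology(False), build_topology(True)
    print("forward, notebook -> pc:      ", trace(broken, "notebook", "10.150.149.50"))
    print("return, pc -> notebook (no route):", trace(broken, "pc", "10.150.150.3"))
    print("return, pc -> notebook (static route):", trace(fixed, "pc", "10.150.150.3"))
    # Masquerading on the OpenWrt lan zone rewrites the source to 10.150.149.3,
    # so the PC replies to a directly connected address and the main router
    # never needs to know about 10.150.150.0/24.
    print("return with masquerade, pc -> 10.150.149.3:", trace(broken, "pc", "10.150.149.3"))
```

The forward trace succeeds in both topologies, which is why the router itself was reachable and the LAN hosts were not: only the reply path depends on the main router. The masquerade trace shows the cost of the work-around, the LAN hosts then see every tunnel client as 10.150.149.3, so per-client firewall rules and logs on the LAN side lose the real source.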
