I'm struggling with OpenWrt and Wireguard config and some help with fresh look would be welcome.
I've got 2 routers in my home network: one with internet connection (from my internet provider) and a second with OpenWrt (configured as a dumb AP). I'm trying to set up Wireguard on the OpenWrt router so I'll be able to reach PCs in my home network.
I've managed to configure the connection, so I'm able to reach the OpenWrt router (on 10.150.149.3 and 10.150.150.1), but I can't see any other device from the home network (10.150.149.0/24). If someone could take a look and point out what is done wrong or what else should be done I would really appreciate it.
Have you added a static route to 10.150.150.0/24 via 10.150.149.3 on your main router? If you don't use masquerading on your OpenWrt router's lan interface then you need to also set up routing in the reverse direction.
You don't need these rules. The forwarding you have set up does that. But if you're just using wireguard to allow your own devices to access your LAN remotely then you can just add the wireguard interface into the LAN zone rather than having it in a separate zone.
Having option route_allowed_ips '1' in the peer config should take care of that. However, just in case, can you post the output of ip -4 addr ; ip -4 ro li tab all ; ip -4 ru. Remember to redact any public IP addresses.
Ok, I'll cleanup the rules and add Wireguard to LAN zone.
In the meantime, here is the output of ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 10.150.149.3/24 brd 10.150.149.255 scope global br-lan
valid_lft forever preferred_lft forever
8: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
inet 10.150.150.1/24 brd 10.150.150.255 scope global wg0
valid_lft forever preferred_lft forever
default via 10.150.149.1 dev br-lan proto static
10.150.149.0/24 dev br-lan proto kernel scope link src 10.150.149.3
10.150.150.0/24 dev wg0 proto kernel scope link src 10.150.150.1
10.150.150.2 dev wg0 proto static scope link
10.150.150.3 dev wg0 proto static scope link
10.150.150.12 dev wg0 proto static scope link
broadcast 10.150.149.0 dev br-lan table local proto kernel scope link src 10.150.149.3
local 10.150.149.3 dev br-lan table local proto kernel scope host src 10.150.149.3
broadcast 10.150.149.255 dev br-lan table local proto kernel scope link src 10.150.149.3
broadcast 10.150.150.0 dev wg0 table local proto kernel scope link src 10.150.150.1
local 10.150.150.1 dev wg0 table local proto kernel scope host src 10.150.150.1
broadcast 10.150.150.255 dev wg0 table local proto kernel scope link src 10.150.150.1
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
You don't need a static route. Wireguard has already set up the routes for you. Although, as you've given the WG interface a /24 subnet and are using addresses from that subnet for remote peers, you don't need "option route_allowed_ips '1'" in the peer configs. Take it out for now to check that isn't causing an issue.
Are you testing from outside your LAN? If so, then given you can ping the IP address for both the LAN and WG interfaces on your router but nothing in the LAN despite the correct routes appearing to be in the routing table, I would suspect it may be the firewall.
As Mikma has correctly pointed out, if wireguard isn't running on your main router and it doesn't have a route to the subnet then it ain't going to work.
How are devices in the home lan able to send packets to 10.150.150.0/24 if the main router doesn't have a static route to that subnet, unless you enable masquerading on the lan zone on the OpenWrt as a work-around?
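The reply-path problem the last few posts are arguing about, as an added example that is not from this thread or from OpenWrt: a small Python routing simulation built from the addresses posted above (10.150.149.1 main router, 10.150.149.3/10.150.150.1 OpenWrt, 10.150.150.2 remote peer). The LAN PC address 10.150.149.50, the main router's WAN side (203.0.113.x) and the node names are assumptions. It does a longest-prefix lookup hop by hop, with a one-entry conntrack to model masquerading, and shows that the peer's packet reaches the PC in every case, but the PC's reply is handed to the main router's default route unless the main router has a static route to 10.150.150.0/24 or the OpenWrt box masquerades on its lan side.

```python
import ipaddress

IP, NET = ipaddress.ip_address, ipaddress.ip_network


class Node:
    """A host or router: interfaces, a routing table and optional masquerading."""

    def __init__(self, name, ifaces, routes, masq_ifaces=()):
        self.name = name
        self.ifaces = ifaces                      # iface -> (address, link name)
        self.routes = [(NET(p), i, IP(g) if g else None) for p, i, g in routes]
        self.masq_ifaces = set(masq_ifaces)       # egress ifaces whose source gets rewritten
        self.conntrack = {}                       # (translated src, dst) -> original src

    def owns(self, ip):
        return any(IP(a) == ip for a, _ in self.ifaces.values())

    def lookup(self, dst):
        """Longest-prefix match, the rule the kernel applies to the main table."""
        best = None
        for prefix, iface, gw in self.routes:
            if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, iface, gw)
        return best


def owner_on_link(nodes, ip, link):
    """Who answers for `ip` on `link`: ARP on the LAN, the other end on a WireGuard link."""
    for node in nodes.values():
        for addr, lnk in node.ifaces.values():
            if IP(addr) == ip and lnk == link:
                return node
    return None


def trace(nodes, start, src, dst, max_hops=8):
    """Forward one packet hop by hop; returns (path, outcome, source address on arrival)."""
    src, dst = IP(src), IP(dst)
    node, path = nodes[start], [start]
    for _ in range(max_hops):
        if node.owns(dst):
            original = node.conntrack.get((dst, src))
            if original is None:
                return path, "delivered", src
            dst = original                       # reply to a masqueraded flow: un-NAT, forward on
        route = node.lookup(dst)
        if route is None:
            return path, f"no route on {node.name}", src
        _, iface, gw = route
        if iface in node.masq_ifaces:            # SNAT to the egress address, remember the flow
            new_src = IP(node.ifaces[iface][0])
            node.conntrack[(new_src, dst)] = src
            src = new_src
        nh = gw if gw is not None else dst
        nxt = owner_on_link(nodes, nh, node.ifaces[iface][1])
        if nxt is None:
            return path, f"left {node.name} via {iface} towards {nh}: lost upstream", src
        node = nxt
        path.append(node.name)
    return path, "hop limit", src


def build(static_route=False, masquerade=False):
    """Topology from the thread; the PC (10.150.149.50) and the WAN side are assumed."""
    peer = Node("peer", {"wg0": ("10.150.150.2", "wg")},
                # AllowedIPs on the remote peer: both subnets go to the OpenWrt end of the tunnel
                [("10.150.150.0/24", "wg0", "10.150.150.1"),
                 ("10.150.149.0/24", "wg0", "10.150.150.1")])
    openwrt = Node("openwrt", {"br-lan": ("10.150.149.3", "lan"), "wg0": ("10.150.150.1", "wg")},
                   [("10.150.149.0/24", "br-lan", None), ("10.150.150.0/24", "wg0", None),
                    ("0.0.0.0/0", "br-lan", "10.150.149.1")],
                   masq_ifaces=("br-lan",) if masquerade else ())
    main_routes = [("10.150.149.0/24", "lan", None), ("0.0.0.0/0", "wan", "203.0.113.1")]
    if static_route:                              # the fix suggested earlier in the thread
        main_routes.append(("10.150.150.0/24", "lan", "10.150.149.3"))
    main = Node("main", {"lan": ("10.150.149.1", "lan"), "wan": ("203.0.113.10", "isp")}, main_routes)
    pc = Node("pc", {"eth0": ("10.150.149.50", "lan")},
              [("10.150.149.0/24", "eth0", None), ("0.0.0.0/0", "eth0", "10.150.149.1")])
    return {n.name: n for n in (peer, openwrt, main, pc)}


def ping_pc(static_route=False, masquerade=False):
    """Peer -> PC, then the PC's reply; returns (request outcome, reply path, reply outcome)."""
    nodes = build(static_route, masquerade)
    _, request, seen_src = trace(nodes, "peer", "10.150.150.2", "10.150.149.50")
    # the PC replies to whatever source address it saw (10.150.149.3 when masqueraded)
    reply_path, reply, _ = trace(nodes, "pc", "10.150.149.50", seen_src)
    return request, reply_path, reply


if __name__ == "__main__":
    for label, kw in (("as posted", {}), ("static route on main router", {"static_route": True}),
                      ("masquerade on OpenWrt lan", {"masquerade": True})):
        print(label, "->", ping_pc(**kw))
```

Note how the "as posted" case matches the symptom in the first post: the request is delivered (the routes printed above are correct), and it is only the reply that dies, which is why the OpenWrt addresses respond but nothing behind them does. The conntrack here is keyed on addresses only; real masquerading also tracks ports, which does not change the path.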