I'm trying to set up WireGuard on my OpenWrt router in my home so that I can access my home local network remotely.
I have WireGuard installed on my OpenWrt router and also on my Windows laptop.
They are completing the handshake and I can ping successfully from my laptop to the OpenWrt when I ping 192.168.9.1.
The problem, though, is that I cannot reach any devices outside of the wg VPN interface 192.168.9.X,
i.e. I can't reach anything on my home network 192.168.1.X or the internet.
After much google & forum searching, I still can't find the solution.
Below are the configs I'm using. Any help is much appreciated!
OpenWrt server uci config
root@OpenWrt:~#tp-link: uci show network
network.globals.ula_prefix='XXXXXXXXXXXXXXXXX' # removed the ip6 address - not sure if it is sensitive
network.@switch_vlan.ports='2 3 4 5 0t'
network.vpn.private_key='XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' #private key for Openwrt server
network.vpn.addresses='192.168.9.1/24' 'XXXXXXXXXXXXXXXXX' # removed the ip6 address - not sure if it is sensitive
network.@wireguard_vpn.public_key='XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' #public key for laptop
network.@wireguard_vpn.private_key='XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' #private key for laptop
network.@wireguard_vpn.preshared_key='XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' #preshared key for laptop
Actually, in this case, I think that the OP has a LAN-LAN connection between an upstream router and the OpenWrt device running WireGuard. This means:
- a static route in the main router may be useful here, unless the upstream router doesn't support it.
- setting masquerading on the lan zone will obviate the need for the static route above, and tends to simplify the setup for most users. That said, if masquerading is used, the WireGuard network needs to be in its own firewall zone.
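As an added example (not from the thread, and not OpenWrt's own documentation), this is what the second option looks like in OpenWrt's /etc/config/firewall: the WireGuard interface `vpn` (the interface name visible in the OP's `uci show network` output) gets its own zone with forwarding to `lan` and `wan`, the `lan` zone masquerades so the upstream router never needs a route back to 192.168.9.0/24, and the UDP listen port 51820 (the port in the laptop config above) is opened on `wan`. The zone names `lan` and `wan` are OpenWrt defaults; the `vpn` zone name, the `Allow-WireGuard` rule name and the port are assumptions for this example.

```uci
# /etc/config/firewall  (added example; adapt zone and interface names to your setup)

# Existing lan zone: add masquerading so traffic arriving from the VPN and
# forwarded onto the LAN is source-NATed to the router's LAN address.
# Without this, LAN devices reply to 192.168.9.x via their default gateway
# (the upstream router), which has no route for that subnet.
# Alternative: leave masq off and add a static route for 192.168.9.0/24
# pointing at the OpenWrt LAN IP on the upstream router, if it supports it.
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'

# Separate zone for the WireGuard interface 'vpn'. input ACCEPT lets the
# laptop reach the router itself (ping 192.168.9.1, DNS, LuCI); forward REJECT
# means nothing crosses zones unless a forwarding stanza below allows it.
config zone
	option name 'vpn'
	list network 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# VPN clients may reach the home LAN ...
config forwarding
	option src 'vpn'
	option dest 'lan'

# ... and the internet (the wan zone already masquerades by default).
config forwarding
	option src 'vpn'
	option dest 'wan'

# Accept incoming WireGuard handshakes on the listen port.
config rule
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'
```

After editing, `/etc/init.d/firewall restart` (or `fw4 reload` on recent releases) applies the change. With the double-NAT layout the thread describes, the upstream router must additionally forward UDP 51820 to the OpenWrt WAN address; that part lives on the upstream router, not in this file.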
My home internet connection router doesn't seem to support static routes.
So, I made the changes you suggested to the firewall zones.
I can now ping IP addresses on the internet and also view web pages in a browser.
I can't, though, ping internet addresses by name, or ping or access any devices on my LAN.
Thanks again for your help!
Ping request could not find host www.google.co.uk. Please check the name and try again.
Pinging 188.8.131.52 with 32 bytes of data:
Reply from 184.108.40.206: bytes=32 time=98ms TTL=60
Pinging 192.168.0.99 with 32 bytes of data:
For the domain name issues...
Add DNS to your WG config like this (from your laptop config; see the DNS line added. I assumed 192.168.0.1 is your router/DNS server, but adapt as desired or use a public DNS server):
[Interface]
PrivateKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX #laptop private key
Address = 192.168.9.3/32
DNS = 192.168.0.1

[Peer]
PublicKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX #Openwrt router public key
PresharedKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX #preshared key for laptop
AllowedIPs = 0.0.0.0/0
Endpoint = XXXXXXXXXXX:51820 #home external IP address
How are you testing this below? Is your laptop on the same local network (i.e. your own home network) or are you on a remote network such as cellular/cafe/friend/work/school/etc.? This may fail when you're testing from the same network.
An addition...
I managed to solve the problem that when my (Windows 10) laptop reconnected to my home wifi and the WireGuard VPN was still active, I would lose access to my home network devices.
The solution is to explicitly add the local domain (in my case 192.168.0.0/24) as an allowed range in the laptop client wg config.
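The two client-side fixes in this thread (the DNS line from the earlier reply, and the explicit LAN range in AllowedIPs from the OP's addition) are easy to check mechanically. The script below is an added example, not code from the thread or from the WireGuard project: it parses a client config in the `[Interface]`/`[Peer]` format shown above, reports a missing DNS entry, reports a LAN subnet that no AllowedIPs entry covers, and flags the case the OP hit, where AllowedIPs is only the catch-all 0.0.0.0/0. On the Windows client the "Block untunneled traffic (kill-switch)" option applies exactly when AllowedIPs is just 0.0.0.0/0 and/or ::/0, which is why listing the LAN explicitly alongside 0.0.0.0/0 restores access to local devices. The sample config, placeholder keys, endpoint name and the `fix_client_config` helper are all constructed for this example.

```python
"""Audit a WireGuard client config for the pitfalls discussed in the thread:
no DNS in [Interface], and AllowedIPs that does not explicitly list the home LAN."""
import ipaddress

# Constructed sample: the laptop config from the thread, with placeholder keys.
SAMPLE_CONFIG = """\
[Interface]
PrivateKey = LAPTOP_PRIVATE_KEY_PLACEHOLDER
Address = 192.168.9.3/32

[Peer]
PublicKey = ROUTER_PUBLIC_KEY_PLACEHOLDER
PresharedKey = PRESHARED_KEY_PLACEHOLDER
AllowedIPs = 0.0.0.0/0
Endpoint = home.example.invalid:51820   # placeholder for the home external IP
"""

CATCH_ALL = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}


def parse_wg_config(text):
    """Minimal INI-style parser. Strips '#' comments, splits on the first '=' only
    (base64 keys contain '='), and merges repeated keys such as AllowedIPs."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        section = sections[current]
        section[key] = f"{section[key]}, {value}" if key in section else value
    return sections


def split_list(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def audit_client_config(text, lan_cidr):
    """Return a list of findings (empty list means the config passes)."""
    cfg = parse_wg_config(text)
    iface, peer = cfg.get("Interface", {}), cfg.get("Peer", {})
    lan = ipaddress.ip_network(lan_cidr)
    findings = []

    if "DNS" not in iface:
        findings.append("no DNS in [Interface]: names will not resolve through the tunnel")

    allowed = [ipaddress.ip_network(a) for a in split_list(peer.get("AllowedIPs", ""))]
    # subnet_of() raises on mixed IP versions, so compare versions first.
    if not any(a.version == lan.version and lan.subnet_of(a) for a in allowed):
        findings.append(f"AllowedIPs does not cover {lan}: LAN traffic will not enter the tunnel")

    if allowed and set(allowed) <= CATCH_ALL:
        findings.append("AllowedIPs is only a catch-all route: the Windows client enables its "
                        "kill switch and blocks the local LAN; list the LAN explicitly as well")
    return findings


def fix_client_config(text, lan_cidr, dns):
    """Apply the thread's two fixes: add a DNS line after Address (if absent) and
    append the LAN range to AllowedIPs (if absent). Returns the new config text."""
    has_dns = "DNS" in parse_wg_config(text).get("Interface", {})
    out = []
    for raw in text.splitlines():
        key = raw.split("=", 1)[0].strip()
        if key == "AllowedIPs" and lan_cidr not in raw:
            raw = raw.rstrip() + f", {lan_cidr}"
        out.append(raw)
        if key == "Address" and not has_dns:
            out.append(f"DNS = {dns}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit_client_config(SAMPLE_CONFIG, "192.168.0.0/24"):
        print("FINDING:", finding)
    print(fix_client_config(SAMPLE_CONFIG, "192.168.0.0/24", "192.168.0.1"))
```

Run it against a real client config by replacing `SAMPLE_CONFIG` with the file contents; the LAN range passed to `audit_client_config` is the home subnet (192.168.0.0/24 in the OP's case, per the later posts), and the DNS address is the router that serves names on that LAN.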