[Solved] Wireguard vpn setup

Hi,
I'm trying to set up wireguard on my openwrt router in my home so that I can access my home local network remotely.
I have wireguard installed on my openwrt router and also on my windows laptop.
They are completing the handshake and I can ping successfully from my laptop to the openwrt when I ping to 192.168.9.1.
The problem though is that I cannot reach any devices outside of the wg vpn interface 192.168.9.X
i.e. I can't reach anything on my home network 192.168.1.X or the internet.
After much google & forum searching, I still can't find the solution.

Below are the configs I'm using. Any help is much appreciated !

Thanks,
Dave

============================================
Openwrt Server uci config

root@OpenWrt:~#tp-link: uci show network
network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='XXXXXXXXXXXXXXXXX'  # removed the ip6 address - not sure if it is sensitive
network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].ports='eth0.1'
network.lan=interface
network.lan.device='br-lan'
network.lan.proto='dhcp'
network.wan=interface
network.wan.device='eth0.2'
network.wan.proto='dhcp'
network.wan6=interface
network.wan6.device='eth0.2'
network.wan6.proto='dhcpv6'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='2 3 4 5 0t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='1 0t'
network.vpn=interface
network.vpn.proto='wireguard'
network.vpn.private_key='XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' #private key for Openwrt server
network.vpn.listen_port='51820'
network.vpn.addresses='192.168.9.1/24' 'XXXXXXXXXXXXXXXXX'  # removed the ip6 address - not sure if it is sensitive
network.@wireguard_vpn[1]=wireguard_vpn
network.@wireguard_vpn[1].description='DClaptop'
network.@wireguard_vpn[1].public_key='XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' #public key for laptop
network.@wireguard_vpn[1].private_key='XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' #private key for laptop
network.@wireguard_vpn[1].preshared_key='XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' #preshared key for laptop
network.@wireguard_vpn[1].route_allowed_ips='1'
network.@wireguard_vpn[1].allowed_ips='192.168.9.3/32' 

===============================================
Laptop config

[Interface]
PrivateKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX  #laptop private key
Address = 192.168.9.3/32

[Peer]
PublicKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX   #Openwrt router public key
PresharedKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX  #preshared key for laptop
AllowedIPs = 0.0.0.0/0
Endpoint = XXXXXXXXXXX:51820  #home external IP address

Let's see your firewall file:

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/firewall

For this use case, where you trust the road warrior laptop the same as other devices on the home lan, the simplest firewall configuration is to add list network vpn to the lan firewall zone.

Also you need route_allowed_ips 1 in the laptop configuration, so that use of networks other than the VPN tunnel itself is routed into the tunnel.

Actually, in this case, I think that the OP has a lan-lan connection between an upstream router and the OpenWrt device running Wireguard. This means:

  • a static route in the main router may be useful here, unless the upstream router doesn't support it.
  • setting masquerading on the lan zone will obviate the need to use the static route above, and tends to simplify the setup for most users. That said, if masquerading is used, the Wireguard network needs to be in its own firewall zone.

thanks for the super fast replies everyone. Here is the firewall setup.

root@OpenWrt:~#tp-link: cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        list network 'lan'
        list network 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone 'wan'
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule 'wg'
        option name 'Allow-WireGuard'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

So, as I was referring to earlier... does your main router support static routes?

If so, you'll need to set a route that will be 192.168.9.0/24 via <ip.address.of.openwrtvpn>

Otherwise, remove the vpn from the lan zone and add masquerading to the lan zone, create a new zone for the vpn, then allow forwarding from lan > vpn zones. It will look like this in the end.

config zone 'lan'
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'

config zone 'vpn'
        option name 'vpn'
        list network 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config forwarding
        option src 'vpn'
        option dest 'lan'
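To make the two layouts discussed above concrete (vpn sharing the lan zone and relying on a static route on the upstream router, versus vpn in its own zone with masquerading on lan and a vpn > lan forwarding), here is an added example checker that parses a `/etc/config/firewall` in UCI syntax and reports which layout it uses and what is still missing. This is example code written for this thread, not OpenWrt, fw3 or fw4 code; the two embedded configs are constructed samples that mirror the original and the corrected zone layouts, and the zone and network names `lan` and `vpn` are assumed defaults.

```python
"""Classify how a WireGuard interface is placed in OpenWrt firewall zones.
Added example for this thread; not OpenWrt, fw3 or fw4 code."""
import re

# Constructed sample: the corrected layout (vpn in its own zone,
# masquerading on lan, forwarding vpn -> lan).
SAMPLE_SPLIT = """
config zone 'lan'
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'

config zone 'vpn'
        option name 'vpn'
        list network 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config forwarding
        option src 'vpn'
        option dest 'lan'
"""

# Constructed sample: the original layout (vpn sharing the lan zone, no masq).
SAMPLE_SHARED = """
config zone 'lan'
        option name 'lan'
        list network 'lan'
        list network 'vpn'
        option forward 'ACCEPT'

config zone 'wan'
        option name 'wan'
        list network 'wan'
        option masq '1'

config forwarding
        option src 'lan'
        option dest 'wan'
"""

_SECTION = re.compile(r"^config\s+(\S+)(?:\s+'?([^'\s]+)'?)?\s*$")
_OPTION = re.compile(r"^(option|list)\s+(\S+)\s+(.+?)\s*$")


def parse_uci(text):
    """Parse UCI text into [{'type', 'name', 'opts'}]. opts maps key -> list of
    values so that repeated 'list' lines and single 'option' lines look alike."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _SECTION.match(line)
        if m:
            current = {"type": m.group(1), "name": m.group(2), "opts": {}}
            sections.append(current)
            continue
        m = _OPTION.match(line)
        if m and current is not None:
            value = m.group(3).strip("'\"")
            current["opts"].setdefault(m.group(2), []).append(value)
    return sections


def zone_name(zone):
    """A zone is addressed by its 'option name', falling back to the section name."""
    return zone["opts"].get("name", [zone["name"]])[0]


def check_wireguard_zones(text, vpn_network="vpn", lan_zone="lan"):
    """Report which layout a firewall file uses and what road-warrior clients
    still need in order to reach LAN hosts. Returns {'layout', 'findings'}."""
    sections = parse_uci(text)
    zones = [s for s in sections if s["type"] == "zone"]
    forwardings = [s for s in sections if s["type"] == "forwarding"]
    findings = []

    holder = next((z for z in zones if vpn_network in z["opts"].get("network", [])), None)
    if holder is None:
        return {"layout": "none",
                "findings": [f"network '{vpn_network}' is in no zone; tunnel traffic hits the default policy"]}
    holder_name = zone_name(holder)
    lan = next((z for z in zones if zone_name(z) == lan_zone), None)
    lan_masq = lan is not None and lan["opts"].get("masq", ["0"])[0] == "1"

    if holder_name == lan_zone:
        if lan_masq:
            findings.append("masq is set on the lan zone while vpn shares it; move vpn to its own zone")
        else:
            findings.append("vpn shares the lan zone: LAN hosts need a static route for the tunnel subnet "
                            "via the OpenWrt address (or masq on lan with vpn in its own zone)")
        return {"layout": "shared", "findings": findings}

    has_fwd = any(f["opts"].get("src", [""])[0] == holder_name
                  and f["opts"].get("dest", [""])[0] == lan_zone for f in forwardings)
    if not has_fwd:
        findings.append(f"no 'config forwarding' from '{holder_name}' to '{lan_zone}'")
    if not lan_masq:
        findings.append("lan zone has no masq; without it LAN hosts need a static route for the tunnel subnet")
    return {"layout": "own_zone", "findings": findings}


if __name__ == "__main__":
    for label, cfg in (("shared", SAMPLE_SHARED), ("split", SAMPLE_SPLIT)):
        print(label, check_wireguard_zones(cfg))
```

Run it against a copy of the router's file (`check_wireguard_zones(open("firewall").read())`) after each change; the "shared" layout is only a problem when the upstream router cannot carry the static route, which is exactly the case the thread ends up in.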

thank you.
My home internet connection router doesn't seem to support static routes.
So, I made the changes you suggested to the firewall zones.

I can now ping ip addresses on the internet and also view web pages in a browser
I can't, though, ping internet addresses by name, or ping or access any devices on my LAN.
Examples below.

Thanks again for your help!

Dave

C:\>ping www.google.co.uk
Ping request could not find host www.google.co.uk. Please check the name and try again.

C:\>nslookup www.google.co.uk
Server:  cache1.service.virginmedia.net
Address:  194.168.4.100

Non-authoritative answer:
Name:    www.google.co.uk
Addresses:  2a00:1450:4009:821::2003
          172.217.16.227


C:\>ping 194.168.4.100

Pinging 194.168.4.100 with 32 bytes of data:
Reply from 194.168.4.100: bytes=32 time=98ms TTL=60

C:\>ping 192.168.0.99

Pinging 192.168.0.99 with 32 bytes of data:
General failure.

For the domain name issues...
Add DNS to your WG config like this (from your laptop config -- see the DNS added, assumed 192.168.0.1 is your router/DNS server, but adapt as desired or use a public DNS server):

[Interface]
PrivateKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX  #laptop private key
Address = 192.168.9.3/32
DNS = 192.168.0.1

[Peer]
PublicKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX   #Openwrt router public key
PresharedKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX  #preshared key for laptop
AllowedIPs = 0.0.0.0/0
Endpoint = XXXXXXXXXXX:51820  #home external IP address

How are you testing this below? Is your laptop on the same local network (i.e. your own home network) or are you on a remote network such as cellular/cafe/friend/work/school/etc.? This may fail when you're testing from the same network.

Thanks so much !

DNS is now working.
You're right, I was on the same network & when I connect via cellular it works perfectly !

Is there any way to have it still work while connected directly to the home network? It would allow me to just leave the vpn always on.

Dave

I think that this is a windows thing... not sure how to fix it. I don't have that problem with mac/linux/chromeOS/iOS.

Glad it is working!

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

Solution summary.

  1. Separate lan and vpn to separate firewall zones and setup forwarding between them:
config zone 'lan'
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'

config zone 'vpn'
        option name 'vpn'
        list network 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config forwarding
        option src 'vpn'
        option dest 'lan'
  2. Add DNS IP to laptop config:
[Interface]
PrivateKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX  #laptop private key
Address = 192.168.9.3/32
DNS = 192.168.0.1

An addition...
I managed to solve the problem that when my (Windows 10) laptop reconnected to my home wifi and the wireguard vpn was still active, I would lose access to my home network devices.
The solution is to explicitly add the local domain (in my case 192.168.0.0/24) as an allowed range in the laptop client wg config.

[Peer]
PublicKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
PresharedKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
AllowedIPs = 0.0.0.0/0, 192.168.0.0/24
Endpoint = XX.XX.XX.XX:51820
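The three client-side fixes in this thread (a `DNS` line in `[Interface]`, the LAN prefix covered by `AllowedIPs`, and, for the Windows-on-home-wifi case just described, the LAN prefix listed explicitly rather than only via `0.0.0.0/0`) can be checked mechanically before the tunnel is brought up. The following is an added example linter, not code from the thread or from the WireGuard project: it parses a client `.conf` the way `wg-quick` reads it (trailing `#` comments stripped) and reports which of those fixes is missing. The embedded configs are constructed samples with placeholder keys and a documentation endpoint address, and the home LAN prefix `192.168.0.0/24` is the one from the thread, passed as a parameter.

```python
"""Lint a WireGuard client config for the DNS and AllowedIPs issues seen in
the thread. Added example; not WireGuard project code."""
import ipaddress

# Constructed sample: the laptop config as first posted (no DNS, LAN only
# reachable through the catch-all 0.0.0.0/0).
SAMPLE_BEFORE = """
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER  #laptop private key
Address = 192.168.9.3/32

[Peer]
PublicKey = ROUTER_PUBLIC_KEY_PLACEHOLDER   #Openwrt router public key
PresharedKey = PSK_PLACEHOLDER
AllowedIPs = 0.0.0.0/0
Endpoint = 203.0.113.10:51820  #home external IP (documentation address)
"""

# Constructed sample: the config after both fixes from the thread.
SAMPLE_AFTER = """
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
Address = 192.168.9.3/32
DNS = 192.168.0.1

[Peer]
PublicKey = ROUTER_PUBLIC_KEY_PLACEHOLDER
PresharedKey = PSK_PLACEHOLDER
AllowedIPs = 0.0.0.0/0, 192.168.0.0/24
Endpoint = 203.0.113.10:51820
"""


def parse_wg_conf(text):
    """Return {'Interface': {...}, 'Peer': [{...}, ...]}. AllowedIPs and DNS are
    collected as lists (comma-separated or repeated keys); '#' comments are dropped."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip()
            if name == "Interface":
                current = interface
            elif name == "Peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section [{name}]")
            continue
        key, sep, value = line.partition("=")
        if current is None or not sep:
            raise ValueError(f"unparseable line: {raw!r}")
        key, value = key.strip(), value.strip()
        if key in ("AllowedIPs", "DNS"):
            current.setdefault(key, []).extend(v.strip() for v in value.split(",") if v.strip())
        else:
            current[key] = value
    return {"Interface": interface, "Peer": peers}


def lint_client(text, home_lan="192.168.0.0/24"):
    """List the thread's client-side problems present in a config, if any."""
    conf = parse_wg_conf(text)
    lan = ipaddress.ip_network(home_lan)
    findings = []

    dns = conf["Interface"].get("DNS", [])
    if not dns:
        findings.append("no DNS in [Interface]: names will not resolve through a full tunnel")
    for server in dns:
        ipaddress.ip_address(server)  # raises ValueError on a malformed DNS entry

    allowed = [ipaddress.ip_network(a, strict=False)
               for peer in conf["Peer"] for a in peer.get("AllowedIPs", [])]
    covered = any(n.version == lan.version and lan.subnet_of(n) for n in allowed)
    if not covered:
        findings.append(f"{home_lan} is not inside any AllowedIPs: LAN traffic will not enter the tunnel")
    elif lan not in allowed:
        findings.append(f"{home_lan} is only covered by a wider AllowedIPs entry; "
                        "the thread's Windows fix was to list it explicitly")
    return findings


if __name__ == "__main__":
    print("before:", lint_client(SAMPLE_BEFORE))
    print("after: ", lint_client(SAMPLE_AFTER))
```

Running it on a real config means pointing `lint_client` at the file contents and passing your own LAN prefix; a config that lists only the tunnel subnet (for example `192.168.9.0/24`) is reported as not covering the LAN at all, which is the split-tunnel variant of the same mistake.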
