[Solved] Wireguard works from LAN but not from router

Hi, I have a strange WireGuard situation.

I've installed WireGuard in my OpenWrt router and I can connect perfectly well from my phone, and reach the internal network.
From any device in the local network I can also reach the connected client.

So the VPN seems to work well.

The problem is that the only place from which I cannot reach any VPN client is the router itself.

I tried a trace on the firewall but I don't see any traffic when initiating from the local owrt router. Using tcpdump I don't see any packet either.

But both show packets that flow through the router, from a LAN client to a VPN client.

Any ideas?

What exactly are you trying to achieve with respect to connecting to your phone from the router? Most phones don’t have open ports most of the time. How are you testing the connection?

Actually I have a second client which is a remote computer which is where I want to connect. The phone was a just a test.

I can reach the remote PC from any client in my local LAN (through the owrt router) and ssh into it, but not from the router itself.

I also connected a remote router with owrt to join the two remote networks.
I have the same problem.
Any client in each segment can see the whole remote segment, but the router itself not. The same happens in both sides.
The two routers that are WireGuard peers can't see each other, though the tunnel is correctly established and works from LAN through the routers.

For connecting two routers you can use a site-to-site setup:
https://openwrt.org/docs/guide-user/services/vpn/wireguard/site-to-site

Basically set both sides up as a WireGuard server but with an endpoint on the peers.

But take note that the clients you are connecting will have their own firewall, which by default stops traffic coming from your WG server.

If you cannot get it working post your configs (from both sides)

Please connect to your OpenWRT device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
wg show

Hi @egc,

I was finally able to solve the problem, and now everything communicates correctly.

While I was printing your requested output I realized that the allowed_ips that I set up in the owrt config were not really showing up in the wg show output.

I'm not sure why, but probably because I had two peers with the full wg subnet segment allowed (172.25.9.0/24) and it only assigned it to one of the peers.

I updated it to only allow the specific wg IP of each peer in the wg subnet, and now everything works fine.

Thanks!

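The root cause described in the post above is WireGuard's cryptokey routing: every allowed-IPs prefix belongs to exactly one peer, so when two peers are configured with the same 172.25.9.0/24, the prefix ends up on whichever peer was set last and `wg show` lists it for that peer only. Nested prefixes (a /24 on one peer, a /32 inside it on another) are fine, because lookups use longest-prefix match. The following checker is an added example, not code from the thread or from OpenWrt; it parses a constructed `/etc/config/network` fragment in UCI syntax (the key values are placeholders, not real keys) and reports prefixes that two peers claim identically, which is exactly the mistake the poster found.

```python
"""Detect WireGuard peers in an OpenWrt UCI config that claim the same
allowed_ips prefix.  Added example: the config fragments are constructed
and PEER_*_PUBKEY / REDACTED are placeholders, not real keys."""
import ipaddress
import shlex
from itertools import combinations

# Constructed fragment reproducing the thread's mistake: both peers of wg0
# list the whole tunnel subnet.  Only one of them will actually get it.
BROKEN_CONFIG = """
config interface 'wg0'
    option proto 'wireguard'
    option private_key 'REDACTED'
    list addresses '172.25.9.1/24'

config wireguard_wg0
    option description 'phone'
    option public_key 'PEER_A_PUBKEY'
    list allowed_ips '172.25.9.0/24'

config wireguard_wg0
    option description 'remote-pc'
    option public_key 'PEER_B_PUBKEY'
    list allowed_ips '172.25.9.0/24'
"""

# The fix the poster applied: each peer gets only its own tunnel address.
FIXED_CONFIG = """
config interface 'wg0'
    option proto 'wireguard'
    option private_key 'REDACTED'
    list addresses '172.25.9.1/24'

config wireguard_wg0
    option description 'phone'
    option public_key 'PEER_A_PUBKEY'
    list allowed_ips '172.25.9.2/32'

config wireguard_wg0
    option description 'remote-pc'
    option public_key 'PEER_B_PUBKEY'
    list allowed_ips '172.25.9.3/32'
"""


def parse_uci(text):
    """Minimal UCI parser: returns [(section_type, section_name, {key: [values]})].
    'option' and 'list' are both stored as lists so repeated list entries survive."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        if parts[0] == "config":
            name = parts[2] if len(parts) > 2 else None
            sections.append((parts[1], name, {}))
        elif parts[0] in ("option", "list") and sections:
            sections[-1][2].setdefault(parts[1], []).append(parts[2])
    return sections


def peer_label(peer):
    """Human-readable name for a peer section: description, else key prefix."""
    desc = peer.get("description")
    return desc[0] if desc else peer.get("public_key", ["?"])[0][:8]


def check_allowed_ips(text, iface="wg0"):
    """Return findings as (kind, peer_a, peer_b, prefixes).
    'duplicate': identical prefix on two peers -> only one peer will own it.
    'overlap':   nested prefixes -> legal (longest-prefix match), reported for visibility."""
    peers = [opts for typ, _, opts in parse_uci(text) if typ == f"wireguard_{iface}"]
    findings = []
    for a, b in combinations(peers, 2):
        for pa in a.get("allowed_ips", []):
            for pb in b.get("allowed_ips", []):
                na = ipaddress.ip_network(pa, strict=False)
                nb = ipaddress.ip_network(pb, strict=False)
                if na == nb:
                    findings.append(("duplicate", peer_label(a), peer_label(b), str(na)))
                elif na.overlaps(nb):
                    findings.append(("overlap", peer_label(a), peer_label(b), f"{na} / {nb}"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{name}: {check_allowed_ips(cfg) or 'no conflicting allowed_ips'}")
```

On a live router the same check can be run against the real file with `check_allowed_ips(open('/etc/config/network').read())`; compare its output with `wg show`, where a prefix that the UCI file assigns to two peers appears under only one of them.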

If you'd like us to review your configs, please post them here. We can help identify any other issues or recommendations.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall

Otherwise, since it seems that things are working...

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks!