Some issues with routes or firewall settings lede-17.01 + wireguard

Hi guys, I hope someone is able to help me solve my problem. I was trying to build my own VPN proxy based on lede-17.01 + wireguard, and as the client I use the Android WireGuard app. Actually, I am almost at my goal: the connection between the server and the Android app is UP, but unfortunately I can't find out why I can't get access to the internet via this VPN; only a ping to the remote server works well. Thank you guys for any help, and for your patience in solving my issue.

Network config

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdf4:8dbe:2b48::/48'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option _orig_ifname 'eth0 radio0.network1 radio1.network1'
	option _orig_bridge 'true'
	option ifname 'eth0'

config interface 'wan'
	option ifname 'eth1'
	option _orig_ifname 'eth1'
	option _orig_bridge 'false'
	option proto 'static'
	option ipaddr '109.202.**.***'
	option netmask '255.255.255.128'
	option gateway '109.202.**.***'
	option dns '89.107.115.1 80.78.115.1'
	option macaddr '94:DE:80:09:4F:FA'
	option delegate '0'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6'

config interface 'wg0'
	option proto 'wireguard'
	option private_key '***'
	option listen_port '51820'
	list addresses '192.168.1.1/32'

config wireguard_wg0
	option public_key '***'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	list allowed_ips '192.168.1.3/32'

Firewall config

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option input 'ACCEPT'
	option network 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config rule
	option target 'ACCEPT'
	option name 'internet'
	option dest '*'
	option family 'ipv4'
	option src '*'
	option proto 'udp'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'udp'
	option src_dport '51820'
	option dest_ip '192.168.1.1'
	option name 'wg'
	option reflection '0'

config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option network 'wg0'
	option name 'WG0'

config forwarding
	option dest 'wan'
	option src 'lan'

config forwarding
	option dest 'lan'
	option src 'WG0'

config forwarding
	option dest 'wan'
	option src 'WG0'

config forwarding
	option dest 'WG0'
	option src 'lan'

First, change that wg0 address (192.168.1.1/32) into something bigger, like a /24.
Second, you have an IP conflict with the LAN interface: the 'lan' section already uses 192.168.1.1.
Change the wg0 IP to 192.168.2.1/24.

No need to route the allowed IPs here.

config zone
	option name 'wan'
	option input 'ACCEPT'

You may want to change the wan zone's input to REJECT; with ACCEPT, any service the router itself listens on is reachable from the WAN side.

config rule
	option target 'ACCEPT'
	option name 'internet'
	option dest '*'
	option family 'ipv4'
	option src '*'
	option proto 'udp'

Nope... this rule accepts all UDP traffic from every zone to every zone, which is not needed.

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'udp'
	option src_dport '51820'
	option dest_ip '192.168.1.1'
	option name 'wg'
	option reflection '0'

Nope... WireGuard listens on the router itself (the wg0 interface with listen_port 51820), so a DNAT redirect to 192.168.1.1 is not what you need.
Instead, use this input rule:

config rule
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '51820'
        option name 'Wireguard Roadwarrior'
        option family 'ipv4'
        option src 'wan'

Remove the WG0 firewall zone altogether and add the wg0 interface to the LAN zone.
Finally, make sure that in the Android app the IP address is 192.168.2.3/24 and that the allowed_ips are 0.0.0.0/0 and routed.
Udachi!


Thanks a lot, "it is alive". Your advice helped me understand that something was wrong with the WireGuard config too, and I also made some changes based on the WireGuard support docs.
In particular, at that moment the main mistake was in my Android app config.

Finally, make sure that in the Android app the IP address is 192.168.2.3/24 and that the allowed_ips are 0.0.0.0/0 and routed.

Thank you for your precious time! You really helped with my issue.
Spasibo, horoshego dnay, gibkih deadlines and, and careful users :wink:

