Hi everybody,
I'm trying to understand how to access my LAN 172.16.1.0 from outside via WireGuard using a dedicated OpenWrt device. This last point is especially important: in fact I do not want to use my main router to do this, but another OpenWrt one only connected via its WAN port. So, this device should not route the packets from the tunnel to the LAN it has onboard (that is unused/disconnected), but to the LAN it belongs to, the one managed by the main router. This config seems a little different from the ones I found online, which described how to configure a WireGuard tunnel on the main router.
Let me explain, hopefully better, with an image.
Now, I've already configured an easy 10.0.0.0/24 tunnel between this device and an outside VPS and everything works (I added the created WireGuard interfaces to the , I can reach the device and also if I ping its LAN IP - not the WireGuard one - it answers). Please note that at this point, no firewall rule has been configured.
Now, I've tried to add the whole home LAN subnet into the allowed_ips section, but doing this something goes wrong and I can access via luci and via ssh I have to remove the line list allowed_ips '172.16.1.0/24' from /etc/config/network.
Now, I have a couple of questions:
How do I configure both the routing aspects and the firewall ones (eventually) of the device to allow me to access other hosts in the home 172.16.1.0/24 subnet?
(Or should I study a different approach, for example changing the WAN port to a LAN port? Or, may I connect the LAN port to the switch that connects the home LAN managed by the other router? Or, can I connect the WAN port of the device directly to the fiber router of the ISP and the LAN port to the switch? The only thing I cannot do is directly connect the device to the router)
Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
added to the firewall and then done uci commit firewall and service firewall restart, the remote peer correctly tried to route to the device, but the ping result is:
PING 172.16.1.18 (172.16.1.18) 56(84) bytes of data.
From device_tunnel_ip icmp_seq=1 Destination Port Unreachable
From device_tunnel_ip icmp_seq=2 Destination Port Unreachable
From device_tunnel_ip icmp_seq=3 Destination Port Unreachable
I "solved" it by adding a zone... this concept is really strange to me, I created a zone and it added two lines in the recap on LuCI. By the way, this is the firewall config... any suggestions to make it better?!?
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option name 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option input 'ACCEPT'
	list network 'wan'
	list network 'wan6'
	list network 'wg_backup'

config forwarding
	option dest 'wan'
	option src 'lan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option proto 'esp'
	option target 'ACCEPT'
	option dest 'lan'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option dest 'lan'

config include
	option path '/etc/firewall.user'

config zone
	option name 'wg_backup'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	list network 'wan'
	list network 'wg_backup'
	option output 'ACCEPT'

config forwarding
	option dest 'wan'
	option src 'wg_backup'

config forwarding
	option dest 'wg_backup'
	option src 'wan'
This is the code added via LuCI:
config zone
	option name 'wg_backup'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	list network 'wan'
	list network 'wg_backup'
	option output 'ACCEPT'

config forwarding
	option dest 'wan'
	option src 'wg_backup'

config forwarding
	option dest 'wg_backup'
	option src 'wan'
I would start with the VPN client being a LAN device, and use the LAN network and zone for its connection to the house network. You trust the other side of the VPN to be part of the LAN, that's really how you want it to work. The OpenWrt VPN client will have two networks, lan and vpn. These can both be in the lan zone if you don't want to block anything.
When the VPN client is not the main router, the network needs to be set up so the route back to the VPN is known. Otherwise the LAN machines will try to return the packets from 10.0.0.X to the main router, and they are lost. The gateway from the house to 10.0.0.0 is through the VPN client's IP on the LAN, not the main router. This is usually done with a route installed in the main router: 10.0.0.0/24 via 172.16.1.X where X is the VPN client's IP on the house LAN.
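A worked configuration for the layout discussed in this thread, added here as an example and not taken from either poster: it ties together the allowed_ips problem from the first post (with route_allowed_ips on, routes follow allowed_ips, so the house LAN must not be listed on the device's own peer) and the zone-and-return-route advice from the reply above. Assumptions: the device joins the house network through its lan network at 172.16.1.20 with the main router at 172.16.1.1, the tunnel is 10.0.0.0/24 with the device at 10.0.0.2, both routers run OpenWrt 21.02 or later, and keys and the VPS endpoint are placeholders.

```uci
# /etc/config/network on the OpenWrt VPN device. Assumed: its connection to the house LAN is
# the lan network (static 172.16.1.20, main router 172.16.1.1); OpenWrt 21.02+ syntax.
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '172.16.1.20'
	option netmask '255.255.255.0'
	option gateway '172.16.1.1'

config interface 'wg_backup'
	option proto 'wireguard'
	option private_key '<device-private-key>'
	list addresses '10.0.0.2/24'

config wireguard_wg_backup
	option public_key '<vps-public-key>'
	option endpoint_host '<vps-public-ip>'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	option route_allowed_ips '1'
	# Only the tunnel subnet belongs here. Routes follow allowed_ips, so listing
	# 172.16.1.0/24 would send the device's own house-LAN traffic into the tunnel.
	list allowed_ips '10.0.0.0/24'

# /etc/config/firewall on the same device: the tunnel joins the lan zone, so
# tunnel<->house-LAN forwarding needs no extra forwarding section and no masquerading.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wg_backup'

# /etc/config/network on the MAIN router (assumed OpenWrt): return route for tunnel
# addresses, so replies from 172.16.1.x hosts reach the VPN device instead of the WAN.
config route
	option interface 'lan'
	option target '10.0.0.0/24'
	option gateway '172.16.1.20'
```

On the VPS, the peer entry for this device must also carry the house LAN (wg-quick syntax: AllowedIPs = 10.0.0.2/32, 172.16.1.0/24), and the VPS needs IP forwarding enabled if the remote client reaches the LAN through it rather than peering with the device directly.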