Starlink App wireguard vpn bypass

I think I'm just missing something small. I set up OpenWrt with a WireGuard VPN and everything works great, except that I can't access my Starlink app on my phone (it sits at 192.168.1.1).

I can ping it from the router (via SSH), but no clients can ping it.

#from Router#

root@XXXXXX:~# ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: seq=0 ttl=64 time=1.607 ms
64 bytes from 192.168.1.1: seq=1 ttl=64 time=1.161 ms

Here is my routing table:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         *               0.0.0.0         U     0      0        0 VPN
10.14.0.0       *               255.255.0.0     U     0      0        0 VPN
10.xx.xx.xx     *               255.255.255.0   U     0      0        0 br-lan
37.19.211.130   192.168.1.1     255.255.255.255 UGH   0      0        0 wan
192.168.1.0     *               255.255.255.0   U     0      0        0 wan

from Client#

Pinging 192.168.1.1 with 32 bytes of data:
Reply from 10.xx.xx.xx Destination port unreachable.
Reply from 10.xx.xx.xx: Destination port unreachable.

I added the static route 192.168.1.0/24 (gateway 0.0.0.0) on the WAN interface, but I'm assuming I need to add something similar on the VPN interface, or a custom rule somewhere.


Thanks

Where does wg live? On the router or on your phone? Where is the other peer? What is the topology of your network?

Sorry, I'll be more specific. WireGuard lives on the router, which acts as a client for all the devices on the network.

Here is the output from `wg show`:

interface: VPN
  public key: bcvqoKZNLlUdYrsW7FwugJOCBUUo7ecH2TP9/C0W2Rk=
  private key: (hidden)
  listening port: 51851

peer: W9bzkcL3fiV64vDpB4pbrz8QafNn3y5P9Yc/kQvy4TA=
  endpoint: 37.19.211.130:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 16 seconds ago
  transfer: 1.55 GiB received, 119.84 MiB sent
  persistent keepalive: every 25 seconds

Also adding the network config for that interface:

# WireGuard tunnel interface (netifd proto 'wireguard'); this is the interface that
# `wg show` reports as "VPN".
config interface 'VPN'
	option proto 'wireguard'
	# Do not take DNS from the peer; the two static resolvers listed below are used instead.
	option peerdns '0'
	list addresses '10.14.0.2/16'
	# NOTE(review): this private key has been posted in a public thread and should be treated
	# as compromised: generate a fresh keypair (wg genkey / wg pubkey), put the new private key
	# here and register the new public key with the far-end peer.
	option private_key 'mPy8xonFEaR94nZKYoJxJmsxiQiAUI923cTqBuHEuWw='
	list dns '162.252.172.57'
	list dns '149.154.159.92'
	option mtu '1350'
	# NOTE(review): PostUp/PostDown are wg-quick keys; OpenWrt's netifd wireguard proto handler
	# does not appear to read them, so these iptables lines are most likely never executed
	# (confirm with `iptables -S FORWARD`). If they did run, the unconditional
	# 'FORWARD -i %i -j ACCEPT' would bypass the zone firewall for everything arriving from
	# the tunnel, and the MASQUERADE here is on eth0 rather than on the tunnel interface.
	# Masquerading for tunnel traffic is already provided by 'masq 1' on the wgvpn zone in
	# the firewall config, so these two options can simply be dropped.
	option PostUp 'iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE'
	option PostDown 'iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE'

# Peer section for interface 'VPN' (the "Toronto" endpoint shown in `wg show`).
config wireguard_VPN
	# 0.0.0.0/0 together with route_allowed_ips '1' makes netifd install a default route
	# through the tunnel (the 'default ... VPN' entry in the routing table). The static
	# 192.168.1.0/24 route on wan is more specific and still wins for that subnet, so
	# routing on the router itself is not what blocks LAN clients.
	list allowed_ips '0.0.0.0/0'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	option description 'Toronto'
	option public_key 'W9bzkcL3fiV64vDpB4pbrz8QafNn3y5P9Yc/kQvy4TA='
	# The host route '37.19.211.130 via 192.168.1.1 dev wan' in the routing table keeps the
	# tunnel endpoint itself reachable outside the tunnel.
	option endpoint_host '37.19.211.130'
	option route_allowed_ips '1'

Also posting my firewall config:

# Zone-less defaults. Forwarded traffic that no 'config forwarding' permits falls through
# to REJECT; iptables' REJECT answers with ICMP port-unreachable by default, which matches
# the "Destination port unreachable" reply the LAN client gets from the router's LAN address.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# LAN zone. Note that 'forward ACCEPT' on a zone only covers traffic between networks
# inside the same zone; traffic into another zone (wan, wgvpn, ...) still needs an
# explicit 'config forwarding' section.
config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'
	option log '1'
	list network 'lan'

# WAN zone. Two things worth checking for the 192.168.1.0/24 (Starlink) path, which the
# routing table sends out of 'wan':
#  - no 'config forwarding' with dest 'wan' appears anywhere in this listing, so LAN -> WAN
#    packets hit the REJECT default;
#  - the stock OpenWrt wan zone carries 'option masq 1'; it is absent here, so even with a
#    forwarding in place 192.168.1.1 would see the LAN source address and need a return
#    route — either restore 'option masq 1' or add that route on the Starlink side.
config zone
	option name 'wan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'
	option log '1'
	list network 'wan'

# The rules below appear to be the stock OpenWrt defaults (DHCP, ping, IGMP/MLD, ICMPv6,
# IPsec pass-through, UDP traceroute); none of them is specific to the tunnel or to the
# 192.168.1.0/24 path.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Stock rules: allow IPsec (ESP + IKE) from WAN into LAN.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Disabled ('enabled 0'); has no effect.
config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

# /etc/firewall.user is loaded as well; its contents are not shown in this thread, so any
# rules living there also need to be checked when reasoning about the result.
config include
	option path '/etc/firewall.user'

# Zone for a network called 'SurfShark', which does not appear in the network config posted
# above — looks like a leftover from an earlier tunnel setup; confirm whether it is still used.
config zone
	option name 'ssfirewall'
	option forward 'REJECT'
	option input 'REJECT'
	option output 'ACCEPT'
	option mtu_fix '1'
	option masq '1'
	list network 'SurfShark'

# Despite the section name 'lan_wan', this forwards LAN into the 'ssfirewall' zone, not into
# 'wan' — there is no forwarding towards the 'wan' zone in this listing.
config forwarding 'lan_wan'
	option src 'lan'
	option dest 'ssfirewall'

# Zone for the WireGuard tunnel. 'masq 1' NATs LAN traffic to the tunnel address; input and
# forward REJECT mean nothing arriving from the tunnel can reach the router or the LAN
# unsolicited, which is the right posture for a router that only acts as a tunnel client.
config zone
	option name 'wgvpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option log '1'
	list network 'VPN'

# NOTE(review): this rule has no 'dest_port', so it accepts *every* UDP datagram from WAN into
# the router's INPUT chain, not just WireGuard. Because this router initiates the tunnel (it is
# the client and sends persistent keepalives), conntrack already lets the peer's replies back in
# and the rule is not needed at all — removing it is the cleanest fix. If it is kept, restrict
# it, e.g. `option dest_port '51851'` (the listening port from `wg show`; note that without an
# 'option listen_port' on the interface this port is chosen at startup and may change) and
# `option family 'ipv4'`.
config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option proto 'udp'
	option target 'ACCEPT'

# LAN -> tunnel forwarding. Together with 'lan_wan' above this is the only forwarding out of
# 'lan'; there is none towards 'wan', yet the routing table sends 192.168.1.0/24 out of 'wan'.
# That is the likely reason LAN clients get "Destination port unreachable" from the router
# while the router itself can ping 192.168.1.1. A matching section would be
# `config forwarding` / `option src 'lan'` / `option dest 'wan'` (plus 'masq 1' on the wan
# zone, or a return route on the Starlink side, so replies find their way back).
config forwarding
	option src 'lan'
	option dest 'wgvpn'

Check out policy-based routing.

The other method is to exclude the 192.168.1.0/24 network from the tunnel. Basically, you do this by specifying all the address ranges except the RFC 1918 networks.