Static route to LAN Network

Hello, I would like to ask one thing. I am now using a router with OpenWrt installed for a WireGuard VPN connection. It is totally okay, but I cannot reach the local network anymore. It is because of the VPN, but now I need to connect to a server in the local network. I tried a static route on OpenWrt but can't reach the server. The server's IP address is in the same network as the default gateway. Please give me some ideas.

We need to see the topology -- where is the OpenWrt router in relation to the other network? Please provide a diagram complete with IP addresses.


Thanks, brother. I want to reach the local server 192.168.100.251 from the VPN user network. I added a static route on the OpenWrt router but can't reach it.

Your wg subnet is not right. You should be using RFC 1918 addresses.

But otherwise, no static routes are required on OpenWrt. You may want to add static routes on the main router, but it is not mandatory.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
wg show

And please show the config from the remote peer.

{
        "kernel": "6.1.82",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "Xiaomi Redmi Router AX6000",
        "board_name": "xiaomi,redmi-router-ax6000-ubootmod",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "1004",
                "version": "23.05.3",
                "revision": "03.29.2024",
                "target": "mediatek/filogic",
                "description": "OpenWrt 03.29.2024 by Kiddin'"
        }
}

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix ''
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        option promisc '1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '10.0.0.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'wan'
        option macaddr ''

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'VPN'
        option proto 'wireguard'
        option private_key '                                                                                                                              kuTMF0s0Q='
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        list addresses '10.66.66.3/32'

config wireguard_VPN
        option description 'Imported peer configuration'
        option public_key ''
        option preshared_key ''
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option endpoint_host ''
        option endpoint_port ''
        option route_allowed_ips '1'
        option persistent_keepalive '25'


config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option flow_offloading '1'
        option flow_offloading_hw '1'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

config include 'passwall'
        option type 'script'
        option path '/var/etc/passwall.include'
        option reload '1'

config include 'passwall_server'
        option type 'script'
        option path '/var/etc/passwall_server.include'
        option reload '1'

config zone
        option name 'VPN'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'VPN'
        option masq '1'

config forwarding
        option src 'lan'
        option dest 'VPN'

interface: VPN
  public key: 
  private key: (hidden)
  listening port: 49403

peer: 
  preshared key: (hidden)
  endpoint: 
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 50 seconds ago
  transfer: 142.30 MiB received, 15.64 MiB sent
  persistent keepalive: every 25 seconds

Please check, brother.

This is not from the official OpenWrt project.

It appears you are using firmware that is not from the official OpenWrt project.

When using forks/offshoots/vendor-specific builds that are "based on OpenWrt", there may be many differences compared to the official versions (hosted by OpenWrt.org). Some of these customizations may fundamentally change the way that OpenWrt works. You might need help from people with specific/specialized knowledge about the firmware you are using, so it is possible that advice you get here may not be useful.

You may find that the best options are:

  1. Install an official version of OpenWrt, if your device is supported (see https://firmware-selector.openwrt.org).
  2. Ask for help from the maintainer(s) or user community of the specific firmware that you are using.
  3. Provide the source code for the firmware so that users on this forum can understand how your firmware works (OpenWrt forum users are volunteers, so somebody might look at the code if they have time and are interested in your issue).

If you believe that this specific issue is common to generic/official OpenWrt and/or the maintainers of your build have indicated as such, please feel free to clarify.

Thanks, brother. I am not sure about the firmware because I am not the one who installed it. I will ask the person who installed it. But is there any way to reach the server, like a static route? Please check my routing status.

Aside from the mod noting this isn't official OpenWrt, there is a generic suggestion.

  1. Have you allowed VPN to LAN (or WAN) traffic in the firewall?

A route should already exist on the OpenWrt if WAN is 192.168.100.0/24. You didn't provide enough information to determine that.

On official OpenWrt, you can see this in the LuCI web GUI at:

Status > Routing > IPv4 Routing

On command line: ip -4 route

Thanks, brother. I already allowed it. Please check the conversation above.

No, you haven't:

Allow VPN to WAN (or LAN, as applicable).

Otherwise, you should inquire with Kiddin.

Thanks. I will try.
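
The "No, you haven't" reply above comes from reading the forwarding sections of the posted firewall config. The same check as a script, added here as an example and not part of the thread: it lists the src/dest pairs of every 'config forwarding' section in a UCI firewall file. The function names are hypothetical and the sample input is a constructed excerpt of the config posted earlier.

```shell
#!/bin/sh
# Print "src dest" for each enabled 'config forwarding' section of a UCI
# firewall file (on the router: /etc/config/firewall).
list_forwardings() {
    awk -v q="'" '
        function unquote(s) { gsub("^[" q "\"]|[" q "\"]$", "", s); return s }
        function emit() { if (in_fwd && on && src != "" && dest != "") print src, dest }
        $1 == "config" { emit(); in_fwd = ($2 == "forwarding"); src = dest = ""; on = 1; next }
        in_fwd && $1 == "option" && $2 == "src"  { src  = unquote($3) }
        in_fwd && $1 == "option" && $2 == "dest" { dest = unquote($3) }
        in_fwd && $1 == "option" && $2 == "enabled" &&
            unquote($3) ~ /^(0|no|off|false)$/ { on = 0 }
        END { emit() }
    ' "$1"
}

# Succeeds only if a forwarding section exists for exactly this src/dest pair.
has_forwarding() {
    list_forwardings "$1" | grep -qxF -- "$2 $3"
}

# Constructed excerpt of the firewall config posted in the thread.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
config forwarding
        option src 'lan'
        option dest 'wan'

config zone
        option name 'VPN'
        option input 'REJECT'
        option forward 'REJECT'
        list network 'VPN'
        option masq '1'

config forwarding
        option src 'lan'
        option dest 'VPN'
EOF

for pair in "lan:wan" "lan:VPN" "VPN:wan" "VPN:lan"; do
    src=${pair%%:*} dest=${pair##*:}
    if has_forwarding "$SAMPLE" "$src" "$dest"; then
        echo "$src -> $dest: forwarding section present"
    else
        echo "$src -> $dest: no forwarding section"
    fi
done
```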
