VPN Routing issue

I created an X86_64 build of 24.10.1 for my buddy. I installed both OpenVPN & Wireguard so I would have a safeguard in place to manage it remotely, even though I only set up various user accounts to use Wireguard & the only OpenVPN connection is for me. I deployed off my site & at his home today. When I got home I tried to connect via Wireguard & the handshake went well & I am connected, but I can't ping the router or open the management URL. If I disconnect Wireguard & connect with OpenVPN I can ping & access the management page. If I then reconnect Wireguard & disconnect OpenVPN I still have access. The only thing I can think of is that there must be some sort of routing issue that would need to be resolved, but I'm not sure how to approach it.

and you expect us to do this for you by creating an "it doesn't work" thread, with no info ? :wink:


Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

For me the fact that I have to first enable & disable my OpenVPN connection in order for it to route & ping over the Wireguard account wouldn

root@DJC-OpenWrt:~# ubus call system board
{
        "kernel": "6.6.86",
        "hostname": "DJC-OpenWrt",
        "system": "Pentium(R) Dual-Core  CPU      E5800  @ 3.20GHz",
        "model": "HP-Pavilion NY428AA-ABA p6110f",
        "board_name": "hp-pavilion-ny428aa-aba-p6110f",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.1",
                "revision": "r28597-0425664679",
                "target": "x86/64",
                "description": "OpenWrt 24.10.1 r28597-0425664679",
                "builddate": "1744562312"
        }
}


root@DJC-OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdd2:d1c0:d795::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        list ports 'eth1'
        list ports 'eth2'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.2'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth3'
        option proto 'static'
        option ipaddr 'XX.XXX.XX.XXX'
        option netmask '255.255.255.128'
        option gateway 'XX.XXX.XX.XXX'
        list dns '1.1.1.1'
        list dns '1.0.0.1'

config interface 'wan6'
        option device 'eth3'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option norelease '1'
        option ip6assign '64'

config interface 'WireGuard'
        option proto 'wireguard'
        option private_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        option listen_port '51820'
        list addresses '192.168.10.1/24'
        list dns '1.1.1.1'
        list dns '1.0.0.1'

config wireguard_WireGuard
        option description 'Admin'
        option public_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        option private_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        list allowed_ips '192.168.10.2'

config wireguard_WireGuard
        option description 'David'
        option public_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        option private_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        list allowed_ips '192.168.10.10'

config wireguard_WireGuard
        option description 'HPOmenDavid'
        option public_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        option private_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        list allowed_ips '192.168.10.14'

config wireguard_WireGuard
        option description 'HPOmenRowdy'
        option public_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        option private_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        list allowed_ips '192.168.10.18'

config wireguard_WireGuard
        option description 'RowdyEnvyBackup'
        option public_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        option private_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        list allowed_ips '192.168.10.22'

config wireguard_WireGuard
        option description 'Midnight'
        option public_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        option private_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        list allowed_ips '192.168.10.26'

config wireguard_WireGuard
        option description 'Charlie'
        option public_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        option private_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        list allowed_ips '192.168.10.30'

config wireguard_WireGuard
        option description 'Sunny'
        option public_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        option private_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        list allowed_ips '192.168.10.34'

config wireguard_WireGuard
        option description 'Lucky'
        option public_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        option private_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        list allowed_ips '192.168.10.38'

config wireguard_WireGuard
        option description 'Romeo'
        option public_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        option private_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        list allowed_ips '192.168.10.42'

config wireguard_WireGuard
        option description 'Milo'
        option public_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        option private_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        list allowed_ips '192.168.10.46'

config wireguard_WireGuard
        option description 'Juliet'
        option public_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        option private_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        list allowed_ips '192.168.10.50'

config wireguard_WireGuard
        option description 'Chris'
        option public_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        option private_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        list allowed_ips '192.168.10.54'

config wireguard_WireGuard
        option description 'Otis'
        option public_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        option private_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        list allowed_ips '192.168.10.58'

config wireguard_WireGuard
        option description 'HPEnvy2'
        option public_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        option private_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        list allowed_ips '192.168.10.62'

config wireguard_WireGuard
        option description 'Sparky'
        option public_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        option private_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        list allowed_ips '192.168.10.66'

config wireguard_WireGuard
        option public_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        option private_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        list allowed_ips '192.168.10.70'
        option description 'PhotoBMU'

config wireguard_WireGuard
        option description 'PhotoBTD'
        option public_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        option private_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        list allowed_ips '192.168.10.74'

config wireguard_WireGuard
        option description 'Toshiba15'
        option public_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        option private_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        list allowed_ips '192.168.10.78'

config wireguard_WireGuard
        option description 'Pavilion15'
        option public_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        option private_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        list allowed_ips '192.168.10.82'

config wireguard_WireGuard
        option description 'Denver'
        option public_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        option private_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        list allowed_ips '192.168.10.86'

config wireguard_WireGuard
        option description 'Echo'
        option public_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        option private_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        list allowed_ips '192.168.10.90'
*No Wireless
root@DJC-OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'
        list server '127.0.0.1#5054'
        list server '/mask.icloud.com/'
        list server '/mask-h2.icloud.com/'
        list server '/use-application-dns.net/'
        list server '127.0.0.1#5053'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        option start '100'
        option limit '150'
        option leasetime '12h'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'wan6'
        option interface 'wan6'
        option ignore '1'
        option dhcpv6 'relay'
root@DJC-OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list device 'tun+'

config zone 'wan'
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule 'ovpn'
        option name 'Allow-OpenVPN'
        option src 'wan'
        option dest_port '1194'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'Wireguard'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list network 'WireGuard'
        list network 'lan'

config forwarding
        option src 'Wireguard'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'Wireguard'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Wireguard'
        option src 'wan'
        option src_dport '51820'
        option dest_ip '192.168.10.1'
        option dest_port '51820'

Here's another piece of information that might help resolve the issue. Besides the PC I also have the Admin account on my phone and while connected to my WiFi at home I can make the Wireguard handshake but Safari does not load the remote OpenWrt config page. If I disconnect from WiFi & use my cellular network it connects fine so now I'm wondering if it is something on my end. My PC in question directly connects to a box without WiFi running OpenWrt 23.05.2 r23630-842932a63d. For WiFi on my phone I have a commercial router that piggybacks off of the main one running OpenWrt 21.02.3 r16554-1d4dea6d4f / LuCI openwrt-21.02 branch git-23.093.57360-e98243e.

I also just noticed that unlike the PC, OpenVPN will not connect from the phone either if I'm on my WiFi but connects fine via cellular.

If your home network is the same subnet as the remote one, VPNs will not work. Try accessing the remote router as 192.168.10.1 instead of 192.168.1.1

You have lan in two firewall zones which is wrong. Results will be undefined. Each network or device can only be in one firewall zone.


On my phone while connected to my home WiFi I can access 192.168.10.1 with OpenVPN but not with Wireguard. I booted up the PC and this time right off the bat I was able to connect to 192.168.1.2 & 192.168.10.1 with Wireguard without first connecting via OpenVPN.

I have my main router as 192.168.1.120 & my secondary with WiFi as 192.168.1.130. As you were mentioning different subnets, would it make more sense to reconfigure my buddy's network as 192.168.2.X? Would it even be possible considering that his ISP is forcing him to use an ONT with a built in router that is configured on their end as 192.168.1.1 hence the reason that I assigned his OpenWrt one to 192.168.1.2?

Inside a phone connected to your LAN, the phone's routing table will include an entry of 192.168.1.0/24 via wifi. This will override attempts to reach your friend's LAN at the same range via VPN.

What are the OpenVPN tunnel IPs? They can't be 192.168.10.0 or anything else that overlaps any other network.

The advice was already given but for the record remove list network 'lan':

Also remove the option masq that should not be needed on a server side.

Furthermore, on the firewall you have to add forwarding from WireGuard to lan, so add:

config forwarding
        option src 'Wireguard'
        option dest 'lan'

Remove the following redirect rule:

and replace it with a simple traffic rule:

config rule
        option name 'allow-51820'
        list proto 'udp'
        option src 'wan'
        option dest_port '51820'
        option target 'ACCEPT'

About subnets:

Check all involved subnets

As WireGuard is a routed solution, all three involved subnets have to be different. So the router's subnet, the WireGuard subnet and the client's subnet all have to be different.

As you often cannot choose the subnet of the WireGuard client, it is best to avoid using frequently used subnets for your router, e.g. 192.168.1.1/24 or 192.168.0.1/24, but if you cannot easily change the router's subnet then leave it and hope for the best.

All this information is from my notes on how to set up WireGuard:
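As an added illustration (not code from the thread or from OpenWrt), a small Python linter that reads a UCI-style firewall fragment and flags the points raised above: a network listed in two zones, masq on the WireGuard server zone, and a missing forwarding from the WireGuard zone to lan. It also checks the three subnets (router LAN, WireGuard, client LAN) for overlap with the standard `ipaddress` module. The `FIREWALL` fragment is a constructed, trimmed copy of the posted config.

```python
import ipaddress
# Constructed sample: the zone/forwarding layout from this thread, trimmed to the relevant lines
FIREWALL = """
config zone 'lan'
        option name 'lan'
        list network 'lan'

config zone
        option name 'Wireguard'
        option masq '1'
        list network 'WireGuard'
        list network 'lan'

config forwarding
        option src 'Wireguard'
        option dest 'wan'
"""

def parse_uci(text):
    """Parse UCI-style text into a list of (section_type, {key: [values]})."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            sections.append((line.split()[1], {}))
        elif line.startswith(("option ", "list ")) and sections:
            _, key, value = line.split(None, 2)
            sections[-1][1].setdefault(key, []).append(value.strip("'\""))
    return sections

def zone_problems(sections):
    """Lint: a network in two zones, masq on a non-wan zone, missing forwarding into lan."""
    findings, owner, zones = [], {}, []
    for kind, opts in sections:
        if kind != "zone":
            continue
        name = opts["name"][0]
        zones.append(name)
        if name != "wan" and opts.get("masq", ["0"])[0] == "1":
            findings.append(f"zone {name}: masq is not needed on the server side")
        for net in opts.get("network", []):
            if net in owner:  # each network may belong to exactly one zone
                findings.append(f"network {net} is in zones {owner[net]} and {name}")
            owner[net] = name
    forwards = {(o["src"][0], o["dest"][0]) for k, o in sections if k == "forwarding"}
    for z in zones:
        if z not in ("lan", "wan") and (z, "lan") not in forwards:
            findings.append(f"no forwarding from {z} to lan")
    return findings

def overlapping_subnets(router_lan, wg_net, client_lan):
    """WireGuard is routed, so all three subnets must differ; return the pairs that overlap."""
    nets = [(n, ipaddress.ip_network(c, strict=False)) for n, c in
            (("router", router_lan), ("wireguard", wg_net), ("client", client_lan))]
    return [(a, b) for i, (a, x) in enumerate(nets) for b, y in nets[i + 1:] if x.overlaps(y)]
```

Running `zone_problems(parse_uci(FIREWALL))` on the sample reports all three issues, and `overlapping_subnets("192.168.1.2/24", "192.168.10.1/24", "192.168.1.120/24")` reproduces the router/client clash that the thread resolves by moving the remote LAN to 192.168.2.X.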

I finally made it back over there and seem to have resolved the issue by changing the subnet to 192.168.2.X. I'm now able to connect via Wireguard & OpenVPN remotely, whether on local lan or cellular.