VPN (WireGuard) clients can only access the OpenVPN Device itself

I have a Netgear R7800 running OpenWRT 21.02 which is configured as a Dumb AP at "192.168.0.3". I installed and configured WireGuard Server (192.168.1.1) with one peer (192.168.1.2). The connection seems to work, but the only device I can reach using VPN is the OpenWRT device itself at "192.168.0.3". I cannot reach any other device on the network (e.g. NAS drive at 192.168.0.10).

You encrypted your LAN with Wireguard?

If this is for test, you will have to attempt your connection from the network you'll actually use in real life with Wireguard (e.g. the Internet/WAN).

  • Where is the 192.168.0.0/24 network?
  • Where is the 192.168.1.0/24 network?
  • Can we see the WG config (omitting the keys, of course)?
  • Do you get a handshake?

Thank you for your quick response. Maybe a diagram illustrates better what I want to achieve:
I had already used the "old" setup. The home server is a Debian server which is part of my network. I had a WireGuard server running on this server (192.168.0.2) with port forwarding on the Cable Modem to 192.168.0.2 enabled. With this setup I had access to my home network (192.168.0.0).
As the home server is not always on I wanted to transfer the WireGuard Server to the OpenWrt AP. But as mentioned before, while WireGuard is able to connect, I do not have access to the whole network.

The setup I used on the Debian server was similar to the guide for OpenWRT, but there was some additional configuration which seems to set up the routing.

# wg-quick PostUp hooks on the Debian server; %i is replaced by the WireGuard interface name, $(ip r l 0/0 | ...) yields the default-route (LAN) interface
sysctl net.ipv4.conf.%i.forwarding=1 net.ipv4.conf.$(ip r l 0/0 | mawk '{print $5;exit}').forwarding=1
# Allow forwarding from the WG interface and masquerade the WG subnet behind the LAN interface's address
iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o $(ip r l 0/0 | mawk '{print $5;exit}') -j MASQUERADE

If I understand, and if firewalls are OK, your OpenWrt will just need to masquerade WG traffic destined to your LAN using 192.168.0.3.


Masquerading would be the best solution if the OpenWRT device was the only one I can configure. As I can also configure the Cable Modem the best solution for me was to
...set a static route on the Cable Modem

Dest 192.168.1.0 Subnet 255.255.255.0 Gateway 192.168.0.3

...configure the firewall zone

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    list network 'lan'
    list network 'vpn'
    option forward 'ACCEPT'
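For reference, here is a complete pair of UCI fragments for this dumb-AP setup. This is an added example, not the poster's own configuration: the WireGuard interface in /etc/config/network and the firewall zone in /etc/config/firewall, covering both the static-route approach chosen above and the masquerade alternative suggested earlier in the thread. The addresses are the ones from the thread (192.168.1.1/24 on the router, peer 192.168.1.2, LAN 192.168.0.0/24 with the router at 192.168.0.3); the listen port 51820 (the WireGuard default), the key placeholders, the peer description and the rule name are assumptions.

```uci
# /etc/config/network
# WireGuard "server" interface on the dumb AP (address taken from the thread).
# Assumption: listen port 51820 (WireGuard default); the cable modem must forward
# UDP/51820 to 192.168.0.3, as it previously did to the Debian server 192.168.0.2.
config interface 'vpn'
    option proto 'wireguard'
    option private_key 'ROUTER_PRIVATE_KEY_PLACEHOLDER'
    option listen_port '51820'
    list addresses '192.168.1.1/24'

# One peer. allowed_ips is the only source address this peer may use inside the
# tunnel; keep it a /32 so a peer cannot spoof another peer or a LAN address.
# Assumption: key placeholders and description are illustrative only.
config wireguard_vpn
    option description 'peer-1'
    option public_key 'PEER_PUBLIC_KEY_PLACEHOLDER'
    option preshared_key 'PEER_PRESHARED_KEY_PLACEHOLDER'
    list allowed_ips '192.168.1.2/32'
    option route_allowed_ips '1'
    option persistent_keepalive '25'

# /etc/config/firewall
# Dumb AP: the wan zone is unused, so lan and vpn share one zone and
# forward ACCEPT lets traffic pass between them (the fix from this thread).
config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    list network 'lan'
    list network 'vpn'
    # Alternative to the static route on the cable modem: masquerade, so LAN
    # hosts see VPN traffic as coming from 192.168.0.3 and need no route back.
    # Uncomment this and drop the static route if the upstream router cannot
    # be configured.
    # option masq '1'

# Explicit accept for the WireGuard port. Redundant while input is ACCEPT,
# but it keeps the tunnel working if the lan zone's input policy is tightened.
# Assumption: rule name and port are illustrative.
config rule
    option name 'Allow-WireGuard'
    option src 'lan'
    option proto 'udp'
    option dest_port '51820'
    option target 'ACCEPT'
```

Apply with `/etc/init.d/network restart` and `/etc/init.d/firewall restart`, and on the peer set AllowedIPs to include 192.168.0.0/24 so the client actually routes LAN traffic into the tunnel. Two points worth weighing: with the static route, LAN hosts such as the NAS see the real tunnel address (192.168.1.2) in their logs, which is useful when reviewing who connected, whereas masquerading hides every peer behind 192.168.0.3; and placing vpn in the same zone as lan with forward ACCEPT grants every peer the same access as a wired host, so if some peers should only reach one or two devices, give vpn its own zone and add explicit forwarding rules instead.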