WAN doesn't work after adding WireGuard interface

"ping 8.8.8.8" works from the OpenWrt router via WAN, but when I add the WireGuard config sections below, "ping 8.8.8.8" doesn't work.

config interface 'wg_0'
    option proto 'wireguard'
    option private_key 'XXXXXXXXXXX'
    list addresses '10.20.30.2/24'

config wireguard_wg_0 'wgserver'
    option public_key 'XXXXXXXXXXX'
    option endpoint_host '192.168.122.194'
    option endpoint_port '30001'
    # installs a kernel route for every allowed_ips entry, including 0.0.0.0/0 and ::/0
    option route_allowed_ips '1'
    option persistent_keepalive '25'
    list allowed_ips '0.0.0.0/0'
    list allowed_ips '::/0'

What am I doing wrong?

Is this a valid WireGuard server? The endpoint_host IP is private.
You are tunneling all traffic to that WireGuard server, so if it isn't meant to connect you to the internet, you are blackholing yourself.

1 Like

192.168.122.194 is a valid local WireGuard server.
My WAN interface is "eth1". Without the WireGuard sections, I'm able to do "ping -I eth1 8.8.8.8". When I add the WireGuard sections, "ping -I eth1 8.8.8.8" fails.

I suppose you do not have a route for 8.8.8.8 or 0.0.0.0/0 via eth1 when you bring up WireGuard, right?

Yes.

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 wg_0
10.10.10.0      0.0.0.0         255.255.255.0   U     0      0        0 br-lan1
10.20.30.0      0.0.0.0         255.255.255.0   U     0      0        0 wg_0
172.22.2.0      0.0.0.0         255.255.255.0   U     0      0        0 eth1
172.22.2.1      0.0.0.0         255.255.255.255 UH    0      0        0 eth1
192.168.122.194 172.22.2.1      255.255.255.255 UGH   0      0        0 eth1

Then it's not strange that it doesn't know where to send it.
If you really need to ping Google DNS from eth1 when WireGuard is up, add a static route for it via eth1.

Thanks, the rules below worked for me.

# drop the default route that WireGuard installed on wg_0
ip route del 0.0.0.0/0 via 0.0.0.0 dev wg_0
# put the default route back on the WAN interface via its gateway
ip route add 0.0.0.0/0 via 172.22.2.1 dev eth1

You would have the same result if you removed route_allowed_ips from the peer configuration.

3 Likes
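The whole thread comes down to which routing-table entry wins for a given destination: the kernel picks the longest prefix that matches, so with route_allowed_ips '1' and allowed_ips 0.0.0.0/0 the 0.0.0.0 entry on wg_0 catches 8.8.8.8, while the /32 host route OpenWrt adds for the endpoint 192.168.122.194 still wins over it and keeps the tunnel itself reachable via eth1. The script below is an added example, not something posted in the thread: it reproduces that lookup over two constructed tables, the one the poster showed and the one that results from their ip route del/add commands, and shows the side effect of that fix that a practitioner should notice: once the default route moves back to eth1, only 10.20.30.0/24 still enters the tunnel, and everything else leaves the WAN in the clear, so this is no longer a full tunnel. On a real router the equivalent check is ip route get 8.8.8.8. Both tables and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): longest-prefix-match lookup over a
# `route -n` style table, to see which interface a destination leaves by.
# Both tables are constructed from the routes shown in the thread.

# Table as posted: WireGuard installed 0.0.0.0/0 on wg_0 (route_allowed_ips '1').
ROUTES_WG_DEFAULT='Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 wg_0
10.10.10.0      0.0.0.0         255.255.255.0   U     0      0        0 br-lan1
10.20.30.0      0.0.0.0         255.255.255.0   U     0      0        0 wg_0
172.22.2.0      0.0.0.0         255.255.255.0   U     0      0        0 eth1
172.22.2.1      0.0.0.0         255.255.255.255 UH    0      0        0 eth1
192.168.122.194 172.22.2.1      255.255.255.255 UGH   0      0        0 eth1'

# Table after the poster's fix: default route deleted from wg_0 and re-added via 172.22.2.1 on eth1.
ROUTES_WAN_DEFAULT='Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.22.2.1      0.0.0.0         UG    0      0        0 eth1
10.10.10.0      0.0.0.0         255.255.255.0   U     0      0        0 br-lan1
10.20.30.0      0.0.0.0         255.255.255.0   U     0      0        0 wg_0
172.22.2.0      0.0.0.0         255.255.255.0   U     0      0        0 eth1
172.22.2.1      0.0.0.0         255.255.255.255 UH    0      0        0 eth1
192.168.122.194 172.22.2.1      255.255.255.255 UGH   0      0        0 eth1'

# route_lookup DEST TABLE -> prints "IFACE GATEWAY" for the most specific matching
# entry, or "NONE" when nothing matches (the kernel would report "Network is unreachable").
# Metrics are ignored: the tables above all have metric 0.
route_lookup() {
  printf '%s\n' "$2" | awk -v dst="$1" '
    function ip2int(s,    a) {
      split(s, a, ".")
      return ((a[1] * 256 + a[2]) * 256 + a[3]) * 256 + a[4]
    }
    # prefix length of a contiguous netmask, e.g. 255.255.255.0 -> 24, 0.0.0.0 -> 0
    function masklen(m,    n, c) {
      n = ip2int(m); c = 0
      while (n > 0) { c += n % 2; n = int(n / 2) }
      return c
    }
    BEGIN { d = ip2int(dst); best = -1; out = "NONE" }
    $1 ~ /^[0-9]+\./ {
      len = masklen($3)
      # POSIX awk has no bitwise ops: compare the top `len` bits by integer division
      shift = 2 ^ (32 - len)
      if (int(d / shift) == int(ip2int($1) / shift) && len > best) {
        best = len
        out = $NF " " $2      # Iface is the last column, Gateway the second
      }
    }
    END { print out }'
}

# egress DEST TABLE -> only the interface name
egress() { route_lookup "$1" "$2" | cut -d' ' -f1; }

# Demo: where each destination goes with the WireGuard default route and after the fix.
for dst in 8.8.8.8 192.168.122.194 10.20.30.5; do
  printf '%-16s wg default -> %-8s wan default -> %s\n' "$dst" \
    "$(egress "$dst" "$ROUTES_WG_DEFAULT")" "$(egress "$dst" "$ROUTES_WAN_DEFAULT")"
done
```

Run it and the first line shows 8.8.8.8 moving from wg_0 to eth1 after the fix, the second shows the endpoint reaching eth1 in both cases through the host route, and the third shows that only the 10.20.30.0/24 tunnel subnet still goes via wg_0 afterwards. If the intent is to keep a full tunnel and just exempt a few destinations, the cleaner option is the one named in the thread: set route_allowed_ips '0' so OpenWrt installs no routes for the peer, then add the routes you actually want (config route sections, or ip route at runtime) instead of deleting the default route the tunnel depends on.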
