WG peer has lan access but no public internet access

Hi,

Recently I came across a topic about running both a WireGuard server and a WireGuard client at the same time on an OpenWrt router.

I had the same issue as in that topic: all outgoing traffic goes via NordVPN, but when I connect my phone to my LAN using the WireGuard server, the phone cannot reach anything — neither the public internet nor my local network.

I played around with PBR (policy-based routing) and ended up creating two rules; somehow it works partially now, even though I'm not sure it is configured correctly.

When I connect with my phone using WG, I now have access to my local network while the NordVPN connection for outgoing LAN traffic is active, so that looks a lot better.
But at the same time, my phone has no public internet access anymore while the WG connection is up.
Also, I have Pi-hole running and I would like my phone to use the Pi-hole as its DNS server to block ads etc.

So how can I get my phone (and other WG peers) to access the internet while a WG connection is active?
And will that public internet traffic then go through the WG tunnel (i.e. all traffic), or is it split?
Also, how can I get the WG peers to use my Pi-hole as DNS server when connected?

Thanks in advance for any assistance.

ubus call system board

{
        "kernel": "5.15.167",
        "hostname": "OpenWrt",
        "system": "ARMv7 Processor rev 1 (v7l)",
        "model": "Linksys WRT3200ACM",
        "board_name": "linksys,wrt3200acm",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.5",
                "revision": "r24106-10cc5fcd00",
                "target": "mvebu/cortexa9",
                "description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
        }
}

/etc/config/network

# /etc/config/network as pasted by the poster; keys, the wan MAC and
# public addresses are masked with 'x'.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdcd:ff87:def1::/48'

# LAN bridge over the four switch ports.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option delegate '0'

config device
        option name 'wan'
        option macaddr 'xx:xx:xx:xx:xx:xx'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option hostname '*'
        option metric '0'

# WireGuard *client* towards NordVPN. Its default route carries metric 1,
# i.e. it sits behind the wan default route (metric 0) in the main table;
# which uplink a flow actually takes is decided by the PBR fwmark rules
# (see the "ip rule show" output further down), not by this metric.
config interface 'NordLynx'
        option proto 'wireguard'
        option private_key 'xxxxxxxxxxxxxxxxxxxx'
        list addresses '10.5.0.2'
        # NOTE(review): 1500 is a full Ethernet MTU with no room for the
        # WireGuard encapsulation overhead — verify against the wan MTU.
        # mtu_fix in the firewall's wan zone clamps TCP MSS only, not UDP.
        option mtu '1500'
        option metric '1'

# allowed_ips 0.0.0.0/0 together with route_allowed_ips installs a default
# route through the tunnel ("default dev NordLynx ... metric 1" in ip route).
# endpoint_port 51820 is the *remote* NordVPN port; nothing needs to be
# opened inbound for it.
config wireguard_NordLynx
        option public_key 'xxxxxxxxxxxxxxxxxxxx'
        option route_allowed_ips '1'
        list allowed_ips '0.0.0.0/0'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        option endpoint_host 'xxx.xxx.xxx.xxx'

config device
        option name 'wlan0'

# WireGuard *server* for the road-warrior peers. It listens on UDP 1234 —
# this is the port the firewall must accept on wan. defaultroute '0' keeps
# it from adding a third default route.
config interface 'wg0'
        option proto 'wireguard'
        option private_key 'xxxxxxxxxxxxxxxxxxxx'
        option listen_port '1234'
        list addresses '10.14.0.1/24'
        option defaultroute '0'
        option peerdns '0'
        # Router-side resolver for this interface only. WireGuard has no
        # in-protocol DNS push, so each peer sets its DNS server in its own
        # client configuration (the reply in this thread points this out).
        list dns '192.168.1.3'

# One /32 per peer; route_allowed_ips adds the per-peer host routes seen in
# "ip route show" (10.14.0.3 and 10.14.0.4 dev wg0).
config wireguard_wg0
        option description 'Laptop'
        option public_key 'xxxxxxxxxxxxxxxxxxxx'
        list allowed_ips '10.14.0.3/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

config wireguard_wg0
        option description 'iPhone'
        option persistent_keepalive '25'
        option route_allowed_ips '1'
        option public_key 'xxxxxxxxxxxxxxxxxxxx'
        list allowed_ips '10.14.0.4/32'

/etc/config/firewall

# /etc/config/firewall as pasted by the poster (fw4 on OpenWrt 23.05).
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# wg0 is a member of the lan zone, so an authenticated WireGuard peer gets
# exactly the privileges of a wired LAN host: input ACCEPT towards the
# router and forward ACCEPT towards lan and, via the forwarding below,
# towards the wan zone (plain wan and NordLynx).
config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wg0'

# NordLynx shares the wan zone, so traffic leaving through the NordVPN
# tunnel is masqueraded (to 10.5.0.2) and MSS-clamped like plain wan traffic.
config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'NordLynx'

config forwarding
        option src 'lan'
        option dest 'wan'

# The rules from here down to Allow-ISAKMP look like the stock OpenWrt
# defaults (untouched by the poster as far as can be seen here).
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# NOTE(review): the WG server (wg0 in /etc/config/network) listens on UDP
# 1234, but this rule opens 51820 — which is the NordVPN *endpoint* port,
# outbound only, and needs no inbound rule at all. dest_port should be
# '1234'; the reply in this thread asks for the same change.
config rule 'wg'
        option name 'Allow-WireGuard'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

# NOTE(review): this DNATs wan:1234 to 192.168.1.1, i.e. the router's own
# LAN address. A port forward is for hosts *behind* the router; a service
# the router itself hosts only needs the input ACCEPT rule above. The reply
# in this thread recommends deleting this section.
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'WireGuard'
        list proto 'udp'
        option src 'wan'
        option src_dport '1234'
        option dest_ip '192.168.1.1'
        option dest_port '1234'

# Policy-based routing hook of the pbr package; presumably the source of the
# fwmark rules (0x10000 -> pbr_wan, 0x20000 -> pbr_NordLynx) shown in
# "ip rule show" below.
config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/firewall.include'

ip route show

default via xxx.xxx.xxx.xxx dev wan proto static src xxx.xxx.xxx.xxx
default dev NordLynx proto static scope link metric 1
10.5.0.2 dev NordLynx proto static scope link metric 1
10.14.0.0/24 dev wg0 proto kernel scope link src 10.14.0.1
10.14.0.3 dev wg0 proto static scope link
10.14.0.4 dev wg0 proto static scope link
xxx.xxx.xxx.xxx/24 dev wan proto kernel scope link src xxx.xxx.xxx.xxx
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
xxx.xxx.xxx.xxx via xxx.xxx.xxx.xxx dev wan proto static

ip route show table all

default via xxx.xxx.xxx.xxx dev wan table pbr_wan
192.168.1.0/24 dev br-lan table pbr_wan proto kernel scope link src 192.168.1.1
default via 10.5.0.2 dev NordLynx table pbr_NordLynx
192.168.1.0/24 dev br-lan table pbr_NordLynx proto kernel scope link src 192.168.1.1
default via xxx.xxx.xxx.xxx dev wan proto static src xxx.xxx.xxx.xxx
default dev NordLynx proto static scope link metric 1
10.5.0.2 dev NordLynx proto static scope link metric 1
10.14.0.0/24 dev wg0 proto kernel scope link src 10.14.0.1
10.14.0.3 dev wg0 proto static scope link
10.14.0.4 dev wg0 proto static scope link
xxx.xxx.xxx.xxx/24 dev wan proto kernel scope link src xxx.xxx.xxx.xxx
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
xxx.xxx.xxx.xxx via xxx.xxx.xxx.xxx dev wan proto static
local 10.5.0.2 dev NordLynx table local proto kernel scope host src 10.5.0.2
local 10.14.0.1 dev wg0 table local proto kernel scope host src 10.14.0.1
broadcast 10.14.0.255 dev wg0 table local proto kernel scope link src 10.14.0.1
local xxx.xxx.xxx.xxx dev wan table local proto kernel scope host src xxx.xxx.xxx.xxx
broadcast xxx.xxx.xxx.xxx dev wan table local proto kernel scope link src xxx.xxx.xxx.xxx
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1
fdcd:ff87:def1::/64 dev br-lan proto static metric 1024 pref medium
unreachable fdcd:ff87:def1::/48 dev lo proto static metric 2147483647 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev wan proto kernel metric 256 pref medium
fe80::/64 dev phy1-ap0 proto kernel metric 256 pref medium
fe80::/64 dev phy0-ap0 proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
anycast fdcd:ff87:def1:: dev br-lan table local proto kernel metric 0 pref medium
local fdcd:ff87:def1::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev wan table local proto kernel metric 0 pref medium
anycast fe80:: dev phy1-ap0 table local proto kernel metric 0 pref medium
anycast fe80:: dev phy0-ap0 table local proto kernel metric 0 pref medium
local fe80::24f5:a2ff:fec4:2e90 dev wan table local proto kernel metric 0 pref medium
local fe80::26f5:a2ff:fec4:2e90 dev eth0 table local proto kernel metric 0 pref medium
local fe80::26f5:a2ff:fec4:2e90 dev br-lan table local proto kernel metric 0 pref medium
local fe80::26f5:a2ff:fec4:2e91 dev phy1-ap0 table local proto kernel metric 0 pref medium
local fe80::26f5:a2ff:fec4:2e92 dev phy0-ap0 table local proto kernel metric 0 pref medium
multicast ff00::/8 dev eth0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev br-lan table local proto kernel metric 256 pref medium
multicast ff00::/8 dev wan table local proto kernel metric 256 pref medium
multicast ff00::/8 dev phy1-ap0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev phy0-ap0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev NordLynx table local proto kernel metric 256 pref medium
multicast ff00::/8 dev wg0 table local proto kernel metric 256 pref medium

ip rule show

0:      from all lookup local
29998:  from all fwmark 0x20000/0xff0000 lookup pbr_NordLynx
30000:  from all fwmark 0x10000/0xff0000 lookup pbr_wan
32766:  from all lookup main
32767:  from all lookup default

wg show

interface: NordLynx
  public key: xxxxxxxxxxxxxxxxxxxx
  private key: (hidden)
  listening port: 36045

peer: xxxxxxxxxxxxxxxxxxxx
  endpoint: xxx.xxx.xxx.xxx:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 1 minute, 13 seconds ago
  transfer: 38.38 MiB received, 11.13 MiB sent
  persistent keepalive: every 25 seconds

interface: wg0
  public key: xxxxxxxxxxxxxxxxxxxx
  private key: (hidden)
  listening port: 1234

peer: xxxxxxxxxxxxxxxxxxxx
  allowed ips: 10.14.0.3/32
  persistent keepalive: every 25 seconds

peer: xxxxxxxxxxxxxxxxxxxx
  allowed ips: 10.14.0.4/32
  persistent keepalive: every 25 seconds

Recent WireGuard versions automatically make an exception for the WireGuard server.
You do not state which version you have, but I would recommend using the latest: 1.1.8.-r4
Upgrade instructions: https://docs.openwrt.melmac.net/

First a little sanitizing:
Delete this:

Then replace 51820 with your WG server's listen port 1234, so that in the end it will look like:

That takes care of opening the listen port of the WG server.

Regarding your DNS question: the WG clients can set a DNS server in their own WG client configuration on the client's device, and you can simply point that to your Pi. However, the Pi has to allow DNS requests from non-local sources, e.g. also from 10.14.0.0/24 (the WG server's subnet).

I do not see any reason why your WG server's clients should not have internet access; be sure to test from outside, e.g. with your phone/laptop on cellular.

Is your intent to route all traffic via NordVPN including clients connected via the WG server?

Hi,

I did the config modifications as suggested.

The WG server is the kmod version and is up to date (5.15.167-1); no package updates are available.

As for not having public internet access on my phone while WG was connected, that was most likely because of DNS.
I had configured my Pi as the only DNS server, but you were right that Pi-hole was not accepting DNS requests from the WG client. After that was fixed, my phone (on cellular) could access my LAN and the public internet while WG was connected.
So that is OK now, and it uses the ad blocker this way.

Thanks for your assistance.

