WireGuard and access to LAN devices

Hi, I cannot access LAN-connected devices when I connect to the VPN.


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fdad:3f37:477e::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.10.1'

config interface 'wan'
	option device 'wan'
	option proto 'pppoe'
	option username 'abcd'
	option password '1234'
	option ipv6 'auto'
	option keepalive '5 60'

config interface 'VPN'
	option proto 'wireguard'
	option private_key 'blablabla'
	option listen_port '31878'
	list addresses '10.12.10.1/24'

config wireguard_VPN
	option description 'smartphone'
	option public_key 'blablabla'
	option route_allowed_ips '1'
	list allowed_ips '10.12.10.2/32'

If I add `list allowed_ips '192.168.10.0/24'` to the peer configuration, I can no longer access the router or the internet.

I think the problem is in the firewall configuration:

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'vpn0'
	list network 'VPN'

Is it correct to have the VPN interface together with the LAN?

It must be added in the peer configuration on the smartphone, not on OpenWrt.

Firewall looks fine.

It is fine, as long as you trust the VPN as much as your lan.
If vpn0, though, is a client VPN, then it is probably not correctly located there.

3 Likes

Thanks for your reply 🙂
I'm using the Android app and I hadn't thought about adding a comma and 192.168.10.0/24 after 10.12.10.2/32.

Now I can explore all my LAN from remote!

I thought it was a server setting for security reasons and instead it is the client who decides.

You actually can restrict access server side as well: put the WireGuard interface into its own firewall zone (instead of adding it to lan) and define inter-zone filtering according to your needs. The client can only choose from the menu on offer (to accomplish split-horizon tunneling and similar things).

2 Likes
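A server-side version of that layout, as an added example that is not part of the thread's configuration: the WireGuard interface 'VPN' gets its own firewall zone instead of sitting in 'lan', and inter-zone rules decide what a peer may reach regardless of the allowed_ips it sets on the phone. The LAN host 192.168.10.20 and the DNS/SSH services are assumptions; the listen port 31878 is the one from the thread.

```uci
# Dedicated zone for the WireGuard interface 'VPN' (remove 'VPN' and 'vpn0'
# from the 'list network' entries of the lan zone at the same time).
config zone
	option name 'vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'VPN'

# Let peers reach the internet through the tunnel (full-tunnel clients).
config forwarding
	option src 'vpn'
	option dest 'wan'

# WireGuard handshakes arrive on the WAN side on the interface's listen_port.
config rule
	option name 'Allow-WireGuard'
	option src 'wan'
	option proto 'udp'
	option dest_port '31878'
	option target 'ACCEPT'

# Peers may use the router's DNS resolver, but nothing else on the router.
config rule
	option name 'Allow-VPN-DNS'
	option src 'vpn'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

# Only SSH to one assumed LAN host (192.168.10.20) is forwarded into 'lan';
# all other vpn-to-lan traffic falls under the zone's forward 'REJECT'.
config rule
	option name 'Allow-VPN-to-NAS-SSH'
	option src 'vpn'
	option dest 'lan'
	option dest_ip '192.168.10.20'
	option proto 'tcp'
	option dest_port '22'
	option target 'ACCEPT'
```

Unlike the client-side allowed_ips, which only steers the phone's routing table, these rules are enforced on the router, so a peer that adds 192.168.10.0/24 on its end still reaches only what the vpn zone permits.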

I will do so, thanks for the advice.
