Wireguard: Cannot access LAN devices

Hi,

I tried everything and searched for hours but I can't set up OpenWRT to access my LAN...

My setup:

Internet -> DSL modem/Router (not owrt) -> LAN -> OpenWRT on if "lan".
The OpenWRT is connected to LAN only.

I created all wg configs and set the mobile phone peer to allow 0.0.0.0/0 and set a DNS-IP.

I can ping the OpenWRT with its wg IP (10.0.0.1) but I can't access my LAN (192.168.178.0/24). I tried separate FW zones with forwarding and adding the wg interface to the existing lan zone - none is working.

What am I missing? Thanks in advance!

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd5d:5811:ff32::/48'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

config interface 'lan'
        option proto 'static'
        option device 'eth0'
        option ipaddr '192.168.178.19'
        option netmask '255.255.255.0'
        option gateway '192.168.178.1'
        option delegate '0'
        list dns '192.168.178.1'

config interface 'lan6'
        option proto 'dhcpv6'
        option device 'eth0'
        option reqaddress 'try'
        option reqprefix 'auto'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'xxxxxxx'
        option listen_port '500'
        list dns '192.168.178.1'
        list addresses '10.0.0.1'

config wireguard_wg0
        option description 'iPhone'
        option public_key 'xxxx'
        option private_key 'xxxx'
        option preshared_key 'xxxxxxx'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::0/0'
        option persistent_keepalive '25'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'lan6'
        list network 'wg0'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

Remove dns from here, make the address 10.0.0.1/24

Change the allowed IPs to 10.0.0.2/32. Remove the IPv6 allowed IPs unless you actually need it (and if so, it needs to be an actual address, not the "all" IPs).

You need a static route on your main router

10.0.0.0/24 via 192.168.178.19

If your main router doesn’t support static routes, you need to move the wireguard network into its own zone and then turn on masquerading on the lan zone.

Let’s also see your iPhone configuration.


Both were tests. There was no DNS and the address was /24 initially.

But wouldn't that disable all traffic going to the tunnel?

I switched it off for now and will continue tomorrow with your hints. I'll also provide the requested info then.

I believe the main reason is the masquerading/routing. As far as I remember, the tutorial in the OpenWRT docs mentioned masquerading on the wg interface, not lan.

Thanks so far!

No, that is what you want for a road warrior, since the only IP at the client end is the /32 held by the phone. If you have multiple clients you must define them as unique /32s (within the overall /24 of the server's WireGuard interface), since this is how WireGuard decides which tunnel to send an outgoing packet through.

Just for clarification: I want my mobile phone to send everything to WireGuard. Internet should be tunneled. I always read (and used in Unraid before) about 0.0.0.0/0 to achieve this. What's the difference between the /32 and the 0-IP then for the Allowed-IPs field?

On the phone you allow 0.0.0.0/0 since the packets returning to the phone will be responses from web sites which could be anywhere on the Internet. The phone will originate all Internet requests from its tunnel IP 10.0.0.2. On the server, only that one IP should be allowed in.

In other words allowed_ips are the source IPs that this device expects to see from the other side.


Damn. I was mixing up the lists between OpenWRT and the phone. You are right, I'll change it on the OpenWRT side for the peer „iPhone“.

More info to come.

Working perfectly now, the missing route was the key.

Last question:

Is there any difference between defining 10.0.0.2 and 10.0.0.2/32 for the peer? Both should end up being a single IP only?

Yes. 10.0.0.2 has an implicit /32 at the end. 10.0.0.2/32 has an explicit /32 at the end. Which one works will depend on the system being configured.

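The two points above (allowed IPs are the source addresses a device expects from the other side, and a bare 10.0.0.2 carries an implicit /32) are what WireGuard calls cryptokey routing. The following is an added example, not code from the thread or from WireGuard itself: a small Python model of that lookup. It shows why the phone needs 0.0.0.0/0, why the router must list only 10.0.0.2/32 for the phone, what a second peer with the same allowed IP does to the first, and that "10.0.0.2" and "10.0.0.2/32" parse to the same single host. The peer names, the 10.0.0.0/24 addresses and the LAN addresses follow the thread; the class and function names are this example's own. It models only what WireGuard does with a packet that has already reached the wg interface; whether a packet gets there at all is decided by the normal routing table, which is the separate problem the missing static route on the main router caused.

```python
"""Model of WireGuard cryptokey routing (added example, not WireGuard code).

Per peer, WireGuard keeps a list of allowed IPs and uses it in both directions:
  * outbound: a packet handed to the wg interface is encrypted to the peer whose
    allowed IP matches the destination most specifically (longest prefix match);
    if no peer matches, the packet is dropped;
  * inbound:  a decrypted packet is accepted only if its source address lies in
    the allowed IPs of the peer it was received from; otherwise it is dropped.
An allowed IP belongs to exactly one peer at a time.
"""
import ipaddress


def parse_allowed_ip(text):
    """'10.0.0.2' and '10.0.0.2/32' both become the single host 10.0.0.2/32."""
    return ipaddress.ip_network(text, strict=False)


class CryptokeyRouter:
    def __init__(self):
        self.peers = {}  # peer name -> list of ip_network objects

    def add_peer(self, name, allowed_ips):
        nets = [parse_allowed_ip(a) for a in allowed_ips]
        # WireGuard moves an allowed IP to the newest peer that claims it,
        # so a duplicate silently removes it from the earlier peer.
        for other in self.peers.values():
            other[:] = [n for n in other if n not in nets]
        self.peers[name] = nets

    def outbound_peer(self, dst):
        """Peer that receives a packet for dst, or None if no allowed IP matches."""
        addr = ipaddress.ip_address(dst)
        best_name, best_len = None, -1
        for name, nets in self.peers.items():
            for net in nets:
                if net.version == addr.version and addr in net and net.prefixlen > best_len:
                    best_name, best_len = name, net.prefixlen
        return best_name

    def accept_inbound(self, peer, src):
        """True if a decrypted packet from `peer` with source src is allowed in."""
        addr = ipaddress.ip_address(src)
        return any(n.version == addr.version and addr in n for n in self.peers[peer])


def phone_side():
    """Road warrior: the phone has one peer (the router) and sends everything into it."""
    phone = CryptokeyRouter()
    phone.add_peer("router", ["0.0.0.0/0"])
    return phone


def router_side_wrong():
    """The thread's original server config: the phone peer may claim any source."""
    router = CryptokeyRouter()
    router.add_peer("iPhone", ["0.0.0.0/0", "::0/0"])
    return router


def router_side_fixed():
    """Corrected server config: one unique /32 per client (assumed second peer 'laptop')."""
    router = CryptokeyRouter()
    router.add_peer("iPhone", ["10.0.0.2/32"])
    router.add_peer("laptop", ["10.0.0.3"])  # implicit /32
    return router


def two_peers_both_default():
    """Two clients given the same 0.0.0.0/0: the second one takes it from the first."""
    router = CryptokeyRouter()
    router.add_peer("iPhone", ["0.0.0.0/0"])
    router.add_peer("laptop", ["0.0.0.0/0"])
    return router


if __name__ == "__main__":
    phone = phone_side()
    print("phone ->", phone.outbound_peer("192.168.178.1"), phone.outbound_peer("1.1.1.1"))
    bad = router_side_wrong()
    print("wrong server accepts spoofed LAN source:", bad.accept_inbound("iPhone", "192.168.178.1"))
    good = router_side_fixed()
    print("fixed server accepts 10.0.0.2:", good.accept_inbound("iPhone", "10.0.0.2"),
          "accepts 10.0.0.3 from iPhone:", good.accept_inbound("iPhone", "10.0.0.3"))
    print("fixed server outbound:", good.outbound_peer("10.0.0.3"), good.outbound_peer("192.168.178.50"))
    both = two_peers_both_default()
    print("duplicate 0.0.0.0/0 leaves iPhone with:", both.peers["iPhone"])
```

With the fixed server config, a packet for 192.168.178.50 matches no peer, which is correct: that destination is reached over the LAN, not through a tunnel, and only the reply path back to 10.0.0.0/24 needs the static route. With the original 0.0.0.0/0 on the server's peer entry, any source address the phone (or anyone holding its key) chooses is accepted into the lan zone, which is the security reason for the /32 beyond getting multiple clients to work.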

So, better to pass /32.

When dealing with anything vaguely computer-related, it's always better to be precise and explicit. Computers can't guess.

