Wireguard, cannot access LAN devices

ANOS · November 23, 2023, 3:46pm

Hello everyone,
I spent quite a time to setup my Wireguard server. I would like simply access to my LAN devices from outside my home. I have a peer for my mobile phone and one for my PC Debian.
I can connect to the WG server from my Android, I see packet send but almost nothing back to it. I see in OpenWRT that my peer has done Handshake successfully.

I enabled the fowarding in /etc/sysctl.d/10-default.conf:

net.ipv4.conf.all.proxy_arp=1
net.ipv4.ip_forward=1

Here my conf:
/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'ula_prefix'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'wan'
	option macaddr 'MAC'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'private_key'
	option listen_port '51820'
	list addresses '192.168.2.1/24'
	list addresses '::ffff:c0a8:201/64'

config wireguard_wg0
	option public_key 'public_key'
	option private_key 'private_key'
	option preshared_key 'preshared_key'
	option route_allowed_ips '1'
	option description 'Mobile'
	list allowed_ips '0.0.0.0/0'

config wireguard_wg0
	option public_key 'public_key'
	option description 'Debian'
	option private_key 'private_key'
	option preshared_key 'preshared_key'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

/etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wg0'
	option masq '1'

config zone 'wan'
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option dest_port '80'
	option src 'wan'
	option src_dport '80'
	option dest 'lan'
	option target 'DNAT'
	option dest_ip '192.168.1.102'
	option name 'Allow HTTP Inbound'

config redirect
	option dest_port '443'
	option src 'wan'
	option src_dport '443'
	option dest 'lan'
	option target 'DNAT'
	option dest_ip '192.168.1.102'
	option name 'Allow HTTPS Inbound'

config rule 'wg'
	option src 'wan'
	option proto 'udp'
	option target 'ACCEPT'
	option dest_port '51820'
	option name 'Allow-WireGuard-Inbound'

My routes are here:

default via <external_IP> dev wan  src <external_IP> 
<external_IP>.0/24 dev wan scope link  src <external_IP> 
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1 
192.168.2.0/24 dev wg0 scope link  src 192.168.2.1

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         <external_IP>.254   0.0.0.0         UG    0      0        0 wan
<external_IP>.0      0.0.0.0         255.255.255.0   U     0      0        0 wan
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 wg0

I think it is just a firewalling problem but I cannot see where.

Thank you for your help.

trendy · November 23, 2023, 4:05pm

Remove the private key from the peers.

Change the allowed IPs to the IPs from the 192.168.2.X and IPv6 range that is assigned to the peers.

Remove this.

Remove masquerade from lan firewall zone.

ANOS · November 23, 2023, 6:42pm

Hello @trendy,
Thank you for your quick reply.
I did your recommendations and now my peer can go to Internet though WG (IP address from home in whatismyipaddress.com). But I still cannot reach my LAN network.

trendy · November 24, 2023, 8:56am

Most likely the hosts in the lan don't allow connections from outside their local network.
This is the default in Windows. You can verify that by re-enabling the masquerade in lan firewall zone. You can add a firewall rule on the lan hosts, because masquerade is limiting visibility and adding extra load to manipulate the packet.

ANOS · November 24, 2023, 9:08am

My test was made from my android phone.
I enable masquerade on LAN and it works!

Thank you very much @trendy. I can now go to my interview and show them my work from there.

system · December 4, 2023, 9:08am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.