Wireguard can't access external IPs from Apple devices

Installing and Using OpenWrt Network and Wireless Configuration
1

Following my previous topic here, I was able to set up wireguard on my phone and can access my internal IPs while connected. However, I can't access any external websites at all while connected to the router via wireugard. I run unbound and adblock-fast on my router and want to make use of that on my phone by always being connected to my router via wireguard when not on my home network.

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix '[REDACTED]'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'sfp2'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'br-wan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'wan'

config device
        option name 'eth1'
        option macaddr '[REDACTED]'

config device
        option name 'wan'
        option macaddr '[REDACTED]'

config interface 'wan'
        option device 'br-wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'br-wan'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'

config interface 'wg0'
        option proto 'wireguard'
        option private_key '[REDACTED]'
        option listen_port '51820'
        list addresses '10.0.0.1/24'

config wireguard_wg0
        option public_key '[REDACTED]'
        list allowed_ips '10.0.0.2/32'
        option preshared_key '[REDACTED]'
        option description 'phone'
        option route_allowed_ips '1'

cat /etc/config/firewall


config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wg0'

config zone
        option name 'wan'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding 'lan_wan'
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Drop-Ping'
        option src 'wan'
        option proto 'icmp'
        option family 'ipv4'
        option target 'DROP'
        list icmp_type 'echo-request'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Allow-Wireguard'
        list proto 'udp'
        option src 'wan'
        option dest_port '51820'
        option target 'ACCEPT'

Wireguard interface:

Protocol: Wireguard VPN
Generated a new key pair
Listen port: 51820
IP Addresses: 10.0.0.1/24
Firewall-zone: lan

Phone wireguard config generated via the QR code option:

Private key: matches what I generated for the iPhone peer on the server
Public key: matches what I generated for the iPhone peer on the server
Addresses: 10.0.0.2/32
Listen port: Empty aka Automatic
MTU: Empty aka Automatic
DNS servers: 192.168.2.1, which is the IP for my OpenWRT router's lan
Public key: matches what I generated for the server
Preshared key: matches what I generated for the server
Endpoint: <public_ip>:51820
Allowed IPs: 0.0.0.0/0, ::/0
Exclude private IPs: disabled
Persistent keepalive: Empty aka Off

cat /etc/config/unbound

config unbound 'ub_main'
        option dhcp_link 'dnsmasq'
        option dns64 '0'
        option domain 'lan'
        option edns_size '1232'
        option extended_stats '0'
        option hide_binddata '1'
        option interface_auto '1'
        option listen_port '53'
        option localservice '1'
        option manual_conf '0'
        option num_threads '1'
        option protocol 'default'
        option rate_limit '0'
        option rebind_localhost '0'
        option rebind_protection '1'
        option recursion 'default'
        option resource 'default'
        option root_age '9'
        option ttl_min '120'
        option ttl_neg_max '1000'
        option unbound_control '1'
        option validator '1'
        option verbosity '1'
        option enabled '1'
        option validator_ntp '1'
        list iface_lan 'lan'
        list iface_lan 'wan'
        list iface_lan 'wan6'
        list iface_wan 'wan'
        list iface_wan 'wan6'
        list iface_trig 'lan'
        list iface_trig 'wan'

cat /etc/config/adblock-fast

config adblock-fast 'config'
        option enabled '1'
        option allow_non_ascii '0'
        option canary_domains_icloud '0'
        option canary_domains_mozilla '0'
        option compressed_cache '1'
        option compressed_cache_dir '/etc'
        option config_update_enabled '0'
        option config_update_url 'https://cdn.jsdelivr.net/gh/openwrt/packages/net/adblock-fast/files/adblock-fast.config.update'
        option curl_max_file_size '30000000'
        option curl_retry '3'
        option debug '0'
        option dns 'unbound.adb_list'
        list dnsmasq_instance '*'
        option download_timeout '10'
        option force_dns '1'
        list force_dns_port '53'
        list force_dns_port '853'
        option parallel_downloads '1'
        option pause_timeout '20'
        option procd_trigger_wan6 '0'
        option procd_boot_delay '0'
        option procd_boot_wan_timeout '60'
        option verbosity '1'
2

wg0 should be a separate subnet.
then you create fw rules allowing it to communicate with your lan and what not.

3

Pardon my ignorance, but how do I create a separate subnet? Is that being accomplished with a router IP of 192.168.2.1 and a Wireguard interface IP of 10.0.0.1/24?

And then I would need a traffic rule for IPs in the 10.0.0.1/24 subnet to access lan?

4

yes, that's a good example.

correct

5

I tried adding this traffic rule to my firewall, but I still can't access any external website. Does it look correct?

config rule
        option src 'wan'
        list src_ip '10.0.0.1/24'
        option target 'ACCEPT'
        option name 'Allow-Wireguard-Devices-To-Access-External-IPs'
        option dest 'lan'
6

that's not the name of the wg interface ?

not sure if allowing lan is enough...

7

Ahh yes the interface is named wg0 and is attached to the lan firewall zone. So the source zone could be updated to lan I suppose, but that's where I'm confused and don't really know what I'm doing.

8

You shouldn't need any traffic rules or port forwards. The wireguard interface is already in the lan zone so the firewall shouldn't be interfering. It's more likely that unbound isn't set up to respond to addresses in the WG subnet.

9

To rule out a DNS problem from your phone do:
ping 8.8.8.8

I use an app called fing on my android phone (the free version) to troubleshoot connection problems

10

Ok so I got out my laptop and connected to my phone's mobile hotspot and then the wireguard config to my router. With it, I was able to ping 8.8.8.8, load google.com, and connect to my internal IPs. So the issue appears to be isolated to my iPhone (and iPad), and I have no clue why that would be...

11

I can think of two things, you have ::/0 as allowed IPs that means IPv6 is also routed via the tunnel but you have not setup IPv6 so if your phone is trying to use IPv6 it will not work.

Second maybe it is using Apples private DNS not sure if that will work (it actually should but who knows) so try to ping 8.8.8.8 from your phone

12

Fixed it! Went into the unbound settings and under Advanced, I set Filter Private Rebind to No Filter. Now my apple devices connect.

Thanks to everyone for the help and pointing me in the right direction.

13

Your VPN is a "LAN" network. Unbound sees it as an upstream route. Local rebind attacks are when nefarious DNS servers are used to serve you a self-host-address as part of helping a hijack program. You can use some forward-zone settings to allow VPN DNS server to give private address ranges. This would allow you to keep rebind protection on. LuCI/UCI can help with this, but to understand what unbound is doing, you will want to read its original documentation (nlnetlabs.nl)

14

Thanks for the info. I was unaware that's what it's doing. Would you mind helping me set up that forward-zone setting? Where would that be set? In unbound itself?

15

Forget forward-zone: that is more complex than I think you need.

private-domain:

You will need to manually add this to your /etc/unbound/unbound_srv.conf file. It has no mapping in UCI.

16

Well the weird things is I enabled Filter Localhost Rebind and set Filter Private Rebind to Filter Private Address, and my iPhone and iPad continue to be able to access external IPs when connected through wireguard despite them previously not working until I disabled those. I'm a bit stumped why it's now working. I'll look into setting private-domain. Thanks!