I have just installed WireGuard using this guide, modifying certain things like the IP addresses. My Android client is able to connect to the OpenWrt WireGuard interface but is unable to reach the Internet and one particular subnet.
My network setup is like this. My OpenWrt Wi-Fi router has wired and wireless interfaces. This Wi-Fi router is connected to a pfSense firewall, which also acts as the gateway to the Internet. However, all endpoints use the OpenWrt Wi-Fi router as their gateway. I have configured the firewall to allow connections from the WAN to WireGuard on the Wi-Fi router.
I have the firewall zones zonepublic and zonelan. When the client is connected to WireGuard it is able to reach subnet 10.0.0.x on zonepublic, but it is unable to reach subnet 192.168.1.x on zonelan or the Internet. The client subnet is 192.168.76.x. I am not sure whether this is a firewall or a routing issue. When I look at the system logs, I cannot find any denied traffic from the WireGuard client. I am still using the OpenWrt firewall for the internal network, but the main firewall is pfSense. Please find my configs below:
Network:
# /etc/config/network as pasted in the post. The "-> ..." tokens on two of the
# lan lines are the author's annotations, not UCI syntax.
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd19:458f:37f8::/48'
# 'lan' (192.168.1.0/24) is a bridge over VLAN 1 and VLAN 100; its upstream
# gateway is pfsense at 192.168.1.10.
config interface 'lan'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.1.1' -> wifi router
option netmask '255.255.255.0'
option ip6assign '60'
option gateway '192.168.1.10' -> pfsense
list dns '208.67.220.220'
list dns '208.67.222.222'
option igmp_snooping '1'
option ifname 'eth0.1 eth0.100'
config switch
option name 'switch0'
option reset '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option vid '1'
option ports '0t 1'
config switch_vlan
option device 'switch0'
option vlan '2'
option vid '100'
option ports '0t 1t 2 3 4'
config switch_vlan
option device 'switch0'
option vlan '3'
option ports '1t 5'
option vid '600'
# 'public' (10.0.0.0/24) shares the same upstream gateway, 192.168.1.10.
config interface 'public'
option proto 'static'
option _orig_ifname 'wlan0-1'
option _orig_bridge 'false'
option ipaddr '10.0.0.1'
option netmask '255.255.255.0'
option gateway '192.168.1.10'
option type 'bridge'
list dns '208.67.222.222'
list dns '208.67.220.220'
# WireGuard interface. Key material and listen port are redacted by the author.
# NOTE(review): 'addresses' is the bare network address 192.168.76.0/24; the
# router's own tunnel address is normally a host inside that prefix (for
# example 192.168.76.1/24 -- constructed value, not from the post). Confirm
# this is intended, since the router needs a tunnel address of its own for
# replies to the client.
# NOTE(review): nothing here gives pfsense (192.168.1.10) a route back to
# 192.168.76.0/24, and no masquerading is configured on this router for the
# tunnel subnet. Unless pfsense has a static route for 192.168.76.0/24 pointing
# at 192.168.1.1, Internet-bound traffic from the client has no return path --
# verify on pfsense; this is a routing symptom, not a firewall one.
config interface 'wg0'
option proto 'wireguard'
option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
option listen_port 'xxx'
list addresses '192.168.76.0/24'
# Single peer (the Android client).
# allowed_ips '192.168.76.5/24' admits the entire /24 for this one key, and
# route_allowed_ips installs a route for that whole prefix. Least privilege for
# a single client is the host prefix '192.168.76.5/32', which also prevents any
# other peer added later from overlapping the same route.
config wireguard_wg0
option persistent_keepalive '25'
option public_key 'xxxxxxxxxxxxxxxxxxxxxxxxx'
option route_allowed_ips '1'
list allowed_ips '192.168.76.5/24'
option description 'xxxxx'
Firewall:
# /etc/config/firewall as pasted in the post.
# 'defaults' applies to traffic that matches no zone and to inter-zone
# forwarding that no 'config forwarding' section allows. forward 'REJECT' is
# therefore what governs traffic from the WireGuard zone to every other zone
# below, and rejections at this level are not logged.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
# zonelan logs (log '1'), so denied traffic involving 'lan' would be visible.
config zone
option name 'zonelan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option conntrack '1'
option log '1'
option network 'lan'
# /etc/firewall.user is included but not shown in the post; any extra iptables
# rules there (e.g. something that lets the tunnel reach 10.0.0.x) cannot be
# reviewed from this listing.
config include
option path '/etc/firewall.user'
config zone
option name 'zonepublic'
option network 'public'
option log '1'
option input 'REJECT'
option forward 'ACCEPT'
option output 'ACCEPT'
# Input exceptions for the public zone: DHCP and DNS to the router itself.
config rule
option target 'ACCEPT'
option name 'Allow DHCP request'
option proto 'udp'
option src_port '67-68'
option src 'zonepublic'
config rule
option target 'ACCEPT'
option name 'Allow DNS Queries'
option dest_port '53'
option src 'zonepublic'
# Blocks new connections from public to the 192.168.1.0/24 hosts while the
# zonepublic -> zonelan forwarding below still lets established/related
# traffic (and anything outside that dest_ip) through.
config rule
option name 'Deny public to lan'
option src 'zonepublic'
option dest 'zonelan'
option proto 'all'
option target 'DROP'
list dest_ip '192.168.1.0/24'
option extra '-m state --state NEW'
# Inter-zone forwarding exists only between zonelan and zonepublic. There is no
# 'config forwarding' with src 'ZoneWiGuard', so WireGuard -> zonelan and
# WireGuard -> anything routed via lan (the Internet) fall back to the
# defaults' forward 'REJECT'. A forwarding section with src 'ZoneWiGuard' and
# dest 'zonelan' (and one for the public zone, if intended) is what the
# symptom in the post points to.
config forwarding
option dest 'zonelan'
option src 'zonepublic'
config forwarding
option dest 'zonepublic'
option src 'zonelan'
# WireGuard zone.
# 'network' is a space-separated list of interface names; 'WireGuard' matches
# no interface defined in /etc/config/network, only 'wg0' does. Use
# option network 'wg0'.
# This zone has no 'option log', and the defaults-level REJECT is unlogged, so
# the absence of denied entries in the system log does not show the tunnel
# traffic was permitted; add option log '1' here while troubleshooting.
config zone
option input 'ACCEPT'
option network 'WireGuard wg0'
option output 'ACCEPT'
option name 'ZoneWiGuard'
option forward 'ACCEPT'
Thanks