WireGuard client network issue

I have just installed WireGuard using this guide, modifying certain things like the IP address. My Android client is able to connect to the OpenWrt WireGuard but unable to reach the Internet and a certain subnet.

My network setup is like this. My OpenWRT Wifi router has wired and wireless interfaces. This wifi router is connected to pfsense firewall which also acts as the gateway to the Internet. However all end points' gateway is the OpenWRT wifi router. I have configured the firewall to allow connection from WAN to connect to WireGuard on the wifi router.

I have firewall zones zonepublic and zonelan. When the client is connected to WireGuard it is able to reach subnet 10.0.0.x on zonepublic but unable to reach subnet 192.168.1.x on zonelan and the Internet. The client subnet is 192.168.76.x. I am not sure whether this is a firewall or routing issue. When I look at the system logs, I cannot find denied traffic from the WireGuard client. I am still using the firewall feature of OpenWRT for internal network but the main firewall is pfsense. Please find below my configs:

Network:

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd19:458f:37f8::/48'

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.1.1'      # wifi router
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.1.10'    # pfsense
        list dns '208.67.220.220'
        list dns '208.67.222.222'
        option igmp_snooping '1'
        option ifname 'eth0.1 eth0.100'

config switch
        option name 'switch0'
        option reset '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0t 1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '100'
        option ports '0t 1t 2 3 4'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '1t 5'
        option vid '600'

config interface 'public'
        option proto 'static'
        option _orig_ifname 'wlan0-1'
        option _orig_bridge 'false'
        option ipaddr '10.0.0.1'
        option netmask '255.255.255.0'
        option gateway '192.168.1.10'
        option type 'bridge'
        list dns '208.67.222.222'
        list dns '208.67.220.220'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        option listen_port 'xxx'
        list addresses '192.168.76.0/24'

config wireguard_wg0
        option persistent_keepalive '25'
        option public_key 'xxxxxxxxxxxxxxxxxxxxxxxxx'
        option route_allowed_ips '1'
        list allowed_ips '192.168.76.5/24'
        option description 'xxxxx'

Firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'zonelan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option conntrack '1'
        option log '1'
        option network 'lan'

config include
        option path '/etc/firewall.user'

config zone
        option name 'zonepublic'
        option network 'public'
        option log '1'
        option input 'REJECT'
        option forward 'ACCEPT'
        option output 'ACCEPT'

config rule
        option target 'ACCEPT'
        option name 'Allow DHCP request'
        option proto 'udp'
        option src_port '67-68'
        option src 'zonepublic'

config rule
        option target 'ACCEPT'
        option name 'Allow DNS Queries'
        option dest_port '53'
        option src 'zonepublic'

config rule
        option name 'Deny public to lan'
        option src 'zonepublic'
        option dest 'zonelan'
        option proto 'all'
        option target 'DROP'
        list dest_ip '192.168.1.0/24'
        option extra '-m state --state NEW'

config forwarding
        option dest 'zonelan'
        option src 'zonepublic'

config forwarding
        option dest 'zonepublic'
        option src 'zonelan'

config zone
        option input 'ACCEPT'
        option network 'WireGuard wg0'
        option output 'ACCEPT'
        option name 'ZoneWiGuard'
        option forward 'ACCEPT'

Thanks

In interface public remove

        option gateway '192.168.1.10'
        list dns '208.67.222.222'
        list dns '208.67.220.220'

In interface wg0 fix the address to 192.168.76.1/24
In the WireGuard peer configuration fix the allowed IP to 192.168.76.5/32, remove the route_allowed_ips and the persistent_keepalive (it needs to be configured on the Android though).
Zone ZoneWiGuard doesn't have any forwarding. Add one to zonelan, or add wg0 interface in zonelan.
Finally pfsense needs to have static routes to the networks in OpenWrt.


Thank you Sir, I have followed your recommendations and it is working now. However I needed to also add a static route from WireGuard interface to the Internet with 192.168.1.1 as the gateway on the OpenWRT wifi router as shown in the attached screenshot.

Thank you very much again.

Why do you need to do that? You already have a route to the 0/0 from the lan interface.

Yes, you are right. It is not needed. I have removed it.
By the way, do you see any other unnecessary configs below?

Firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'zonelan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option conntrack '1'
        option log '1'
        option network 'lan wg0'

config include
        option path '/etc/firewall.user'

config zone
        option name 'zonepublic'
        option network 'public'
        option log '1'
        option input 'REJECT'
        option forward 'ACCEPT'
        option output 'ACCEPT'

config rule
        option target 'ACCEPT'
        option name 'Allow DHCP request'
        option proto 'udp'
        option src_port '67-68'
        option src 'zonepublic'

config rule
        option target 'ACCEPT'
        option name 'Allow DNS Queries'
        option dest_port '53'
        option src 'zonepublic'

config rule
        option name 'Deny public to lan'
        option dest 'zonelan'
        option proto 'all'
        option target 'DROP'
        list dest_ip '192.168.1.0/24'
        option src 'zonepublic'

config forwarding
        option dest 'zonelan'
        option src 'zonepublic'

config forwarding
        option dest 'zonepublic'
        option src 'zonelan'

Network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd19:478f:xxxx::/48'

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.1.10'
        list dns '208.67.220.220'
        list dns '208.67.222.222'
        option igmp_snooping '1'
        option ifname 'eth0.1 eth0.100'

config switch
        option name 'switch0'
        option reset '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0t 1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '100'
        option ports '0t 1t 2 3 4'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '1t 5'
        option vid '600'

config interface 'public'
        option proto 'static'
        option _orig_ifname 'wlan0-1'
        option _orig_bridge 'false'
        option ipaddr '10.0.0.1'
        option netmask '255.255.255.0'
        option type 'bridge'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        option listen_port 'xxxxx'
        list addresses '192.168.76.1/24'

config wireguard_wg0
        option public_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        option description 'xxxxxxx'
        option persistent_keepalive '0'
        list allowed_ips '192.168.76.5/32'

Zone zonelan, either keep the conntrack and remove the lan->public forwarding, or vice versa. Log is not needed.

Zone zonepublic, not needed

Remove this if you keep the conntrack in the beginning.

Other than that it looks fine!
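The checks the two replies above walk through (host address instead of network address on wg0, a /32 per peer, no server-side keepalive or route option, one default gateway, zone network names that exist, a forwarding out of the zone holding the tunnel, logging off, forward REJECT on a single-network zone) can be turned into a quick lint of the UCI dump. The script below is an added example, not code from this thread or from OpenWrt: it parses the plain `config`/`option`/`list` text format the posts show, and the two sample dumps at the bottom are constructed by condensing the first post, with keys redacted and a hypothetical peer description `android`.

```python
"""Lint an OpenWrt UCI network + firewall dump for the WireGuard pitfalls in the thread.
Added example (not the thread's or OpenWrt's code); assumes the plain UCI text format."""
import shlex
from ipaddress import ip_interface


def parse_uci(text):
    """Parse UCI text into [{'type', 'name', 'opts': {k: v}, 'lists': {k: [v, ...]}}]."""
    sections = []
    for raw in text.splitlines():
        words = shlex.split(raw, comments=True)   # quotes and trailing '#' comments handled
        if not words:
            continue
        kw, args = words[0], words[1:]
        if kw == "config":
            sections.append({"type": args[0], "name": args[1] if len(args) > 1 else None,
                             "opts": {}, "lists": {}})
        elif kw == "option" and sections and len(args) >= 2:
            sections[-1]["opts"][args[0]] = args[1]
        elif kw == "list" and sections and len(args) >= 2:
            sections[-1]["lists"].setdefault(args[0], []).append(args[1])
    return sections


def lint(network_text, firewall_text):
    """Return a list of human-readable findings; an empty list means nothing to fix."""
    net, fw, out = parse_uci(network_text), parse_uci(firewall_text), []
    ifaces = {s["name"]: s for s in net if s["type"] == "interface"}
    wg_ifaces = {n for n, s in ifaces.items() if s["opts"].get("proto") == "wireguard"}

    # The tunnel interface needs a host inside the prefix (192.168.76.1/24), not 192.168.76.0/24.
    for n in sorted(wg_ifaces):
        for a in ifaces[n]["lists"].get("addresses", []):
            ifa = ip_interface(a)
            if ifa.network.prefixlen < ifa.max_prefixlen and ifa.ip == ifa.network.network_address:
                out.append(f"{n}: address {a} is the network address; use e.g. "
                           f"{ifa.network.network_address + 1}/{ifa.network.prefixlen}")

    # A road-warrior peer gets exactly its own host; keepalive/route options live on the client.
    for s in net:
        if s["type"].startswith("wireguard_"):
            peer = s["opts"].get("description", s["type"])
            for a in s["lists"].get("allowed_ips", []):
                ifa = ip_interface(a)
                if ifa.network.prefixlen < ifa.max_prefixlen:
                    out.append(f"peer {peer}: allowed_ips {a} covers a subnet; use {ifa.ip}/{ifa.max_prefixlen}")
            for opt in ("route_allowed_ips", "persistent_keepalive"):
                if s["opts"].get(opt, "0") != "0":
                    out.append(f"peer {peer}: remove server-side option {opt}")

    # Only the interface facing the upstream router should carry a default gateway.
    gw = sorted(n for n, s in ifaces.items() if "gateway" in s["opts"])
    if len(gw) > 1:
        out.append(f"default gateway set on {', '.join(gw)}; keep it on one uplink interface")

    # Zones: named networks must exist, the zone holding the tunnel must be the source of a
    # forwarding, log is for troubleshooting, and 'forward' only matters between networks
    # of the same zone.
    fwd_src = {s["opts"].get("src") for s in fw if s["type"] == "forwarding"}
    for z in (s for s in fw if s["type"] == "zone"):
        zname = z["opts"].get("name", "?")
        nets = z["lists"].get("network", []) + z["opts"].get("network", "").split()
        for netname in nets:
            if netname not in ifaces:
                out.append(f"zone {zname}: network '{netname}' does not exist")
        if wg_ifaces & set(nets) and zname not in fwd_src:
            out.append(f"zone {zname}: holds a WireGuard interface but has no forwarding to another zone")
        if z["opts"].get("log") == "1":
            out.append(f"zone {zname}: log '1' is only needed while troubleshooting")
        if len(nets) == 1 and z["opts"].get("forward") == "ACCEPT":
            out.append(f"zone {zname}: forward ACCEPT on a single-network zone; set it to REJECT")
    return out


# Constructed sample dumps, condensed from the first post (keys redacted, peer name made up).
NETWORK = """
config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option gateway '192.168.1.10'

config interface 'public'
        option proto 'static'
        option ipaddr '10.0.0.1'
        option gateway '192.168.1.10'

config interface 'wg0'
        option proto 'wireguard'
        list addresses '192.168.76.0/24'

config wireguard_wg0
        option persistent_keepalive '25'
        option route_allowed_ips '1'
        list allowed_ips '192.168.76.5/24'
        option description 'android'
"""

FIREWALL = """
config zone
        option name 'zonelan'
        option forward 'ACCEPT'
        option log '1'
        option network 'lan'

config forwarding
        option dest 'zonepublic'
        option src 'zonelan'

config zone
        option network 'WireGuard wg0'
        option name 'ZoneWiGuard'
        option forward 'ACCEPT'
"""

if __name__ == "__main__":
    for finding in lint(NETWORK, FIREWALL):
        print("-", finding)
```

Run it against `cat /etc/config/network` and `cat /etc/config/firewall` output copied into the two strings; the `'WireGuard wg0'` finding is the one that silently prevented the zone from ever matching the tunnel, since a zone's `network` option must list interface section names only.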

Thank you again. Sorry for the late reply.

I am not really sure what you meant by "not needed" here. You meant remove "option log '1'"? or just change ACCEPT to REJECT?

Yes, the log option is not needed, unless you are troubleshooting something.
And change the forward ACCEPT into REJECT in the same zone.

