Hi OpenWRT, I am creating this post because I am unable to access my webserver when my WireGuard client is connected to my OpenWrt WireGuard server from outside the LAN.
My setup:
wireguard server (openwrt - Home router - NOT an external paid VPN)
webserver (LAN - with ports forwarded for HTTP and HTTPS)
wireguard client - laptop/cellphone
Troubleshooting so far:
When the WireGuard client is connected to the WireGuard server (from within the LAN), the client is able to access the internet, other LAN devices and the webserver.
When the WireGuard client is connected to the WireGuard server (from outside the LAN), the client is able to access the internet and other LAN devices; however, the client is NOT able to access the webserver, but instead opens up the LuCI page for the router (this does not happen in any other scenario listed).
When the WireGuard client is NOT connected to the WireGuard server (from outside the LAN), the client is able to access the internet and the webserver; (obviously) it is not able to access LAN devices.
Not sure if this is something that needs to be handled by PBR, but if so, can you please provide some help with it? I do not know how to set up PBR for this situation (as I don't completely understand what the issue is).
Please see below for my network setup:
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdbd:9acb:c524::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
list dns '192.168.1.1'
config interface 'wan'
option device 'wan'
option proto 'dhcp'
option peerdns '0'
list dns '192.168.1.1'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
config device
option name 'wan'
config interface 'wg0'
option proto 'wireguard'
option private_key '<redacted>'
option listen_port '53510'
list addresses '10.16.8.1/32'
option peerdns '0'
list dns '192.168.1.1'
config wireguard_wg0
option description 'iPhone'
option preshared_key '<redacted>'
option public_key '<redacted>'
option private_key '<redacted>'
option persistent_keepalive '25'
option route_allowed_ips '1'
list allowed_ips '10.16.8.2/32'
config wireguard_wg0
option description 'Laptop'
option persistent_keepalive '25'
option route_allowed_ips '1'
list allowed_ips '10.16.8.5/32'
option public_key '<redacted>'
option private_key '<redacted>'
option preshared_key '<redacted>'
See below for my Firewall setup (please note, I installed pbr but I didn't add any new configurations):
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option flow_offloading '1'
option flow_offloading_hw '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wg0_fw'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'wg0'
option masq '1'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'https'
list proto 'tcp'
option src 'wan'
option src_dport '443'
option dest_ip '192.168.1.4'
option dest_port '443'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'http'
list proto 'tcp'
option src 'wan'
option src_dport '80'
option dest_ip '192.168.1.4'
option dest_port '80'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'sftp'
option src 'wan'
option src_dport '222'
option dest_ip '192.168.1.4'
option dest_port '222'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'postgres'
option src 'wan'
option src_dport '5432'
option dest_ip '192.168.1.4'
option dest_port '5432'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'Plex'
option src 'wan'
option src_dport '32400'
option dest_ip '192.168.1.4'
option dest_port '32400'
config rule
option name 'Allow-Wireguard-Inbound'
list proto 'udp'
option target 'ACCEPT'
option src 'wan'
option dest_port '53510'
config forwarding
option src 'lan'
option dest 'wan'
config forwarding
option src 'wg0_fw'
option dest 'lan'
config forwarding
option src 'lan'
option dest 'wg0_fw'
config forwarding
option src 'wg0_fw'
option dest 'wan'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'deluge'
option src 'wan'
option src_dport '59314'
option dest_ip '192.168.1.4'
option dest_port '59314'
config include 'pbr'
option fw4_compatible '1'
option type 'script'
option path '/usr/share/pbr/pbr.firewall.include'
I have AdGuard installed on the OpenWrt router, which is why it is listed as the DNS server.
I will try this out.
I was under the impression that it needed to be separate since it is a separate interface and would allow for finer control of traffic (not that I am any good at fine control of traffic). Also, my plan (when I have time) is to set up a commercial VPN on top of this setup with PBR rules to allow my webserver to access the WAN directly. I assumed that having a separate zone would make that easier.
This did not work, same issue. (Note: I did update from LuCI and saved changes.) I also ran /etc/init.d/firewall reload just in case, and it still did not work.
I'm not looking to take the lead on helping but I had a thought to share.
Could it be name resolution related? Are you accessing your web server by name? Is your name server deciding what IP to return based on if the requestor is seen as local or not?
Test by doing name resolution in each of the three connected states you presented above. Be sure to notice what nameserver is being queried.
I am using an nginx webserver with Let's Encrypt to have a proper SSL cert, and I am using subdomains to access different services through the webserver. I have the ddns service installed on the router to make sure my domain is pointing to my WAN IP.
I am not sure how to check for this. I used the SWAG out-of-the-box setup with the subdomain configuration. I didn't specify anything based on IP, and it is listening on no specific IP:
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
return 301 https://$host$request_uri;
}
# main server block
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
...
I tested with nslookup and host for subdomain.domain.tld and both showed the same name and address under the "Non-authoritative answer:" response.
When I access the domain for my webserver, it takes me to the router page (LuCI) and gives me an SSL cert error. So I am thinking that it is taking me to the public IP, but then not routing me to my webserver.
Edited:
OK, so rephrasing your answer to what I hope it means to me:
The name of your web server resolves to the same IP address which is the address on your WAN interface "When wireguard client is connected to the wireguard server (from outside LAN)..."
Try analyzing connections with traceroute (tracert on windows) and tcpdump/wireshark from testing with your laptop.
I was thinking about how could you be getting different results with wireguard when on lan vs the internet. Here are some thoughts:
When your laptop is on the lan but is connected to your wg service, it still has a route for 192.168.1.0/24 via 192.168.1.1 and uses that to connect to your home web server.
When your laptop is on the internet and connected to your wg service, the wg vpn is the active route to 192.168.1.0/24.
Try setting your local DNS server (192.168.1.1) for your local web services to point to the real web server (192.168.1.4?) if it isn't already, or add an entry to the hosts file on your laptop pointing to the web server's real IP, and test connectivity. If 192.168.1.4 is the web server, try pointing your browser to https://192.168.1.4/ and see if it connects there, even if it then does a browser redirect. (Browser dev tools and/or a packet capture can be useful here.)
Without reasons to make it more complicated, I'd set things up so lan clients and wg clients name resolve and connect directly to the local web server and clients on the internet without wg resolve via ddns to the router wan ip and make use for the firewall redirects/port forwards. If this is what you think is in place now then packet captures might show more of what is going on. Logging and debugging options on the firewall might help as well.
To test my idea about the laptop on the lan with wg active, maybe netstat -rn would show what routes are in place and active.
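The test plan in the two replies above (resolve the name in each of the three states, note which address comes back and which route the kernel picks, then reason about what the posted firewall does with it) can be scripted. The script below is an added example, not code from the thread or from OpenWrt. It takes the LAN (192.168.1.0/24), the web server (192.168.1.4) and the wg peer addresses from the posted config; the wg subnet 10.16.8.0/24 is inferred from those peer addresses, and WAN_IP is a constructed placeholder (203.0.113.7, TEST-NET-3) that you would replace with the address your ddns name actually resolves to. The explanations it prints follow from the posted config: every redirect carries `option src 'wan'`, so a redirect only matches packets that enter through the wan zone, and the wg0_fw zone has `option input 'ACCEPT'`, so packets from the tunnel addressed to the router itself reach whatever listens on the router, including LuCI. The `diagnose` function assumes a Linux laptop with getent(1) and iproute2; the classification helpers run anywhere a POSIX sh is available.

```sh
#!/bin/sh
# Added example (not from the thread). Values below are assumptions:
# LAN_NET, WEB_IP from the posted config; WG_NET inferred from the peer
# allowed_ips; WAN_IP is a constructed placeholder to be replaced.
LAN_NET=192.168.1.0/24
WG_NET=10.16.8.0/24
WAN_IP=203.0.113.7      # constructed; put the ddns-resolved WAN address here
WEB_IP=192.168.1.4

# ip_to_int A.B.C.D -> unsigned 32-bit integer
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/BITS -> exit 0 when IP lies inside the prefix
in_cidr() {
    _ip=$(ip_to_int "$1")
    _net=$(ip_to_int "${2%/*}")
    _bits=${2#*/}
    _mask=$(( (4294967295 << (32 - _bits)) & 4294967295 ))
    [ $(( _ip & _mask )) -eq $(( _net & _mask )) ]
}

# classify_ip IP -> lan | wg | wan | other
classify_ip() {
    if in_cidr "$1" "$LAN_NET"; then echo lan
    elif in_cidr "$1" "$WG_NET"; then echo wg
    elif [ "$1" = "$WAN_IP" ]; then echo wan
    else echo other
    fi
}

# explain CLASS STATE -> what the posted firewall does with the first packet.
# STATE: lan (client on the LAN), wg (remote, tunnel up), remote (no tunnel).
# The wan/wg line is the consequence of every redirect having src 'wan'.
explain() {
    case "$1/$2" in
        lan/*)      echo "direct to $WEB_IP; the DNAT redirects are not involved" ;;
        wan/remote) echo "enters zone wan; redirect http/https (src 'wan') DNATs to $WEB_IP" ;;
        wan/wg)     echo "enters zone wg0_fw; redirects match src 'wan' only, so the packet stays on the router (input ACCEPT) and reaches LuCI" ;;
        wan/lan)    echo "hairpin from the LAN; depends on fw4 NAT reflection, which by default covers only the redirect's dest zone (lan)" ;;
        *)          echo "unexpected: resolved to $1 while $2" ;;
    esac
}

# diagnose NAME STATE: resolve NAME with the system resolver (the one the
# browser uses), show the route the kernel picks, then explain the outcome.
# Assumes a Linux client with getent(1) and iproute2.
diagnose() {
    addr=$(getent ahostsv4 "$1" 2>/dev/null | awk 'NR==1 {print $1}')
    [ -n "$addr" ] || { echo "$1: no A record"; return 1; }
    class=$(classify_ip "$addr")
    echo "$1 -> $addr [$class]"
    ip route get "$addr" 2>/dev/null | head -n 1
    explain "$class" "$2"
}

# Usage: sh wg-diag.sh subdomain.domain.tld wg   (run once per state)
if [ $# -ge 2 ]; then
    diagnose "$1" "$2"
fi
```

Run it three times on the laptop, once in each state, with the second argument set to lan, wg or remote. If the name resolves to the WAN address while the tunnel is up, the `ip route get` line will show the address leaving via wg0 rather than the LAN, which is exactly the case the redirects do not cover; a name that resolves to 192.168.1.4 in the lan and wg states is the "connect directly to the local web server" arrangement suggested above.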