Wireguard connects, but LAN not reachable

Dear all,

I have openwrt 22.03.2 (x86) running in a ProxMox LXC. LAN and WAN are in the same subnet.

Once I configured the Wireguard server and added my peer, it is able to connect and ping the server, but not any other LAN IP.

I already searched the forum, reviewed the firewall, enabled "allow 0.0.0.0/0", enabled "route allowed IPs"... everything seems to work fine during the connection, but nothing more...

I am lost; I don't know where to enable or find any detailed logs in order to find the root cause.

network.lan=interface
network.lan.device='br-lan'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.67'
network.lan.netmask='255.255.255.0'
network.lan.gateway='192.168.1.68'
network.wan=interface
network.wan.device='br-wan'
network.wan.proto='static'
network.wan.ipaddr='192.168.1.68'
network.wan.netmask='255.255.255.0'
network.wan.gateway='192.168.1.1'
network.wan.dns='1.1.1.1' '1.0.0.1'
network.wan.peerdns='0'
network.wg0=interface
network.wg0.proto='wireguard'
network.wg0.private_key='xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx='
network.wg0.listen_port='51821'
network.wg0.addresses='192.168.29.1/24'
network.wgclient=wireguard_wg0
network.wgclient.public_key='xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx='
network.wgclient.preshared_key='xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx='
network.wgclient.route_allowed_ips='1'
network.wgclient.allowed_ips='192.168.29.0/24' '0.0.0.0/0'

firewall.wg=rule
firewall.wg.name='Allow-WireGuard'
firewall.wg.src='wan'
firewall.wg.dest_port='51821'
firewall.wg.proto='udp'
firewall.wg.target='ACCEPT'

That will not work. There are two ways to set it up.

  • Conventional routing where the lan, wan and wireguard tunnel are all different subnets.
  • Make the wireguard server a LAN device. There it would not have a wan network. The network's main router needs to forward port 58121 UDP (encrypted packets from a client) from the Internet to the wireguard server.

Assuming the client is a road warrior (a single laptop or phone, not a router with a network behind it) the allowed ips on the server is only the road warrior's tunnel IP. On the client set allowed IPs to be the home LAN if you want lan access, or to 0.0.0.0/0 if you want all client Internet usage to go through the tunnel and access the Internet from the home router's ISP.


mk24,

Maybe I omitted some information. Currently the main router already has the UDP port forwarded.

Maybe the key is to delete the wan interface in openwrt... (really not used). I will try :)

Thanks.

It appears your goal is to setup a VPN endpoint (server) at your home so that you can connect remotely to use your home network resources and/or the internet through your home connection. Further, the OpenWrt router that will have the VPN endpoint running sits behind another router which is responsible for your main LAN. If that is a correct interpretation, there are two ways to accomplish this goal:

  1. if your main router supports adding static routes, you can setup your OpenWrt router such that you're using a LAN-LAN connection (no WAN needed on the OpenWrt side). You'll add a static route from the main router so that it is aware of the WireGuard network and how to send traffic back through that tunnel.
  2. If your main router does not support static routes, you'll need to use NAT Masquerading on the OpenWrt router's upstream connection (i.e. the one that goes to your main router's LAN). This is the default configuration with the OpenWrt WAN, so typically LAN-WAN is the easiest method (although there are nuances here; we can still use a LAN-LAN connection if you want).

Please check your main router to see if it supports the ability for you to add static routes. That will inform how we approach your configuration.


Hi psherman,

You are right! It is the NAT...

I also have a debian LXC with wireguard-ui (working fine, but resource hungry) and I didn't configure any NAT (it was configured by default during installation). That's because I didn't realize.

My current ISP router seems very limited without an admin password that I don't know. It is not possible to set static routes.

Taking into consideration that currently my openwrt is not acting as a router, what configuration do you recommend? LAN-LAN as now? Or simply LAN?

For wireguard to work as I expected I suppose I have to create a new firewall zone, and allow forwarding from it to lan. Also activate masquerading. Am I missing any other config?

Thanks in advance.

The lan-wan configuration (from a default installation) would actually be pretty close. But fundamentally, you can do this with a lan-lan setup, too.

If we do the lan-lan:

  • your OpenWrt router needs to have the DHCP server disabled
  • It must have an IP on the same subnet as your normal LAN, and must also have the subnet size/mask specified, as well as the gateway and DNS (all of this in the lan interface definition if static, otherwise you can change that to DHCP client and it will get all that from the upstream DHCP server).
  • the WG network needs to be in a separate firewall zone relative to your lan
  • the lan firewall zone must have masquerading enabled.
  • the upstream router must forward the Wireguard port to the IP address of the OpenWrt router.

Once all of those things are in place, it should work as you expect (provided the WG config is correct).

Feel free to post your configs and we can review.


I was trying to do it by myself, but I am missing something, and after some hours of different configs here you have my "best approach" (not working = connected OK but not LAN access):

network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fdf7:223e:8659::/48'
network.brlan=device
network.brlan.name='br-lan'
network.brlan.type='bridge'
network.brlan.ports='eth0'
network.brwan=device
network.brwan.name='br-wan'
network.brwan.type='bridge'
network.brwan.ports='eth1'
network.lan=interface
network.lan.device='br-lan'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.67'
network.lan.netmask='255.255.255.0'
network.lan.gateway='192.168.1.68'
network.wan=interface
network.wan.device='br-wan'
network.wan.proto='static'
network.wan.ipaddr='192.168.1.68'
network.wan.netmask='255.255.255.0'
network.wan.gateway='192.168.1.1'
network.wan.dns='1.1.1.1' '1.0.0.1'
network.wan.peerdns='0'
network.wg0=interface
network.wg0.proto='wireguard'
network.wg0.private_key='xxxxxx'
network.wg0.listen_port='51821'
network.wg0.addresses='192.168.29.1/24'
network.wgclient=wireguard_wg0
network.wgclient.public_key='xxxxxxxxx'
network.wgclient.preshared_key='xxxxx'
network.wgclient.allowed_ips='192.168.29.0/24'
network.wgclient.route_allowed_ips='1'

firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].synflood_protect='1'
firewall.lan=zone
firewall.lan.name='lan'
firewall.lan.input='ACCEPT'
firewall.lan.output='ACCEPT'
firewall.lan.forward='ACCEPT'
firewall.lan.network='lan'
firewall.wan=zone
firewall.wan.name='wan'
firewall.wan.network='wan' 'wan6'
firewall.wan.input='REJECT'
firewall.wan.output='ACCEPT'
firewall.wan.forward='REJECT'
firewall.wan.masq='1'
firewall.wan.mtu_fix='1'
firewall.lan_wan=forwarding
firewall.lan_wan.src='lan'
firewall.lan_wan.dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.wg=rule
firewall.wg.name='Allow-WireGuard'
firewall.wg.src='wan'
firewall.wg.dest_port='51821'
firewall.wg.proto='udp'
firewall.wg.target='ACCEPT'
firewall.@zone[2]=zone
firewall.@zone[2].name='wg'
firewall.@zone[2].input='ACCEPT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].network='wg0'
firewall.@zone[2].masq='1'
firewall.@zone[2].forward='ACCEPT'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='wg'
firewall.@forwarding[1].dest='lan'

Can I trouble you to provide the configs in a different format... I find it much easier to read in the config file format (vs the UCI dump).

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall

Of course ;)

root@owrt902:/# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdf7:223e:8659::/48'

config device 'brlan'
        option name 'br-lan'
        option type 'bridge'
        option ports 'eth0'

config device 'brwan'
        option name 'br-wan'
        option type 'bridge'
        option ports 'eth1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.67'
        option netmask '255.255.255.0'
        option gateway '192.168.1.68'

config interface 'wan'
        option device 'br-wan'
        option proto 'static'
        option ipaddr '192.168.1.68'
        option netmask '255.255.255.0'
        option gateway '192.168.1.1'
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        option peerdns '0'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'xxx='
        option listen_port '51821'
        list addresses '192.168.29.1/24'

config wireguard_wg0 'wgclient'
        option public_key 'xxx='
        option preshared_key 'xxx='
        list allowed_ips '192.168.29.0/24'
        option route_allowed_ips '1'




root@owrt902:/# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option domain 'goi'
        option local '/goi/'
        list server '1.1.1.1'
        list server '1.0.0.1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'



root@owrt902:/# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone 'wan'
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding 'lan_wan'
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule 'wg'
        option name 'Allow-WireGuard'
        option src 'wan'
        option dest_port '51821'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'wg'
        option input 'ACCEPT'
        option output 'ACCEPT'
        list network 'wg0'
        option masq '1'
        option forward 'ACCEPT'

config forwarding
        option src 'wg'
        option dest 'lan'

Ok... I see a few things going on...

First, I'd recommend removing the top level names for these two bridge devices (just in case it causes any conflict) - you have a name explicitly defined, so no need to have a second name.

Make the above look like this:

config device
        option name 'br-lan'
        option type 'bridge'
        option ports 'eth0'

Next, the wan doesn't really need a bridge... I'd actually remove that entirely.

Moving on to the networks... you have a conflict here between the lan and the wan.

What is the physical connection here? Are you using the lan or the wan port (physically)?

If lan, let's do the following:

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.68'
        option netmask '255.255.255.0'
        option gateway '192.168.1.1'
        list dns '1.1.1.1'
        list dns '1.0.0.1'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'

next, on the wg config, the peer allowed IPs is wrong:

Your peer should really be more like this:
list allowed_ips '192.168.29.2/32'
(and your remote peer config must match... we'll get to that)

If you're connecting to the lan port (as we've been working towards), the DHCP server must be disabled for the lan or it will mess things up for your main network.

this should just be like this:

config dhcp 'lan'
        option interface 'lan'
        option ignore '1'

In the firewall, you need to enable masquerading on the lan zone.

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        option masq '1'

Then this is unnecessary, just delete it:

remove the masquerading from the wg zone:

config zone
        option name 'wg'
        option input 'ACCEPT'
        option output 'ACCEPT'
        list network 'wg0'
        option forward 'ACCEPT'

And then things should be right for everything that we can verify here.

The next question is going to be the Wireguard connection itself -- is it working (correct key config, etc.)?

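The checklist from the earlier lan-lan reply (DHCP off, IP and gateway on the main subnet, wg in its own zone, masquerading on the lan zone, port forwarded upstream) and the items in this review (no overlapping lan/wan subnets, /32 allowed_ips for the peer, DHCP ignored on lan, masq on lan rather than on wg) can be mechanically checked against the posted files. The script below is an added example, not code from the thread or from OpenWrt: it parses the `/etc/config/*` file format and returns one finding per unmet item. The embedded config text is the thread's final configuration with keys redacted; `firewall_cfg`, the finding messages and the function names are this example's own.

```python
"""Check an OpenWrt lan-lan WireGuard setup for the mistakes discussed above (added example)."""
import ipaddress
import shlex


def parse_uci(text):
    """Parse the /etc/config/* file format (config / option / list) into a list of sections."""
    sections, cur = [], None
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)
        if not parts:
            continue
        if parts[0] == "config":
            cur = {"type": parts[1], "name": parts[2] if len(parts) > 2 else None, "opt": {}, "list": {}}
            sections.append(cur)
        elif parts[0] == "option" and cur is not None:
            cur["opt"][parts[1]] = parts[2] if len(parts) > 2 else ""
        elif parts[0] == "list" and cur is not None:
            cur["list"].setdefault(parts[1], []).append(parts[2] if len(parts) > 2 else "")
    return sections


def _networks(zone):
    """Networks attached to a zone, written either as list entries or one space-separated option."""
    return zone["list"].get("network", []) + zone["opt"].get("network", "").split()


def check_lan_lan_wireguard(network_cfg, dhcp_cfg, firewall_cfg_text):
    """Return findings as strings; an empty list means every item on the checklist is satisfied."""
    net, dh, fw = (parse_uci(t) for t in (network_cfg, dhcp_cfg, firewall_cfg_text))
    findings = []
    # Two static interfaces in one subnet (the first config had lan and wan both in 192.168.1.0/24).
    static = [(s["name"], ipaddress.ip_interface(f"{s['opt']['ipaddr']}/{s['opt'].get('netmask', '32')}").network)
              for s in net if s["type"] == "interface" and s["opt"].get("proto") == "static"
              and "ipaddr" in s["opt"] and s["opt"].get("device") != "lo"]
    for i, (a, na) in enumerate(static):
        findings += [f"interfaces {a} and {b} overlap on {na}" for b, nb in static[i + 1:] if na.overlaps(nb)]
    # lan-lan: the lan interface needs the main router as its gateway.
    lan = next((s for s in net if s["type"] == "interface" and s["name"] == "lan"), None)
    if lan is None or "gateway" not in lan["opt"]:
        findings.append("lan interface has no gateway pointing at the main router")
    # Server-side allowed_ips for a road warrior is its tunnel address only (/32).
    wg = next((s for s in net if s["opt"].get("proto") == "wireguard"), None)
    if wg is None:
        findings.append("no wireguard interface defined")
    for peer in (s for s in net if wg and s["type"] == f"wireguard_{wg['name']}"):
        for ip in peer["list"].get("allowed_ips", []):
            n = ipaddress.ip_network(ip, strict=False)
            if n.prefixlen != n.max_prefixlen:
                findings.append(f"peer {peer['name']}: allowed_ips {ip} is wider than one tunnel address")
    # No second DHCP server on the main LAN.
    for s in dh:
        if s["type"] == "dhcp" and s["opt"].get("interface") == "lan" and s["opt"].get("ignore") != "1":
            findings.append("DHCP server is still enabled on lan")
    # Firewall: wg0 in its own zone, masquerade on the lan zone (not on wg), forwarding wg -> lan.
    zones = [s for s in fw if s["type"] == "zone"]
    lan_zone = next((z for z in zones if z["opt"].get("name") == "lan"), None)
    wg_zone = next((z for z in zones if wg and wg["name"] in _networks(z)), None)
    if lan_zone is None or lan_zone["opt"].get("masq") != "1":
        findings.append("masquerading is not enabled on the lan zone")
    if wg_zone is None:
        findings.append("wireguard interface is not in any firewall zone")
    else:
        if wg_zone is lan_zone:
            findings.append("wireguard interface must be in its own zone, not in lan")
        if wg_zone["opt"].get("masq") == "1":
            findings.append("masquerading on the wg zone is unnecessary")
        if not any(s["type"] == "forwarding" and s["opt"].get("src") == wg_zone["opt"].get("name")
                   and s["opt"].get("dest") == "lan" for s in fw):
            findings.append("no forwarding from the wg zone to lan")
    return findings


# Constructed sample input: the thread's final configuration, trimmed, keys redacted.
NETWORK = """
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.67'
        option netmask '255.255.255.0'
        option gateway '192.168.1.1'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'xxx='
        option listen_port '51821'
        list addresses '192.168.29.1/24'

config wireguard_wg0 'wgclient'
        option public_key 'xxx='
        list allowed_ips '192.168.29.0/24'
"""
DHCP = "config dhcp 'lan'\n        option interface 'lan'\n        option dhcpv4 'server'\n"


def firewall_cfg(lan_masq, wg_masq):
    """The posted firewall file with the two masq settings parameterised (helper for this example)."""
    return f"""
config zone 'lan'
        option name 'lan'
        option forward 'ACCEPT'
        list network 'lan'
        option masq '{lan_masq}'

config zone
        option name 'wg'
        option forward 'ACCEPT'
        list network 'wg0'
        option masq '{wg_masq}'

config forwarding
        option src 'wg'
        option dest 'lan'
"""


# The same files after the advice in the thread: /32 peer, DHCP ignored, masq moved from wg to lan.
FIXED_NETWORK = NETWORK.replace("allowed_ips '192.168.29.0/24'", "allowed_ips '192.168.29.2/32'")
FIXED_DHCP = "config dhcp 'lan'\n        option interface 'lan'\n        option ignore '1'\n"

if __name__ == "__main__":
    for f in check_lan_lan_wireguard(NETWORK, DHCP, firewall_cfg("0", "1")):
        print("FINDING:", f)
    print("after fix:", check_lan_lan_wireguard(FIXED_NETWORK, FIXED_DHCP, firewall_cfg("1", "0")))
```

Run against the configuration as posted it reports four findings (peer allowed_ips wider than /32, DHCP still enabled on lan, no masquerading on the lan zone, masquerading on the wg zone); with the corrected files it returns an empty list. On a real device, feed it the output of `cat /etc/config/network`, `cat /etc/config/dhcp` and `cat /etc/config/firewall`.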

Hi psherman,

Too many suggested changes to do, and I don't understand some of them... I am trying to simplify the configuration by removing the wan.

There are no physical connections because it is an LXC (Proxmox container). I assigned 2 interfaces, but I deleted one of them.

The result is mainly the same. Port forwarding from the ISP router and the wireguard config should be OK because it connects.

wg show
interface: wg0
  public key: xxx=
  private key: (hidden)
  listening port: 51821

peer: xxx=
  preshared key: (hidden)
  endpoint: xxx:xxx
  allowed ips: 192.168.29.0/24
  latest handshake: 1 minute, 24 seconds ago
  transfer: 55.04 KiB received, 9.16 KiB sent

My config now:

#### /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdc4:4e8e:295d::/48'

config device 'brlan'
        option name 'br-lan'
        option type 'bridge'
        option ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.67'
        option netmask '255.255.255.0'
        option gateway '192.168.1.1'
        list dns '1.1.1.1'
        list dns '1.0.0.1'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'xxx='
        option listen_port '51821'
        list addresses '192.168.29.1/24'

config wireguard_wg0 'wgclient'
        option public_key 'xxx='
        option preshared_key 'xxx='
        list allowed_ips '192.168.29.0/24'

#### /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option domain 'goi'
        option local '/goi/'
        list server '1.1.1.1'
        list server '1.0.0.1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

#### /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wg'
        option input 'ACCEPT'
        option output 'ACCEPT'
        list network 'wg0'
        option forward 'ACCEPT'
        option masq '1'

config forwarding
        option src 'wg'
        option dest 'lan'

Many thanks in advance, and have happy days.

Set masquerade on the destination zone, which is LAN. This makes connections coming from a road warrior at 192.168.29.X appear to come from 192.168.1.67, which the rest of your LAN network understands.

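The reason the masquerade belongs on the destination zone: in the OpenWrt firewall, a zone's `masq` option rewrites the source address of packets leaving through that zone's interfaces, so to make tunnel traffic appear as 192.168.1.67 on the LAN it has to be set on `lan`, not on `wg`. Without it the NAS answers 192.168.29.2 directly, has no route for that prefix, and hands the reply to the ISP router, which cannot know about the tunnel either. The model below is an added example, not code from the thread or from OpenWrt; the node names, the NAS at 192.168.1.50 and the upstream address 203.0.113.1 are constructed for this illustration, and the SNAT/conntrack behaviour is a simplification of what the kernel does.

```python
"""Packet-path model: why masquerading on the lan zone makes the reply come back (added example)."""
import ipaddress

IP, NET = ipaddress.ip_address, ipaddress.ip_network

# Constructed topology using the thread's addresses. Routes: (prefix, next hop or None if
# directly attached, egress interface). The NAS and the 203.0.113.1 upstream are assumptions.
NODES = {
    "laptop": {  # road warrior, tunnel address 192.168.29.2, home LAN routed into the tunnel
        "addrs": {IP("192.168.29.2")},
        "routes": [(NET("192.168.29.0/24"), None, "wg"), (NET("192.168.1.0/24"), IP("192.168.29.1"), "wg")],
    },
    "owrt": {  # OpenWrt WireGuard endpoint, a plain LAN device with wg0
        "addrs": {IP("192.168.1.67"), IP("192.168.29.1")},
        "routes": [(NET("192.168.29.0/24"), None, "wg0"), (NET("192.168.1.0/24"), None, "br-lan"),
                   (NET("0.0.0.0/0"), IP("192.168.1.1"), "br-lan")],
    },
    "nas": {  # ordinary LAN host; knows nothing about 192.168.29.0/24
        "addrs": {IP("192.168.1.50")},
        "routes": [(NET("192.168.1.0/24"), None, "eth0"), (NET("0.0.0.0/0"), IP("192.168.1.1"), "eth0")],
    },
    "isp_router": {  # main router; no admin access, so no static route for the tunnel
        "addrs": {IP("192.168.1.1")},
        "routes": [(NET("192.168.1.0/24"), None, "lan"), (NET("0.0.0.0/0"), IP("203.0.113.1"), "wan")],
    },
}
OWRT_LAN_IP = IP("192.168.1.67")


def lookup(node, dst):
    """Longest-prefix match on a node's routing table; None when nothing matches."""
    matches = [r for r in NODES[node]["routes"] if dst in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def owner(ip):
    """Which node holds an address (None for anything outside the model, i.e. the Internet)."""
    return next((n for n, d in NODES.items() if ip in d["addrs"]), None)


def forward(start, src, dst, masq_on_lan, conntrack):
    """Walk one packet through the model. Returns (path, final src, final dst, delivered-to node)."""
    node, path = start, [start]
    for _ in range(8):
        if dst in NODES[node]["addrs"]:
            # A reply to the masqueraded address: undo the translation and keep forwarding.
            if node == "owrt" and dst == OWRT_LAN_IP and src in conntrack:
                dst = conntrack.pop(src)
            else:
                return path, src, dst, node
        route = lookup(node, dst)
        if route is None:
            return path + ["no route"], src, dst, None
        _, gw, iface = route
        if node == "owrt" and iface == "br-lan" and masq_on_lan and src not in NODES[node]["addrs"]:
            conntrack[dst] = src  # remember the original source so the reply can be un-NATed
            src = OWRT_LAN_IP     # zone masq: SNAT to the address of the egress (lan) interface
        nxt = owner(gw if gw is not None else dst)
        if nxt is None:
            return path + [f"{iface} -> Internet (lost)"], src, dst, None
        node = nxt
        path.append(node)
    return path + ["ttl exceeded"], src, dst, None


def roundtrip(masq_on_lan):
    """Laptop sends to the NAS and the NAS replies; report both paths and where the reply ends."""
    conntrack = {}
    req_path, req_src, req_dst, at = forward("laptop", IP("192.168.29.2"), IP("192.168.1.50"),
                                             masq_on_lan, conntrack)
    if at != "nas":
        return {"request": req_path, "reply": [], "reply_delivered_to": None, "reply_dst": None}
    rep_path, _, rep_dst, at = forward("nas", req_dst, req_src, masq_on_lan, conntrack)
    return {"request": req_path, "reply": rep_path, "reply_delivered_to": at, "reply_dst": str(rep_dst)}


if __name__ == "__main__":
    for masq in (False, True):
        print("masq on lan zone:", masq, roundtrip(masq))
```

With `masq_on_lan=False` the request reaches the NAS with source 192.168.29.2 and the reply travels nas -> isp_router -> Internet and is lost; with `masq_on_lan=True` the NAS sees 192.168.1.67, answers it directly, and the OpenWrt box un-NATs the reply back to 192.168.29.2 over wg0. Adding a static route for 192.168.29.0/24 on the ISP router (the other option discussed above) would make the first path work without NAT, which is exactly what the locked-down router prevents.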

mk24, that is the solution!

It started working as expected right after setting masquerading on the lan zone.

I have to say that in my mind masquerading should be enabled from wg->lan, but it is working as you said.

Thank you, and thanks to psherman too. My best wishes for the new year.
