Wireguard connects, but no traffic goes anywhere (firewall/NAT problem)

Hi, I'm stuck trying to get what is essentially a road warrior setup working. The wireguard link connects, but traffic won't go anywhere.

I have OpenWRT at home. I want to connect to it while away using a GL.iNet AR300M16 mini router (currently has stock firmware) and send all traffic through the wireguard tunnel to appear like it's part of the LAN at home, with access to the internet from there.

I ran the commands on OpenWRT server setup: https://openwrt.org/docs/guide-user/services/vpn/wireguard/server
And got the GL.iNet set up as a client after a lot of mucking about with this config, it connects successfully:
[Interface]
Address = 192.168.9.1/24
PrivateKey = NOT-REALlkhslkjsfljkhgkjhgdgddd=
DNS = 192.168.1.1
MTU = 1420

[Peer]
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 123.123.123.123:51820
PersistentKeepalive = 25
PublicKey = not-realNOT-REAL-notrealkjhlkjh=
PresharedKey = AlsoNOTREALlkhasdlkjhaslkjh=

And I can ping 192.168.9.1 which is the wireguard link. But anything else fails with no route to host.

The client GL.iNet AR300M16 luci firewall looks like this, I haven't made any changes:

And the OpenWRT at home looks like this. I tried to mirror the lan -> wan settings: [had to remove the picture due to new user limits]

Any ideas how to fix the routing/firewall? I tried making the VPN interface part of LAN routing group but that didn't work either.
Thanks!

This is home OpenWRT routing zones:

If you're running a forked OpenWrt on your router, you should probably ask on the manufacturer's forums, as we don't know what kind of changes were made to the firmware, kernel or Wireguard.

The config that you provided looks like a wg-quick one and not what OpenWrt uses for Wireguard.


I think I'll flash the GL.iNet with OpenWRT since it's supported and will make this easier!

I would indeed do that.

I have some notes on how to set up WireGuard, maybe they are helpful, but the wiki you followed should also do, see:


Thanks egc. That guide is good. I think I was missing the "Now the most important part which is often overlooked: Route Allowed IPs: Enable (tick)" in the wireguard peers section.

Is there an easy way to turn off the VPN when not required? Disable it and change the firewall rules I guess?

Great you solved it :)

You can simply disable the interface.
But you have to restart the network to get the default route back:
service network restart

One way to solve the necessity for a network restart is to use as Allowed IPs instead of 0.0.0.0/0:

0.0.0.0/1
128.0.0.0/1

This assumes you did not implement the killswitch; if you did, then you have to allow forward from lan to wan again.

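The routing effect behind the reply above, as an added example that is not part of the thread: a simplified longest-prefix-match model of the client's routing table, comparing AllowedIPs 0.0.0.0/0 with 0.0.0.0/1 plus 128.0.0.0/1 when the tunnel goes up and then down. The interface names, the probe addresses and the host route for the endpoint are assumptions of this model.

```python
import ipaddress

ENDPOINT = "123.123.123.123"              # Endpoint from the config in the first post
PROBES = ("10.20.30.40", "198.51.100.7")  # constructed destinations, one per /1 half

def install(table, prefix, dev):
    """Add a route; a route with the same prefix replaces the existing one."""
    table[ipaddress.ip_network(prefix)] = dev

def remove_dev(table, dev):
    """Drop every route through dev, as when the interface is disabled."""
    for net in [n for n, d in table.items() if d == dev]:
        del table[net]

def lookup(table, dst):
    """Longest-prefix match; None models 'no route to host'."""
    addr = ipaddress.ip_address(dst)
    matches = [n for n in table if addr in n]
    return table[max(matches, key=lambda n: n.prefixlen)] if matches else None

def simulate(allowed_ips):
    """Return (routes while wg0 is up, routes after wg0 is disabled)."""
    table = {}
    install(table, "0.0.0.0/0", "wan")        # original default route
    install(table, ENDPOINT + "/32", "wan")   # assumed: tunnel packets stay on wan
    for prefix in allowed_ips:                # what "Route Allowed IPs" installs
        install(table, prefix, "wg0")
    targets = PROBES + (ENDPOINT,)
    up = {t: lookup(table, t) for t in targets}
    remove_dev(table, "wg0")
    down = {t: lookup(table, t) for t in targets}
    return up, down

if __name__ == "__main__":
    for name, ips in (("full", ["0.0.0.0/0"]),
                      ("split", ["0.0.0.0/1", "128.0.0.0/1"])):
        up, down = simulate(ips)
        print(name, "up:", up)
        print(name, "down:", down)
```

In this model the 0.0.0.0/0 route overwrites the WAN default, so nothing is left when wg0 goes away, while the two /1 routes only outrank the default and leave it in place.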

Cool, I'll try that.
Yeah, no kill switch. I essentially want to access normal services (work email, abc iview etc) which are geoblocked while I'm away overseas. Wireguard is very fast, but my home network upload speed is only 10MBit which is a little slow for full time use.

