WireGuard, Firewall Configuration

That's not necessary. Just add the WireGuard interface to the existing LAN zone.


So just bridge it to LAN? All traffic will be routed over that, not WAN?

Thanks!

Bridging usually refers to interfaces. They will all remain separate, but by putting the LAN and WG interfaces in the same firewall zone (the existing lan zone) traffic will be able to pass back and forth between the two networks. Assuming the openwrt device has 0.0.0.0/0 as the allowed IPs then all the traffic will get routed out through the WG interface.


Meaning on the WG interface, right?

Will give that a try, thanks!

Yes, you want it in the wireguard peer config.


I think it's working! Thanks so much. I admit, still not sure why the traffic goes over WG, vs. the WAN ... assuming that's routing table related somehow - I'm just not sure why WG takes priority (over the WAN). Sometime, if you have nothing better to do, I'd be curious why that's the case (but don't want to waste your time). I 100% know that's me just being a dough-head.

Thanks so much, I owe you a beverage of your liking.

Execute route and check the metric value; that may answer your question.

Yep, had checked that (all metrics are 0) - but to my surprise, the Genmask for WAN is quite "restrictive" ... so not matching in general. Not sure if WG makes that happen or not.

Thanks!

Ah, my bad (haven't used WG for anything that is not site to site). So yes, WG doesn't use a metric change but ip rules.


Makes sense, thanks! OK, one "small" problem it seems ... wired is fine, but WiFi not going over WG (actually, no internet at all). Very odd.

Moreover, this is not correct in the general case, which may include routes like 0.0.0.0/1 + 128.0.0.0/1 and routing rules.
The proper method to test routing is ip route get or tools like traceroute, tracepath, mtr, etc.

This depends on the client implementation and its configuration.
WireGuard configured with netifd doesn't create any IP rules on OpenWrt by default.
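Added example (not code from anyone in this thread): a small emulation of what ip route get does, so the two points above can be seen side by side. It walks ip rules in priority order, then does longest-prefix matching inside the selected table, which is why a 0.0.0.0/1 + 128.0.0.0/1 pair beats a 0.0.0.0/0 WAN default even at metric 0, and why a rule can steer one subnet into its own table while the main table still says WAN. All rule priorities, table names, interface names and addresses are constructed placeholders.

```python
"""Emulate `ip route get`: policy rules first, then longest-prefix match.

Added example, not from the thread. The rule/table contents below are
constructed to mirror the two situations the thread describes: a pair of
0.0.0.0/1 + 128.0.0.0/1 routes overriding the WAN default at equal metric,
and an ip rule steering one subnet into its own table. All interface
names, addresses and table ids are hypothetical.
"""
import ipaddress

# (priority, source selector or None for "from all", table name)
RULES_WG_QUICK = [(0, None, "local"), (32766, None, "main"), (32767, None, "default")]

# table -> list of (prefix, gateway or None, device, metric)
TABLES_WG_QUICK = {
    "local": [],
    "main": [
        ("0.0.0.0/0", "192.0.2.1", "eth0.2", 0),       # WAN default, metric 0
        ("0.0.0.0/1", None, "wg0", 0),                 # first half of IPv4 space -> tunnel
        ("128.0.0.0/1", None, "wg0", 0),               # second half -> tunnel
        ("192.0.2.0/24", None, "eth0.2", 0),           # WAN link subnet
        ("192.168.1.0/24", None, "br-lan", 0),         # local LAN
        ("203.0.113.5/32", "192.0.2.1", "eth0.2", 0),  # peer endpoint pinned to WAN
    ],
    "default": [],
}

# Policy-routing variant: only LAN clients are pushed through the tunnel.
RULES_POLICY = [(0, None, "local"), (100, "192.168.1.0/24", "wg_table"),
                (32766, None, "main"), (32767, None, "default")]
TABLES_POLICY = {
    "local": [],
    "wg_table": [("0.0.0.0/0", None, "wg0", 0)],
    "main": [
        ("0.0.0.0/0", "192.0.2.1", "eth0.2", 0),
        ("192.0.2.0/24", None, "eth0.2", 0),
        ("192.168.1.0/24", None, "br-lan", 0),
    ],
    "default": [],
}


def route_get(dst, rules, tables, src=None):
    """Return the route a packet to `dst` (optionally from `src`) would take.

    Walks the rules in ascending priority; a rule with a source selector only
    applies when `src` falls inside it. Within the chosen table the longest
    prefix wins, and among equal prefixes the lowest metric. A table without a
    matching route falls through to the next rule, as the kernel does.
    """
    dst_ip = ipaddress.ip_address(dst)
    src_ip = ipaddress.ip_address(src) if src else None
    for _prio, selector, table in sorted(rules, key=lambda r: r[0]):
        if selector is not None:
            if src_ip is None or src_ip not in ipaddress.ip_network(selector):
                continue
        best = None
        for prefix, via, dev, metric in tables.get(table, []):
            net = ipaddress.ip_network(prefix)
            if dst_ip not in net:
                continue
            rank = (net.prefixlen, -metric)
            if best is None or rank > best[0]:
                best = (rank, {"prefix": prefix, "via": via, "dev": dev, "table": table})
        if best is not None:
            return best[1]
    return None


def describe(dst, rules, tables, src=None):
    """Render the lookup result in the style of `ip route get` output."""
    r = route_get(dst, rules, tables, src)
    if r is None:
        return f"{dst} unreachable"
    via = f" via {r['via']}" if r["via"] else ""
    return f"{dst}{via} dev {r['dev']} table {r['table']} (matched {r['prefix']})"


if __name__ == "__main__":
    for d in ("8.8.8.8", "203.0.113.5", "192.168.1.20"):
        print(describe(d, RULES_WG_QUICK, TABLES_WG_QUICK))
    print(describe("8.8.8.8", RULES_POLICY, TABLES_POLICY, src="192.168.1.20"))
    print(describe("8.8.8.8", RULES_POLICY, TABLES_POLICY, src="192.0.2.10"))
```

The first table set shows why "all metrics are 0" is not a contradiction: metric only breaks ties between equal prefixes, and /1 is longer than /0. The /32 for the peer endpoint is what keeps the tunnel's own UDP packets on the WAN. The second set shows the ip rule case, where the answer for 8.8.8.8 depends on the source address, which is exactly what route and plain ip route show cannot tell you and ip route get can.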


Thanks for the pointers! I think my issue is DHCP related (did some more digging). I say that because I had been using traceroute (and ping, etc.) ... no issue with access from the router itself (ssh'd in), but from a WiFi connected device => no internet access. Poking around, it seems like perhaps DHCP is not setting (and sending) the gateway correctly? I need to get access to the WiFi device, but that's waiting on time zones ... LOL!

Is it normally the case that DHCP (Option 3?) needs to be set if WG is used (routing all traffic)? And I'm still a bit confused - what to set as the gateway address? The local WG IP address, or the peer (other end of the link)? Or something else?

Thanks!

Add the client side subnet to the allowed IPs on the server.

Make sure I understand. So not related to any WG addresses, rather the IP (range) the DHCP server is providing (locally, to WiFi connected devices) ... right?

No changes needed to WG on the "client" (OpenWrt) side, given the 0.0.0.0/0 entry ... agreed?

Thanks!


FYI, this sort of works (but may be me!). Seems like devices on the OpenWrt (DHCP) subnet can get to remote machines, but not out the remote end to the internet (i.e. redirecting all traffic). Thinking on the "server" end I need to also add 0.0.0.0/0 ... would that make sense?

No, only the peer's IP and the client side subnet.
But make sure the server has a route to the client side subnet via the peer's IP.
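Added example (not code from anyone in this thread, nor from the WireGuard project): a model of WireGuard's cryptokey routing on the "server" side, to show why the client side subnet has to be in the server's AllowedIPs and why the server also needs a kernel route for it. Outbound, a packet goes to the peer whose AllowedIPs contains the longest prefix covering the destination; inbound, a decrypted packet is kept only if its source address is inside the sending peer's AllowedIPs. Peer names, tunnel addresses and subnets are constructed placeholders.

```python
"""Cryptokey-routing check for a WireGuard hub ("server") and an OpenWrt site peer.

Added example, not from the thread or the WireGuard project. It models the
AllowedIPs rule the thread arrives at: the server's entry for the OpenWrt
peer must list that peer's tunnel address and the LAN behind it. Without
the LAN prefix, packets from LAN devices are dropped on arrival at the
server and replies have no peer to be sent to. Peer names, addresses and
subnets are constructed placeholders.
"""
import ipaddress


def _nets(prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]


def select_peer(peers, dst):
    """Outbound: peer whose AllowedIPs has the longest prefix covering dst, else None."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for name, allowed in peers.items():
        for net in _nets(allowed):
            if dst_ip in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, name)
    return best[1] if best else None


def accept_inbound(peers, peer, src):
    """Inbound: a decrypted packet from `peer` is kept only if src is in that peer's AllowedIPs."""
    src_ip = ipaddress.ip_address(src)
    return any(src_ip in net for net in _nets(peers.get(peer, [])))


def kernel_routes_to_wg(routes_via_wg, dst):
    """The server's own routing table must hand the reply to the wg interface at all."""
    dst_ip = ipaddress.ip_address(dst)
    return any(dst_ip in net for net in _nets(routes_via_wg))


# Server before the fix: only the site's tunnel address, and a route for the tunnel subnet.
SERVER_BEFORE = {"openwrt-site": ["10.0.0.2/32"], "iphone": ["10.0.0.3/32"]}
ROUTES_BEFORE = ["10.0.0.0/24"]
# Server after the fix: tunnel address plus the site LAN, and a route for that LAN via wg.
SERVER_AFTER = {"openwrt-site": ["10.0.0.2/32", "192.168.1.0/24"], "iphone": ["10.0.0.3/32"]}
ROUTES_AFTER = ["10.0.0.0/24", "192.168.1.0/24"]
# Client (OpenWrt) side: the server peer carries everything, as in the thread.
CLIENT = {"server": ["0.0.0.0/0"]}


def site_lan_to_internet(server_peers, server_routes, lan_host="192.168.1.20", target="8.8.8.8"):
    """Follow one LAN device's packet to the server and the reply back; return each verdict."""
    client_peer = select_peer(CLIENT, target)                        # OpenWrt -> server
    accepted = client_peer == "server" and accept_inbound(server_peers, "openwrt-site", lan_host)
    routed_back = accepted and kernel_routes_to_wg(server_routes, lan_host)
    reply_peer = select_peer(server_peers, lan_host) if routed_back else None
    return {"client_peer": client_peer, "server_accepts": accepted,
            "server_routes_back": routed_back, "reply_peer": reply_peer}


if __name__ == "__main__":
    print("before:", site_lan_to_internet(SERVER_BEFORE, ROUTES_BEFORE))
    print("after: ", site_lan_to_internet(SERVER_AFTER, ROUTES_AFTER))
    # The iPhone case works either way: its packets carry its own tunnel address.
    print("iphone accepted:", accept_inbound(SERVER_BEFORE, "iphone", "10.0.0.3"))
```

Two things fall out of the model. First, the phone works without any extra AllowedIPs because the only source address it ever sends is its own tunnel address, which is already listed; a router forwarding a whole LAN is different. Second, putting 0.0.0.0/0 on the server's entry for the site would make the server send all of its own unmatched traffic into that tunnel, since the longest matching prefix picks the peer, which is why the answer above is only the peer's IP and the client side subnet.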

It does! And the client can get to machines on the server subnet - just not to the internet. Hmmm.

Thanks!

FYI, have a similar setup for another client (iPhone), and that one does get out. Not sure why the difference.


Since the original issue has been solved, it's best to open a new thread with detailed diagnostics from both server and client:

ip address show; ip route show table all; ip rule show; iptables-save; wg show

Very good point, will do. Thanks!

