WireGuard handshakes but no access to IPs behind

I'm trying to get a VPN working (Android -> OpenWrt). The handshake is OK, but I cannot access any IPs behind it. 10.10.0.0/16 is my internal net. The wg interface on Android has 10.10.0.111/32; wgvpn is in zone lan to keep it simple.

root@wlanrouter:/etc/config# wg show
interface: wgvpn
  public key: HW1urKqVAAFF4S6dqdndVfmbghWYFSOHgpmeuGqvSls=
  private key: (hidden)
  listening port: 4444

peer: v3qMk12k5uKfgYHlY580cQK48SOlrg2HWwNjL5L3nAE=
  preshared key: (hidden)
  endpoint: <public-ip>:26464
  allowed ips: 10.10.0.0/16
  latest handshake: 11 minutes, 2 seconds ago
  transfer: 2.26 KiB received, 376 B sent

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wgvpn'

On Android I can ping 8.8.8.8 but no IPs in 10.10.0.0/16. I'm stuck; any hints where to look?

You need to use a different subnet for the wireguard devices.

2 Likes

Try changing the allowed IPs of your peer config on the router to 10.10.0.111/32 instead of 10.10.0.0/16 (and reboot).
The 10.10.0.0/16 entry should be configured on your Android (or, if all the traffic should run over your VPN, then 0.0.0.0/0).

WG is a layer 3 protocol, and the subnet used on the WG interface cannot overlap with the LAN interface of the router.

1 Like

Thanks to all, I got it working; I should have taken a look at the routing table.

Setting the client IP to 10.10.0.111/32, allowed_ips to 10.10.0.111/32 and route_allowed_ips=1 works. Using subnet 10.10.3.0/24 or 192.168.0.0/24 for the client and allowed_ips works too, but I have to set route_allowed_ips=1 to get the return packets routed back to the VPN interface.
route_allowed_ips is labeled as optional; how should it work without enabling this option?

OK, if you give the interface an IP you get a route and don't need route_allowed_ips=1.
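What the two answers and the final post describe, as an added Python model (example code, not from the thread and not OpenWrt's or WireGuard's own code): a longest-prefix-match lookup standing in for the router's kernel route table, next to an AllowedIPs lookup standing in for WireGuard's cryptokey routing. The device names br-lan and wan, the LAN host 10.10.0.5, and the 192.168.0.0/24 tunnel subnet used in the last scenario are assumed for illustration; the 10.10.0.0/16 LAN and the 10.10.0.111/32 client come from the thread.

```python
"""Why a /32 AllowedIPs on the router plus a /16 on the client works.

Added example, not from the thread. Device names, the LAN host 10.10.0.5 and
the 192.168.0.0/24 tunnel subnet are assumptions for illustration.
"""
from ipaddress import ip_address, ip_network

LAN = ip_network("10.10.0.0/16")        # router's LAN, from the thread
CLIENT = ip_network("10.10.0.111/32")   # Android wg address, from the thread


def next_hop(routes, dst):
    """Kernel-style longest-prefix match over (prefix, device) pairs.

    Returns every device holding a most-specific match. More than one entry
    means two equal-length routes compete for the destination, which is the
    situation a /16 AllowedIPs turned into a route creates on a router whose
    LAN is that same /16.
    """
    dst = ip_address(dst)
    best_len, best = -1, []
    for prefix, dev in routes:
        if dst not in prefix:
            continue
        if prefix.prefixlen > best_len:
            best_len, best = prefix.prefixlen, [dev]
        elif prefix.prefixlen == best_len:
            best.append(dev)
    return best


def wg_peer_for(peers, dst):
    """WireGuard cryptokey routing: the one peer whose AllowedIPs contain dst
    (longest prefix wins). No match means WireGuard drops the packet, so a
    client peer entry lacking 10.10.0.0/16 never sends LAN traffic at all."""
    dst = ip_address(dst)
    best_name, best_len = None, -1
    for name, allowed in peers.items():
        for prefix in allowed:
            if dst in prefix and prefix.prefixlen > best_len:
                best_name, best_len = name, prefix.prefixlen
    return best_name


def router_routes(peer_allowed, route_allowed_ips, iface_addr=None):
    """Build the router's route table for one peer configuration.

    route_allowed_ips=1 adds each AllowedIPs prefix as a route via wgvpn;
    an address on wgvpn adds the connected route for its subnet.
    """
    routes = [(ip_network("0.0.0.0/0"), "wan"), (LAN, "br-lan")]
    if route_allowed_ips:
        routes += [(p, "wgvpn") for p in peer_allowed]
    if iface_addr is not None:
        routes.append((ip_network(iface_addr, strict=False), "wgvpn"))
    return routes


# Scenario from the original post: peer AllowedIPs 10.10.0.0/16, no address
# on wgvpn, and no route for it. Replies to the client are sent out br-lan.
def scenario_original():
    return router_routes([LAN], route_allowed_ips=False)


# Same AllowedIPs but routed: a second 10.10.0.0/16 now competes with br-lan.
def scenario_original_routed():
    return router_routes([LAN], route_allowed_ips=True)


# The fix from the second answer: /32 for the client, routed via wgvpn.
def scenario_fixed():
    return router_routes([CLIENT], route_allowed_ips=True)


# The last post: an address on the interface yields the route by itself,
# without route_allowed_ips (assumed subnet 192.168.0.0/24, outside the LAN).
def scenario_interface_addr():
    return router_routes([ip_network("192.168.0.111/32")],
                         route_allowed_ips=False, iface_addr="192.168.0.1/24")


# Android side: what the router peer's AllowedIPs must contain.
CLIENT_PEERS_OK = {"router": [LAN]}                          # LAN reachable
CLIENT_PEERS_ALL = {"router": [ip_network("0.0.0.0/0")]}     # everything
CLIENT_PEERS_BAD = {"router": [ip_network("10.10.0.1/32")]}  # router only


if __name__ == "__main__":
    for name, table in [("original", scenario_original()),
                        ("original+route", scenario_original_routed()),
                        ("fixed", scenario_fixed()),
                        ("iface addr", scenario_interface_addr())]:
        dst = "192.168.0.111" if name == "iface addr" else "10.10.0.111"
        print(f"{name:15} reply to {dst:15} -> {next_hop(table, dst)}; "
              f"10.10.0.5 -> {next_hop(table, '10.10.0.5')}")
    for label, peers in [("ok", CLIENT_PEERS_OK), ("bad", CLIENT_PEERS_BAD)]:
        print(f"client peers {label}: 10.10.0.5 -> {wg_peer_for(peers, '10.10.0.5')}")
```

The practical check behind this model is `ip route get 10.10.0.111` on the router: in the original configuration it resolves to br-lan, so the replies to the Android client are handed to the LAN segment and never reach wgvpn, even though the handshake (which only needs UDP to the endpoint) succeeds.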