[Wireguard] How to configure the firewall to access LAN devices?

Can you help me configure my firewall to access LAN devices through the WireGuard VPN, please?
I have installed the WireGuard server on my router running OpenWrt 23.05. When I connect with my WireGuard client through the WAN interface, I can only reach LAN devices if I enable `option masq '1'` in `config zone 'lan'`. But if I forget to disable it afterwards and it stays enabled, my WireGuard client can no longer connect to the router. It is very annoying to have to enable "Masquerading" on the LAN zone every time I want to reach LAN devices through the VPN, and then remember to disable it again.

Another, less important problem: I can't connect to the WireGuard server from another LAN that also uses the 192.168.1.0/24 range; I have to use mobile data to reach it. I suppose this is due to a conflict between the two local IP ranges, isn't it? Is it possible to modify the WireGuard config so that I can connect from another network with the same local IP range? Thanks.

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd66:1645:185b::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.10'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list dns '8.8.8.8'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5t'

config interface 'wan'
	option proto '3g'
	option device '/dev/ttyUSB0'
	option service 'umts'
	option apn 'myApn'

config interface 'WireGuard'
	option proto 'wireguard'
	option private_key 'XX'
	option listen_port '51234'
	list addresses '10.0.0.1/24'
	list addresses 'fd00:2::1/64'
	option defaultroute '0'

config wireguard_WireGuard 'wgclient'
	option public_key 'VV'
	option preshared_key 'YY'
	option private_key 'XX'
	option persistent_keepalive '25'
	option route_allowed_ips '1'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'

cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	--***option masq '1'***--

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	option masq '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
 	option dest_port '51234'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'VPN'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	list network 'WireGuard'

config forwarding
	option src 'lan'
	option dest 'VPN'

config forwarding
	option src 'VPN'
	option dest 'wan'

config forwarding
	option src 'VPN'
	option dest 'lan'

Remove the last line (defaultroute) from below:

Change the allowed IPs to a /32 in the same subnet as the main wg interface. For example: 10.0.0.2/32. Remove the IPv6 allowed IPs.

Delete the masquerading line:

And remove masquerading from here, too:

Now, let's look at your remote peer's config.


My remote peer's config

[Interface]
PrivateKey = XX
Address = 0.0.0.0/0, ::/0
# ListenPort not defined
DNS = 192.168.1.10

[Peer]
PublicKey = XX
PresharedKey = XX
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = myendpoint.com
PersistentKeepAlive = 25

The address should match the peer allowed_ips that I said needed to change above. Therefore, this should probably be 10.0.0.2 (in this case you can make it a /24):

Reboot both devices after making the changes and test again. If it doesn't work, post the latest configs from both sides.

If I'm not mistaken, they should look like this — are they right?

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd66:1645:185b::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.10'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list dns '8.8.8.8'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5t'

config interface 'wan'
	option proto '3g'
	option device '/dev/ttyUSB0'
	option service 'umts'
	option apn 'myApn'

config interface 'WireGuard'
	option proto 'wireguard'
	option private_key 'XX'
	option listen_port '51234'
	list addresses '10.0.0.1/24'

config wireguard_WireGuard 'wgclient'
	option public_key 'VV'
	option preshared_key 'YY'
	option private_key 'XX'
	option persistent_keepalive '25'
	option route_allowed_ips '1'
	list allowed_ips '10.0.0.2/32'

cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	option masq '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
 	option dest_port '51234'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'VPN'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'WireGuard'

config forwarding
	option src 'lan'
	option dest 'VPN'

config forwarding
	option src 'VPN'
	option dest 'wan'

config forwarding
	option src 'VPN'
	option dest 'lan'

Remote peer's config

[Interface]
PrivateKey = XX
Address = 10.0.0.2/24
# ListenPort not defined
DNS = 192.168.1.10

[Peer]
PublicKey = XX
PresharedKey = XX
AllowedIPs = 10.0.0.2/24
Endpoint = myendpoint.com
PersistentKeepAlive = 25

You need a port number here:

Endpoint = myendpoint.com:51234

Try again after adjusting that. If it doesn't work, let's see the following from your router:

wg show

To add: on the remote peer you already had `AllowedIPs = 0.0.0.0/0`, which was correct, so change that back.


Config saved, and devices rebooted.
I can connect to the WireGuard server, but I still cannot reach the LAN device 192.168.1.38.

wg show

interface: WireGuard
  public key: XX
  private key: (hidden)
  listening port: 51234

peer: YY
  preshared key: (hidden)
  endpoint: 33.44.55.66:7777
  allowed ips: 10.0.0.2/32
  latest handshake: 1 minute, 33 seconds ago
  transfer: 247.05 KiB received, 642.23 KiB sent
  persistent keepalive: every 25 seconds

You've got a handshake, so that's good.

What OS is on this host? If it is Windows, it is likely blocking connection requests from other subnets. You need to adjust the Windows firewall to allow it (you can completely disable it for a quick test).

It is a CCTV system, so it doesn't have a firewall.

Also, I don't have internet access on my WireGuard client: for example, I can't reach Google while I am connected to the VPN.

Does the CCTV system have the ability to cross subnets? If the IP address was set manually, make sure it has a gateway and subnet mask. Some CCTV and other IoT devices don't work across subnets, too. That would also explain why masquerading on the lan zone makes it work: the CCTV then sees the traffic as coming from the router's own LAN address and never has to send replies back to 10.0.0.0/24 via a gateway.

Also, how are you accessing it? Is it via an app? A web browser? Something else?

Ok... What is this:

Is it a pihole? If so, you have to set it to "permit all origins" in the DNS settings, otherwise it will only work on its local subnet.

Sorry, 192.168.1.10 is my OpenWrt router with the WireGuard server, not 192.168.1.1; I have corrected it in my posts.

The CCTV has the manual IP 192.168.1.38/24.
I try to connect to the CCTV via the app and via the web, but I can't get past the router (192.168.1.10), and I can't ping it either.
Only if I go back and enable `option masq '1'` in `config zone 'lan'` can I access the LAN devices.

Ok... are you still having issues with internet access?

If so, try using a public DNS like 8.8.8.8

Does it have the gateway specified?

What do you mean by this? How exactly are you testing?

I have disconnected and connected to the VPN, and now I have internet access in my Wireguard Client.

Yes, it has the gateway 192.168.1.10.

I have the XMeye app on my WireGuard client device, which I am using to try to connect to the CCTV. I am also trying to reach it over the web with the browser on the same device. Neither method connects to the CCTV; it seems that the WireGuard client can't reach the LAN 192.168.1.0/24, only 10.0.0.0/24.

Why can I access the LAN devices only when I enable `option masq '1'` in `config zone 'lan'`?

Let's see the latest configs (network and firewall files from OpenWrt, WG configuration from your remote peer).

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd66:1645:185b::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.10'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list dns '8.8.8.8'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5t'

config interface 'wan'
	option proto '3g'
	option device '/dev/ttyUSB0'
	option service 'umts'
	option apn 'myApn'

config interface 'WireGuard'
	option proto 'wireguard'
	option private_key 'XX'
	option listen_port '51234'
	list addresses '10.0.0.1/24'

config wireguard_WireGuard 'wgclient'
	option public_key 'VV'
	option preshared_key 'YY'
	option private_key 'XX'
	option persistent_keepalive '25'
	option route_allowed_ips '1'
	list allowed_ips '10.0.0.2/32'

cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	option masq '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
 	option dest_port '51234'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'VPN'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'WireGuard'

config forwarding
	option src 'lan'
	option dest 'VPN'

config forwarding
	option src 'VPN'
	option dest 'wan'

config forwarding
	option src 'VPN'
	option dest 'lan'

Remote peer's config

[Interface]
PrivateKey = XX
Address = 10.0.0.2/24
# ListenPort not defined
DNS = 192.168.1.10

[Peer]
PublicKey = XX
PresharedKey = XX
AllowedIPs = 0.0.0.0/0
Endpoint = myendpoint.com:51234
PersistentKeepAlive = 25

Everything looks fine.

One really important aspect -- is this the primary router for your network?

Yes, it is the only one.

Do you have another lan device that you can test with? Try connecting from your remote peer to another device -- ideally a linux or mac system.

No, it is the only device in the LAN :pensive:

I will look for another device.