Wireguard internal LAN access differs mobile vs laptop

Hi all,
I've run WireGuard successfully on my laptop and Android phone for a year or so now. One thing I've been frustrated with is that my Android phone seems to be able to consistently access resources on my LAN while the laptop does not.

For instance, my Deluge docker container that I use to torrent directly to my NAS is visible over Android using the WireGuard tunnel, and the laptop cannot reach it.

As far as I can tell the two interfaces defined in /etc/config/network are exactly the same. I noted that

config interface 'wg0'

has one line that says

list dns '192.168.1.1'

Maybe that shouldn't be there. If there are any other files worth checking, I'd appreciate the advice. Silly thought, but don't I want WireGuard to be handing out regular DHCP addresses from my address pool instead of 192.168.2.1/32? Is that wrong?

Do you have only one router, which is directly connected to the internet and to which your phone and laptop connect from the internet?

Please connect to your OpenWrt device using ssh, copy the output of the following commands and post it here using the "Preformatted text </>" button:

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
ip route show
ip route show table all
ip rule show
wg show
Both the laptop and phone WG config

Do you have only one router, which is directly connected to the internet and to which your phone and laptop connect from the internet?

Yes, it's an x86 fanless machine, with a separate dumb WAP connected via a PoE switch.
Rest of the wired network is connected via that switch as well.

Sorry for the massive paste. I broke them into sections using the pre markup tags for ease of reading. I assumed it was safe to leave the public key info in my post, correct?

root@OpenWrt_Fitlet:~# ubus call system board
{
	"kernel": "5.4.154",
	"hostname": "OpenWrt_Fitlet",
	"system": "AMD A4 Micro-6400T APU + AMD Radeon R3 Graphics",
	"model": "CompuLab fitlet",
	"board_name": "compulab-fitlet",
	"release": {
		"distribution": "OpenWrt",
		"version": "21.02.1",
		"revision": "r16325-88151b8303",
		"target": "x86/64",
		"description": "OpenWrt 21.02.1 r16325-88151b8303"
	}
}
root@OpenWrt_Fitlet:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	list ports 'eth1'
	list ports 'eth2'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option proto 'dhcp'
	option device 'eth3'
	option peerdns '0'

config interface 'wg0'
	option proto 'wireguard'
	option listen_port '51820'
	list addresses '192.168.2.1/24'
	option private_key 'REDACTED'
	option peerdns '0'
	list dns '192.168.1.1'

config wireguard_wg0
	option description 'REDACTED'
	option public_key 'REDACTED='
	option persistent_keepalive '25'
	list allowed_ips '192.168.2.2/32'
	option route_allowed_ips '1'

config wireguard_wg0
	option description 'REDACTED'
	option public_key 'REDACTED'
	option persistent_keepalive '25'
	option route_allowed_ips '1'
	list allowed_ips '192.168.2.3/32'

config wireguard_wg0
	option description 'LAPTOP'
	option public_key 'MORE_REDACTED'
	list allowed_ips '192.168.2.4/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

config wireguard_wg0
	option description 'PHONE'
	option public_key 'MORE_REDACTED'
	list allowed_ips '192.168.2.5/32'
	option persistent_keepalive '25'
	option route_allowed_ips '1'
root@OpenWrt_Fitlet:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	list local_dns_server '8.8.8.8'
	list server '9.9.9.9'
	list server '9.9.9.10'
	list server '1.1.1.1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	list ra_flags 'none'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option name 'REDACTED'
	option dns '1'
	option mac 'REDACTED'
	option ip '192.168.1.152'
	option leasetime 'infinite'

config host
	option name 'REDACTED'
	option dns '1'
	option mac 'REDACTED'
	option ip '192.168.1.125'
	option leasetime 'infinite'

config host
	option dns '1'
	option mac 'REDACTED'
	option ip '192.168.1.3'
	option leasetime 'infinite'
	option name 'REDACTED'

config host
	option name 'REDACTED'
	option duid 'REDACTED'
	option mac 'REDACTED'

config host
	option name 'REDACTED'
	option duid 'REDACTED'
	option mac 'REDACTED'
	option ip '192.168.1.226'
	option leasetime 'infinite'

config domain
	option name 'REDACTED'
	option ip 'REDACTED'

config domain
	option name 'REDACTED'
	option ip '192.168.1.152'

config domain
	option name 'REDACTED'
	option ip '192.168.1.125'

config host
	option ip '192.168.1.235'
	option mac 'REDACTED'
	option name 'REDACTED'
	option dns '1'
	option leasetime 'infinite'

config domain
	option name 'REDACTED'
	option ip '192.168.1.235'

config dhcp 'wg0'
	option interface 'wg0'
	list ra_flags 'none'

config domain
	option name 'REDACTED'
	option ip '192.168.1.236'

config host
	option name 'REDACTED'
	option dns '1'
	option mac 'REDACTED'
	option ip '192.168.1.236'

config host
	option name 'REDACTED'
	option ip '192.168.1.201'
	option mac 'REDACTED'

config host
	option name 'REDACTED'
	option ip '192.168.1.176'
	option mac 'REDACTED'
root@OpenWrt_Fitlet:~# cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wg0'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config rule
	option name 'allow-ssh-router'
	list proto 'tcp'
	option dest_port '22'
	option target 'ACCEPT'
	option src '*'
	option family 'ipv4'

config redirect
	option target 'DNAT'
	option name 'REDACTED'
	list proto 'tcp'
	option src 'wan'
	option src_dport '80'
	option dest_ip '192.168.1.226'
	option dest_port '80'
	option dest 'lan'

config redirect
	option target 'DNAT'
	option name 'REDACTED'
	list proto 'tcp'
	option src 'wan'
	option src_dport '443'
	option dest 'lan'
	option dest_ip '192.168.1.226'
	option dest_port '443'

config redirect
	option target 'DNAT'
	option name 'REDACTED'
	list proto 'tcp'
	option src 'wan'
	option src_dport '51413'
	option dest_port '51413'
	option dest 'lan'
	option dest_ip '192.168.1.152'

config redirect
	option target 'DNAT'
	option name 'REDACTED'
	list proto 'tcp'
	option src 'wan'
	option src_dport '8096'
	option dest_port '8096'
	option dest_ip '192.168.1.226'
	option dest 'lan'

config redirect
	option target 'DNAT'
	option name 'REDACTED'
	list proto 'tcp'
	option src 'wan'
	option src_dport '8092'
	option dest_port '8092'
	option dest 'lan'
	option dest_ip '192.168.1.226'

config redirect
	option target 'DNAT'
	option src 'wan'
	option src_dport '25565'
	option dest_port '25565'
	option dest 'lan'
	option dest_ip '192.168.1.226'
	option src_ip 'REDACTED'
	list proto 'tcp'
	list proto 'udp'
	option name 'REDACTED'

config redirect
	option target 'DNAT'
	option name 'REDACTED'
	list proto 'tcp'
	option src 'wan'
	option src_dport '21025'
	option dest 'lan'
	option dest_ip '192.168.1.226'
	option dest_port '21025'
	option enabled '0'

config redirect
	option target 'DNAT'
	list proto 'tcp'
	option src 'wan'
	option src_dport '143'
	option dest 'lan'
	option dest_ip '192.168.1.226'
	option name 'REDACTED'
	option dest_port '143'

config redirect
	option target 'DNAT'
	list proto 'tcp'
	option src 'wan'
	option src_dport '993'
	option dest 'lan'
	option dest_ip '192.168.1.226'
	option name 'REDACTED'
	option dest_port '993'

config redirect
	option target 'DNAT'
	option name 'REDACTED'
	list proto 'tcp'
	option src 'wan'
	option src_dport '465'
	option dest 'lan'
	option dest_ip '192.168.1.226'

config redirect
	option target 'DNAT'
	option name 'REDACTED'
	list proto 'tcp'
	option src 'wan'
	option src_dport '587'
	option dest 'lan'
	option dest_ip '192.168.1.226'

config redirect
	option target 'DNAT'
	option name 'REDACTED'
	list proto 'tcp'
	option src 'wan'
	option src_dport '25'
	option dest 'lan'
	option dest_ip '192.168.1.226'

config rule
	option name 'REDACTED'
	option family 'ipv4'
	list proto 'tcp'
	option src '*'
	option dest 'lan'
	list dest_ip '192.168.1.226'
	option dest_port '25'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'REDACTED'
	list proto 'tcp'
	option src 'lan'
	list src_ip '192.168.1.226'
	option dest '*'
	option dest_port '25'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'REDACTED'
	list proto 'tcp'
	option src '*'
	option dest '*'
	option dest_port '25'
	option target 'REJECT'
	option enabled '0'

config zone
	option name 'wg'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option family 'ipv4'

config forwarding
	option src 'wg'
	option dest 'lan'

config forwarding
	option src 'wg'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'wg'

config forwarding
	option src 'wan'
	option dest 'wg'

config rule
	option name 'wan-local-wireguard'
	list proto 'udp'
	option src 'wan'
	option target 'ACCEPT'
	option dest_port '51820'

config redirect
	option target 'DNAT'
	option name 'REDACTED'
	list proto 'udp'
	option src 'wan'
	option src_dport '7777'
	option dest 'lan'
	option dest_ip '192.168.1.226'
	option dest_port '7777'
	option enabled '0'

config redirect
	option target 'DNAT'
	option name 'REDACTED'
	option src 'wan'
	option src_dport '7778'
	option dest 'lan'
	option dest_ip '192.168.1.226'
	option dest_port '7778'
	list proto 'tcp'
	list proto 'udp'
	option enabled '0'

config redirect
	option target 'DNAT'
	option name 'REDACTED'
	option src 'wan'
	option src_dport '27015'
	option dest 'lan'
	option dest_ip '192.168.1.226'
	option dest_port '27015'
	list proto 'tcp'
	list proto 'udp'
	option enabled '0'

config redirect
	option target 'DNAT'
	option name 'REDACTED'
	list proto 'tcp'
	option src 'wan'
	option src_dport '27020'
	option dest 'lan'
	option dest_ip '192.168.1.226'
	option dest_port '27020'
	option enabled '0'

config redirect
	option target 'DNAT'
	option name 'REDACTED'
	list proto 'udp'
	option src 'wan'
	option src_dport '34197'
	option dest 'lan'
	option dest_ip '192.168.1.226'
	option dest_port '34197'

config redirect
	option target 'DNAT'
	option name 'REDACTED'
	option src 'wan'
	option src_dport '25565'
	option dest 'lan'
	option dest_ip '192.168.1.226'
	option dest_port '25565'
	option src_ip '157.157.126.242'

config redirect
	option target 'DNAT'
	option name 'REDACTED'
	option src 'wan'
	option dest 'lan'
	option dest_ip '192.168.1.152'
	option dest_port '8081'
	option src_dport '8081'
	option enabled '0'

config redirect
	option target 'DNAT'
	option name 'deluge'
	option src 'wan'
	option dest 'lan'
	option dest_ip '192.168.1.226'
	option src_dport '50881'
	option dest_port '50881'

config redirect
	option target 'DNAT'
	option name 'REDACTED'
	option src 'wan'
	option src_dport '25565'
	option dest 'lan'
	option src_ip '188.83.242.227'
	option dest_port '25565'
	option dest_ip '192.168.1.226'
root@OpenWrt_Fitlet:~# ip route show
default via REDACTED dev eth3  src REDACTED
REDACTED/24 dev eth3 scope link  src REDACTED
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1 
192.168.2.0/24 dev wg0 scope link  src 192.168.2.1 
192.168.2.2 dev wg0 scope link 
192.168.2.3 dev wg0 scope link 
192.168.2.4 dev wg0 scope link 
192.168.2.5 dev wg0 scope link
root@OpenWrt_Fitlet:~# ip route show table all
default via REDACTED dev eth3  src REDACTED
REDACTED/24 dev eth3 scope link  src REDACTED
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1 
192.168.2.0/24 dev wg0 scope link  src 192.168.2.1 
192.168.2.2 dev wg0 scope link 
192.168.2.3 dev wg0 scope link 
192.168.2.4 dev wg0 scope link 
192.168.2.5 dev wg0 scope link 
broadcast REDACTED dev eth3 table local scope link  src REDACTED
local REDACTED dev eth3 table local scope host  src REDACTED
broadcast REDACTED.255 dev eth3 table local scope link  src REDACTED 
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1 
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1 
broadcast 192.168.1.0 dev br-lan table local scope link  src 192.168.1.1 
local 192.168.1.1 dev br-lan table local scope host  src 192.168.1.1 
broadcast 192.168.1.255 dev br-lan table local scope link  src 192.168.1.1 
broadcast 192.168.2.0 dev wg0 table local scope link  src 192.168.2.1 
local 192.168.2.1 dev wg0 table local scope host  src 192.168.2.1 
broadcast 192.168.2.255 dev wg0 table local scope link  src 192.168.2.1 
fe80::/64 dev eth3  metric 256 
fe80::/64 dev br-lan  metric 256 
local ::1 dev lo table local  metric 0 
anycast fe80:: dev eth3 table local  metric 0 
anycast fe80:: dev br-lan table local  metric 0 
local fe80::201:c0ff:fe18:af41 dev eth3 table local  metric 0 
local fe80::201:c0ff:fe19:6e56 dev br-lan table local  metric 0 
multicast ff00::/8 dev wg0 table local  metric 256 
multicast ff00::/8 dev eth3 table local  metric 256 
multicast ff00::/8 dev br-lan table local  metric 256
root@OpenWrt_Fitlet:~# ip rule show
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default
root@OpenWrt_Fitlet:~# wg show
interface: wg0
  public key: MORE_REDACTED
  private key: (hidden)
  listening port: 51820

peer: MORE_REDACTED
  endpoint: REDACTED:1024
  allowed ips: 192.168.2.4/32
  latest handshake: 8 hours, 55 minutes, 59 seconds ago
  transfer: 5.55 GiB received, 38.25 GiB sent
  persistent keepalive: every 25 seconds

peer: MORE_REDACTED
  endpoint: REDACTED:51820
  allowed ips: 192.168.2.5/32
  latest handshake: 6 days, 7 hours, 53 minutes, 11 seconds ago
  transfer: 190.64 MiB received, 1.03 GiB sent
  persistent keepalive: every 25 seconds

peer: MORE_REDACTED
  allowed ips: 192.168.2.3/32
  persistent keepalive: every 25 seconds

peer: MORE_REDACTED
  allowed ips: 192.168.2.2/32
  persistent keepalive: every 25 seconds
Laptop Config 

user@LAPTOP:$ sudo cat /etc/wireguard/wg0.conf
[Interface]
Address = 192.168.2.4/32
DNS = 192.168.1.1
ListenPort = 51820
PrivateKey = REDACTED

[Peer]
AllowedIPs = 0.0.0.0/0
Endpoint = REDACTED:51820
PersistentKeepalive = 15
PublicKey = MORE_REDACTED
Phone config

user@phone:$ cat openwrt.conf 
[Interface]
Address = 192.168.2.5/32
DNS = 9.9.9.9
ListenPort = 51820
PrivateKey = REDACTED

[Peer]
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = REDACTED:51820
PersistentKeepalive = 25
PublicKey = MORE_REDACTED

Not related to the issue at hand, but 21.02 is EOL; you should upgrade.

I've been having trouble with sysupgrade but that's a topic for another thread.

Better redact your WG keys

Not your main problem, but better to remove list dns '192.168.1.1'

Remove this:

Move the WG interface to its own zone; everything is already in place for that.

So move list network 'wg0' from LAN zone

to wg zone:

If you rely on internal DNS resolution by your clients, make sure you set 192.168.1.1 in both clients' configs.
In /etc/config/dhcp, disable "Local service only": option localservice '0'

Reboot and check again.

When accessing your local network the WG address is used, so your local clients should allow subnet 192.168.2.0/24.
A simple check of whether this is the problem is to enable MASQUERADING on the LAN zone.

Furthermore, you are running a very old and EOL build.
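The zone change suggested above is easy to get half right (wg0 listed in two zones, or in none). The following is an added example, not code from this thread or from OpenWrt: a small parser for the UCI text of /etc/config/firewall that reports which zone(s) a network belongs to, lists the forwardings that touch the intended zone, and prints the `uci` commands that would move the network. The sample config is a constructed excerpt of the firewall posted above (zone and forwarding sections only); the zone indexes it emits (`firewall.@zone[N]`) follow file order, which is how `uci` itself numbers anonymous sections.

```python
"""Audit an OpenWrt firewall config for which zone(s) a network belongs to.

Added example for this thread; it is not OpenWrt code and not something a
poster supplied. It parses the UCI text format of /etc/config/firewall,
reports every zone that lists a given network plus the forwardings that
touch the intended zone, and emits the `uci` commands that would move the
network. SAMPLE_FIREWALL is a constructed excerpt of the config posted above.
"""
import re
from collections import defaultdict

SAMPLE_FIREWALL = """\
config defaults
    option input 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    option forward 'ACCEPT'
    list network 'lan'
    list network 'wg0'

config zone
    option name 'wan'
    option forward 'REJECT'
    option masq '1'
    list network 'wan'

config forwarding
    option src 'lan'
    option dest 'wan'

config zone
    option name 'wg'
    option forward 'REJECT'

config forwarding
    option src 'wg'
    option dest 'lan'

config forwarding
    option src 'wg'
    option dest 'wan'

config forwarding
    option src 'lan'
    option dest 'wg'

config forwarding
    option src 'wan'
    option dest 'wg'
"""

# One UCI line: "config <type> ['name']", "option <key> 'value'" or "list <key> 'value'".
_LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?\s*$")


def parse_uci(text):
    """Return [(section_type, values)]; values maps option->str and list->[str]."""
    sections, current = [], None
    for raw in text.splitlines():
        m = _LINE.match(raw)
        if not m:
            continue
        kind, key, value = m.groups()
        if kind == "config":
            current = defaultdict(list)
            sections.append((key, current))
        elif kind == "option":
            current[key] = value
        else:
            current[key].append(value)
    return sections


def zone_membership(sections, network):
    """{zone name: forward policy} for every zone whose 'list network' has `network`."""
    return {
        z["name"]: z.get("forward", "(unset)")
        for kind, z in sections
        if kind == "zone" and network in z.get("network", [])
    }


def forwardings(sections, zone):
    """Sorted (src, dest) pairs of 'config forwarding' sections that involve `zone`."""
    return sorted(
        (f["src"], f["dest"])
        for kind, f in sections
        if kind == "forwarding" and zone in (f["src"], f["dest"])
    )


def audit(text, network, intended_zone):
    """Findings as strings; empty when `network` sits only in `intended_zone`."""
    zones = zone_membership(parse_uci(text), network)
    findings = []
    if intended_zone not in zones:
        findings.append(f"{network} is not a member of zone '{intended_zone}'")
    for name, policy in zones.items():
        if name != intended_zone:
            findings.append(f"{network} is in zone '{name}' (forward={policy})")
    return findings


def uci_fix_commands(text, network, target_zone):
    """The uci commands that move `network` into `target_zone` (not executed here)."""
    zones = [z for kind, z in parse_uci(text) if kind == "zone"]
    index = {z["name"]: i for i, z in enumerate(zones)}  # uci's @zone[N] numbering
    cmds = []
    for z in zones:
        if z["name"] != target_zone and network in z.get("network", []):
            cmds.append(f"uci del_list firewall.@zone[{index[z['name']]}].network='{network}'")
    if network not in zones[index[target_zone]].get("network", []):
        cmds.append(f"uci add_list firewall.@zone[{index[target_zone]}].network='{network}'")
    if cmds:
        cmds += ["uci commit firewall", "/etc/init.d/firewall restart"]
    return cmds


if __name__ == "__main__":
    for line in audit(SAMPLE_FIREWALL, "wg0", "wg"):
        print("finding:", line)
    print("forwardings for wg:", forwardings(parse_uci(SAMPLE_FIREWALL), "wg"))
    print("\n".join(uci_fix_commands(SAMPLE_FIREWALL, "wg0", "wg")))
```

Run against the posted config this reports that wg0 is in the lan zone (forward=ACCEPT) and not in wg, and that the wg zone already has forwardings to and from lan and wan, so after the move the tunnel's reach is governed by those explicit pairs rather than by lan's blanket forward=ACCEPT. Copy the printed `uci` lines onto the router rather than editing the file by hand if you want the change to survive a reload cleanly.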

I thought I had, should I redact my public keys as well?

Did I forget to redact any Wireguard priv keys in the paste?

Yes, please do; we do not have your endpoint, but it is a liability.


I have redacted the additional information, please let me know if you think anything else would be smart to redact further.

Yes, but I don't know the proper method to upgrade versions for x86 devices, especially while I'm abroad and not near the device.

I just thought of something tonight and ran a quick test.
So the laptop works fine and can access the remote LAN resources over WireGuard when I connect to my phone as a hotspot.

So that must mean some sort of collision in the IP space when connecting to the remote LAN, correct?
Or I guess some outbound firewalling of sorts.

Hello @frollic
I'm near the device now and would like to update it, but there exists no method for reliably updating x86-based routers AFAIK. Any help?

Hello again @egc
I'd like to begin fixing this now that I'm near the device again, but more importantly I'd like to understand why I'm changing what I'm changing first.

So what do these changes you've asked me to make do?

MTU
Had a similar problem where Android WG worked 100%, but the Arch Linux WG laptop had connection issues: it worked mostly, but broke on some sites.
I noticed that Android was using 1280 MTU on tun0.
I reduced the MTU to 1412 on the Arch Linux laptop's WG interface and this solved the problem.

arch-laptop:$ cat /etc/wireguard/peer2.conf
[Interface]
Address = 192.168.24.20
...
MTU = 1412
[Peer]

I already posted the things you should look at earlier.

MTU problems, as mentioned by @system32, are certainly something to look at; they can cause slow or hanging connections and difficulty with streaming and certain websites.
You can try to search for the correct MTU, see:

https://www.sonassi.com/help/troubleshooting/setting-correct-mtu-for-openvpn

Or just lower the MTU and see if things go better.
A good starting point is 1280.
Max MTU is 1420, and if you are using PPPoE it is 1412.

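Rather than guessing at the MTU, you can measure the underlay path and subtract the encapsulation. The script below is an added example for this thread (not a poster's script and not part of WireGuard): `find_max_payload` binary-searches for the largest ICMP payload a probe accepts, `ping_probe` runs Linux iputils `ping -M do -s <bytes>` against a host reached outside the tunnel (the WireGuard endpoint, for instance), and `tunnel_mtu` subtracts the per-packet overhead. The 80-byte default is what produces the 1420 and 1412 figures quoted above (a 1500 or 1492 path with an IPv6 outer header); 60 bytes is enough if the endpoint is only ever reached over IPv4. The stand-alone demo uses a simulated probe so it runs offline; the endpoint address in the trailing comment is a placeholder.

```python
"""Find a working WireGuard MTU by probing the path with do-not-fragment pings.

Added example for this thread (not a poster's script). `find_max_payload`
binary-searches for the largest ICMP payload a probe accepts; `ping_probe`
runs Linux iputils `ping -M do -s <bytes>` against a host reached outside
the tunnel, so the result is the underlay path MTU. `tunnel_mtu` subtracts
the encapsulation overhead. A simulated probe drives the offline demo.
"""
import subprocess

ICMP_V4_HEADERS = 28  # 20-byte IPv4 header + 8-byte ICMP header around the payload
# Per-packet encapsulation: outer IP + UDP (8) + WireGuard data header
# (4 type/reserved, 4 receiver index, 8 counter) + 16-byte Poly1305 tag = 32.
OVERHEAD_V6 = 40 + 8 + 32  # 80: wg-quick's default assumption (1500 -> 1420)
OVERHEAD_V4 = 20 + 8 + 32  # 60: when the endpoint is reached only over IPv4


def ping_probe(host, payload, timeout=2):
    """True if one echo request with `payload` data bytes and DF set is answered."""
    cmd = ["ping", "-M", "do", "-c", "1", "-W", str(timeout), "-s", str(payload), host]
    return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode == 0


def find_max_payload(probe, lo=1200, hi=1472):
    """Largest payload in [lo, hi] that `probe` accepts, or None if even `lo` fails.

    Binary search; assumes the usual monotonic path (anything above the MTU fails).
    """
    if not probe(lo):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def discover_path_mtu(probe, lo=1200, hi=1472):
    """Path MTU in bytes: largest accepted ICMP payload plus IPv4/ICMP headers."""
    payload = find_max_payload(probe, lo, hi)
    return None if payload is None else payload + ICMP_V4_HEADERS


def tunnel_mtu(path_mtu, overhead=OVERHEAD_V6):
    """MTU for the wg interface so that an encrypted packet still fits the path."""
    return path_mtu - overhead


def simulated_probe(path_mtu):
    """A probe that behaves like a path with the given MTU (constructed, for the demo)."""
    return lambda payload: payload + ICMP_V4_HEADERS <= path_mtu


if __name__ == "__main__":
    for path in (1500, 1492):  # plain Ethernet and PPPoE underlays
        mtu = discover_path_mtu(simulated_probe(path))
        print(f"path MTU {mtu}: wg MTU {tunnel_mtu(mtu)} (IPv6 outer) / "
              f"{tunnel_mtu(mtu, OVERHEAD_V4)} (IPv4 outer)")
    # Against a real endpoint (placeholder address):
    # discover_path_mtu(lambda n: ping_probe("203.0.113.1", n))
```

Put the resulting value in the client's [Interface] section as `MTU = <n>` (the same key shown in the Arch config above). If the probe fails even at the lower bound, something on the path is dropping DF packets or ICMP entirely, and the binary search cannot help; fall back to trying 1280 as suggested.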

@egc I cannot tell if you're replying to me or @system32 as this isn't a problem I'm experiencing.

I asked you a question above about what those changes you requested were doing, in a way I could understand. I've already changed them and rebooted earlier this morning, however. (I mainly just commented out lines where appropriate in the config files with # for my own record.)

I'm also not finding a good way to upgrade releases, as AUC seems to be broken for me atm.


auc 
auc/0.3.1-1
Server:    https://sysupgrade.openwrt.org
Running:   21.02.1 r16325-88151b8303 on x86/64 (generic)
WARNING: cannot determing currently running branch.
Invalid argument (22)

auc is just a convenience service, you don't need it to upgrade.

It was more to elaborate on the MTU settings.

See my earlier post about what could be changed: Wireguard internal LAN access differs mobile vs laptop - #6 by egc

I'll take ANY working method at this point, tbh. The instructions for upgrading x86 machines without losing packages and configs are very thin on the ground atm.

I've only found this thread about it thus far.

From where are you trying to access your local network when you’re using your laptop?

I wouldn’t be surprised if the subnet of the network that is local to your laptop is conflicting with your home lan. What is the subnet your laptop is using when you make the connection attempt?
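The subnet-conflict theory in the post above can be checked on the laptop before touching anything. The following is an added example for this thread, not a poster's script: it assumes the laptop runs wg-quick (the config path /etc/wireguard/wg0.conf is wg-quick's, though the thread never says so) and models wg-quick's routing. With a /0 in AllowedIPs, wg-quick keeps the tunnel's default route in its own table and installs the rule `lookup main suppress_prefixlength 0`, so any main-table route more specific than the default wins over the tunnel; a directly connected 192.168.1.0/24 on the laptop's Wi-Fi therefore captures 192.168.1.226 before the tunnel is ever consulted. The two routing tables and the interface name wlp3s0 are constructed: one mimics a remote network that also uses 192.168.1.0/24, the other a phone hotspot on 192.168.43.0/24.

```python
"""Predict whether a destination leaves via the WireGuard tunnel or the local LAN.

Added example for this thread; not a poster's script. It assumes the laptop
uses wg-quick and models its policy routing: with a /0 in AllowedIPs the
tunnel default route lives in a separate table and the rule
`lookup main suppress_prefixlength 0` lets any more-specific main-table
route win. The routing tables below are constructed sample input.
"""
import ipaddress

OVERLAPPING_MAIN_TABLE = """\
default via 192.168.1.1 dev wlp3s0 proto dhcp metric 600
192.168.1.0/24 dev wlp3s0 proto kernel scope link src 192.168.1.57 metric 600
"""

HOTSPOT_MAIN_TABLE = """\
default via 192.168.43.1 dev wlp3s0 proto dhcp metric 600
192.168.43.0/24 dev wlp3s0 proto kernel scope link src 192.168.43.12 metric 600
"""


def parse_routes(text):
    """(network, device, metric) triples from `ip route show` output."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        metric = int(parts[parts.index("metric") + 1]) if "metric" in parts else 0
        routes.append((ipaddress.ip_network(dst, strict=False), dev, metric))
    return routes


def lookup(routes, addr, min_prefixlen=0):
    """Longest-prefix match (lowest metric on ties), ignoring prefixes < min_prefixlen."""
    addr = ipaddress.ip_address(addr)
    best = None
    for net, dev, metric in routes:
        if addr in net and net.prefixlen >= min_prefixlen:
            if best is None or (net.prefixlen, -metric) > (best[0].prefixlen, -best[2]):
                best = (net, dev, metric)
    return best


def egress_device(main_routes, allowed_ips, addr, wg_dev="wg0"):
    """Device a packet to `addr` leaves on, given the main table and AllowedIPs."""
    addr_obj = ipaddress.ip_address(addr)
    allowed = [ipaddress.ip_network(a.strip(), strict=False) for a in allowed_ips.split(",")]
    allowed = [n for n in allowed if n.version == addr_obj.version]
    # wg-quick adds non-/0 AllowedIPs as ordinary main-table routes (metric 0) via wg.
    routes = list(main_routes) + [(n, wg_dev, 0) for n in allowed if n.prefixlen > 0]
    if any(n.prefixlen == 0 for n in allowed):
        hit = lookup(routes, addr, min_prefixlen=1)  # suppress_prefixlength 0
        return hit[1] if hit else wg_dev             # nothing specific: tunnel table
    hit = lookup(routes, addr)
    return hit[1] if hit else None


if __name__ == "__main__":
    for label, table in (("overlapping LAN", OVERLAPPING_MAIN_TABLE),
                         ("phone hotspot", HOTSPOT_MAIN_TABLE)):
        dev = egress_device(parse_routes(table), "0.0.0.0/0", "192.168.1.226")
        print(f"{label}: 192.168.1.226 leaves via {dev}")
```

On the real laptop, feed it the output of `ip route show` and the AllowedIPs line from wg0.conf; if the answer for a home address is the Wi-Fi device, the fix is a home LAN on a less common subnet (not 192.168.1.0/24), which is also why the phone hotspot case works. Listing 192.168.1.0/24 explicitly in AllowedIPs only helps when the local route carries a higher metric, as NetworkManager-managed routes usually do, and it costs you the local network while connected.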