Wireguard internal LAN access differs mobile vs laptop

Hi all,
I've run wireguard successfully on my laptop and android phone for a year or so now. One thing I've been frustrated with is my Android phone seems to be able to consistently access proper resources from my LAN while the laptop does not.

For instance my deluge docker container that I use to torrent directly to my NAS is visible over Android using the wireguard tunnel and the laptop cannot.

As far as I can tell the two interfaces defined in /etc/config/network are exactly the same. I noted that

config interface 'wg0'

has one line that says

list dns '192.168.1.1'

Maybe that shouldn't be there. Any other files that would be worth checking, I'd appreciate the advice. Silly thought, but don't I want wireguard to be handing out just regular dhcp addresses from my address pool vs 192.168.2.1/32? Is that wrong?

Do you have only one router which is directly connected to the internet and to which your phone and laptop connect from the internet?

Please connect to your OpenWRT device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
ip route show
ip route show table all
ip rule show
wg show
Both the laptop and phone WG config

Do you have only one router which is directly connected to the internet and to which your phone and laptop connect from the internet?

Yes, it's an x86 fanless machine, with a separate dumb WAP connected via a PoE switch.
Rest of the wired network is connected via that switch as well.

Sorry for the massive paste. I broke them into sections using the pre markup tags for ease of reading. I assumed it was safe to leave the public key info in my post, correct?

root@OpenWrt_Fitlet:~# ubus call system board
{
	"kernel": "5.4.154",
	"hostname": "OpenWrt_Fitlet",
	"system": "AMD A4 Micro-6400T APU + AMD Radeon R3 Graphics",
	"model": "CompuLab fitlet",
	"board_name": "compulab-fitlet",
	"release": {
		"distribution": "OpenWrt",
		"version": "21.02.1",
		"revision": "r16325-88151b8303",
		"target": "x86/64",
		"description": "OpenWrt 21.02.1 r16325-88151b8303"

root@OpenWrt_Fitlet:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	list ports 'eth1'
	list ports 'eth2'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option proto 'dhcp'
	option device 'eth3'
	option peerdns '0'

config interface 'wg0'
	option proto 'wireguard'
	option listen_port '51820'
	list addresses '192.168.2.1/24'
	option private_key 'REDACTED'
	option peerdns '0'
	list dns '192.168.1.1'

config wireguard_wg0
	option description 'REDACTED'
	option public_key 'REDACTED='
	option persistent_keepalive '25'
	list allowed_ips '192.168.2.2/32'
	option route_allowed_ips '1'

config wireguard_wg0
	option description 'REDACTED'
	option public_key 'REDACTED'
	option persistent_keepalive '25'
	option route_allowed_ips '1'
	list allowed_ips '192.168.2.3/32'

config wireguard_wg0
	option description 'LAPTOP'
	option public_key 'MORE_REDACTED'
	list allowed_ips '192.168.2.4/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

config wireguard_wg0
	option description 'PHONE'
	option public_key 'MORE_REDACTED'
	list allowed_ips '192.168.2.5/32'
	option persistent_keepalive '25'
	option route_allowed_ips '1'
root@OpenWrt_Fitlet:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	list local_dns_server '8.8.8.8'
	list server '9.9.9.9'
	list server '9.9.9.10'
	list server '1.1.1.1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	list ra_flags 'none'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option name 'REDACTED'
	option dns '1'
	option mac 'REDACTED'
	option ip '192.168.1.152'
	option leasetime 'infinite'

config host
	option name 'REDACTED'
	option dns '1'
	option mac 'REDACTED'
	option ip '192.168.1.125'
	option leasetime 'infinite'

config host
	option dns '1'
	option mac 'REDACTED'
	option ip '192.168.1.3'
	option leasetime 'infinite'
	option name 'REDACTED'

config host
	option name 'REDACTED'
	option duid 'REDACTED'
	option mac 'REDACTED'

config host
	option name 'REDACTED'
	option duid 'REDACTED'
	option mac 'REDACTED'
	option ip '192.168.1.226'
	option leasetime 'infinite'

config domain
	option name 'REDACTED'
	option ip 'REDACTED'

config domain
	option name 'REDACTED'
	option ip '192.168.1.152'

config domain
	option name 'REDACTED'
	option ip '192.168.1.125'

config host
	option ip '192.168.1.235'
	option mac 'REDACTED'
	option name 'REDACTED'
	option dns '1'
	option leasetime 'infinite'

config domain
	option name 'REDACTED'
	option ip '192.168.1.235'

config dhcp 'wg0'
	option interface 'wg0'
	list ra_flags 'none'

config domain
	option name 'REDACTED'
	option ip '192.168.1.236'

config host
	option name 'REDACTED'
	option dns '1'
	option mac 'REDACTED'
	option ip '192.168.1.236'

config host
	option name 'REDACTED'
	option ip '192.168.1.201'
	option mac 'REDACTED'

config host
	option name 'REDACTED'
	option ip '192.168.1.176'
	option mac 'REDACTED'
root@OpenWrt_Fitlet:~# cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wg0'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config rule
	option name 'allow-ssh-router'
	list proto 'tcp'
	option dest_port '22'
	option target 'ACCEPT'
	option src '*'
	option family 'ipv4'

config redirect
	option target 'DNAT'
	option name 'REDACTED'
	list proto 'tcp'
	option src 'wan'
	option src_dport '80'
	option dest_ip '192.168.1.226'
	option dest_port '80'
	option dest 'lan'

config redirect
	option target 'DNAT'
	option name 'REDACTED'
	list proto 'tcp'
	option src 'wan'
	option src_dport '443'
	option dest 'lan'
	option dest_ip '192.168.1.226'
	option dest_port '443'

config redirect
	option target 'DNAT'
	option name 'REDACTED'
	list proto 'tcp'
	option src 'wan'
	option src_dport '51413'
	option dest_port '51413'
	option dest 'lan'
	option dest_ip '192.168.1.152'

config redirect
	option target 'DNAT'
	option name 'REDACTED'
	list proto 'tcp'
	option src 'wan'
	option src_dport '8096'
	option dest_port '8096'
	option dest_ip '192.168.1.226'
	option dest 'lan'

config redirect
	option target 'DNAT'
	option name 'REDACTED'
	list proto 'tcp'
	option src 'wan'
	option src_dport '8092'
	option dest_port '8092'
	option dest 'lan'
	option dest_ip '192.168.1.226'

config redirect
	option target 'DNAT'
	option src 'wan'
	option src_dport '25565'
	option dest_port '25565'
	option dest 'lan'
	option dest_ip '192.168.1.226'
	option src_ip 'REDACTED'
	list proto 'tcp'
	list proto 'udp'
	option name 'REDACTED'

config redirect
	option target 'DNAT'
	option name 'REDACTED'
	list proto 'tcp'
	option src 'wan'
	option src_dport '21025'
	option dest 'lan'
	option dest_ip '192.168.1.226'
	option dest_port '21025'
	option enabled '0'

config redirect
	option target 'DNAT'
	list proto 'tcp'
	option src 'wan'
	option src_dport '143'
	option dest 'lan'
	option dest_ip '192.168.1.226'
	option name 'REDACTED'
	option dest_port '143'

config redirect
	option target 'DNAT'
	list proto 'tcp'
	option src 'wan'
	option src_dport '993'
	option dest 'lan'
	option dest_ip '192.168.1.226'
	option name 'REDACTED'
	option dest_port '993'

config redirect
	option target 'DNAT'
	option name 'REDACTED'
	list proto 'tcp'
	option src 'wan'
	option src_dport '465'
	option dest 'lan'
	option dest_ip '192.168.1.226'

config redirect
	option target 'DNAT'
	option name 'REDACTED'
	list proto 'tcp'
	option src 'wan'
	option src_dport '587'
	option dest 'lan'
	option dest_ip '192.168.1.226'

config redirect
	option target 'DNAT'
	option name 'REDACTED'
	list proto 'tcp'
	option src 'wan'
	option src_dport '25'
	option dest 'lan'
	option dest_ip '192.168.1.226'

config rule
	option name 'REDACTED'
	option family 'ipv4'
	list proto 'tcp'
	option src '*'
	option dest 'lan'
	list dest_ip '192.168.1.226'
	option dest_port '25'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'REDACTED'
	list proto 'tcp'
	option src 'lan'
	list src_ip '192.168.1.226'
	option dest '*'
	option dest_port '25'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'REDACTED'
	list proto 'tcp'
	option src '*'
	option dest '*'
	option dest_port '25'
	option target 'REJECT'
	option enabled '0'

config zone
	option name 'wg'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option family 'ipv4'

config forwarding
	option src 'wg'
	option dest 'lan'

config forwarding
	option src 'wg'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'wg'

config forwarding
	option src 'wan'
	option dest 'wg'

config rule
	option name 'wan-local-wireguard'
	list proto 'udp'
	option src 'wan'
	option target 'ACCEPT'
	option dest_port '51820'

config redirect
	option target 'DNAT'
	option name 'REDACTED'
	list proto 'udp'
	option src 'wan'
	option src_dport '7777'
	option dest 'lan'
	option dest_ip '192.168.1.226'
	option dest_port '7777'
	option enabled '0'

config redirect
	option target 'DNAT'
	option name 'REDACTED'
	option src 'wan'
	option src_dport '7778'
	option dest 'lan'
	option dest_ip '192.168.1.226'
	option dest_port '7778'
	list proto 'tcp'
	list proto 'udp'
	option enabled '0'

config redirect
	option target 'DNAT'
	option name 'REDACTED'
	option src 'wan'
	option src_dport '27015'
	option dest 'lan'
	option dest_ip '192.168.1.226'
	option dest_port '27015'
	list proto 'tcp'
	list proto 'udp'
	option enabled '0'

config redirect
	option target 'DNAT'
	option name 'REDACTED'
	list proto 'tcp'
	option src 'wan'
	option src_dport '27020'
	option dest 'lan'
	option dest_ip '192.168.1.226'
	option dest_port '27020'
	option enabled '0'

config redirect
	option target 'DNAT'
	option name 'REDACTED'
	list proto 'udp'
	option src 'wan'
	option src_dport '34197'
	option dest 'lan'
	option dest_ip '192.168.1.226'
	option dest_port '34197'

config redirect
	option target 'DNAT'
	option name 'REDACTED'
	option src 'wan'
	option src_dport '25565'
	option dest 'lan'
	option dest_ip '192.168.1.226'
	option dest_port '25565'
	option src_ip '157.157.126.242'

config redirect
	option target 'DNAT'
	option name 'REDACTED'
	option src 'wan'
	option dest 'lan'
	option dest_ip '192.168.1.152'
	option dest_port '8081'
	option src_dport '8081'
	option enabled '0'

config redirect
	option target 'DNAT'
	option name 'deluge'
	option src 'wan'
	option dest 'lan'
	option dest_ip '192.168.1.226'
	option src_dport '50881'
	option dest_port '50881'

config redirect
	option target 'DNAT'
	option name 'REDACTED'
	option src 'wan'
	option src_dport '25565'
	option dest 'lan'
	option src_ip '188.83.242.227'
	option dest_port '25565'
	option dest_ip '192.168.1.226'
root@OpenWrt_Fitlet:~# ip route show
default via REDACTED dev eth3  src REDACTED
REDACTED/24 dev eth3 scope link  src REDACTED
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1 
192.168.2.0/24 dev wg0 scope link  src 192.168.2.1 
192.168.2.2 dev wg0 scope link 
192.168.2.3 dev wg0 scope link 
192.168.2.4 dev wg0 scope link 
192.168.2.5 dev wg0 scope link
root@OpenWrt_Fitlet:~# ip route show table all
default via REDACTED dev eth3  src REDACTED
REDACTED/24 dev eth3 scope link  src REDACTED
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1 
192.168.2.0/24 dev wg0 scope link  src 192.168.2.1 
192.168.2.2 dev wg0 scope link 
192.168.2.3 dev wg0 scope link 
192.168.2.4 dev wg0 scope link 
192.168.2.5 dev wg0 scope link 
broadcast REDACTED dev eth3 table local scope link  src REDACTED
local REDACTED dev eth3 table local scope host  src REDACTED
broadcast REDACTED.255 dev eth3 table local scope link  src REDACTED 
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1 
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1 
broadcast 192.168.1.0 dev br-lan table local scope link  src 192.168.1.1 
local 192.168.1.1 dev br-lan table local scope host  src 192.168.1.1 
broadcast 192.168.1.255 dev br-lan table local scope link  src 192.168.1.1 
broadcast 192.168.2.0 dev wg0 table local scope link  src 192.168.2.1 
local 192.168.2.1 dev wg0 table local scope host  src 192.168.2.1 
broadcast 192.168.2.255 dev wg0 table local scope link  src 192.168.2.1 
fe80::/64 dev eth3  metric 256 
fe80::/64 dev br-lan  metric 256 
local ::1 dev lo table local  metric 0 
anycast fe80:: dev eth3 table local  metric 0 
anycast fe80:: dev br-lan table local  metric 0 
local fe80::201:c0ff:fe18:af41 dev eth3 table local  metric 0 
local fe80::201:c0ff:fe19:6e56 dev br-lan table local  metric 0 
multicast ff00::/8 dev wg0 table local  metric 256 
multicast ff00::/8 dev eth3 table local  metric 256 
multicast ff00::/8 dev br-lan table local  metric 256
root@OpenWrt_Fitlet:~# ip rule show
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default
root@OpenWrt_Fitlet:~# wg show
interface: wg0
  public key: MORE_REDACTED
  private key: (hidden)
  listening port: 51820

peer: MORE_REDACTED
  endpoint: REDACTED:1024
  allowed ips: 192.168.2.4/32
  latest handshake: 8 hours, 55 minutes, 59 seconds ago
  transfer: 5.55 GiB received, 38.25 GiB sent
  persistent keepalive: every 25 seconds

peer: MORE_REDACTED
  endpoint: REDACTED:51820
  allowed ips: 192.168.2.5/32
  latest handshake: 6 days, 7 hours, 53 minutes, 11 seconds ago
  transfer: 190.64 MiB received, 1.03 GiB sent
  persistent keepalive: every 25 seconds

peer: MORE_REDACTED
  allowed ips: 192.168.2.3/32
  persistent keepalive: every 25 seconds

peer: MORE_REDACTED
  allowed ips: 192.168.2.2/32
  persistent keepalive: every 25 seconds
Laptop Config 

user@LAPTOP:$ sudo cat /etc/wireguard/wg0.conf
[Interface]
Address = 192.168.2.4/32
DNS = 192.168.1.1
ListenPort = 51820
PrivateKey = REDACTED

[Peer]
AllowedIPs = 0.0.0.0/0
Endpoint = REDACTED:51820
PersistentKeepalive = 15
PublicKey = MORE_REDACTED
Phone config

user@phone:$ cat openwrt.conf 
[Interface]
Address = 192.168.2.5/32
DNS = 9.9.9.9
ListenPort = 51820
PrivateKey = REDACTED

[Peer]
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = REDACTED:51820
PersistentKeepalive = 25
PublicKey = MORE_REDACTED

not related to the issue at hand, but 21.02 is EOL, you should upgrade.

I've been having trouble with sysupgrade but that's a topic for another thread.

Better redact your WG keys

Not your main problem but better remove list dns '192.168.1.1'

Remove this:

Move the WG interface to its own zone; everything is already in place for that.

So move list network 'wg0' from LAN zone

to wg zone:

If you rely on internal DNS resolution by your clients make sure in both the clients config you set 192.168.1.1
In /etc/config/dhcp disable Local service only: option localservice '0'

Reboot and check again.

When accessing your local network the WG address is used so your local clients should allow subnet 192.168.2.0/24
A simple check if this is the problem is to enable MASQUERADING on the LAN zone

Furthermore you are running a very old and EOL build
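The replies above boil down to three checks on the posted files: whether wg0 is still a member of the lan zone instead of the dedicated wg zone, whether dnsmasq has localservice set to '1', and whether each client's DNS points at the router. The script below is an added example (not from the thread or from OpenWrt) that runs those checks over UCI text; the firewall and dhcp fragments and the client DNS lines are constructed from what was posted, and parse_uci is a minimal parser written for this example rather than OpenWrt's own.

```python
# Added example: audit UCI fragments for the three points raised in the replies.
import re

# Constructed from the thread's /etc/config/firewall (zones only)
FIREWALL = """
config zone
	option name 'lan'
	list network 'lan'
	list network 'wg0'

config zone
	option name 'wg'
	option forward 'REJECT'
"""
# Constructed from the thread's /etc/config/dhcp (dnsmasq section only)
DHCP = """
config dnsmasq
	option localservice '1'
"""
# The two clients' [Interface] DNS lines as posted in the thread
CLIENTS = {"laptop": "DNS = 192.168.1.1", "phone": "DNS = 9.9.9.9"}

def parse_uci(text):
    """Parse UCI text into (type, name, {key: [values]}) tuples (minimal, example-only)."""
    sections = []
    for raw in text.splitlines():
        words = raw.strip().split(None, 1)
        m = re.match(r"(\S+)(?:\s+'?([^']*)'?)?", words[1]) if len(words) == 2 else None
        if m is None:
            continue
        if words[0] == "config":
            sections.append((m.group(1), m.group(2), {}))
        elif words[0] in ("option", "list") and sections:
            sections[-1][2].setdefault(m.group(1), []).append(m.group(2))
    return sections

def zone_memberships(firewall_text):
    """Map each network name to the list of firewall zones that claim it."""
    zones = {}
    for kind, _, opts in parse_uci(firewall_text):
        if kind == "zone":
            for net in opts.get("network", []):
                zones.setdefault(net, []).append(opts["name"][0])
    return zones

def audit(firewall_text, dhcp_text, clients, router_ip="192.168.1.1"):
    """Return the findings the replies in this thread would raise."""
    findings = []
    wg0_zones = zone_memberships(firewall_text).get("wg0", [])
    if wg0_zones != ["wg"]:  # the reply: wg0 belongs only in the wg zone
        findings.append("wg0 is in zones %s, not only the dedicated 'wg' zone" % wg0_zones)
    for kind, _, opts in parse_uci(dhcp_text):
        if kind == "dnsmasq" and opts.get("localservice", ["0"])[0] == "1":
            findings.append("dnsmasq localservice is '1'; the reply advises '0'")
    for name, cfg in clients.items():  # both clients should use the router for DNS
        dns = re.search(r"DNS\s*=\s*(\S+)", cfg)
        if not dns or dns.group(1) != router_ip:
            findings.append("%s DNS is not the router %s" % (name, router_ip))
    return findings
```

Running audit(FIREWALL, DHCP, CLIENTS) on the posted fragments reports all three findings, with the phone's 9.9.9.9 DNS being the only client-side difference it sees.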

I thought I had, should I redact my public keys as well?

Did I forget to redact any Wireguard priv keys in the paste?

Yes please do, we do not have your endpoint but it is a liability


I have redacted the additional information, please let me know if you think anything else would be smart to redact further.

yes but I don't know the proper method to upgrade versions for x86 devices, especially while I'm abroad and not near the device.

I just thought of something tonight and ran a quick test.
So the laptop works fine and can access the remote LAN resources over wireguard when I connect through my phone as a hotspot.

So that must mean some sort of collision in the IP space when connecting to the remote LAN, correct?
or I guess some outbound firewalling of sorts.