WireGuard: no internet connection

I'm not a networking expert and very new to OpenWrt. I have my WireGuard set up between OpenWrt and OPNsense.

Site Office = OpenWrt (behind NAT I think, because the WAN is getting DHCP from a 4G router whose internet IP is private 10.x.x.x). LAN 192.168.1.0/24
HQ = OPNsense (PPPoE dial-up, public fixed IP), multiple VLANs 10.0.10.0/24, 10.0.20.0/24, 10.0.30.0/24

From HQ, I am able to ping the LAN hosts (192.168.1.x) in the site office.
From the site office, I am able to ping all the LAN hosts in HQ.

My HQ LAN hosts have internet access, but the problem is that the site office LAN hosts have no internet access.

What I want is:

  1. Site office LAN hosts have internet access and can only reach the HQ 10.0.10.0/24 network.
  2. HQ LAN hosts have internet access and can only reach the site office 192.168.1.0/24 from 10.0.10.0/24.

I'm not sure which part is wrong: routing, NAT, firewall rules, I really have no idea. I have spent 1 week on this and I can't understand how to diagnose the issue.

Below is my config

======================NETWORK==========================

Sorry, I replaced secrets with 11111.

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix '1111:1111:4c7f::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'eth0.2'
        option macaddr '11:11:11:11:11:11'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '0'

config switch
        option name 'switch1'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch1'
        option vlan '1'
        option ports '1 2 3 4 6t'

config switch_vlan
        option device 'switch1'
        option vlan '2'
        option ports '0 6t'

config interface 'WireGuard'
        option proto 'wireguard'
        option private_key '1111111111Tl1111111111='
        option listen_port '51820'
        list addresses '10.0.0.254/32'

config wireguard_WireGuard
        option description 'HQTUNNEL'
        option public_key '1111111111Tl1111111111='
        option preshared_key '1111111111Tl1111111111='
        option route_allowed_ips '1'
        option endpoint_host '111.111.111.111'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        list allowed_ips '0.0.0.0/0'

======================FIREWALL==========================

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'WireGuard'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

Nominally I'd handle things at the HQ side of the equation, but you can do some of this on the site office. Internet is likely an issue with the HQ's configuration... you'll have to allow forwarding from the WG network to the WAN network in the HQ OPNsense router.

For the rest of the requirements...

I'd split the WG network into its own firewall zone.

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wireguard'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'WireGuard'

config forwarding
        option src 'lan'
        option dest 'wireguard'

Then create traffic rules to limit the outbound connections (block the two HQ networks):

config rule
        option name 'block-20-30'
        list proto 'all'
        option src 'lan'
        option dest 'wireguard'
        list dest_ip '10.0.20.0/24'
        list dest_ip '10.0.30.0/24'
        option target 'REJECT'

and one to allow the inbound connections:

config rule
        option name 'allow-from-10-to-lan'
        list proto 'all'
        option src 'wireguard'
        option dest 'lan'
        list src_ip '10.0.10.0/24'
        option target 'ACCEPT'

Also, you've got an issue with the WAN zone (probably not a real problem, but not best practice as it stands now) -- input and forward should be REJECT, as follows:

config zone
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option input 'REJECT'
        option forward 'REJECT'
        list network 'wan'
        list network 'wan6'
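The zone split above decides which flows the site router will forward before any HQ-side rule is consulted. The following is an added example, not code from the thread or from OpenWrt's fw4: it mirrors the order in which fw4 judges a forwarded packet (per-zone traffic rules first, then `config forwarding` sections, then the zone's own forward policy for traffic between interfaces of the same zone, then the global default) so the posted configuration and the suggested split can be compared offline. The hosts 192.168.1.30, 10.0.10.5, 10.0.20.5, 10.0.30.5 and 8.8.8.8 are constructed sample addresses. Connection tracking, the input chain and the wan zone are left out; with `allowed_ips 0.0.0.0/0` and `route_allowed_ips 1` the default route points into the tunnel, so the lan-to-wan forwarding never sees internet traffic anyway.

```python
"""Offline policy check for the zone split (added example, not fw4 code)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Zone:
    name: str
    subnets: list              # prefixes reached through this zone's interfaces
    forward: str = "REJECT"    # policy for traffic between interfaces of the *same* zone


@dataclass
class Rule:
    src: str                   # source zone
    dest: str                  # destination zone, or "*"
    target: str                # ACCEPT / REJECT / DROP
    src_ip: list = field(default_factory=list)
    dest_ip: list = field(default_factory=list)

    def matches(self, src, dst):
        def hit(ip, prefixes):   # an empty list means "any address"
            return not prefixes or any(ip in ipaddress.ip_network(p) for p in prefixes)
        return hit(src, self.src_ip) and hit(dst, self.dest_ip)


@dataclass
class Firewall:
    zones: list
    forwardings: list          # (src_zone, dest_zone) pairs from 'config forwarding'
    rules: list = field(default_factory=list)
    default_forward: str = "REJECT"   # 'config defaults' forward policy

    def zone_of(self, ip):
        """Zone whose interface the route for `ip` selects (longest prefix wins)."""
        best = None
        for zone in self.zones:
            for prefix in zone.subnets:
                net = ipaddress.ip_network(prefix)
                if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                    best = (net, zone)
        if best is None:
            raise ValueError(f"no route for {ip}")
        return best[1]

    def forward_verdict(self, src, dst):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        sz, dz = self.zone_of(src), self.zone_of(dst)
        for rule in self.rules:                      # 1. traffic rules, in config order
            if rule.src == sz.name and rule.dest in (dz.name, "*") and rule.matches(src, dst):
                return rule.target
        if (sz.name, dz.name) in self.forwardings:   # 2. 'config forwarding' sections
            return "ACCEPT"
        if sz is dz:                                 # 3. the zone's own forward policy
            return sz.forward
        return self.default_forward                  # 4. global default


LAN = ["192.168.1.0/24"]
# allowed_ips 0.0.0.0/0 plus route_allowed_ips: everything that is not local goes into the tunnel
TUNNEL = ["0.0.0.0/0"]


def original_config():
    """First posted config: the WireGuard network is listed inside the lan zone."""
    return Firewall(zones=[Zone("lan", LAN + TUNNEL, forward="ACCEPT")], forwardings=[])


def split_config():
    """The suggested split: own zone, lan->wireguard forwarding, two traffic rules."""
    return Firewall(
        zones=[Zone("lan", LAN, forward="ACCEPT"), Zone("wireguard", TUNNEL, forward="ACCEPT")],
        forwardings=[("lan", "wireguard")],
        rules=[
            Rule("lan", "wireguard", "REJECT", dest_ip=["10.0.20.0/24", "10.0.30.0/24"]),
            Rule("wireguard", "lan", "ACCEPT", src_ip=["10.0.10.0/24"]),
        ],
    )


# Constructed sample flows: one site host, one host per HQ VLAN, one public address.
FLOWS = [
    ("192.168.1.30", "10.0.10.5"), ("192.168.1.30", "10.0.20.5"), ("192.168.1.30", "8.8.8.8"),
    ("10.0.10.5", "192.168.1.30"), ("10.0.20.5", "192.168.1.30"), ("10.0.30.5", "192.168.1.30"),
]


def compare(flows=FLOWS):
    """Return {(src, dst): (verdict with original config, verdict with split config)}."""
    before, after = original_config(), split_config()
    return {f: (before.forward_verdict(*f), after.forward_verdict(*f)) for f in flows}


if __name__ == "__main__":
    for (s, d), (before, after) in compare().items():
        print(f"{s:>14} -> {d:<14} original: {before:<7} split: {after}")
```

The row for the public address is the reason the site office has no internet: the packet is accepted into the tunnel in both configurations, so HQ's OPNsense has to forward it from its WireGuard interface to its WAN and NAT it, exactly as the reply says. The REJECT rule for 10.0.20.0/24 and 10.0.30.0/24 only works because traffic rules are evaluated before the lan-to-wireguard forwarding; in the original configuration, with both networks in one zone whose forward policy is ACCEPT, every HQ VLAN reaches every site host and vice versa.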

Thank you for answering my question and for your configuration. Internet is not important in the site office, but the important thing for us is that HQ is able to access the site office LAN hosts.

Currently HQ is only able to ping 192.168.1.1 (the OpenWrt router's LAN interface), but not the LAN hosts (for example a web server with IP 192.168.1.30). Sorry, I wrote it wrongly in my previous post.

No luck for me. I tried your configuration but still cannot access/ping any LAN host from HQ to the site office.

I believe I need to set this in OpenWrt instead of my OPNsense firewall, but I have no idea :frowning:

What operating systems are on the hosts in question? Some OSes have firewalls that prohibit incoming connections from other subnets -- Windows in particular is known to block them unless you modify the Windows firewall configuration to allow it.

Let's see the latest config files.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

Below is my updated configuration. Before that I would like to thank you @psherman for your patience, very much appreciated.


root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix '1111:1111:1111::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option delegate '0'
        option metric '1'

config device
        option name 'eth0.2'
        option macaddr '11:11:11:11:11:11'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '0'

config switch
        option name 'switch1'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch1'
        option vlan '1'
        option ports '1 2 3 4 6t'

config switch_vlan
        option device 'switch1'
        option vlan '2'
        option ports '0 6t'

config interface 'WireGuard'
        option proto 'wireguard'
        option private_key '111111111111111111111111'
        option listen_port '51820'
        option delegate '0'
        list addresses '10.0.0.254/32'
        option defaultroute '0'

config wireguard_WireGuard
        option description 'TUNNEL'
        option public_key '111111111111111111111111111111111111111111111111'
        option preshared_key '111111111111111111111111'
        option route_allowed_ips '1'
        option endpoint_host '11.11.11.11'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        list allowed_ips '0.0.0.0/0'

config device
        option name 'WireGuard'

config route
        option interface 'WireGuard'
        option target '10.88.88.0/24'
        option gateway '10.0.0.254'

config route
        option interface 'lan'
        option gateway '10.0.0.254'
        option target '10.88.88.0/24'


root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'ACCEPT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'WireGuard'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option input 'REJECT'
        option forward 'REJECT'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

I did try splitting the WG network into its own firewall zone but it had no effect, then I removed it and put it back into the lan zone; both are the same for me.

I noticed that I don't need to add firewall rules. Instead, I can disable the default gateway and add a static route only, so that my site office can only access 10.88.88.0/24.


I did try traceroute from HQ. I'm not able to ping the 192.168.1.130 host (this is a Windows 10 host, firewall & AV off). I'm 100% sure it's not a host issue, as I tried other IoT devices and CCTV and none of them can be pinged either.

I think most likely it is an OpenWrt routing or firewall issue, but I really have no idea. I really want my HQ to be able to access the LAN host (192.168.1.130) behind OpenWrt.

You have a few unnecessary things in the configuration... specifically the routes are not needed because all non-local traffic will go through the tunnel (because of the 0.0.0.0/0 allowed IPs).

So remove these:

Also remove this:

remove these two options:

I'd recommend using a separate zone... you'll want to be able to enable masquerading.

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'WireGuard'
        option masq '1'

config forwarding
        option src 'lan'
        option dest 'vpn'
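Why masquerading on the vpn zone changes the picture comes down to WireGuard's cryptokey routing: a peer's AllowedIPs is both the route selector for packets going out through the tunnel and an ACL on the inner source address of packets coming in from that peer. The following is an added example, not code from the thread, OpenWrt or WireGuard, that models that check in both directions for a request and its reply. HQ's peer entry for the site is not shown anywhere in the thread, so the two AllowedIPs sets for it are assumptions; the site side's 0.0.0.0/0 and its tunnel address 10.0.0.254 come from the posted config, and the host addresses are constructed.

```python
"""Cryptokey-routing model of the site<->HQ tunnel (added example, not WireGuard code)."""
import ipaddress


def allowed_net(ip, allowed_ips):
    """Longest AllowedIPs prefix containing ip, or None if no prefix matches."""
    ip = ipaddress.ip_address(ip)
    hits = [ipaddress.ip_network(p) for p in allowed_ips if ip in ipaddress.ip_network(p)]
    return max(hits, key=lambda n: n.prefixlen, default=None)


def tunnel_flow(src, dst, sender_allowed, receiver_allowed):
    """One packet across the tunnel: 'delivered' or the reason it is dropped.

    sender_allowed:   AllowedIPs the sender has for the remote peer; it must
                      contain dst, otherwise no peer is selected for the packet.
    receiver_allowed: AllowedIPs the receiver has for the sender; the inner
                      source must fall inside it, otherwise the receiver drops it.
    """
    if allowed_net(dst, sender_allowed) is None:
        return "no peer for destination (sender AllowedIPs)"
    if allowed_net(src, receiver_allowed) is None:
        return "source not in receiver's AllowedIPs"
    return "delivered"


SITE_ALLOWED_FOR_HQ = ["0.0.0.0/0"]          # from the posted OpenWrt config
SITE_TUNNEL_ADDR = "10.0.0.254"              # from the posted OpenWrt config
# Assumptions about HQ's peer entry for the site (not shown in the thread):
HQ_ALLOWED_FOR_SITE_NARROW = ["10.0.0.254/32"]                   # tunnel address only
HQ_ALLOWED_FOR_SITE_WIDE = ["10.0.0.254/32", "192.168.1.0/24"]   # site LAN added


def site_to_hq(src, dst, hq_allowed, masq):
    """Site host -> HQ host. masq on the vpn zone rewrites the inner source to
    the tunnel address; the reply is then addressed back to that address."""
    inner_src = SITE_TUNNEL_ADDR if masq else src
    req = tunnel_flow(inner_src, dst, SITE_ALLOWED_FOR_HQ, hq_allowed)
    if req != "delivered":
        return "request: " + req
    rep = tunnel_flow(dst, inner_src, hq_allowed, SITE_ALLOWED_FOR_HQ)
    return "delivered" if rep == "delivered" else "reply: " + rep


def hq_to_site(src, dst, hq_allowed):
    """HQ host -> site host. Masquerading on the site side never touches this
    direction: the reply leaves the site host with its real LAN address."""
    req = tunnel_flow(src, dst, hq_allowed, SITE_ALLOWED_FOR_HQ)
    if req != "delivered":
        return "request: " + req
    rep = tunnel_flow(dst, src, SITE_ALLOWED_FOR_HQ, hq_allowed)
    return "delivered" if rep == "delivered" else "reply: " + rep


def matrix():
    """All four combinations for one site host (.30/.130 are constructed) and one HQ host."""
    return {
        "site->HQ, narrow, no masq": site_to_hq("192.168.1.30", "10.0.10.5", HQ_ALLOWED_FOR_SITE_NARROW, False),
        "site->HQ, narrow, masq":    site_to_hq("192.168.1.30", "10.0.10.5", HQ_ALLOWED_FOR_SITE_NARROW, True),
        "HQ->site, narrow":          hq_to_site("10.0.10.5", "192.168.1.130", HQ_ALLOWED_FOR_SITE_NARROW),
        "HQ->site, wide":            hq_to_site("10.0.10.5", "192.168.1.130", HQ_ALLOWED_FOR_SITE_WIDE),
    }


if __name__ == "__main__":
    for name, result in matrix().items():
        print(f"{name:<28} {result}")
```

Masquerading only rescues site-initiated flows: with `masq '1'` on the vpn zone the inner source is 10.0.0.254, which even a narrow HQ entry of 10.0.0.254/32 accepts. HQ-initiated flows to 192.168.1.x still require 192.168.1.0/24 in HQ's AllowedIPs for the site peer (and the route OPNsense derives from it), because the site host's reply is not NATed. The cost of masquerading is visibility: HQ sees every site host as 10.0.0.254, so HQ-side firewall rules and logs can no longer tell one site host from another, which matters when the plan is to enforce the per-network restrictions at HQ.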

It works, it's working! Thank you very much @psherman

Now I am able to ping 192.168.1.130 from HQ. I guess the key function that I missed out is masquerading? I'm not really familiar with masquerading even though I have worked with WatchGuard firewalls for 3 years. :sweat_smile:

My next step is to block site office access to some networks. I will try the config that you posted earlier, test it with my OpenWrt and optimize it in my OPNsense.

So much thanks to you, because I spent more than a week on this and finally got it resolved :smile:

An unfortunate thing happened. The WireGuard client (OpenWrt) isn't automatically re-establishing the WireGuard VPN connection to my HQ after the VPN connection dropped. I waited 1 day for the VPN to come up and I tried restarting my HQ OPNsense firewall, but it still doesn't work.

My HQ is using DDNS (dynamic public IP).
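The thread does not show the fix for this. One well-known cause when the endpoint is a DDNS name: wg(8) resolves the hostname only at the moment the peer is configured, and the kernel keeps that IP address; if HQ's public IP changes afterwards, the site router keeps sending handshakes to the old address until something re-applies the endpoint, no matter how long it waits or how often HQ is restarted. The added example below (not code from the thread or from OpenWrt) shows the staleness decision and the exact wg command that forces a fresh DNS lookup. The interface name WireGuard is from the posted config; the hostname and public key are placeholders, the sample `wg show` output is constructed, and the 180-second threshold is an assumption (a peer with persistent keepalive re-handshakes roughly every two minutes). OpenWrt's wireguard-tools package ships a shell script named wireguard_watchdog that does the same job and is meant to be run from cron every minute; Python is used here so the logic can be exercised offline.

```python
"""Re-resolve a DDNS WireGuard endpoint once the handshake goes stale (added example)."""
import subprocess
import time

IFACE = "WireGuard"                   # interface name from the posted config
PEER_PUBKEY = "HQ_PEER_PUBLIC_KEY="   # placeholder for the HQ peer's public key
ENDPOINT_HOST = "hq.example.org"      # placeholder for HQ's DDNS name
ENDPOINT_PORT = 51820
STALE_AFTER = 180   # assumption: no handshake for 3 minutes means the tunnel is dead


def parse_latest_handshakes(text):
    """Parse `wg show IFACE latest-handshakes`: one 'pubkey<TAB>unix-time' per line.
    A time of 0 means the peer has never completed a handshake."""
    handshakes = {}
    for line in text.splitlines():
        if line.strip():
            pubkey, ts = line.split()
            handshakes[pubkey] = int(ts)
    return handshakes


def stale_peers(handshakes, now, stale_after=STALE_AFTER):
    """Public keys whose last handshake is older than stale_after seconds or never happened."""
    return [k for k, ts in handshakes.items() if ts == 0 or now - ts > stale_after]


def reresolve_command(iface, pubkey, host, port):
    """The wg(8) invocation that forces a fresh DNS lookup of the endpoint name.
    Setting the same host:port again is enough: wg resolves it in userspace at that
    moment and hands the kernel the new address."""
    return ["wg", "set", iface, "peer", pubkey, "endpoint", f"{host}:{port}"]


def run_once(now=None):
    """One watchdog pass on the router; returns the public keys that were re-resolved.
    Run from cron (e.g. once a minute); needs root and the wg binary."""
    text = subprocess.check_output(["wg", "show", IFACE, "latest-handshakes"], text=True)
    now = int(time.time()) if now is None else now
    fixed = []
    for pubkey in stale_peers(parse_latest_handshakes(text), now):
        if pubkey == PEER_PUBKEY:     # only the peer whose endpoint is a DNS name
            subprocess.check_call(reresolve_command(IFACE, pubkey, ENDPOINT_HOST, ENDPOINT_PORT))
            fixed.append(pubkey)
    return fixed


# Constructed sample of `wg show WireGuard latest-handshakes` for offline checks:
SAMPLE = "HQ_PEER_PUBLIC_KEY=\t1700000000\nOTHER_PEER_KEY=\t0\n"

if __name__ == "__main__":
    for pubkey in stale_peers(parse_latest_handshakes(SAMPLE), 1700000400):
        print("stale:", pubkey, " ".join(reresolve_command(IFACE, pubkey, ENDPOINT_HOST, ENDPOINT_PORT)))
```

Two details matter in practice: a handshake time of 0 must count as stale, otherwise a peer that never came up after a reboot (DDNS name resolving to the old address at boot) is never retried; and the re-resolve is only useful for a peer whose endpoint is a hostname, so the watchdog should skip peers configured with a literal IP.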

This should help: