WireGuard on AP/switch, interface working fine, but no internet for client

Hi, I'm having trouble getting internet access over my wireguard interface on OpenWRT. Hopefully someone can tell me how to fix this.

This is basically how my home-network is set up:

Let me start by saying that the WG-interface is doing everything I initially set out to do; I can reach the openwrt-router (forwarded the port in the main isp-router), and once connected I can reach other clients and their services in my home network.

What I cannot reach are the main router (192.168.77.1) and anything beyond that (the internet itself). If I load a website (any website out of my home network) on the client, it just keeps loading forever. It seems as if the wg-interface doesn't know how to reach my main router (192.168.77.1), and therefore also not the internet.

I've looked at several topics of other people who also didn't have internet-access, but none of them seem to offer a solution for my problem. In one of these topics someone suggested that WireGuard expects to be installed on a router (which has a connected WAN-interface). I use my OpenWRT-router as a switch/AP; it does still have the WAN-interface (from a time when I had double NAT), but nothing is connected to it now. All wired connections, including the one to the ISP-router, are on the LAN-ports.

Can anyone tell me if this is indeed the reason why I don't have internet-access? And more importantly, how can I fix this?

I realise I haven't given many details on the wg-interface itself. I'm not at home atm, but I can of course give more details if needed.

Any help is appreciated.

1 Like

It should work if you allow the traffic in the openwrt firewall settings.

If you still have problems it could be that the main router doesn't know how to reach the wg0 subnet. It can be solved with a static route on the main router or, if that isn't possible, then you need to enable masquerade on the LAN zone.

2 Likes

Hello Mikma, thanks for your reply.

Yes, I agree the first thing to look at is the firewall. The thing is, I'm not running a firewall on the openwrt-device. It's just a switch and wireless-AP now, running DHCP and DNS for the network.

I'd like to try your second suggestion, but unfortunately my provider has dumbed down their router to very minimal configuration options. Setting routes is not an option on the main router.

So that leaves me with your last suggestion on masquerading the LAN-zone. I remember setting up zones when I first got started with openwrt. I'd have to dive into that again to see how to set it up. But before I do, I just want to know; Isn't the whole thing with setting up zones only useful when working with the firewall? Or are zones required regardless of whether or not I use the firewall?

If I understand you correctly, you have DHCP running on your OpenWrt (192.168.77.3) which isn't your gateway.

This means you have to hand out the correct gateway (192.168.77.1) via DHCP Option No. 3.

I think you have to configure IP masquerade manually if you don't use the firewall. But it's probably easier to configure a firewall which allows all traffic.

@lleachii: Yes, dhcp is running on OpenWRT and it's not the gateway (that's 192.168.77.1, the main router). I tried what you suggested, but it doesn't make any difference.

@mikma: It might be easier to set up the firewall, I agree. But I can't really do that. What I didn't show in the picture of my network is that I have a switch with a connected computer in between the 2 routers. When I turn on the firewall I will end up with 2 networks, and all my clients behind the second router lose their connection to that computer.

I'll try and learn some more about routes and masquerading, and see if I can fix it that way.
Thanks for your suggestions.

  • You did renew leases on all devices, correct?
  • You used DHCP Option No. 3 (Gateway)?
  • You entered the IP of your gateway: 3,192.168.77.1 - correct?
  • You rebooted or restarted dnsmasq?

You can't firewall it, a gateway receives traffic on its MAC for another address.

  • no, i didn't. Just reconnected the wg-client
  • yes
  • yes
  • yes

Ok, so I could try again, and renew all leases. Do you mean every device on my home-network? Could you explain why we'd need to do that?

But more in general; What exactly are we trying to accomplish here? I'm not sure how we can get the wg0 to accept the 'new' gateway. Does the wg0-interface even have anything to do with the DHCP? It just sets its own (very different from my home-network) IP and the connection, and that's it, right? Or does it actively start seeking a DHCP-server after establishing the connection?

Just to be clear, my regular network, and the clients connected to the openwrt-router all work fine; they get IP and the gateway from dhcp even without specifically naming it in dhcp-options. Also you showed a small picture where I can input these dhcp-options; on my router the only place where I can find this is in the LAN-interface, not in the wg0-interface. So how are these 'Lan-settings' gonna affect my wg0-interface?

I appreciate you trying to help me. I'm just trying to understand what we are trying to do.

Wait...Wireguard interfaces don't have gateways (they're not Layer 2).

I have 0 things to accomplish in this thread - I'm trying to assist you. Perhaps you should better explain what you're trying to accomplish.

Then I think I'll wait until you do.


  • Are you having issues with your Wireguard peers???
  • Do you have Internet connectivity issues on the device configured for Wireguard???
  • Are you having firewall issues???

Please show the relevant configs after clarifying.

@lleachii Ok, Let me try to explain it better :smiley:

I've updated the picture to better represent my home network.


Ok, so what I'm trying to accomplish is having a VPN-server at home for 2 purposes;

  1. Being able to access any host in my home network and their (web)services on my iphone
  2. Using the internet over my WireGuard connection. In a way that it seems as if it is someone from within my home network.

I'm not at all an expert on openWRT or anything Linux-related. I set up most of OpenWRT through Luci. I know the basics of a CLI, and can ssh into the router, but that's about it.

Then on to WireGuard; I only heard about it a couple of weeks ago from a colleague, telling me how easy it was to set up. So I tried it, following one of the guides available on the internet, and somewhat to my own surprise it actually worked (had to put in the port-forward).

So then I tried to work on goal nr 2, getting the internet to work over this WG-connection. From what I could find online, it seemed most people didn't have to do anything to get this working. Just fill in 0.0.0.0/0 at the client's 'allowed IPs', mark 'route allowed ips' on the 'server-peer' and that's it. Unfortunately that didn't do anything for me. So I started looking for a solution in threads from people having similar issues. Unfortunately the solutions provided very quickly involve routes, iptables, firewall-rules, postup/down-scripts and lots of other things I don't know much about.

So instead of trying these solutions, I posted my issue here, hoping someone would know what could be the cause, and hopefully offering a solution.

So on to the solution you suggested:

Yes, I have dhcp running on the 77.3. From what I know a dhcp-server tells my connected clients what IP to use and what gateway. My regular clients connect to the internet just fine with the info provided by the dhcp. So when you suggested setting the proper gateway, I'm thinking, why? It already hands out the right gateway, what good will it do to put it in there again? Also in Luci I can only set these dhcp-options in the LAN-interface. I was thinking we were trying to set the gateway for the wg0-interface, so that left me wondering how that could be the solution to my problem.

Maybe I sounded a bit rude. I'm sorry, that was not my intention. I very much appreciate people taking the time to help out other people.

Then, to answer your questions:

  • I don't have issues with my wireguard peers. I only have one peer, but connecting is almost instant.
    On a side note; I said before that I could reach other clients in the network. I might have been wrong on that. At the moment (when connected) I can only ping the 'server'-peer (on both the 192.168.77.3 and the 10.200.200.1 IP)
  • Do you mean the iphone or the wg0-interface on openwrt? For the phone, yes I have issues, no internet at all. For the wg0-if, I wouldn't know how to check that.
  • No firewall issues, since I'm not running it at the moment. On my ISP-router I have the Firewall up, with a port-forward to the Openwrt-router, so WG-peers can connect.

I can show you configs, but I'm not sure which are relevant. Can you tell me which ones you'd like to see?

Cheers!

Hopefully :pray: you set up everything on the command line or in the web GUI - if so they're in:

  • /etc/config/network - and
  • /etc/config/firewall

Some notes:

  • You have to permit forwarding from WG to WAN - we need to see your firewall configs to ensure you placed WG into a firewall zone. Placing WG in the LAN zone does this automatically.
  • The allowed IPs of 0.0.0.0/0 should be on the iPhone, the allowed IP for the peer should be an individual /32 up from the subnet
  • Address the interface with the full CIDR of the subnet (e.g. if your WG is 192.168.44.0/24 - you would make the interface on OpenWrt 192.168.44.1/24, and the peer would be 192.168.44.2/32)
  • Disregard my post regarding DHCP and gateways

No rudeness taken, I apologize if I seemed harsh myself. Thank you for the reply, and hope this helps.

Ok, so here's the contents of:

Network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd2e:30c7:c9f6::/48'

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ifname 'eth0.1'
        option ipaddr '192.168.77.3'
        option gateway '192.168.77.1'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 0t'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'private-key'
        option listen_port '51820'
        list addresses '10.200.200.1/24'

config wireguard_wg0
        option public_key 'public-key'
        option persistent_keepalive '25'
        list allowed_ips '10.200.200.2/32'
        option route_allowed_ips '1'

& the contents of Firewall

config defaults
        option forward 'REJECT'
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'

config redirect
        option enabled '1'

config rule
        option enabled '1'
        option target 'ACCEPT'

...ok, so nothing is in a firewall zone at the moment I guess (I disabled the firewall and removed the zones once I started using the openwrt router as a switch a year ago).

edit: @lleachii: I think I'm making some progress at the moment. Will try a few things today, and report back with the results

@lleachii Ok, I'm stuck again. Tried different firewall settings, but the only thing that improved is that I can now reach all my other LAN devices (from the wg-client) with the exception of the main router (77.1). This was suddenly possible after I set a zone-forward from 'vpn' to 'lan'. I can also reach them by (private) DNS-name. Other than that, the situation is pretty much the same.

Here's my network and firewall configs. Hopefully you can see what's wrong with it

Network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd2e:30c7:c9f6::/48'

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ifname 'eth0.1'
        option ipaddr '192.168.77.3'
        option gateway '192.168.77.1'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 0t'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'pri-key'
        option listen_port '51820'
        list addresses '10.200.200.1/24'

config wireguard_wg0
        option public_key 'pub-key'
        option persistent_keepalive '25'
        list allowed_ips '10.200.200.2/32'
        option route_allowed_ips '1'

Firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config redirect
        option enabled '1'

config rule
        option enabled '1'
        option target 'ACCEPT'

config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option name 'lan'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option forward 'REJECT'
        option output 'ACCEPT'
        option name 'wan'
        option network 'wan wan6'
        option input 'REJECT'

config zone
        option output 'ACCEPT'
        option name 'vpn'
        option network 'wg0'
        option input 'ACCEPT'
        option forward 'ACCEPT'

config forwarding
        option dest 'lan'
        option src 'vpn'

Please use "Preformatted text </>" for logs, scripts, configs and general console output.

Please edit your posting accordingly.
Thanks!

1 Like

If you want Internet, add a VPN to WAN too.

Tried that. But it makes no difference. Also, in case you missed that part; My WAN-IF is (physically) not connected to anything. The router operates as a switch, and everything (clients and my main router) is connected to the LAN-ports. So would setting firewall or forward rules for that interface make any difference at all?

I've been reading other threads of people trying to pinpoint their problem by analysing the traffic with tcpdump. Unfortunately my only client is an iPhone, and there are no apps for doing that on iOS.

Do you know of any tools to do anything like that? Maybe if I can find where the traffic stops, it's easier to find the problem.

Any other suggestions are also welcome of course

You need to add a static route on the ISP-router: destination network 10.200.200.0/24 - gateway 192.168.77.3

@leeandy Thanks for the suggestion, but my ISP-router is extremely limited, and I cannot add static routes unfortunately.

So there is no way to route wireguard client with your network topology.

@lleachii @leeandy @mikma Yes, success!!!

That was it all along, masquerading the LAN-zone. I'm afraid I haven't tried it because I didn't have the firewall up when this was suggested. And when I did, I guess I forgot about this option.

Anyways, I was almost about to give up on this. Just re-read the thread one more time to make sure I didn't miss anything. Glad I did!

Thank you all for helping me. Now all I need to do is find out what I actually did by masquerading the LAN :smile:

2 Likes
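For the last question, what masquerading the LAN zone actually did, the following added example (not from the thread, not OpenWrt code) walks a request and its reply hop by hop through a model of this topology: the phone at 10.200.200.2, OpenWrt at 10.200.200.1/192.168.77.3, the ISP router at 192.168.77.1 doing NAT to the Internet. The public addresses 198.51.100.x and 203.0.113.10 are constructed from the documentation ranges, and the model ignores ports and conntrack details. It covers the three cases from the thread: no masquerade (the reply for 10.200.200.2 reaches the ISP router, which has no route for that subnet and sends it out its default route, where it is lost), masq on the lan zone (the reply is addressed to 192.168.77.3 and un-NATed on OpenWrt), and the static route on the ISP router that leeandy suggested.

```python
"""Hop-by-hop model of the thread's topology: why WireGuard replies are lost
without masquerade on the OpenWrt LAN zone (or a static route on the ISP router).
Added example; addresses in 198.51.100.0/24 and 203.0.113.0/24 are constructed."""
import ipaddress
from typing import Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address

# Addresses from the thread, plus constructed public ones (documentation ranges).
PHONE, WG_GW = '10.200.200.2', '10.200.200.1'
OPENWRT_LAN, ISP_LAN = '192.168.77.3', '192.168.77.1'
ISP_PUBLIC, UPSTREAM, WEB = '198.51.100.7', '198.51.100.1', '203.0.113.10'


class Node:
    """Tiny host/router: interface addresses, longest-prefix-match routes and
    optional source NAT on selected egress interfaces. NAT state is one mapping
    per external address (no ports): enough to show the reverse path."""

    def __init__(self, name: str, ifaces: Dict[str, str],
                 routes: List[Tuple[str, str, Optional[str]]], snat_ifaces=()):
        self.name = name
        self.ifaces = {i: ipaddress.ip_address(a) for i, a in ifaces.items()}
        self.routes = sorted(
            [(ipaddress.ip_network(p), i, ipaddress.ip_address(v) if v else None)
             for p, i, v in routes],
            key=lambda r: r[0].prefixlen, reverse=True)
        self.snat_ifaces = set(snat_ifaces)
        self.nat: Dict[IPv4, IPv4] = {}          # external src -> original src

    def process(self, src: IPv4, dst: IPv4):
        """('deliver', src, dst) | ('drop', reason, None) | ('send', next_hop, (src, dst))."""
        if dst in self.nat:                       # reply to a masqueraded flow: undo SNAT
            dst = self.nat[dst]
        if dst in self.ifaces.values():
            return 'deliver', src, dst
        for net, iface, via in self.routes:
            if dst in net:
                break
        else:
            return 'drop', f'{self.name}: no route to {dst}', None
        if iface in self.snat_ifaces:             # masquerade behind the egress address
            self.nat[self.ifaces[iface]] = src
            src = self.ifaces[iface]
        return 'send', via or dst, (src, dst)


def trace(nodes: Dict[str, Node], start: str, src: str, dst: str):
    """Walk one packet; returns (outcome, path, src_as_delivered, dst_as_delivered)."""
    owner = {a: n.name for n in nodes.values() for a in n.ifaces.values()}
    cur = start
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    path = [cur]
    for _ in range(16):                           # loop guard
        status, x, y = nodes[cur].process(s, d)
        if status == 'deliver':
            return 'delivered', path, x, y
        if status == 'drop':
            return 'dropped: ' + x, path, s, d
        if x not in owner:
            return f'dropped: {cur}: no neighbour owns {x}', path, s, d
        cur, (s, d) = owner[x], y
        path.append(cur)
    return 'dropped: hop limit', path, s, d


def build(masq_lan: bool, isp_static_route: bool) -> Dict[str, Node]:
    """The thread's topology with the two candidate fixes as switches."""
    isp_routes = [('192.168.77.0/24', 'lan', None), ('0.0.0.0/0', 'wan', UPSTREAM)]
    if isp_static_route:                          # leeandy's suggestion
        isp_routes.append(('10.200.200.0/24', 'lan', OPENWRT_LAN))
    nodes = [
        Node('phone', {'wg': PHONE}, [('0.0.0.0/0', 'wg', WG_GW)]),
        Node('openwrt', {'wg0': WG_GW, 'lan': OPENWRT_LAN},
             [('10.200.200.0/24', 'wg0', None), ('192.168.77.0/24', 'lan', None),
              ('0.0.0.0/0', 'lan', ISP_LAN)],
             snat_ifaces={'lan'} if masq_lan else set()),   # option masq '1' on zone lan
        Node('isp', {'lan': ISP_LAN, 'wan': ISP_PUBLIC}, isp_routes, snat_ifaces={'wan'}),
        # The Internet side only knows public space; RFC 1918 destinations have no route.
        Node('internet', {'up': UPSTREAM, 'web': WEB}, [('198.51.100.0/24', 'up', None)]),
    ]
    return {n.name: n for n in nodes}


def round_trip(masq_lan: bool, isp_static_route: bool = False):
    """Request phone -> web server, then the reply; returns (request, reply, reply_path)."""
    nodes = build(masq_lan, isp_static_route)
    req, _, seen_src, seen_dst = trace(nodes, 'phone', PHONE, WEB)
    if req != 'delivered':
        return req, None, []
    rep, path, _, _ = trace(nodes, 'internet', str(seen_dst), str(seen_src))
    return req, rep, path


if __name__ == '__main__':
    for masq, route in ((False, False), (True, False), (False, True)):
        print(f'masq_lan={masq} isp_static_route={route}:', round_trip(masq, route))
```

The request always gets out, because every hop has a default route; it is the reply that decides. Without masq the ISP router receives a packet for 10.200.200.2, matches only its default route and hands it to the upstream, which is exactly the "loading forever" seen on the phone. With masq on lan, OpenWrt is the one the ISP router knows how to reach, and OpenWrt's own NAT table maps the reply back to the WireGuard peer.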