Let me start by saying that the WG-interface is doing everything I initially set out to do; I can reach the openwrt-router (forwarded the port in the main isp-router), and once connected I can reach other clients and their services in my home network.
What I cannot reach are the main router (192.168.77.1) and anything beyond that (the internet itself). If I load a website (any website outside my home network) on the client, it just keeps loading forever. It seems as if the wg-interface doesn't know how to reach my main router (192.168.77.1), and therefore not the internet either.
I've looked at several topics of other people who also didn't have internet-access, but none of them seem to offer a solution for my problem. In one of these topics someone suggested that WireGuard expects to be installed on a router (which has a connected WAN-interface). I use my OpenWRT-router as a switch/AP; it does still have the WAN-interface (from a time when I had double NAT), but nothing is connected to it now. All wired connections, including the one to the ISP-router, are on the LAN-ports.
Can anyone tell me if this is indeed the reason why I don't have internet-access? And more importantly, how can I fix this?
I realise I haven't given many details on the wg-interface itself. I'm not at home atm, but I can of course give more details if needed.
It should work if you allow the traffic in the openwrt firewall settings.
If you still have problems it could be that the main router doesn't know how to reach the wg0 subnet. It can be solved with a static route on the main router, or if that isn't possible then you need to enable masquerade on the LAN zone.
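As an added example (constructed for this thread, not a config posted by anyone in it), here is what the masquerade approach above looks like in OpenWrt's UCI files, assuming the OpenWrt box is 192.168.77.3 on br-lan, the ISP router is 192.168.77.1, the WireGuard interface is named wg0 with the 10.200.200.0/24 subnet, and the zones are called 'lan' and 'vpn':

```uci
# /etc/config/firewall (fragment) -- constructed example, not the poster's config.
# Assumptions: OpenWrt box = 192.168.77.3, ISP router = 192.168.77.1,
# WireGuard interface = wg0 (10.200.200.0/24), zone names 'lan' and 'vpn'.

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	# The ISP router has no route back to 10.200.200.0/24 and cannot be given one,
	# so anything forwarded out towards the LAN gets source 192.168.77.3 instead.
	# Without this, replies from 192.168.77.1 (and the internet) never come back.
	option masq '1'

config zone
	option name 'vpn'
	list network 'wg0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Let WireGuard peers reach the LAN (and, through the ISP router, the internet).
config forwarding
	option src 'vpn'
	option dest 'lan'

# /etc/config/network (fragment, OpenWrt 21+ syntax assumed) -- the box itself
# needs a default route via the ISP router, or it has nowhere to forward peer
# traffic bound for the internet; a pure switch/AP setup often lacks this line.
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.77.3'
	option netmask '255.255.255.0'
	option gateway '192.168.77.1'
```

After `/etc/init.d/firewall restart`, `ip route` on the OpenWrt box should show `default via 192.168.77.1` and `iptables -t nat -S zone_lan_postrouting` should list a MASQUERADE rule. The trade-off is that LAN hosts then see every peer as 192.168.77.3, so where the main router can take a static route for 10.200.200.0/24 via 192.168.77.3, that is the cleaner option.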
Yes, I agree the first thing to look at is the firewall. The thing is, I'm not running a firewall on the openwrt-device. It's just a switch and wireless-AP now, running DHCP and DNS for the network.
I'd like to try your second suggestion, but unfortunately my provider has dumbed down their router to very minimal configuration options. Setting routes is not an option on the main router.
So that leaves me with your last suggestion on masquerading the LAN-zone. I remember setting up zones when I first got started with openwrt. I'd have to dive into that again to see how to set it up. But before I do, I just want to know: isn't the whole thing with setting up zones only useful when working with the firewall? Or are zones required regardless of whether or not I use the firewall?
@lleachii: Yes, dhcp is running on OpenWRT and it's not the gateway (that's 192.168.77.1, the main router). I tried what you suggested, but it doesn't make any difference.
@mikma: It might be easier to set up the firewall, I agree. But I can't really do that. What I didn't show in the picture of my network is that I have a switch with a connected computer in between the 2 routers. When I turn on the firewall I will end up with 2 networks, and all my clients behind the second router lose their connection to that computer.
I'll try and learn some more about routes and masquerading, and see if I can fix it that way.
Thanks for your suggestions.
Ok, so I could try again, and renew all leases. Do you mean every device on my home-network? Could you explain why we'd need to do that?
But more in general: what exactly are we trying to accomplish here? I'm not sure how we can get the wg0 to accept the 'new' gateway. Does the wg0-interface even have anything to do with the DHCP? It just sets its own (very different from my home-network) IP and the connection, and that's it, right? Or does it actively start seeking a DHCP-server after establishing the connection?
Just to be clear, my regular network, and the clients connected to the openwrt-router, all work fine; they get IP and the gateway from dhcp even without specifically naming it in dhcp-options. Also you showed a small picture where I can input these dhcp-options; on my router the only place where I can find this is in the LAN-interface, not in the wg0-interface. So how are these 'Lan-settings' gonna affect my wg0-interface?
I appreciate you trying to help me. I'm just trying to understand what we are trying to do.
Ok, so what I'm trying to accomplish is having a VPN-server at home for 2 purposes:
1. Being able to access any host in my home network and their (web)services on my iphone.
2. Using the internet over my WireGuard connection, in a way that it seems as if it is someone from within my home network.
I'm not at all an expert on openWRT or anything Linux-related. I set up most of OpenWRT through Luci. I know the basics of a CLI, and can ssh into the router, but that's about it.
Then on to WireGuard; I only heard about it a couple of weeks ago from a colleague, telling me how easy it was to set up. So I tried it, following one of the guides available on the internet, and somewhat to my own surprise it actually worked (had to put in the port-forward).
So then I tried to work on goal nr 2, getting the internet to work over this WG-connection. From what I could find online, it seemed most people didn't have to do anything to get this working. Just fill in 0.0.0.0/0 at the client's 'allowed IPs', mark 'route allowed ips' on the 'server-peer' and that's it. Unfortunately that didn't do anything for me. So I started looking for a solution in threads from people having similar issues. Unfortunately the solutions provided very quickly involve routes, iptables, firewall-rules, postup/down-scripts and lots of other things I don't know much about.
So instead of trying these solutions, I posted my issue here, hoping someone would know what could be the cause, and hopefully offering a solution.
So on to the solution you suggested:
Yes, I have dhcp running on the 77.3. From what I know a dhcp-server tells my connected clients what IP to use and what gateway. My regular clients connect to the internet just fine with the info provided by the dhcp. So when you suggested setting the proper gateway, I'm thinking, why? It already hands out the right gateway, what good will it do to put it in there again? Also in Luci I can only set these dhcp-options in the LAN-interface. I was thinking we were trying to set the gateway for the wg0-interface, so that left me wondering how that could be the solution to my problem.
Maybe I sounded a bit rude. I'm sorry, that was not my intention. I very much appreciate people taking the time to help out other people.
Then, to answer your questions:
I don't have issues with my wireguard peers. I only have one peer, but connecting is almost instant.
On a side note: I said before that I could reach other clients in the network. I might have been wrong on that. At the moment (when connected) I can only ping the 'server'-peer (on both the 192.168.77.3 and the 10.200.200.1 IP).
Do you mean the iphone or the wg0-interface on openwrt? For the phone, yes I have issues, no internet at all. For the wg0-if, I wouldn't know how to check that.
No firewall issues, since I'm not running it at the moment. On my ISP-router I have the firewall up, with a port-forward to the Openwrt-router, so WG-peers can connect.
I can show you configs, but I'm not sure which are relevant. Can you tell me which ones you'd like to see?
@lleachii Ok, I'm stuck again. Tried different firewall settings, but the only thing that improved is that I can now reach all my other LAN devices (from the wg-client) with the exception of the main router (77.1). This was suddenly possible after I set a zone-forward from 'vpn' to 'lan'. I can also reach them by (private) DNS-name. Other than that, the situation is pretty much the same.
Here's my network and firewall configs. Hopefully you can see what's wrong with it.
Tried that. But it makes no difference. Also, in case you missed that part: my WAN-IF is (physically) not connected to anything. The router operates as a switch, and everything (clients and my main router) is connected to the LAN-ports. So would setting firewall or forward rules for that interface make any difference at all?
I've been reading other threads of people trying to pinpoint their problem by analysing the traffic with tcpdump. Unfortunately my only client is an iPhone, and there are no apps for doing that on iOS.
Do you know of any tools to do anything like that? Maybe if I can find where the traffic stops, it's easier to find the problem.