Wireguard on raspberry and single interface

Hi all,

I've been using OpenWrt for a while but I'm now setting up a raspberry PI with Wireguard and I'd use only one interface.
I've configured the vpn and seems I can connect (I see traffic on both my android app and raspberry UI) but I cannot reach any of the IPs of the lan.
I've tried to check firewall and zone with no luck.

Any suggestions?

Thank you

Are the Raspberry Pi and your LAN devices in the same subnet/VLAN and are they in the same firewall zone? If not you may need some firewall traffic rules or allow inter-VLAN routing my specifying zone forwarding.

yes network is the same, also the IP that is set on the client belong to the same network. I associated the wg0 interface to LAN zone

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
grafik
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*

Here the output, eth1 is present but not planning to use it and is disconnected.

root@OpenWrt:/etc/config# ubus call system board; \
> uci export network; \
> uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> ip -4 addr ; ip -4 ro åli tab all ; ip -4 ru; \
> ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
{
	"kernel": "5.4.154",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 3",
	"model": "Raspberry Pi 4 Model B Rev 1.4",
	"board_name": "raspberrypi,4-model-b",
	"release": {
		"distribution": "OpenWrt",
		"version": "21.02.1",
		"revision": "r16325-88151b8303",
		"target": "bcm27xx/bcm2711",
		"description": "OpenWrt 21.02.1 r16325-88151b8303"
	}
}
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdd6:6dd4:d0e6::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.100.210'
	option gateway '192.168.100.254'
	option broadcast '192.168.100.255'
	list dns '1.1.1.1'
	list dns '8.8.8.8'

config interface 'WAN'
	option device 'eth1'
	option proto 'dhcp'

config interface 'wg0'
	option proto 'wireguard'
	option private_key ''
	option listen_port '51820'
	list addresses '192.168.100.210'

config wireguard_wg0
	option description 'Android'
	option public_key ''
	option route_allowed_ips '1'
	list allowed_ips '0.0.0.0/0'

package dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option leasetime '12h'
	option dhcpv4 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ignore '1'
	option start '100'
	option limit '150'
	option ra 'hybrid'
	option dhcpv6 'hybrid'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'wg0'
	option interface 'wg0'
	option ignore '1'
	list ra_flags 'none'

package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wg0'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'WAN'
	option input 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config rule
	option name 'Test-temporary'
	option target 'ACCEPT'
	option family 'ipv4'
	option src 'lan'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
6: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 192.168.100.210/32 brd 255.255.255.255 scope global wg0
       valid_lft forever preferred_lft forever
9: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.100.210/24 brd 192.168.100.255 scope global br-lan
       valid_lft forever preferred_lft forever
default via 192.168.100.254 dev br-lan proto static
192.168.100.0/24 dev br-lan proto kernel scope link src 192.168.100.210
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.100.0 dev br-lan table local proto kernel scope link src 192.168.100.210
local 192.168.100.210 dev wg0 table local proto kernel scope host src 192.168.100.210
local 192.168.100.210 dev br-lan table local proto kernel scope host src 192.168.100.210
broadcast 192.168.100.255 dev br-lan table local proto kernel scope link src 192.168.100.210
0:	from all lookup local
32766:	from all lookup main
32767:	from all lookup default
lrwxrwxrwx    1 root     root            16 Oct 24 09:01 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            47 Feb 23 15:49 /tmp/resolv.conf
-rw-r--r--    1 root     root            54 Feb 23 15:24 /tmp/resolv.conf.d/resolv.conf.auto

/tmp/resolv.conf.d:
-rw-r--r--    1 root     root            54 Feb 23 15:24 resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface lan
nameserver 1.1.1.1
nameserver 8.8.8.8

This is overlapping your LAN subnet. It must be a different subnet. You can use anything that is non-overlapping. For example, for they interface definition, 192.168.9.1/24 is a common choice.

Then, for the peer, I recommend setting the allowed IPs to a /32 in the same subnet as the WG interface. So maybe 192.168.9.2/32.

1 Like

I've tried but no luck. still same issue.

It appears that you have an upstream router (192.168.100.254) -- did you add a route to the OpenWrt WG network?
192.168.9.0/24 via 192.168.100.210. <----- this needs to be added to the main router on the network.

If that is not possible, there is another way to handle this -- enable masquerading on the LAN zone.

1 Like

Thx @psherman for your help, yes I do have a router upstream so openwrt is just meant to be a network host with wireguard functionality.
Architecture looks like:

main router [public IP on eth1, private IP on eth0] -> Pi4 with openwrt[private IP on eth0]
Port forwarding from upstream router to openwrt where wireguard is listening.

I have 2 choices now:
1- Configure 2nd ETH of my Pi4 (eth1) and create a secondary network that I can use to access my box
2- Configure the VPN so that ETH0 of Pi4 is reachable rom wireguard clients (Preferred)

Any advice?
thx

Did you check to see if your main router supports static routes?

nope it doesn't unfortunately

Ok. Then here is how you’ll make this work:

  • create a new firewall zone for the vpn (it can mirror the settings for the lan zone).
  • remove wg0 from the lan zone
  • add wg0 to the new vpn zone
  • allow forwarding from vpn zone > lan zone
  • enable masquerading on the lan zone.

Give that a shot. If it doesn’t work, post your current network and firewall config files as well as the remote peer (“client”) wg config.

1 Like