Wireguard routing help

I have two routers. Main: Asus AC86U, WAN DHCP, LAN 192.168.0.0/24, running factory AsusWRT.
On the LAN side, I have a NeWiFi router running OpenWrt with Wireguard.

When the NeWiFi was running as a router, LAN IP was 192.168.1.0/24 and Wireguard was working perfectly.

I changed the NeWiFi to a switch, and it basically works as a switch and WiFi access point. Now I can connect the Wireguard from outside, but the only IP I can access is the NeWiFi router's static IP in the 192.168.0.0/24 range. I am missing some routing somewhere, but any help would be appreciated.

Tar

Yes, the hosts in the LAN don't know of the existence of the Wireguard network. You need to add a static route for the subnet of Wireguard in the Asus.

Thanks. That was half the battle. Now I can connect to anything within the LAN segment. Now I have to figure out how to surf the net. I think I have to add a route on the NeWiFi now.

That can prove helpful.

Any thoughts on what it should be? Should it be to forward 0.0.0.0 to the Asus LAN address?

Let me see the network configuration first:
uci export network

Here is what I got.

package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd35:f8fc:2295::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.0.4'
        option gateway '192.168.0.1'
        option dns '8.8.8.8 8.8.4.4'

config device 'lan_dev'
        option name 'eth0.1'
        option macaddr '22:76:93:2c:4e:88'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'
        option peerdns '0'
        option dns '8.8.8.8 8.8.4.4'

config device 'wan_dev'
        option name 'eth0.2'
        option macaddr '22:76:93:2c:4e:89'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 4 6t'
        option vid '1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '6t'
        option vid '2'

config interface 'wg0'
        option proto 'wireguard'
        option private_key ''
        option listen_port '51820'
        list addresses '10.200.200.1/24'

config wireguard_wg0
        option public_key ''
        list allowed_ips '10.200.200.0/24'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

Will do. I wasn't sure how to use those.

It is already configured there: the gateway in the lan interface.
The other reason for failing is that the ISP router will not masquerade (NAT) networks which are not directly connected. If that is the case and you cannot change it, you'll have to enable masquerade on the lan firewall zone.
While we are here, in the WG peer config change the allowed_ips to the IP that the peer is using, like 10.200.200.2/32, and remove the route_allowed_ips. The persistent_keepalive is important to be present on the peer configuration; here it won't do much.
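The OpenWrt-side changes from the reply above (masquerade on the lan zone, peer allowed_ips narrowed to a /32, route_allowed_ips dropped), as an added example script rather than anything posted in this thread. It assumes the section names from the posted config (interface wg0, a wireguard_wg0 peer section) and a firewall zone named lan; the peer address 10.200.200.2/32 is the placeholder the reply used. The static route on the Asus is outside this router and is not scripted here.

```shell
#!/bin/sh
# Added example (not from the thread): apply the OpenWrt-side fixes with uci.
# Assumptions: WireGuard interface is wg0, the peer section type is
# wireguard_wg0, and the firewall zone covering the LAN is named 'lan'.

WG_IF="${WG_IF:-wg0}"
PEER_IP="${PEER_IP:-10.200.200.2/32}"   # placeholder from the reply; set to the real peer address

# Print the UCI section id of the firewall zone named 'lan' (e.g. @zone[1]).
lan_zone_section() {
    uci show firewall \
        | grep "\.name='lan'$" \
        | head -n 1 \
        | sed "s/^firewall\.\(.*\)\.name='lan'$/\1/"
}

# Print the UCI section id of the first peer attached to $WG_IF.
wg_peer_section() {
    uci show network \
        | grep "^network\.[^.]*=wireguard_${WG_IF}$" \
        | head -n 1 \
        | sed "s/^network\.\([^=]*\)=.*/\1/"
}

# Masquerade traffic leaving the lan zone, so an upstream router that does not
# NAT non-connected networks still sees a source address it knows.
enable_lan_masquerade() {
    zone="$(lan_zone_section)"
    [ -n "$zone" ] || { echo "no firewall zone named 'lan'" >&2; return 1; }
    uci set "firewall.${zone}.masq=1"
}

# Restrict the peer to its own /32 and stop pulling routes from allowed_ips;
# the wg0 subnet is already a connected route via the interface address.
tighten_peer() {
    peer="$(wg_peer_section)"
    [ -n "$peer" ] || { echo "no wireguard_${WG_IF} peer section" >&2; return 1; }
    uci delete "network.${peer}.allowed_ips"
    uci add_list "network.${peer}.allowed_ips=${PEER_IP}"
    uci -q delete "network.${peer}.route_allowed_ips"
}

apply_all() {
    enable_lan_masquerade
    tighten_peer
    uci commit firewall
    uci commit network
    /etc/init.d/firewall reload
    /etc/init.d/network reload
}

# Only run on a box that actually has uci; on anything else the functions can
# still be sourced and exercised with a stub.
if command -v uci >/dev/null 2>&1; then
    apply_all
fi
```

Before committing, `uci show firewall` and `uci show network` are worth a look to confirm the zone and peer section ids the script resolved; `uci changes` lists the pending edits.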

Thank you so kindly. Just starting the dnsmasq service took care of it.

Tariq
