Last year, I successfully installed OpenWrt on my router. However, since then I can’t connect to my home server running as a WireGuard peer, so I can connect to it and access my local network from everywhere.
My setup is:
My ISP router ←—→ My OpenWrt router ←—→ My WireGuard server
I’m posting on this forum because the problem occurred since I installed OpenWrt (I did not change my WireGuard configs since). What I did correctly (I think) is port redirection on both routers (it’s like when the router was on stock firmware). I’m able to connect to my WireGuard server, but then I have no access to the local network or the Internet. So I think it could be a routing issue, maybe?
If anyone has an idea of what could be wrong, any help would be appreciated. If I need to share specific details, don’t hesitate to ask. Thanks in advance!
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):
Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
To be clear, the client is connecting from the Internet provided by the ISP router assigned a public IP and you've made a port forward for the Wireguard listening port, correct?
```json
root@OpenWrt:~# ubus call system board
{
	"kernel": "6.6.73",
	"hostname": "OpenWrt",
	"system": "Qualcomm Atheros QCA956X ver 1 rev 0",
	"model": "Xiaomi AIoT AC2350",
	"board_name": "xiaomi,aiot-ac2350",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.0",
		"revision": "r28427-6df0e3d02a",
		"target": "ath79/generic",
		"description": "OpenWrt 24.10.0 r28427-6df0e3d02a",
		"builddate": "1738624177"
	}
}
```
```
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdab:64ff:ac97::/48'
	option packet_steering '2'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'
	option ipv6 '0'

config device
	option name 'eth0.1'
	option macaddr 'MAC_ADDRESS'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list dns '192.168.1.200'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'
	option peerdns '0'
	list dns '192.168.1.200'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option norelease '1'
	option peerdns '0'
	option disabled '1'
	list dns '192.168.1.200'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 0t'

config route
	option interface 'wan'
	option target '192.168.1.4/8'
	option gateway '192.168.1.4'
	option disabled '1'

config device
	option type 'bridge'
	option name 'br-guest'
	option bridge_empty '1'
	option ipv6 '0'

config interface 'guest'
	option proto 'static'
	option device 'br-guest'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
```
```
root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'VPN'
	list proto 'udp'
	option src 'wan'
	option src_dport '1694'
	option dest_ip '192.168.1.200'
	option dest_port '1694'

config redirect
	option target 'DNAT'
	option name 'ISP Router'
	option src 'lan'
	option src_dport '5361'
	option dest_port '443'
	option dest 'wan'
	option dest_ip '192.168.1.4'
	list proto 'tcp'
	list proto 'udp'
	option enabled '0'

config rule
	option name 'DNS Blocking'
	option src 'wan'
	option src_port '53'
	option dest '*'
	option target 'REJECT'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'wan'

config rule
	option name 'Allow-DNS-Guest'
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCP-Guest'
	option src 'guest'
	option dest_port '67'
	option target 'ACCEPT'
```
My ISP router is 192.168.1.4, my Server running WireGuard is 192.168.1.200 and my OpenWrt router is 192.168.1.1.
You can also see my redirection for the VPN with port 1694.
And yes you are correct, from outside my home network I connect to my ISP IP (with dynamic DNS, I don’t have a static IP), and my ISP router has the correct port open and redirects it to my OpenWrt router on port 1694.
It's not clear how the OpenWrt is involved or why you have it in the chain. Can you explain how you direct traffic from the ISP device to the WireGuard server?
Yes the ISP router is connected directly to the Internet.
The OpenWrt port connected to the ISP router is the WAN port. The server running WireGuard is connected to one of the 3 LAN ports of the OpenWrt router.
I’m not really sure, but I would say bridged IP? It gets the Internet connection from the ISP router, and I connect every device to it (the ISP router has Wi-Fi disabled; nothing is connected to it except the OpenWrt router and the Internet).
If I’m not wrong, all devices (that includes the ISP router) are on the same subnet. Also, the server running WireGuard (192.168.1.200) also serves as the DNS server, but I don’t think it matters here. (Note that DoH redirection from the Internet to 192.168.1.200 works perfectly, and I did the same thing I did for WireGuard, just mapping/opening ports on both routers.)
No, WireGuard is running on another machine connected to the OpenWrt router through a LAN port (the machine running WireGuard is 192.168.1.200).
Yes.
Before OpenWrt the router was just running its official, closed-source firmware from Xiaomi (which was a heavily modified version of OpenWrt, according to them).
The ISP router (192.168.1.4) is connected to the Internet, and has 4 LAN ports. One of these ports connects it to the OpenWrt router (WAN port, 192.168.1.1). The WireGuard server (192.168.1.200) is connected to a LAN port of the OpenWrt router.
I'd love to review which docs you followed -- there are many changes here that don't seem right at all. Could you show us what documentation you were using?
I'll ask this a different way -- what is the purpose of the OpenWrt router on your network? Right now, you could remove it from your network and things would probably work properly (maybe even better).
A fundamental requirement of all routing (not unique to OpenWrt, but absolutely relevant) is that every network interface (i.e. wan, lan, guest, VPN, etc.) must be on its own unique non-overlapping subnet.
If your goal is simply to use the existing subnet from the ISP router, the OpenWrt router is not needed at all, or at least not in a routing capacity (maybe you want it for wireless??).
I must add that I made a really strange observation: when I connect with the same WireGuard configuration from my Android phone, I can reach the Internet from my home network (I didn’t test local devices, but I guess that works too?). I don’t know if it helps or if it makes everything even more confusing tho :’)
It sounds like what you probably want is a bridged AP and then a guest network on top of that.
If, on the other hand, you don't want anything directly connected to your ISP router, you can either remove/replace it entirely (if that is possible), or you can move everything such that it is behind the OpenWrt router (with nothing, other than the OpenWrt router itself connecting to the ISP router).
Doing all of the routing on your OpenWrt router gives you more flexibility and control, if that's something you want/need. However, if you do want to use OpenWrt as your main router, you would want to disable the wifi on your ISP router so that OpenWrt is the only active wifi network.
Do you want/need to have both devices providing wifi for adequate coverage of your home, or does the OpenWrt device provide sufficient performance/coverage to enable you to use it exclusively?
Reset your OpenWrt router to defaults (your current config is very broken, no need to save anything)
Change the lan IP to something like 192.168.23.1/24 (this is an example, it can be any RFC1918 range, but you must avoid 192.168.1.0/24 since that is the subnet used by the upstream)
Configure wifi on the OpenWrt router.
Connect a cable between the ISP's lan port and the wan of your openwrt router.
Connect all of your devices to the wifi and/or ethernet ports of your OpenWrt router (the only thing connected to the ISP router will be your OpenWrt router).
Now, everything on your network will be behind the OpenWrt router. You'll need to update the hosts on your network (and your external DHCP server, if you continue to use it) to participate on the new lan subnet you've created. (also, if you're using an external DHCP server, be sure to disable the DHCP server on the OpenWrt lan).
Once all of that is working normally, you can set up port forwarding on the ISP router to either "DMZ"/port-forward all to the OpenWrt router (the address on the OpenWrt wan in the 192.168.1.0/24 network), or set specific port forwards for what you need. And then make a corresponding port forward from your OpenWrt router to your server. (Alternatively, you could run WireGuard on the OpenWrt router instead.)
With a successful setup of all of the previous stuff, you can move on and create a guest wifi network. If you need this to be connected to ethernet, too, a few tweaks will get that done.
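The non-overlap rule stated earlier in the thread (every interface on its own subnet) and the re-homing steps above, as an added POSIX shell example that is not code from this thread or from the OpenWrt project. It assumes the ISP router keeps 192.168.1.0/24, that the new OpenWrt LAN is the 192.168.23.1/24 suggested above, that the WireGuard host is re-addressed to 192.168.23.200 once it moves behind OpenWrt, and that the listen port stays 1694; those values are placeholders to edit. The script refuses to touch anything while the chosen LAN still overlaps the upstream subnet (the state the posted config is in), and it only runs `uci` when that binary exists; anywhere else it prints the commands it would run.

```shell
#!/bin/sh
# Added example (not from the thread): re-home the OpenWrt LAN off the ISP
# router's subnet, then forward WireGuard to the server behind OpenWrt.
# All addresses below are assumptions taken from the thread's suggestions.

UPSTREAM_LAN='192.168.1.0/24'   # ISP router's LAN, as described in the thread
NEW_LAN='192.168.23.1/24'       # example LAN address/prefix from the reply
WG_SERVER='192.168.23.200'      # assumed new address of the WireGuard host
WG_PORT='1694'                  # UDP listen port already used in the thread

# Dotted quad -> 32-bit integer. Runs in a subshell so IFS stays local.
ip2int() (
  IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# cidr_overlap A/len B/len -> exit 0 when the two ranges overlap.
# Two prefixes overlap iff they agree under the shorter of the two masks.
cidr_overlap() {
  len_a=${1#*/}; len_b=${2#*/}
  len=$len_a
  if [ "$len_b" -lt "$len_a" ]; then len=$len_b; fi
  mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
  [ $(( $(ip2int "${1%/*}") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}

# Execute on a real router; elsewhere print what would have run (dry run).
run() {
  if command -v uci >/dev/null 2>&1; then "$@"; else echo "+ $*"; fi
}

apply_lan_and_forward() {
  # Re-home the LAN (the reply's "change the lan IP" step).
  run uci set network.lan.ipaddr="${NEW_LAN%/*}"
  run uci set network.lan.netmask='255.255.255.0'
  # Only if an external DHCP server is kept, as the reply notes:
  # run uci set dhcp.lan.ignore='1'
  # wan:1694/udp -> WireGuard host, matching the ISP router's own forward.
  run uci add firewall redirect
  run uci set firewall.@redirect[-1].name='WireGuard'
  run uci set firewall.@redirect[-1].target='DNAT'
  run uci set firewall.@redirect[-1].src='wan'
  run uci set firewall.@redirect[-1].src_dport="$WG_PORT"
  run uci set firewall.@redirect[-1].dest='lan'
  run uci set firewall.@redirect[-1].dest_ip="$WG_SERVER"
  run uci set firewall.@redirect[-1].dest_port="$WG_PORT"
  run uci set firewall.@redirect[-1].proto='udp'
  run uci commit network
  run uci commit firewall
  run /etc/init.d/network restart
  run /etc/init.d/firewall restart
}

main() {
  # The rule from the thread: wan and lan must be distinct subnets.
  if cidr_overlap "$NEW_LAN" "$UPSTREAM_LAN"; then
    echo "refusing: LAN $NEW_LAN overlaps upstream $UPSTREAM_LAN" >&2
    return 1
  fi
  # The DNAT target must live inside the LAN it is forwarded into.
  if ! cidr_overlap "$WG_SERVER/32" "$NEW_LAN"; then
    echo "refusing: $WG_SERVER is not inside $NEW_LAN" >&2
    return 1
  fi
  apply_lan_and_forward
}

main "$@"
```

Setting NEW_LAN back to 192.168.1.1/24 reproduces the posted configuration and makes the script stop at the first check, which is the condition the thread diagnoses. The WireGuard server itself still needs its own address moved into the new LAN, and its AllowedIPs on the clients updated, which is outside what this script touches.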