Wireguard server, client connects but no internet access on the web browser

Hello, I followed this guide https://openwrt.org/docs/guide-user/services/vpn/wireguard/server and have successfully set up the VPN. My main goal is to be able to access my private network resources (NAS) from anywhere and browse privately from public Wi-Fi networks (my next step is to install AdGuard).
The problem I'm having is that I cannot browse the internet from the client's browser after I connect to the VPN.

The client connects using this configuration

# Client-side WireGuard configuration (keys redacted by the poster).
[Interface]
PrivateKey = (hidden)
# Only an IPv4 tunnel address is assigned; there is no IPv6 address on this interface.
Address = 192.168.9.2/32
# DNS points at the router's LAN address, so name resolution also goes through the tunnel.
DNS = 192.168.1.1

[Peer]
PublicKey = (hidden)
PresharedKey = (hidden)
# Full tunnel: all IPv4 and all IPv6 traffic is routed to this peer.
# NOTE(review): ::/0 is routed here although the interface has no IPv6 address, and the
# router only accepts 192.168.9.2/32 and fd00:9::2/128 from this peer (see the wg output below).
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 47.45.196.207:51820

When I run wg on OpenWrt, it shows the connection was established

$ wg
interface: vpn
  public key: xxx
  private key: (hidden)
  listening port: 51820

peer: xxx
  preshared key: (hidden)
  endpoint: xxxx
  allowed ips: 192.168.9.2/32, fd00:9::2/128
  latest handshake: 1 minute, 14 seconds ago
  transfer: 994.25 KiB received, 2.00 MiB sent

I can ping my openwrt router, Google dns and google.com from the client:

$ ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=0 ttl=64 time=253.909 ms
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=315.822 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=182.250 ms

--- 192.168.1.1 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 182.250/250.660/315.822/54.579 ms

$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=115 time=157.013 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=115 time=393.595 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=115 time=144.193 ms

--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 144.193/231.600/393.595/114.667 ms

$ ping google.com
PING google.com (142.250.72.78): 56 data bytes
64 bytes from 142.250.72.78: icmp_seq=0 ttl=56 time=170.233 ms
64 bytes from 142.250.72.78: icmp_seq=1 ttl=56 time=180.180 ms
64 bytes from 142.250.72.78: icmp_seq=2 ttl=56 time=257.356 ms

--- google.com ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 170.233/202.590/257.356/38.938 ms

I can also ping the client from a machine in my private network:

# ping 192.168.9.2
PING 192.168.9.2 (192.168.9.2): 56 data bytes
64 bytes from 192.168.9.2: seq=0 ttl=64 time=169.238 ms
64 bytes from 192.168.9.2: seq=1 ttl=64 time=484.125 ms
64 bytes from 192.168.9.2: seq=2 ttl=64 time=436.361 ms

--- 192.168.9.2 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 169.238/363.241/484.125 ms

But I cannot access the internet from the web browser. I'm using Firefox and the error message is NS_ERROR_NET_TIMEOUT.

My setup is an OpenWrt router connected to a cable modem:

+----+    +------------+    +-------------------+    +----------+
| lan | -> | openwrt | -> | cable modem | -> | internet |
+----+    +------------+    +-------------------+    +----------+

Here is the result of an ip -4 addr command

$ ip -4 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet x.x.x.x brd x.x.x.x scope global wan
       valid_lft forever preferred_lft forever
10: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
11: vpn: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN qlen 1000
    inet 192.168.9.1/24 brd 192.168.9.255 scope global vpn
       valid_lft forever preferred_lft forever
14: wlan1-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.3.1/24 brd 192.168.3.255 scope global wlan1-1
       valid_lft forever preferred_lft forever
15: wlan1-2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.4.1/24 brd 192.168.4.255 scope global wlan1-2
       valid_lft forever preferred_lft forever

And finally my configuration files:

# cat /etc/config/network 

# /etc/config/network as posted: loopback, LAN bridge, WAN (DHCP/DHCPv6),
# two extra static networks (guest, work) and the WireGuard interface 'vpn'.

# Loopback, 127.0.0.1/8.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd9f:2821:4eb6::/48'

# LAN: static 192.168.1.1/24 on the br-lan bridge.
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

# Bridge joining the four LAN ports.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

# Upstream: IPv4 via DHCP and IPv6 via DHCPv6 on the same 'wan' device.
config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

# Guest and work networks. Neither section names a device here; the `ip -4 addr`
# output shows these addresses on wlan1-1 and wlan1-2, presumably bound through
# the wireless configuration (not shown).
config interface 'guest'
        option proto 'static'
        list ipaddr '192.168.3.1/24'

config interface 'work'
        option proto 'static'
        list ipaddr '192.168.4.1/24'

config device
        option name 'wlan1-1'

# WireGuard server interface: listens on UDP 51820 and holds the tunnel
# addresses 192.168.9.1/24 (IPv4) and fd00:9::1/64 (IPv6).
# The IPv6 address below and the fd00:9::2/128 allowed_ips entry in the peer
# section are the router-side IPv6 entries of the WireGuard configuration.
config interface 'vpn'
        option proto 'wireguard'
        option private_key (hidden)
        option listen_port '51820'
        list addresses '192.168.9.1/24'
        list addresses 'fd00:9::1/64'

# Peer definition for the remote client. allowed_ips restricts which source
# addresses are accepted from this peer to its two tunnel addresses.
# NOTE(review): a peer section normally needs only the peer's public key. The
# private_key option here is presumably the client's own private key, kept so
# the client configuration can be regenerated; if so, anyone who can read this
# file can impersonate the client. Consider removing it once the client is
# provisioned. TODO confirm.
config wireguard_vpn 'wgclient'
        option public_key (hidden)
        option preshared_key (hidden)
        option private_key (hidden)
        list allowed_ips '192.168.9.2/32'
        list allowed_ips 'fd00:9::2/128'
        option description 'Test client'

# Device sections that carry only a name and set no other options.
config device
        option name 'vpn'

config device
        option name 'wan'

cat /etc/config/firewall

# /etc/config/firewall as posted: zones lan (including the vpn network), wan,
# guest and work, the forwardings between them, and the per-port accept rules.

# Global fallback policies: input and output are accepted, forwarding is rejected.
# Each zone below sets its own input/output/forward policy.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# LAN zone. The 'vpn' network is a member, so WireGuard peers get the same
# policy as wired LAN hosts: input ACCEPT (they can reach services on the
# router itself), forward ACCEPT within the zone, and the lan -> wan forwarding below.
# NOTE(review): this matches the stated goal of reaching the NAS, but it means a
# lost client device or leaked client key has full LAN trust. A separate zone
# for 'vpn' would allow narrowing that to specific hosts and ports.
config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'vpn'

# WAN zone: unsolicited input and forwarding are rejected; masquerading and
# MSS clamping (mtu_fix) are enabled.
# NOTE(review): only 'masq' is set and there is no 'masq6' option, so traffic
# sourced from the tunnel's fd00:9:: addresses would presumably leave without
# translation. TODO confirm against the firewall version in use.
config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

# LAN (and therefore VPN) hosts may forward to the Internet.
config forwarding
        option src 'lan'
        option dest 'wan'

# Accept DHCP replies (UDP 68) from the upstream network.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

# The router answers IPv4 echo requests arriving on the WAN side.
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

# Accept DHCPv6 replies (UDP 546) from the upstream network.
config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

# Multicast Listener Discovery from link-local sources only.
config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

# ICMPv6 types accepted by the router itself, rate-limited to 1000/sec.
config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# ICMPv6 types forwarded from WAN to any zone (dest '*'), rate-limited to 1000/sec.
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Forward IPsec (ESP and IKE on UDP 500) from WAN into the LAN zone.
# NOTE(review): nothing else on this page shows an IPsec endpoint in the LAN;
# if none exists, these two rules are candidates for removal. Because 'vpn' is
# in the lan zone, they also cover the WireGuard network.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Guest zone: no access to the router (input REJECT) and no intra-zone
# forwarding; only the DNS and DHCP rules below open ports on the router.
config zone
        option name 'guest'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'REJECT'
        list network 'guest'

# Guests may reach the Internet only; there is no guest -> lan forwarding.
config forwarding
        option src 'guest'
        option dest 'wan'

# DNS to the router from guests. No proto option is set, so the firewall's
# default protocol set applies (TCP and UDP on OpenWrt; confirm).
config rule
        option name 'Allow-DNS-Guest'
        option src 'guest'
        option dest_port '53'
        option target 'ACCEPT'

# DHCP (UDP 67-68) to the router from guests.
config rule
        option name 'Allow-DHCP-Guest'
        list proto 'udp'
        option src 'guest'
        option dest_port '67-68'
        option target 'ACCEPT'

# DNS to the router from the work zone (the zone itself is defined just below).
config rule
        option name 'Allow-DNS-Work'
        option src 'work'
        option target 'ACCEPT'
        option dest_port '53'

# Work zone: same isolation pattern as guest.
config zone
        option name 'work'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'work'

config forwarding
        option src 'work'
        option dest 'wan'

# DHCP (UDP 67-68) to the router from the work zone.
config rule
        option name 'Allow-DHCP-Work'
        list proto 'udp'
        option src 'work'
        option target 'ACCEPT'
        option dest_port '67-68'

# Accept inbound WireGuard handshakes and data on UDP 51820 from WAN. No dest
# is set, so this targets the router itself; the port matches listen_port of
# the 'vpn' interface. No family is set, so the rule is not limited to IPv4.
config rule 'wg'
        option name 'Allow-WireGuard'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

Thank you very much for your help

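Try removing all of the IPv6 stuff from your WG configuration (both on the OpenWrt router and the remote peer). The client sends all IPv6 traffic (::/0) into the tunnel, yet every successful ping above is IPv4, so IPv6 through the tunnel is probably what the browser is timing out on.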

also, remove these:

Thank you very much, that worked!
