I've successfully set up a wireguard server on my router, and am able to confirm handshake and ping the router from the peer. However, I cannot access my home network (different subnet), nor access the internet from the connected peer. I've been fumbling with firewall settings for a couple days but can't seem to get this traffic forwarded. Please see firewall config below. Thanks for any help and let me know if you need more information.
/etc/config/firewall
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	list network 'lan'
	list network 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone 'wan'
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'wg-port'
	list proto 'udp'
	option src 'wan'
	option dest_port '49xxx'
	option target 'ACCEPT'
This is how things pass from one zone to another. If it's REJECT then it doesn't work.
I would / do run all of these as REJECT on my server as a router. Using iptables though, and simply set them to drop to avoid responses to whomever is trying to get acknowledged.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:PERMIT-FWD - [0:0]
:PERMIT-IN - [0:0]
:PERMIT-OUT - [0:0]
-A INPUT -j PERMIT-IN
-A FORWARD -j PERMIT-FWD
-A OUTPUT -j PERMIT-OUT
-A PERMIT-FWD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PERMIT-FWD -m conntrack --ctstate NEW -j ACCEPT
-A PERMIT-FWD -j DROP
-A PERMIT-IN -i lo -j ACCEPT
-A PERMIT-IN -i br0 -j ACCEPT
-A PERMIT-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PERMIT-IN -j DROP
-A PERMIT-OUT -o lo -j ACCEPT
-A PERMIT-OUT -o br0 -j ACCEPT
-A PERMIT-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PERMIT-OUT -m conntrack --ctstate NEW -j ACCEPT
-A PERMIT-OUT -j DROP
COMMIT
# Completed on Sun Jan 23 20:51:32 2022
# Generated by iptables-save v1.8.7 on Sun Jan 23 20:51:32 2022
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o bo0 -j MASQUERADE
COMMIT
This is actually a sometimes confusing feature of the firewall...
the "forward" zone rule does not affect inter-zone routing. This affects only intra-zone forwarding. In other words, if you have multiple networks that are assigned to the same firewall zone, this affects the ability for inter-VLAN (inter-network) routing between the networks within that zone (determined at the zone level).
When routing is desired between networks that are associated with different zones (again, at the zone level), forwarding rules such as the one below are used to allow this to work.
In this case, the OP theoretically has the WG interface associated with the lan firewall zone which has forward=accept (as shown below):
The "default" zone (which is kind of an unnamed zone) had the forward=reject (as you can see below), but that is not relevant to networks that are assigned to other zones. The default zone is what happens when you don't make an explicit assignment for a network into a zone.
In all cases, it is possible to write traffic rules that provide much more granularity -- so the default action within a zone (or a zone forwarding rule) can be overridden for specific hosts or networks by writing rules as desired.
Using iptables explicitly is one way to achieve the firewall goals, but what is available to implement in LuCI/UCI standard rules is usually sufficient. The use of iptables becomes useful if a more sophisticated/explicit/granular ruleset is needed as compared to what the UCI firewall syntax can provide and/or for those who prefer to write the rules this way (which is a totally legit option).
Thanks for the reply. I changed the default to ACCEPT as you noted above, as a test, but that broke the peer connection. Was not even able to ping the server, whereas when it is set to REJECT I am. Not sure why this is...
Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
cat /etc/config/network
cat /etc/config/firewall
Also, please provide info about the remote peer:
what OS is it running (is it also OpenWrt)?
is the service you're trying to forward to running on that same host (alongside WG), or is it a different host on the network there?
Different host on the network. But I'd also like to be able to access the internet from the connected peer via my home network when I am away from home.
Can you repost without redacting the rfc1918 addresses and the port numbers, too? They don’t reveal anything sensitive about your network, but it is important to see for troubleshooting
Also, please verify that you have gotten the handshakes to work:
yes confirmed
This should be 192.168.10.3/32. Disregard if this was a typo in this post and is correct in your config.
I would recommend placing the vpn in its own firewall zone (you can set accept on input, output, and forward). Create a forward rule for the vpn zone > lan zone.
Meanwhile, it seems that this is not the main router. There are two ways to get this to work. Either enable masquerading on the lan firewall zone or setup a static route in the main router (if supported).
Thank you for the reply. Yes that is a typo, the address is correct.
Yes, I am running the WG server on an access point, as my main router is running WireGuard as a VPN client, so I am keeping them separate. Not sure if this is necessary. The main router is also running OpenWrt, so yes, it does support static routes.
I have trouble understanding firewall zones, can you help me to understand the steps involved in getting this working? Thank you again for your help here.
You can combine them, if you want. But since you have this setup, we can probably get it working.
NOTE: you may need to setup VPN Policy Based Routing in order to allow the inbound VPN connections from the WAN to work properly.
Yes...
You want your firewall zones to look like this (note that I have removed the vpn network from the lan and added it to its own zone):
config zone 'lan'
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone 'vpn'
	option name 'vpn'
	list network 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
Then add a forwarding rule:
config forwarding
	option src 'vpn'
	option dest 'lan'
On your main router, add a static route as follows:
192.168.10.0/24 via 192.168.1.2
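Added example, not from this thread or from OpenWrt's own tooling: a small Python checker that parses UCI firewall text and reports, for a pair of networks, whether the zone's own forward option (same zone) or an explicit forwarding section (different zones) governs the path, as explained earlier in the thread. The BEFORE/AFTER samples are constructed to mirror the original zones and the suggested fix; the function names and return strings are this example's own, and it checks firewall policy only, not the static route on the main router.

```python
import re

# Constructed samples (not the OP's verbatim file): the vpn network inside the
# lan zone, then the suggested fix, vpn in its own zone plus vpn->lan forwarding.
BEFORE = """config zone 'lan'
    option name 'lan'
    list network 'lan'
    list network 'vpn'
    option forward 'ACCEPT'
config zone 'wan'
    option name 'wan'
    list network 'wan'
config forwarding
    option src 'lan'
    option dest 'wan'
"""
AFTER = BEFORE.replace("    list network 'vpn'\n", "") + """config zone 'vpn'
    option name 'vpn'
    list network 'vpn'
    option forward 'ACCEPT'
config forwarding
    option src 'vpn'
    option dest 'lan'
"""
TOKEN = re.compile(r"'([^']*)'|(\S+)")  # quoted or bare UCI word

def parse_uci(text):
    """Parse UCI text into [(section_type, {key: value_or_list}), ...]."""
    sections = []
    for raw in text.splitlines():
        words = [q or bare for q, bare in TOKEN.findall(raw)] or ['']
        if words[0] == 'config':
            sections.append((words[1], {}))
        elif words[0] == 'option':
            sections[-1][1][words[1]] = words[2]
        elif words[0] == 'list':
            sections[-1][1].setdefault(words[1], []).append(words[2])
    return sections

def forward_policy(sections, src_net, dst_net):
    """Same zone: that zone's own 'forward' option decides (intra-zone);
    different zones: only an explicit 'config forwarding' pair allows it."""
    zones = {net: opts for kind, opts in sections if kind == 'zone'
             for net in opts.get('network', [])}
    if src_net not in zones or dst_net not in zones:
        return 'unassigned'  # network falls into the unnamed default zone
    src, dst = zones[src_net], zones[dst_net]
    if src['name'] == dst['name']:
        return 'intra-zone:' + src.get('forward', 'unset')
    pairs = {(o.get('src'), o.get('dest')) for k, o in sections if k == 'forwarding'}
    return 'forwarding' if (src['name'], dst['name']) in pairs else 'no-forwarding'
```

Run it against the real file with `forward_policy(parse_uci(open('/etc/config/firewall').read()), 'vpn', 'lan')` on the router to see which rule the firewall would apply.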
Ok this is working!! Thank you so much, I really appreciate the help.
One small thing which still isn't working: although I can ping and access multiple devices on the network, and access the internet, there is one server I cannot access or ping via the VPN. It is at 192.168.1.205. I can access it when logged onto the home network (192.168.1.x) and I can ping it from both routers. But when connected via the VPN, it times out. Any clues?
Windows? Check the windows firewall. By default, it will not accept connections from other subnets. You can modify the firewall to allow incoming connections from the VPN.
If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
No not windows, linux. I have def accessed this from other subnets. Ok I will dig into the settings on that machine. I will mark this as solved. Thank you for your excellent support!