I am new to OpenWRT and also to configuring firewalls.
I am running an OpenWRT-based router with a WireGuard S2S and a separate WireGuard E2S interface.
The problem: on the E2S interface, the peer is configured to route all traffic through the VPN, so the peer gets Internet access via my router and also has access to hosts in the local LAN behind the router.
But this only works when I place the E2S interface into the LAN zone on the firewall with masquerading enabled.
To learn more about how to configure the firewall, I want to create a separate firewall zone for this interface, from which the hosts in the LAN can be accessed and the peer can also reach the Internet without masquerading.
Can anyone tell me the best-practice way to do that?
Are we talking about two or more OpenWrt routers in the site-to-site and endpoint-to-site configuration? Is the problem on the "server" side or on the "client" endpoint peer?
The S2S configuration is established without any problems between my OpenWrt router and a Raspberry Pi 4 on the other side.
The E2S configuration is for my smartphones, tablets and so on when I'm traveling.
I think this must be a problem on the server (my router's) side, because when I place the E2S interface in the LAN zone of the firewall with masquerading turned on, everything works fine. If I place the E2S interface in its own firewall zone with forwarding, e.g. from the VPN zone to LAN and from the LAN zone to the VPN zone, I only get access to my NAS and other hosts, but not to the Internet.
Please copy the output of the following commands and post it here using the "Preformatted text </>" button.
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
Both configs are heavily customized, apologies for that.
The DNS servers listed in the wan/wan6, iot, guest and smarthome interfaces are public IP addresses from Freifunk Munich.
The other DNS servers listed in the lan/lan6 and WireGuard interfaces are local IPv4/IPv6 addresses; the IPv6 addresses have been modified.
WireGuard keys have been modified as well.
cat /etc/config/firewall

```
config defaults
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option synflood_protect '1'
    option flow_offloading '1'
    option flow_offloading_hw '1'

config zone 'lan'
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    list network 'lan'
    list network 'lan6'
    list network 'rsq'
    list network 'wg_e2s'
    list network 'wg_s2s'
    option masq '1'

config zone 'wan'
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    list network 'wan'
    list network 'wan6'

config forwarding
    option src 'lan'
    option dest 'wan'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-IPSec-ESP'
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option name 'Allow-ISAKMP'
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

config redirect
    option dest 'lan'
    option target 'DNAT'
    option name 'DCKRSRV - HTTP'
    list proto 'tcp'
    option src 'wan'
    option src_dport '80'
    option dest_ip '192.168.1.16'
    option dest_port '80'

config redirect
    option dest 'lan'
    option target 'DNAT'
    list proto 'tcp'
    option src 'wan'
    option src_dport '443'
    option dest_ip '192.168.1.16'
    option dest_port '443'
    option name 'DCKRSRV - HTTPS'

config rule 'wg'
    option src 'wan'
    option proto 'udp'
    option target 'ACCEPT'
    option name 'Allow-WireGuard-lan'
    option dest_port '51820 51821'

config rule
    option name 'Guest - Allow DHCP'
    list proto 'udp'
    option src 'Guest'
    option src_port '67-68 546-547'
    option dest_port '67-68 546-547'
    option target 'ACCEPT'

config rule
    option name 'Guest - Allow DNS'
    option src 'Guest'
    option dest_port '53 853'
    option target 'ACCEPT'

config rule
    option name 'Guest - Drop LAN'
    option src 'Guest'
    option dest 'lan'
    option target 'DROP'

config rule
    option name 'Guest - Allow HTTP/S'
    list proto 'tcp'
    option src 'Guest'
    option dest 'wan'
    option dest_port '80 8080 443'
    option target 'ACCEPT'

config rule
    option name 'Guest - Allow ICMP Ping'
    list proto 'icmp'
    option src 'Guest'
    option dest 'wan'
    option target 'ACCEPT'

config rule
    list proto 'tcp'
    option src 'Guest'
    option dest 'wan'
    option dest_port '110 143 465 587 993 995'
    option target 'ACCEPT'
    option name 'Guest - Allow E-Mail'

config rule
    option name 'Guest - Drop WAN'
    option src 'Guest'
    option dest 'wan'
    option target 'DROP'

config rule
    list proto 'udp'
    option src 'IOT'
    option src_port '67-68 546-547'
    option dest_port '67-68 546-547'
    option target 'ACCEPT'
    option name 'IOT - Allow DHCP'

config rule
    option src 'IOT'
    option dest_port '53 853'
    option target 'ACCEPT'
    option name 'IOT - Allow DNS'

config rule
    option name 'IOT - Drop LAN'
    option src 'IOT'
    option dest 'lan'
    option target 'DROP'

config rule
    list proto 'icmp'
    option src 'IOT'
    option dest 'wan'
    option target 'ACCEPT'
    option name 'IOT - Allow ICMP Ping'

config rule
    option name 'IOT - Drop WAN'
    option src 'IOT'
    option dest 'wan'
    option target 'DROP'

config rule
    list proto 'udp'
    option src 'smarthome'
    option src_port '67-68 546-547'
    option dest_port '67-68 546-547'
    option target 'ACCEPT'
    option name 'Smarthome - Allow DHCP'

config rule
    option src 'smarthome'
    option dest_port '53 853'
    option target 'ACCEPT'
    option name 'Smarthome - Allow DNS'

config rule
    option name 'Smarthome - Drop LAN'
    option src 'smarthome'
    option dest 'lan'
    option target 'DROP'

config rule
    list proto 'icmp'
    option src 'smarthome'
    option dest 'wan'
    option target 'ACCEPT'
    option name 'Smarthome - Allow ICMP Ping'

config rule
    option name 'Smarthome - Allow HTTP/S'
    list proto 'tcp'
    option src 'smarthome'
    option dest 'wan'
    option target 'ACCEPT'
    option dest_port '80 8080 443'

config rule
    list proto 'udp'
    option src 'smarthome'
    option dest 'wan'
    option dest_port '6667'
    option target 'ACCEPT'
    option name 'Smarthome - Allow UDP 6667'

config rule
    option name 'Smarthome - Allow TCP 8886'
    list proto 'tcp'
    option src 'smarthome'
    option dest 'wan'
    option dest_port '8886'
    option target 'ACCEPT'

config rule
    option name 'Smarthome - Drop WAN'
    option src 'smarthome'
    option dest 'wan'
    option target 'DROP'

config zone 'VPN_S2S'
    option name 'VPN_S2S'
    option output 'ACCEPT'
    option forward 'REJECT'
    option input 'ACCEPT'
    list network 'wg_s2s'

config zone 'Guest'
    option name 'Guest'
    option output 'ACCEPT'
    option forward 'REJECT'
    option input 'REJECT'
    list network 'guest'

config zone 'IOT'
    option name 'IOT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option input 'REJECT'
    list network 'iot'

config forwarding
    option src 'lan'
    option dest 'IOT'

config forwarding
    option src 'lan'
    option dest 'VPN_S2S'

config forwarding
    option src 'VPN_S2S'
    option dest 'lan'

config zone 'smarthome'
    option name 'smarthome'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option mtu_fix '1'
    list network 'smarthome'

config forwarding
    option src 'lan'
    option dest 'smarthome'

config forwarding
    option src 'Guest'
    option dest 'wan'

config forwarding
    option src 'smarthome'
    option dest 'wan'
```
cat /etc/config/network

```
config interface 'loopback'
    option device 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fd00::/64'
    option packet_steering '1'

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '99'
    option description 'lan'
    option vid '99'
    option ports '0t 4t'

config switch_vlan
    option device 'switch0'
    option vlan '55'
    option description 'rsq'
    option vid '55'
    option ports '0t 3'

config switch_vlan
    option device 'switch0'
    option vlan '10'
    option description 'guest'
    option vid '10'
    option ports '0t 4t'

config switch_vlan
    option device 'switch0'
    option vlan '20'
    option description 'iot'
    option vid '20'
    option ports '0t 4t'

config switch_vlan
    option device 'switch0'
    option vlan '30'
    option description 'smarthome'
    option vid '30'
    option ports '0t 4t'

config device
    option name 'br-lan'
    option type 'bridge'
    option bridge_empty '1'
    list ports 'eth0.99'

config device
    option name 'br-rsq'
    option type 'bridge'
    option bridge_empty '1'
    list ports 'eth0.55'

config device
    option type 'bridge'
    option name 'br-guest'
    option bridge_empty '1'
    list ports 'eth0.10'

config device
    option type 'bridge'
    option name 'br-iot'
    option bridge_empty '1'
    list ports 'eth0.20'

config device
    option type 'bridge'
    option name 'br-smarthome'
    option bridge_empty '1'
    list ports 'eth0.30'

config interface 'lan'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
    list dns_search 'local.home'
    option dhcpv6 'server'
    option ra 'server'
    option ra_flags 'managed-config other-config'
    option ip6assign '64'
    option device 'br-lan'
    list dns '192.168.1.5'
    list dns '192.168.1.15'
    list dns 'fd00::dea6:32bb:fe8a:b004'
    list dns 'fd00::dea6:32aa:fe1a:a004'

config interface 'rsq'
    option proto 'static'
    option ipaddr '192.168.0.1'
    option netmask '255.255.255.0'
    list dns '5.1.66.255'
    list dns_search 'my.rsq'
    option dhcpv6 'disabled'
    option ra 'disabled'
    option device 'br-rsq'

config interface 'wan'
    option proto 'pppoe'
    option device 'eth1'
    option username 'MyCredentialsForISP'
    option password 'PasswordForISP'
    option ipv6 '0'
    option peerdns '0'
    option delegate '0'
    list dns '5.1.66.255'
    list dns '185.150.99.255'

config interface 'wan6'
    option proto 'dhcpv6'
    option device '@wan'
    option reqaddress 'none'
    option reqprefix 'auto'
    option peerdns '0'
    list dns '2001:678:e68:f000::'
    list dns '2001:678:ed0:f000::'

config interface 'guest'
    option proto 'static'
    option device 'br-guest'
    list ipaddr '192.168.91.1/26'
    list dns '5.1.66.255'
    list dns '185.150.99.255'
    list dns '2001:678:e68:f000::'
    list dns '2001:678:ed0:f000::'
    list dns_search 'my.gu35t'
    list ip6addr 'fd50::/64'

config interface 'iot'
    option proto 'static'
    option device 'br-iot'
    list dns '5.1.66.255'
    list dns '185.150.99.255'
    list dns '2001:678:e68:f000::'
    list dns '2001:678:ed0:f000::'
    list dns_search 'my.10t'
    list ipaddr '172.30.150.1/27'
    list ip6addr 'fd51::/64'

config interface 'smarthome'
    option proto 'static'
    list ipaddr '10.55.99.1/27'
    list ip6addr 'fd70::/64'
    list dns '5.1.66.255'
    list dns '185.150.99.255'
    list dns '2001:678:e68:f000::'
    list dns '2001:678:ed0:f000::'
    option device 'br-smarthome'
    list dns_search 'my.sm4rth0m3'

config route 'Testlabor'
    option interface 'lan'
    option target '192.168.10.0/24'
    option source '192.168.1.1'
    option gateway '192.168.1.240'

config interface 'wg_s2s'
    option proto 'wireguard'
    option private_key 'BABBCBDBEBFBGBHBIBJBKBL'
    list addresses '192.168.81.1/28'
    list addresses 'fd12:5ee:def:c0de::1/124'
    option peerdns '0'
    list dns '192.168.1.5'
    list dns '192.168.1.15'
    list dns_search 'my.s2svpn'
    option listen_port '51820'

config wireguard_wg_s2s
    option description '01_S2S_OtherSpot'
    option public_key 'SSSSSSSSSSSSSSSSSSSSSSSSSSSSSS'
    option preshared_key 'TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT'
    option route_allowed_ips '1'
    option persistent_keepalive '25'
    list allowed_ips 'fd12:5ee:def:c0de::/124'
    list allowed_ips '192.168.2.0/24'
    list allowed_ips '192.168.81.0/28'
    option private_key 'ABACADAEAFAGAHAIAJAK'
    option endpoint_host 'remote.s2s.dyndns'
    option endpoint_port '51821'

config interface 'wg_e2s'
    option proto 'wireguard'
    option private_key 'ABCDEFGHIJKLMNOPQRST'
    option listen_port '51821'
    list addresses 'fd11:5ee:abc:c0de::1/124'
    list addresses '192.168.77.1/24'
    option peerdns '0'
    list dns_search 'my.e2svpn'
    list dns '192.168.1.5'
    list dns '192.168.1.15'
    list dns 'fd00::dea6:99ff:fe5a:a7b2'

config wireguard_wg_e2s
    option description '02_TravelRouter_E2S'
    option public_key 'PPPPPPPPPPPPPPP'
    option private_key 'QQQQQQQQQQQQQQQQQQ'
    option preshared_key 'RRRRRRRRRRRRRRRRRRRR'
    option route_allowed_ips '1'
    list allowed_ips 'fd11:5ee:abc:c0de::3/128'
    list allowed_ips '192.168.77.3/32'

config wireguard_wg_e2s
    option public_key 'MMMMMMMMMMMMMMMMMM'
    option private_key 'NNNNNNNNNNNNNNNNNNN'
    option preshared_key 'OOOOOOOOOOOOOOOOO'
    option persistent_keepalive '25'
    option description '03_Smartphone'
    option route_allowed_ips '1'
    list allowed_ips '192.168.77.4/32'
    list allowed_ips 'fd11:5ee:abc:c0de::4/128'

config wireguard_wg_e2s
    option public_key 'JJJJJJJJJJJJJJJJJJJJJJJJJJ'
    option private_key 'KKKKKKKKKKKKKKKKKKKKKKKK'
    option preshared_key 'LLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLL'
    option description '04_Notebook'
    option route_allowed_ips '1'
    list allowed_ips 'fd11:5ee:abc:c0de::5/128'
    list allowed_ips '192.168.77.5/32'

config wireguard_wg_e2s
    option description '05_Netbook'
    option public_key 'GGGGGGGGGGGGGGGGGGGGGGGGG'
    option private_key 'HHHHHHHHHHHHHHHHHHH'
    option preshared_key 'IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII'
    option route_allowed_ips '1'
    list allowed_ips 'fd11:5ee:abc:c0de::6/128'
    list allowed_ips '192.168.77.6/32'

config wireguard_wg_e2s
    option description '06_Tablet1'
    option public_key 'DDDDDDDDDDDDDDDDDDDDDDD'
    option private_key 'EEEEEEEEEEEEEEEEEE'
    option preshared_key 'FFFFFFFFFFFFFFFFFFFFFF'
    option route_allowed_ips '1'
    list allowed_ips 'fd11:5ee:abc:c0de::7/128'
    list allowed_ips '192.168.77.7/32'

config wireguard_wg_e2s
    option public_key 'AAAAAAAAAAAAAAAAA'
    option private_key 'BBBBBBBBBBBBBBBBBB'
    option preshared_key 'CCCCCCCCCCCCCCCCC'
    option description '07_Tablet2'
    option route_allowed_ips '1'
    list allowed_ips 'fd11:5ee:abc:c0de::8/128'
    list allowed_ips '192.168.77.8/32'

config interface 'lan6'
    option device '@lan'
    option proto 'dhcpv6'
    option force_link '1'
    option reqaddress 'none'
    option reqprefix 'auto'
    option peerdns '0'
    list dns 'fd00::dea6:32bb:fe8a:b004'
    list dns 'fd00::dea6:32aa:fe1a:a004'
    list dns_search 'local.home'
    option delegate '0'
    option type 'bridge'
```
Hope this helps.
Note: at the moment, there isn't a separate firewall zone for the E2S VPN.
Meanwhile, I have to correct my initial post, because it can lead to misunderstandings.
Without a specific NAT rule in the firewall, I had to turn on masquerading for the entire LAN zone.
If I place the E2S VPN interface in the LAN zone, disable masquerading for the entire LAN zone and add a NAT rule as follows:
Outbound Zone -> LAN
Source Address -> 192.168.77.0/24
Destination Address -> Any
Action -> MASQUERADE
it works, too.
I don't think it can be done properly without masquerading, but then again, I'm not an expert.
But as mentioned, I want to put the E2S VPN interface in a separate firewall zone with forwarding to the LAN zone, to get access to my hosts within the LAN (that works without a problem), and also to get Internet access from the peer's side while routing all traffic via the VPN.
There must be a simple configuration I'm not thinking of yet to get it to work.
I've just tested out a few things over the last day. Unfortunately, I'm still searching for a solution. I can't believe that this isn't possible to configure.
Do you need more information from my config or anything else to help me?
Meanwhile I found a solution that works for me, and I'm happy with that.
First, I created a new zone called "VPN_E2S", set Input and Output to "Accept" and Forward to "Reject". The zone forwards to destination "LAN". Here, it's also possible to forward to the "WAN" zone, so you don't have to set up specific traffic rules. However, I decided to set up these specific traffic rules.
In the second step, I went to "NAT Rules" and created a rule called "VPN", set Protocol to "Any", Outbound Zone to "LAN" and Source Address to the E2S WireGuard subnet. I left Destination Address empty and set the Action to "Masquerade".
Last but not least, I set up the traffic rules to forward the Internet traffic coming in from "VPN_E2S" to the "WAN" zone. I decided to forward only HTTP/S and e-mail.