Wireguard Server: No Access To The Local Network / Internet

Hello,

I have a NanoPi NEO2 SBC running LuCI openwrt-22.03 branch (git-22.288.45147-96ec0cd) / OpenWrt 22.03.2 r19803-9a599fee93. This is a cheap ARM board that has one gigabit Ethernet port and I have it set up as the DHCP and DNS server for my network. The ISP router works as the gateway.

  • OpenWrt/ARM (DHCP/DNS Server): 172.20.1.1
  • ISP Router (Gateway): 172.20.1.254

I've set up a WG "server" using the GUI and I'm able to connect my phone to it. The phone is able to access the OpenWrt interface but it can't access anything else on the network or the Internet.

Network config:

# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdb0:01c0:5208::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        option ipv6 '0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ip6assign '60'
        option delegate '0'
        list ipaddr '172.20.1.1/24'
        option gateway '172.20.1.254'
        option broadcast '172.20.1.255'

config device
        option name 'eth0'
        option ipv6 '0'

config interface 'VPN'
        option proto 'wireguard'
        option private_key '...'
        option listen_port '41390'
        option mtu '1200'
        option peerdns '0'
        list dns '172.20.1.1'
        option delegate '0'
        list addresses '172.20.3.1/24'

config wireguard_VPN
        option description 'iPhone'
        option public_key '...'
        option private_key '...'
        option preshared_key '...'
        option route_allowed_ips '1'
        option persistent_keepalive '600'
        list allowed_ips '172.20.3.10/32'

config device
        option name 'VPN'
        option ipv6 '0'

Client config:

As I said the phone connects just fine:

# wg show
interface: VPN
  public key: ......
  private key: (hidden)
  listening port: 41390

peer: ......
  preshared key: (hidden)
  endpoint: ....:33817
  allowed ips: 172.20.3.10/32
  latest handshake: 41 seconds ago
  transfer: 14.21 KiB received, 12.70 KiB sent
  persistent keepalive: every 10 minutes

The current routing table:

# ip route show
default via 172.20.1.254 dev br-lan
172.20.1.0/24 dev br-lan scope link  src 172.20.1.1
172.20.3.0/24 dev VPN scope link  src 172.20.3.1
172.20.3.10 dev VPN scope link

This looks to me like some routing problem but since this isn't a standard setup where the OpenWrt box also acts as gateway I'm not sure.

Thank you.

There are two ways to handle this:

  1. if your main router supports it, add a static route to its routing table: 127.20.3.0/24 via 172.20.1.1

Or

  2. put the Wireguard network in its own firewall zone (input, output, and forward = accept), with masquerading enabled. Then allow forwarding from this new zone > lan.
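Why the two fixes work comes down to the return path: the ISP router has no idea where 172.20.3.0/24 lives, so replies to the VPN client match only its default route and leave towards the ISP. The following longest-prefix-match toy is an added illustration for this thread (not code from OpenWrt or from either poster). The OpenWrt table is transcribed from the `ip route show` output above; the ISP router's table is an assumption, since the thread never shows it.

```python
"""Longest-prefix-match toy to show why the reply path breaks when the
WireGuard endpoint is not the network's default gateway.
Added illustration for this thread, not code from OpenWrt or the posters."""
import ipaddress


def lookup(table, dst):
    """Longest-prefix match over (prefix, next_hop, device) tuples.
    next_hop None means the prefix is directly connected on that device."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, via, dev in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    return best


# OpenWrt box, transcribed from the `ip route show` output in the thread.
OPENWRT_ROUTES = [
    ("0.0.0.0/0", "172.20.1.254", "br-lan"),
    ("172.20.1.0/24", None, "br-lan"),
    ("172.20.3.0/24", None, "VPN"),
    ("172.20.3.10/32", None, "VPN"),
]

# ISP router: an assumed table (the thread never shows it). It knows its own
# LAN and a default route upstream, and nothing about 172.20.3.0/24.
ISP_ROUTES = [
    ("0.0.0.0/0", "upstream", "wan"),
    ("172.20.1.0/24", None, "lan"),
]

VPN_CLIENT = "172.20.3.10"
OPENWRT_LAN_IP = "172.20.1.1"


def reply_path(fix=None):
    """Trace the reply to a packet the VPN client sent towards the Internet,
    starting at the ISP router. fix is None, 'static_route' or 'masquerade'.
    Returns the hops the reply takes, ending in 'delivered' or 'lost'."""
    isp = list(ISP_ROUTES)
    if fix == "static_route":
        # Fix 1 from the thread: the ISP router learns where the VPN subnet lives.
        isp.append(("172.20.3.0/24", OPENWRT_LAN_IP, "lan"))
    # Fix 2: with masquerading the outside world only ever saw 172.20.1.1 as the
    # source, so the reply is addressed to the OpenWrt box itself.
    reply_dst = OPENWRT_LAN_IP if fix == "masquerade" else VPN_CLIENT

    hops = ["isp-router"]
    _net, via, dev = lookup(isp, reply_dst)
    if dev == "wan":
        # A private destination matched only the default route: the reply goes
        # upstream and is discarded there. This is the situation in the question.
        return hops + ["lost"]
    hops.append(via or reply_dst)          # next hop on the LAN segment
    if hops[-1] != OPENWRT_LAN_IP:
        return hops + ["lost"]
    # At the OpenWrt box: conntrack undoes the masquerade if there was one, then
    # the kernel routes the packet to the client over the VPN interface.
    _net, _via, dev = lookup(OPENWRT_ROUTES, VPN_CLIENT)
    hops.append(dev)
    return hops + ["delivered" if dev == "VPN" else "lost"]


if __name__ == "__main__":
    for fix in (None, "static_route", "masquerade"):
        print(f"{fix or 'no fix':13s}: {' -> '.join(reply_path(fix))}")
```

Both fixes make the reply land on 172.20.1.1, but they differ in what the LAN sees: with the static route, hosts and their logs still see the real 172.20.3.x client address; with masquerading, every VPN client shows up as 172.20.1.1, which is the "IPs intact" trade-off the follow-up post below works around.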

I started with option 2 because the ISP router doesn't allow for custom routes and it worked just fine.

I was a bit unhappy with the blunt masquerading and traffic forwarding (it makes it impossible to keep IPs intact) so I ended up with a slightly different config. The following config works because my OpenWrt device doesn't have a WAN port; everything is considered LAN.

  1. Firewall NAT rules to allow traffic from any VPN client to reach the LAN and to masquerade anything that needs to be sent to the gateway/internet:
firewall.@nat[0]=nat
firewall.@nat[0].name='vpnrule-internal'
firewall.@nat[0].proto='all'
firewall.@nat[0].src='lan'
firewall.@nat[0].src_ip='172.20.3.0/24'
firewall.@nat[0].dest_ip='172.20.1.0/24'
firewall.@nat[0].target='ACCEPT'
firewall.@nat[1]=nat
firewall.@nat[1].name='vpnrule'
firewall.@nat[1].src='lan'
firewall.@nat[1].src_ip='172.20.3.0/24'
firewall.@nat[1].target='MASQUERADE'
firewall.@nat[1].proto='all'

This way I can for instance ping a computer on the local network from the VPN and have the source IP intact.

  2. Now in order to allow the reverse (communication from computers on the local network to the VPN devices), I added the option 121 to the DHCP on the LAN interface:
dhcp.lan.dhcp_option='6,172.20.1.1' '121,172.20.3.0/24,172.20.1.1' '3,172.20.1.254'

This pushes a custom route to the DHCP clients:

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     172.20.1.254     172.20.1.102     25
       172.20.3.0    255.255.255.0       172.20.1.1     172.20.1.102     26

Thank you for the help!

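For anyone wondering what that `'121,172.20.3.0/24,172.20.1.1'` entry turns into on the wire: dnsmasq encodes it as DHCP option 121, the RFC 3442 classless static route option. The encoder/decoder below is an added illustration (not OpenWrt or dnsmasq code); the sample route list is constructed from this thread's addresses. One caveat worth knowing: RFC 3442 says a client that understands option 121 MUST ignore option 3 (router) when both are present. The Windows route table above still got its default route, but a client that follows the RFC strictly will not, so the safe form is to carry the default route inside option 121 as well, as the sample does.

```python
"""Encoder/decoder for DHCP option 121 (RFC 3442 classless static routes), the
option pushed via the dhcp_option entry in this thread.
Added illustration, not OpenWrt or dnsmasq code."""
import ipaddress
import math

OPTION_CLASSLESS_STATIC_ROUTE = 121


def encode_option121(routes):
    """routes: [(destination_cidr, router_ip), ...]. Each route is encoded as
    one prefix-length byte, ceil(prefixlen/8) significant destination octets,
    then the 4-byte router address (RFC 3442 section 2)."""
    out = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest, strict=False)
        sig = math.ceil(net.prefixlen / 8)
        out.append(net.prefixlen)
        out += net.network_address.packed[:sig]
        out += ipaddress.IPv4Address(router).packed
    return bytes(out)


def decode_option121(data):
    """Inverse of encode_option121; raises ValueError on malformed input."""
    routes = []
    i = 0
    while i < len(data):
        plen = data[i]
        i += 1
        if plen > 32:
            raise ValueError(f"bad prefix length {plen}")
        sig = math.ceil(plen / 8)
        if i + sig + 4 > len(data):
            raise ValueError("truncated route entry")
        dest = data[i:i + sig] + b"\x00" * (4 - sig)   # pad omitted octets
        i += sig
        router = data[i:i + 4]
        i += 4
        routes.append((f"{ipaddress.IPv4Address(dest)}/{plen}",
                       str(ipaddress.IPv4Address(router))))
    return routes


def option121_tlv(routes):
    """Full option as it appears in the DHCP packet: code, length, value."""
    value = encode_option121(routes)
    return bytes([OPTION_CLASSLESS_STATIC_ROUTE, len(value)]) + value


# Constructed sample: the route from this thread plus a default route, because
# RFC 3442 says a client that understands option 121 MUST ignore option 3
# (router) when both are present, so the default route belongs inside 121 too.
SAMPLE_ROUTES = [
    ("172.20.3.0/24", "172.20.1.1"),
    ("0.0.0.0/0", "172.20.1.254"),
]

if __name__ == "__main__":
    tlv = option121_tlv(SAMPLE_ROUTES)
    print(tlv.hex(" "))            # 79 0d 18 ac 14 03 ac 14 01 01 00 ac 14 01 fe
    print(decode_option121(tlv[2:]))
```

The thread's single route encodes to 8 bytes (`18 ac 14 03 ac 14 01 01`): a /24 needs only three significant octets, and a default route needs none, so the whole two-route option is 13 bytes. The decoder's bounds checks matter on the receiving side because a truncated or oversized option from an untrusted DHCP server is exactly the kind of input a client parser has to reject rather than index past.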
