Wireguard Server To Access Only LAN

OpenWRT 18.06.1

I would like to set up an IPv4-only WireGuard interface so that WAN clients can access the LAN only (other machines, plus SSH and HTTPS into the router; essentially be in the same firewall zone as the LAN).

I found two guides:

  1. https://danrl.com/blog/2017/luci-proto-wireguard/
  2. https://casept.github.io/post/wireguard-server-on-openwrt-router/

Here's what I have so far:

General Setup: https://i.imgur.com/5b0fLXF.png
Advanced: https://i.imgur.com/cEPPVIK.png
Firewall: LAN
Traffic rule: https://i.imgur.com/mJ1AaEt.png

But when I restart the interface (no error upon connect, though it shows 0 packets rx/tx), I get "Error: Network device is not present"

Ideally this would be a split tunnel, but a full tunnel will do (WAN clients will not be able to access anything outside the router's LAN)

Please provide readable information:

ip a; ip r; ip ru
uci show network
uci show firewall

Here is a screenshot of my setup that works great.

By the way, I checked your General Setup picture, and you have a bug: you point your interface to port 51821 but your client's endpoint port is 51820. They must be the same! You are trying to connect to a port where nobody is listening; that's why it says "Network interface not present".

MooMan, the client endpoint hasn't been entered; it's grayed out. I can enter 51821, but I've left it blank for now.


Restarting the router fixed the "Error: Network device is not present" error.

Though the issue I have now is that when I enable the router's WG iface, one of the machines in the LAN, which is running a WG client on 51820, loses its WireGuard connection to its server.

Try to modify "Persistent Keep Alive" setting.


I have it set to 10 on the machine in the LAN and 25 in the router...


They need to use different keys, even if running on different ports. Now the router tunnel doesn't interrupt the LAN machine tunnel, but I still can't connect to it.

Just wanted to chime in to add that the @MooMan setup totally helped me, but I also changed the firewall zone: on the wg interface, go to firewall settings and add the wg interface to the lan zone. I got it from another guide. I'm not totally sure how it works, but I assume that it treats the wg network as part of the LAN in regards to security. I think it is secure and simple for home use... maybe that helps you.

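The LAN-zone setup discussed above, written out as UCI commands. This is an added example, not part of any post in this thread: the function name `wg_lan_batch`, the `WG_PRIVATE_KEY` variable, and the assumption that `firewall.@zone[0]` is the stock `lan` zone are all illustrative, and the keys and addresses must be your own.

```shell
#!/bin/sh
# Added example (not from the thread). Prints a `uci batch` script; nothing is
# applied until the output is piped into `uci batch`.
# Assumptions: firewall.@zone[0] is the stock 'lan' zone, and the router's
# private key is passed in WG_PRIVATE_KEY so it stays out of the argument list.

# usage: wg_lan_batch IFACE PORT ROUTER_ADDR/MASK PEER_PUBKEY PEER_ADDR/32
wg_lan_batch() {
    [ $# -eq 5 ] || { echo "expected 5 arguments" >&2; return 1; }
    iface=$1 port=$2 addr=$3 peer_pub=$4 peer_ip=$5

    [ -n "${WG_PRIVATE_KEY:-}" ] || { echo "WG_PRIVATE_KEY is not set" >&2; return 1; }
    # Reject anything that is not a valid UDP port number.
    case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }

    # listen_port and the WAN rule's dest_port both come from $port, so the
    # port the firewall opens is always the one the interface listens on.
    cat <<EOF
set network.${iface}=interface
set network.${iface}.proto='wireguard'
set network.${iface}.private_key='${WG_PRIVATE_KEY}'
set network.${iface}.listen_port='${port}'
add_list network.${iface}.addresses='${addr}'
add network wireguard_${iface}
set network.@wireguard_${iface}[-1].public_key='${peer_pub}'
add_list network.@wireguard_${iface}[-1].allowed_ips='${peer_ip}'
set network.@wireguard_${iface}[-1].persistent_keepalive='25'
add_list firewall.@zone[0].network='${iface}'
add firewall rule
set firewall.@rule[-1].name='Allow-WireGuard-${iface}'
set firewall.@rule[-1].src='wan'
set firewall.@rule[-1].proto='udp'
set firewall.@rule[-1].dest_port='${port}'
set firewall.@rule[-1].target='ACCEPT'
EOF
}
```

Review the printed commands, pipe them into `uci batch`, then run `uci commit network` and `uci commit firewall` and restart the network and firewall services. Each peer gets its own key pair and its own `/32` in `allowed_ips`.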

Can you provide details of setup?
Your LAN is 192.168.1.0/24 ?

I'm trying to access my home LAN remotely. Wireguard server on home router and using a windows client remotely.
Confused as to why you have 192.168.1.1 as an Endpoint host.


@SR21 - There are a lot of WireGuard threads and a tutorial that can help you get set up and/or fixed. It is probably going to be best if you check out those resources and ask specific questions where you are stuck or when things are not working.

Is there a specific issue you are dealing with right now?


Hi, I have two WireGuard interfaces: one configured for MullvadVPN WireGuard, and another one for my internal WLAN clients (iPhone, MacBook Pro) that connect via the router's WireGuard interface for my LAN/WLAN devices. Crypto routing works, by the way, so I can mount my SMB server through my LAN/WLAN WireGuard interface. The screenshot you see is outdated, as my config is now different: one WireGuard interface for MullvadVPN, and one WireGuard VPN interface for WLAN clients in the 10.0.0.0/24 net.

Thanks for the feedback from both of you. I haven't been able to have a client access the LAN network remotely via a WireGuard tunnel. Will review the various threads.