This is one to add to the pile, probably. I'm new to Wireguard (and the whole VPN thing altogether). What I would like to achieve seems pretty simple, but at the moment it's very elusive: access to my LAN with a remote client.
I have set up a Wireguard server on my OpenWrt router, and configured my Android client with the Wireguard app. The LAN is a 10.0.0.x subnet, with a very limited DHCP range (.30-.60). Wireguard interface gets a high IP outside that scope so there shouldn't be any collisions afaik.
I have 'backported' the latest Wireguard commits from master to 18.06, but it all compiled fine, and the connection gets established, so I do not think this is an issue, but I am mentioning it just in case.
The intention is for the remote client to have access to the whole LAN, so from what I gathered putting the whole subnet in allowed_ips is OK?
Server configuration - /etc/config/network:

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'xxxx'
	option listen_port '8192'
	list addresses '10.0.0.248/29'

config wireguard_wg0
	option public_key 'xxxx'
	option persistent_keepalive '25'
	list allowed_ips '10.0.0.0/24'
/etc/config/firewall looks OK as well:

config rule
	option src '*'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '8192'
	option name 'Allow-Wireguard-Inbound'
The wireguard server seems to come up correctly and a connection gets established:
# wg
interface: wg0
  public key: xxxx
  private key: (hidden)
  listening port: 8192

peer: xxxx
  endpoint: 199.199.1xx.xxx:42268
  allowed ips: 10.0.0.0/24
  latest handshake: 36 seconds ago
  transfer: 130.29 KiB received, 53.94 KiB sent
  persistent keepalive: every 25 seconds
What I found out:
- I can ping the router's LAN IP (10.0.0.1) from my smartphone (10.0.0.250) and vice versa.
- Pinging any other LAN client from my smartphone does not work.
- Pinging a remote IP from the smartphone (e.g. 8.8.8.8) does work.
- Surfing does not, so it looks like DNS is being hijacked by the Wireguard connection, which should only handle 10.0.0.x connections?
I have tried allow_routed_ips (which pops up here in the forums quite a lot but does not seem to be meant for this kind of setup), makes no difference. I'm not sure what to do here...
Thank you!
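As an added example (not part of the post above), a small Python checker for two addressing properties of a UCI network config like the one shown: whether the WireGuard interface address sits inside the LAN subnet, and whether a peer's allowed_ips covers the whole LAN. The 'lan' section in the sample is a constructed assumption, since the post only says the LAN is 10.0.0.x.

```python
import ipaddress

# Constructed sample in the UCI layout from the post (keys redacted). The
# 'lan' section is assumed; the post only states the LAN is 10.0.0.x.
SAMPLE = """
config interface 'lan'
	option ipaddr '10.0.0.1'
	option netmask '255.255.255.0'
config interface 'wg0'
	option proto 'wireguard'
	option listen_port '8192'
	list addresses '10.0.0.248/29'
config wireguard_wg0
	option public_key 'xxxx'
	list allowed_ips '10.0.0.0/24'
"""

def parse_uci(text):
    """Parse UCI text into a list of (section_type, {key: [values]})."""
    sections = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if not parts:
            continue
        if parts[0] == "config":
            sections.append((parts[1].strip("'\""), {}))
        elif parts[0] in ("option", "list") and sections and len(parts) == 3:
            sections[-1][1].setdefault(parts[1], []).append(parts[2].strip("'\""))
    return sections

def check_wg_addressing(text):
    """Return findings where tunnel addressing overlaps the LAN subnet."""
    lan, tunnel, allowed = None, [], []
    for stype, o in parse_uci(text):
        if stype == "interface" and "ipaddr" in o and "netmask" in o:
            lan = ipaddress.ip_network(o["ipaddr"][0] + "/" + o["netmask"][0], strict=False)
        elif stype == "interface" and o.get("proto") == ["wireguard"]:
            tunnel += [ipaddress.ip_interface(a) for a in o.get("addresses", [])]
        elif stype.startswith("wireguard_"):
            allowed += [ipaddress.ip_network(a, strict=False) for a in o.get("allowed_ips", [])]
    findings = []
    if lan is None:
        return findings
    for a in tunnel:
        if a.ip in lan:  # LAN hosts treat this address as on-link and ARP for it instead of routing
            findings.append(f"tunnel address {a} is inside LAN {lan}")
    for n in allowed:
        if n.overlaps(lan) and n.prefixlen <= lan.prefixlen:  # peer may source any LAN address
            findings.append(f"allowed_ips {n} covers the whole LAN {lan}")
    return findings

if __name__ == "__main__":
    for f in check_wg_addressing(SAMPLE):
        print("WARN:", f)
```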