This is one to add to the pile, probably. I'm new to Wireguard (and the whole VPN thing altogether). What I would like to achieve seems pretty simple, but at the moment it's very elusive: access to my LAN with a remote client.
I have set up a Wireguard server on my OpenWrt router, and configured my Android client with the Wireguard app. The LAN is a 10.0.0.x subnet, with a very limited DHCP range (.30-.60). Wireguard interface gets a high IP outside that scope so there shouldn't be any collisions afaik.
I have 'backported' the latest Wireguard commits from master to 18.06, but it all compiled fine, and the connection gets established, so I do not think this is an issue, but I am mentioning it just in case.
The intention is for the remote client to have access to the whole LAN, so from what I gathered putting the whole subnet in allowed_ips is OK?
Server configuration -
config interface 'wg0'
    option proto 'wireguard'
    option private_key 'xxxx'
    option listen_port '8192'
    list addresses '10.0.0.248/29'

config wireguard_wg0
    option public_key 'xxxx'
    option persistent_keepalive '25'
    list allowed_ips '10.0.0.0/24'
/etc/config/firewall looks OK as well:
config rule
    option src '*'
    option target 'ACCEPT'
    option proto 'udp'
    option dest_port '8192'
    option name 'Allow-Wireguard-Inbound'
The wireguard server seems to come up correctly and a connection gets established:
# wg
interface: wg0
  public key: xxxx
  private key: (hidden)
  listening port: 8192

peer: xxxx
  endpoint: 199.199.1xx.xxx:42268
  allowed ips: 10.0.0.0/24
  latest handshake: 36 seconds ago
  transfer: 130.29 KiB received, 53.94 KiB sent
  persistent keepalive: every 25 seconds
What I found out:
- I can ping the router's LAN IP (10.0.0.1) from my smartphone (10.0.0.250) and vice versa.
- Pinging any other LAN client from my smartphone does not work.
- Pinging a remote IP from the smartphone (e.g. 126.96.36.199) does work.
- Surfing does not, so it looks like DNS is being hijacked by the Wireguard connection, which should only handle 10.0.0.x connections?
I have tried allow_routed_ips (which pops up here in the forums quite a lot but does not seem to be meant for this kind of setup), makes no difference. I'm not sure what to do here...
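An offline sanity check for the addressing in a setup like the one described in the post, added here as an example and not part of the original post or of OpenWrt: it parses the posted wg0 UCI fragment and flags a tunnel address that sits inside the LAN prefix (LAN hosts then treat the tunnel peer as on-link and ARP for it locally instead of sending replies back through the router) and a peer allowed_ips wider than a single host that covers the LAN. The LAN prefix 10.0.0.0/24 is assumed from the post.

```python
import ipaddress
import re

# Constructed from the UCI fragment quoted in the post (keys as OpenWrt writes them).
SERVER_UCI = """
config interface 'wg0'
    option proto 'wireguard'
    option listen_port '8192'
    list addresses '10.0.0.248/29'

config wireguard_wg0
    option persistent_keepalive '25'
    list allowed_ips '10.0.0.0/24'
"""

# Assumption: the LAN bridge uses the 10.0.0.0/24 prefix described in the post.
LAN_NET = ipaddress.ip_network("10.0.0.0/24")


def uci_list_values(text, key):
    """Return the values of every `list <key> '<value>'` line in a UCI fragment."""
    return re.findall(r"^\s*list\s+%s\s+'([^']+)'" % re.escape(key), text, re.M)


def addressing_findings(uci_text, lan_net):
    """Flag tunnel addressing that silently breaks LAN-host-to-peer return traffic."""
    findings = []
    for addr in uci_list_values(uci_text, "addresses"):
        tun = ipaddress.ip_interface(addr)
        if tun.ip in lan_net:
            # LAN hosts see 10.0.0.250 as on-link, ARP for it and get no answer.
            findings.append(
                "wg0 address %s lies inside LAN %s: LAN hosts ARP for tunnel peers "
                "locally instead of replying via the router" % (tun, lan_net))
    for net in uci_list_values(uci_text, "allowed_ips"):
        allowed = ipaddress.ip_network(net, strict=False)
        if allowed.overlaps(lan_net) and allowed.prefixlen < allowed.max_prefixlen:
            # Cryptokey routing sends every LAN-destined packet leaving wg0 to this
            # one peer; route_allowed_ips would also add a LAN route into the tunnel.
            findings.append(
                "peer allowed_ips %s covers the LAN rather than just the peer's own "
                "tunnel address" % allowed)
    return findings


if __name__ == "__main__":
    for line in addressing_findings(SERVER_UCI, LAN_NET):
        print("WARN:", line)
```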