Wireguard tunnel to home router

Hi all.

I have been using OpenVPN for accessing my internal network (behind an OpenWRT router) for many years. Now I bought a new router and decided to test WireGuard, which I have heard so many good things about.
What I would like to achieve is to be able to flip the VPN switch and have my mobile behave as if it were inside my 192.168.1.x LAN. It should be able to ping other devices on that subnet and surf the internet using my router on 192.168.1.1 as the gateway.

I used this FAQ to set up Wireguard server on my router and create 4 named peers:

I converted the 1_lan_Alpha.conf file to a QR code, imported it into my WireGuard client on my iPhone, changed the WireGuard endpoint to the IP of my router's WAN and connected.

I can see in Status -> WireGuard -> Peers -> 1_lan_Alpha that I have a connection (there are bytes flowing in/out) but I cannot ping anything from the phone. Not even 10.5.0.1, which should be the WG interface.

This is the content of the 1_lan_Alpha.conf file used by the "client" (= my mobile):

[Interface]
Address = 10.0.5.2/32
PrivateKey = redacted= # Peer's private key
DNS = 10.0.5.1

[Peer]
PublicKey = redacted= # Server's public key
PresharedKey = redacted= # Peer's pre-shared key
PersistentKeepalive = 25
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = my-ddns.no-ip.com:51820

This is how Interface "WG_LAN" is configured:


I assume I need to set up something in the firewall so that my 10.5.0.2 client can access the 192.168.1.1 subnet?

Thank you!

Ahh, sorry. I am stupid. I forgot to read this.

I will try to do this and get back if it doesn't work.

Edit: this is for routing all LAN traffic through VPN tunnel on router. I need to route all traffic on mobile through my tunnel. So I am still stuck.

Anyone who can give me a hint?

I'm pretty sure this is not the right way to do it but I use this method and it works fairly well:

So my use case is pretty similar to yours: I too want to access my LAN devices as well as the WAN network through a phone (client).

So I created a new firewall zone called "WireGuard", and then added the wireguard interface to this zone.

config zone
	option name 'WireGuard'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'wg_home'

My interface is wg_home.

Then I added 4 firewall rules like this:

config rule
        option target 'ACCEPT'
        option src 'WireGuard'
        list proto 'all'
        option dest 'lan'
        option name 'WgToLan'

config rule
        option target 'ACCEPT'
        option src 'lan'
        list proto 'all'
        option dest 'WireGuard'
        option name 'LanToWg'

config rule
        option target 'ACCEPT'
        option src 'wan'
        list proto 'all'
        option dest 'WireGuard'
        option name 'WanToWg'

config rule
        option target 'ACCEPT'
        option src 'WireGuard'
        list proto 'all'
        option dest 'wan'
        option name 'WgToWan'

All this goes into /etc/config/firewall

Instead of using the firewall rules you can just allow forwarding from zones to zones, but I prefer to use the rules.

That should be it for the firewall rules. Once you restart everything it should work as expected: your LAN clients should be accessible through the WireGuard interface, and you should also be able to access the WAN network through the WireGuard interface (on the client).

Let's see the text configs that you've got on your router right now:

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

A general allow of wan->vpn forwarding is pointless; since NAT is involved, it won't work. Which is a good thing, since it would be insecure if it did work.

To tunnel from the phone to the home Internet via VPN, vpn->wan forwarding must be allowed in the home router, but not the other direction.
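The two firewall layouts discussed above (the WireGuard interface inside the lan zone, or a separate zone with per-direction ACCEPT rules) and the point in this reply (vpn->wan must be allowed, wan->vpn must not) can be checked mechanically. The script below is an added example written for this thread, not code from the thread or from OpenWrt; it parses a uci-style /etc/config/firewall with awk (no uci binary required) and treats `config forwarding` sections plus unrestricted zone-to-zone ACCEPT rules as effective allows. The two embedded configs are constructed samples modelled on the ones posted above; the function names and messages are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: audit an OpenWrt /etc/config/firewall
# for the zone-to-zone traffic a WireGuard road-warrior setup needs.
# Effective allows = 'config forwarding' sections + 'config rule' sections
# that accept everything between two zones (target ACCEPT, src and dest set,
# no proto/port restriction). Assumes a uci-style config file.

# Print "src dest" for every effective zone-to-zone allow in the file.
fw_allows() {
    awk -v q="'" '
        function emit() {
            if (src == "" || dst == "" || dst == "*") return
            if (sect == "forwarding") print src, dst
            if (sect == "rule" && tgt == "ACCEPT" && dport == "" &&
                (proto == "" || proto == "all")) print src, dst
        }
        /^config /                    { emit(); sect = $2; src = dst = tgt = proto = dport = "" }
        /^[ \t]*option src /          { gsub(q, "", $3); src = $3 }
        /^[ \t]*option dest /         { gsub(q, "", $3); dst = $3 }
        /^[ \t]*option target /       { gsub(q, "", $3); tgt = $3 }
        /^[ \t]*(option|list) proto / { gsub(q, "", $3); proto = $3 }
        /^[ \t]*option dest_port /    { dport = "set" }
        END { emit() }
    ' "$1"
}

# Print the name of the zone whose 'list network' entries contain the interface.
fw_zone_of() {
    awk -v q="'" -v iface="$2" '
        function emit() { if (sect == "zone" && index(" " nets " ", " " iface " ")) print zname }
        /^config /             { emit(); sect = $2; zname = ""; nets = "" }
        /^[ \t]*option name /  { gsub(q, "", $3); zname = $3 }
        /^[ \t]*list network / { gsub(q, "", $3); nets = nets " " $3 }
        END { emit() }
    ' "$1"
}

# True when the allow list (arg 1) contains the exact pair "src dest".
fw_has() { printf '%s\n' "$1" | grep -qx "$2 $3"; }

# audit_wg_forwarding <firewall-config> <wg-interface>: exit 0 only when the
# required allows exist and the risky one does not.
audit_wg_forwarding() {
    allows=$(fw_allows "$1"); zone=$(fw_zone_of "$1" "$2"); rc=0
    if [ -z "$zone" ]; then
        echo "MISSING: $2 belongs to no firewall zone"; return 1
    fi
    echo "INFO: $2 is in zone '$zone'"
    # Phone -> Internet via the home router: vpn->wan must be allowed.
    if fw_has "$allows" "$zone" wan; then echo "OK: $zone -> wan"
    else echo "MISSING: $zone -> wan (no Internet through the tunnel)"; rc=1; fi
    # Phone -> 192.168.1.x: the WG interface sits in the lan zone itself
    # (intra-zone forwarding, governed by the zone's forward option) or an
    # explicit vpn->lan allow exists.
    if [ "$zone" = lan ] || fw_has "$allows" "$zone" lan; then echo "OK: $zone -> lan"
    else echo "MISSING: $zone -> lan (no access to LAN devices)"; rc=1; fi
    # Internet -> VPN zone is never needed for this setup; flag it.
    if fw_has "$allows" wan "$zone"; then echo "RISK: wan -> $zone allowed; remove it"; rc=1; fi
    return $rc
}

# Constructed sample modelled on the config posted in this thread: wg_lan is a
# member of the lan zone and lan->wan forwarding exists.
sample_fw_in_lan_zone() {
    cat <<'EOF'
config zone 'lan'
    option name 'lan'
    option forward 'ACCEPT'
    list network 'lan'
    list network 'wg_lan'
config zone 'wan'
    option name 'wan'
    option masq '1'
    list network 'wan'
config forwarding
    option src 'lan'
    option dest 'wan'
EOF
}

# Constructed sample modelled on the separate-zone reply, including the
# WanToWg rule that this thread says should not be there.
sample_fw_separate_zone() {
    cat <<'EOF'
config zone
    option name 'WireGuard'
    list network 'wg_home'
config rule
    option target 'ACCEPT'
    option src 'WireGuard'
    list proto 'all'
    option dest 'lan'
config rule
    option target 'ACCEPT'
    option src 'wan'
    list proto 'all'
    option dest 'WireGuard'
config rule
    option target 'ACCEPT'
    option src 'WireGuard'
    list proto 'all'
    option dest 'wan'
EOF
}

# Demo on the constructed samples; on the router: audit_wg_forwarding /etc/config/firewall wg_lan
t=$(mktemp)
sample_fw_in_lan_zone   > "$t"; audit_wg_forwarding "$t" wg_lan  || echo "audit failed, exit $?"
sample_fw_separate_zone > "$t"; audit_wg_forwarding "$t" wg_home || echo "audit failed, exit $?"
rm -f "$t"
```

Copy the functions to the router and run `audit_wg_forwarding /etc/config/firewall wg_lan` after `/etc/init.d/firewall restart`. The first sample passes (wg_lan in lan, lan->wan forwarding present); the second fails only because of the wan->WireGuard rule, which is exactly the allow this reply says to leave out.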

cat /etc/config/network


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd3b:1fdf:7038::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.1.1'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

config interface 'wg_lan'
	option proto 'wireguard'
	option private_key 'redacted='
	option listen_port '51820'
	option mtu '1420'
	list addresses '10.0.5.1'

config wireguard_wg_lan
	option public_key 'redacted='
	option preshared_key 'redacted='
	option description '1_lan_Alpha'
	list allowed_ips '10.0.5.2/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

config wireguard_wg_lan
	option public_key 'redacted='
	option preshared_key 'redacted='
	option description '2_lan_Bravo'
	list allowed_ips '10.0.5.3/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

config wireguard_wg_lan
	option public_key 'redacted='
	option preshared_key 'redacted='
	option description '3_lan_Charlie'
	list allowed_ips '10.0.5.4/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

config wireguard_wg_lan
	option public_key 'redacted='
	option preshared_key 'redacted='
	option description '4_lan_Delta'
	list allowed_ips '10.0.5.5/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'


cat /etc/config/firewall


config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wg_lan'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule 'wg'
	option name 'Allow-WireGuard-lan'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

Mostly looks fine.
I recommend specifying the size of the network in the WG interface config:

change this line:

	list addresses '10.0.5.1'

to

	list addresses '10.0.5.1/24'

Are you getting a handshake:

wg show

Done. Restarted.

Yes:


root@OpenWrt:~# wg show
interface: wg_lan
  public key: redacted=
  private key: (hidden)
  listening port: 51820

peer: redacted=
  preshared key: (hidden)
  endpoint: my ip:57226
  allowed ips: 10.0.5.2/32
  transfer: 148 B received, 1.39 KiB sent
  persistent keepalive: every 25 seconds
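How to read a `wg show` block: wg(8) prints a `latest handshake:` line only for peers that have completed a handshake, while the `transfer:` counters also count packets that never led to one. The block posted above has counters but no `latest handshake:` line. The script below is an added example for this thread, not code from the thread or from WireGuard; it parses the human-readable `wg show` layout (peer attributes indented by two spaces) and classifies each peer. The sample output is constructed in that layout with placeholder keys and documentation-range endpoint addresses.

```shell
#!/bin/sh
# Added example, not from the thread: tell completed handshakes apart from
# mere packet counters in `wg show` output. Assumes the human-readable
# `wg show` layout (peer attributes indented by two spaces).

# Read `wg show` text from the files given as arguments (or stdin) and print
# one line per peer: "<pubkey> OK <age>" or "<pubkey> NO-HANDSHAKE <transfer>".
wg_peer_status() {
    awk '
        function emit() {
            if (peer == "") return
            if (hs != "") print peer, "OK", hs
            else print peer, "NO-HANDSHAKE", (xfer == "" ? "no traffic" : xfer)
        }
        /^peer: /               { emit(); peer = $2; hs = ""; xfer = "" }
        /^interface: /          { emit(); peer = "" }
        /^  latest handshake: / { sub(/^  latest handshake: /, ""); hs = $0 }
        /^  transfer: /         { sub(/^  transfer: /, ""); xfer = $0 }
        END { emit() }
    ' "$@"
}

# Number of peers that never completed a handshake (0 when all are fine).
wg_no_handshake_count() { wg_peer_status "$@" | grep -c ' NO-HANDSHAKE ' || true; }

# Constructed sample in the layout the router printed above: the first peer
# has traffic but no "latest handshake:" line, the second is healthy.
sample_wg_show() {
    cat <<'EOF'
interface: wg_lan
  public key: SERVERKEY=
  private key: (hidden)
  listening port: 51820

peer: KEY_ALPHA=
  preshared key: (hidden)
  endpoint: 203.0.113.7:57226
  allowed ips: 10.0.5.2/32
  transfer: 148 B received, 1.39 KiB sent
  persistent keepalive: every 25 seconds

peer: KEY_BRAVO=
  preshared key: (hidden)
  endpoint: 198.51.100.9:41000
  allowed ips: 10.0.5.3/32
  latest handshake: 1 minute, 3 seconds ago
  transfer: 5.21 MiB received, 98.40 MiB sent
  persistent keepalive: every 25 seconds
EOF
}

# Demo on the constructed sample; on the router: wg show | wg_peer_status
sample_wg_show | wg_peer_status
```

A WireGuard handshake initiation message is 148 bytes on the wire, so "148 B received" with no `latest handshake:` line is the signature of exactly one initiation that arrived but was not accepted (public key or preshared key mismatch between the two configs) or whose reply never got back to the phone. For scripting on the router, `wg show wg_lan latest-handshakes` prints each peer's public key and a Unix timestamp, with 0 meaning never.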

Are you testing this from your lan, or from another network (such as another wifi network or cellular)?

Let's take a look at your remote peer config (I assume this is your phone or a computer)?


I think I had this issue and resolved it by adding my wireguard interface to my LAN firewall zone.

I think you nailed it.

Client is on LAN behind an OpenWRT router with a true external IP on WAN (not CGNAT).
New router (that is being tested and hosts the WireGuard server) has its WAN on the same switch as the client router. But it got some wonky WAN IP address (CGNAT?) from the ISP DHCP.

Once I hard-coded the server router WAN IP with "fake" IP I could ping it from client LAN. Once tunnel was established I was able to communicate from my 192.168.0.x "client" LAN to 192.168.1.x "server" LAN.
Basically, this is hard to test without having two dedicated "true" external IPs and I only had one.

Anyway, I did some iperf3 testing and speed is fantastic compared to my old OpenVPN link. I got 380Mbit/sec iperf3 throughput through WireGuard tunnel. On a friggin phone using WiFi! :smiley:
irqbalance was balancing and cores never went above 30%....and this is with SQM shaping on the top of it!
