WireGuard tunnelling in – not able to access the entire network

Good morning everyone,

Firstly, thank you all for your help last time with the DHCP issue I was having on my guest network; my router and networks have been running stably for a month now.

On to my next issue. I’ve ?successfully? managed to set up WireGuard on my router to enable remote access to my network. I’m able to tunnel in via both my phone and my laptop, so that part is working; however, it seems that I’m only able to access my router and nothing else on the network. As mentioned, I’m in this situation from both the client on my phone and my laptop. I have confirmed my limited access by trying to reach IP cameras via browser as well as other devices via ping. I’m able to ping the router 192.168.6.1 but nothing else, not even the ‘WireGuard VPN’ interface on 10.20.30.50. Any help would be greatly appreciated.

I’ve included my router config below.

Cheers,
Greg

> uci export network; 
{
	"kernel": "5.15.137",
	"hostname": "MF_House_Router",
	"system": "MediaTek MT7621 ver:1 eco:3",
	"model": "TP-Link Archer AX23 v1",
	"board_name": "tplink,archer-ax23-v1",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.2",
		"revision": "r23630-842932a63d",
		"target": "ramips/mt7621",
		"description": "OpenWrt 23.05.2 r23630-842932a63d"
	}
}
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdc5:4844:079b::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.6.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'pppoe'
	option username 'xxxxxxx'
	option password 'xxxxxxx'
	option ipv6 'auto'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'OpenVPN'
	option proto 'none'
	option device 'tun0'

config interface 'Guest'
	option proto 'static'
	option ipaddr '10.20.30.40'
	option netmask '255.255.255.0'
	option device 'br-guest'

config interface 'WireGuardIN'
	option proto 'wireguard'
	option private_key 'xxxxxxx'
	option listen_port 'xxxxxxx'
	list addresses '10.30.40.50/24'

config wireguard_WireGuardIN
	option description 'GLaptop'
	option public_key 'xxxxxxx'
	option private_key 'xxxxxxx'
	list allowed_ips '10.30.40.51/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

config wireguard_WireGuardIN
	option description 'GPhone'
	option public_key 'xxxxxxx'
	option private_key 'xxxxxxx'
	list allowed_ips '10.30.40.52/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

config device
	option type 'bridge'
	option name 'br-guest'
	option bridge_empty '1'

config wireguard_WireGuardIN
	option description 'GiPad'
	option public_key 'xxxxxxx'
	option private_key 'xxxxxxx'
	list allowed_ips '10.30.40.53/32'
	option persistent_keepalive '25'
	option route_allowed_ips '1'

config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option channel '1'
	option band '2g'
	option htmode 'HE20'
	option cell_density '0'
	option country 'AU'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'Searching...'
	option encryption 'sae-mixed'
	option key 'xxxxxxx'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
	option channel '36'
	option band '5g'
	option htmode 'HE80'
	option cell_density '0'
	option country 'AU'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'Searching...'
	option encryption 'sae-mixed'
	option key 'xxxxxxx'
	option disabled '1'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Not Found...'
	option encryption 'sae-mixed'
	option key 'xxxxxxx'
	option network 'Guest'

config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option ssid 'Not Found...'
	option encryption 'sae-mixed'
	option key 'xxxxxxx'
	option network 'Guest'

package dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'Guest'
	option interface 'Guest'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option force '1'

config host
	option name 'FireStickVPNBypass'
	option mac 'xxxxxxx'
	option ip '192.168.6.186'

config host
	option name 'GregsLaptop'
	option mac 'xxxxxxx'
	option ip '192.168.6.200'

config host
	option name 'GregsiPhone'
	option mac 'xxxxxxx'
	option ip '192.168.6.206'

config host
	option name 'MiriamsLaptop'
	option mac 'xxxxxxx'
	option ip '192.168.6.201'

config host
	option name 'ReoFrontRight'
	option mac 'xxxxxxx'
	option ip '192.168.6.40'

config host
	option name 'ReoDoorbell'
	option mac 'xxxxxxx'
	option ip '192.168.6.41'

config host
	option name 'ReoFrontLeft'
	option mac 'xxxxxxx'
	option ip '192.168.6.42'

config host
	option name 'ReoLeftSide'
	option mac 'xxxxxxx'
	option ip '192.168.6.43'

config host
	option name 'ReoBackyad'
	option mac 'xxxxxxx'
	option ip '192.168.6.44'

config host
	option name 'ReoPatio'
	option mac 'xxxxxxx'
	option ip '192.168.6.45'

config host
	option name 'WyzeGarage'
	option mac 'xxxxxxx'
	option ip '192.168.6.50'

config host
	option name 'WyzePatio'
	option mac 'xxxxxxx'
	option ip '192.168.6.51'

config host
	option name 'WyzeBulbLounge'
	option mac 'xxxxxxx'
	option ip '192.168.6.52'

config host
	option name 'AirconTablet'
	option mac 'xxxxxxx'
	option ip '192.168.6.70'

config host
	option name 'PrinterBrother2360'
	option mac 'xxxxxxx'
	option ip '192.168.6.60'

config host
	option name 'SpeakerYamahaPortable'
	option mac 'xxxxxxx'
	option ip '192.168.6.80'

config host
	option name 'YamahaSoundBar'
	option mac 'xxxxxxx'
	option ip '192.168.6.81'

package firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'WireGuardIN'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/pbr.firewall.include'

config zone
	option name 'OpenVPN'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'OpenVPN'
	option masq '1'
	option mtu_fix '1'
	list device 'tun0'

config forwarding
	option src 'lan'
	option dest 'OpenVPN'

config zone
	option name 'Guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'Guest'

config rule
	option name 'Guest DNS'
	option src 'Guest'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Guest DHCP'
	list proto 'udp'
	option src 'Guest'
	option dest_port '67 68'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'WireGuardIN'
	option src 'wan'
	option src_dport 'xxxxxxx'
	option dest_ip '192.168.6.1'
	option dest_port 'xxxxxxx'
	list proto 'udp'

config forwarding
	option src 'Guest'
	option dest 'OpenVPN'

config forwarding
	option src 'lan'
	option dest 'wan'

head: /etc/firewall.user: No such file or directory
-ash: iptables-save: not found
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
10: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 10.20.30.40/24 brd 10.20.30.255 scope global br-guest
       valid_lft forever preferred_lft forever
11: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.6.1/24 brd 192.168.6.255 scope global br-lan
       valid_lft forever preferred_lft forever
12: WireGuardIN: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.30.40.50/24 brd 10.30.40.255 scope global WireGuardIN
       valid_lft forever preferred_lft forever
17: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN group default qlen 3
    inet xxxxxxx peer 10.20.23.6/32 scope global pppoe-wan
       valid_lft forever preferred_lft forever
18: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    inet xxxxxxx/24 scope global tun0
       valid_lft forever preferred_lft forever
default via 10.20.23.6 dev pppoe-wan table pbr_wan 
10.20.30.0/24 dev br-guest table pbr_wan proto kernel scope link src 10.20.30.40 
192.168.6.0/24 dev br-lan table pbr_wan proto kernel scope link src 192.168.6.1 
default via xxxxxxx dev tun0 table pbr_OpenVPN 
10.20.30.0/24 dev br-guest table pbr_OpenVPN proto kernel scope link src 10.20.30.40 
192.168.6.0/24 dev br-lan table pbr_OpenVPN proto kernel scope link src 192.168.6.1 
default via 10.30.40.50 dev WireGuardIN table pbr_WireGuardIN 
10.20.30.0/24 dev br-guest table pbr_WireGuardIN proto kernel scope link src 10.20.30.40 
192.168.6.0/24 dev br-lan table pbr_WireGuardIN proto kernel scope link src 192.168.6.1 
default via 10.20.23.6 dev pppoe-wan proto static 
10.7.1.0/24 dev tun0 proto kernel scope link src 10.7.1.4 
10.20.23.6 dev pppoe-wan proto kernel scope link src xxxxxxx 
10.20.30.0/24 dev br-guest proto kernel scope link src 10.20.30.40 
10.30.40.0/24 dev WireGuardIN proto kernel scope link src 10.30.40.50 
10.30.40.51 dev WireGuardIN proto static scope link 
10.30.40.52 dev WireGuardIN proto static scope link 
10.30.40.53 dev WireGuardIN proto static scope link 
10.30.40.54 dev WireGuardIN proto static scope link 
192.168.6.0/24 dev br-lan proto kernel scope link src 192.168.6.1 
local 10.7.1.4 dev tun0 table local proto kernel scope host src 10.7.1.4 
broadcast 10.7.1.255 dev tun0 table local proto kernel scope link src 10.7.1.4 
local 10.20.30.40 dev br-guest table local proto kernel scope host src 10.20.30.40 
broadcast 10.20.30.255 dev br-guest table local proto kernel scope link src 10.20.30.40 
local 10.30.40.50 dev WireGuardIN table local proto kernel scope host src 10.30.40.50 
broadcast 10.30.40.255 dev WireGuardIN table local proto kernel scope link src 10.30.40.50 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
local 192.168.6.1 dev br-lan table local proto kernel scope host src 192.168.6.1 
broadcast 192.168.6.255 dev br-lan table local proto kernel scope link src 192.168.6.1 
local xxxxxxx dev pppoe-wan table local proto kernel scope host src xxxxxxx 
0:	from all lookup local
30000:	from all fwmark 0x10000/0xff0000 lookup pbr_wan
30001:	from all fwmark 0x20000/0xff0000 lookup pbr_OpenVPN
30002:	from all fwmark 0x30000/0xff0000 lookup pbr_WireGuardIN
32766:	from all lookup main
32767:	from all lookup default
lrwxrwxrwx    1 root     root            16 Nov 14 23:38 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            47 Mar 10 06:07 /tmp/resolv.conf
-rw-r--r--    1 root     root           124 Mar  9 15:22 /tmp/resolv.conf.d/resolv.conf.auto
-rw-r--r--    1 root     root            50 Mar  9 15:22 /tmp/resolv.conf.ppp

/tmp/resolv.conf.d:
-rw-r--r--    1 root     root           124 Mar  9 15:22 resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.ppp <==
nameserver xxxxxxx
nameserver xxxxxxx

==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface wan
nameserver xxxxxxx
nameserver xxxxxxx
# Interface wan6

It is well possible that the problem is the wireguard configuration on your end devices. Please also show the WG configuration of one of your devices (make sure to redact the keys).

Hi Andy,

Thanks, I was wondering about this. This is the configuration from my phone, which at the moment is the same as the config for my laptop. Moving forward, on my phone I'd like to route all traffic through my WireGuard tunnel to my home network. On my computer I'd like to route only some specific IPs through to my home network. I've been googling and searching, but admittedly I've not been very successful.

Thanks again,
Greg



In the firewall config, replace the 'WireGuardIN' port forward (the `config redirect` section):

with:

config rule
	option name 'WireGuardIN'
	option src 'wan'
	option target 'ACCEPT'
	option dest_port 'xxxxxxx'
	list proto 'udp'

Change the firewall rule as mentioned by @oauestad first; then you should be able to set the allowed IPs in the phone's WireGuard client configuration to 0.0.0.0/0, which forces all of the phone's traffic through the WireGuard tunnel.

For the computer, routing only specific IPs through the tunnel is controlled by the allowed IPs setting in its WireGuard client configuration.

Thanks oauestad,

I'm very new to this and only using LuCI at the moment; are you able to help me with that? Here are my current options for the port forward (I'm guessing this is the one you're referring to, given the options you mentioned?).

Cheers,
Greg

Thanks Andy, I will do as soon as I manage to get my firewall sorted out as mentioned above.
Cheers,
Greg

Hi Greg,

You do not want a port forward here: the WireGuard listener runs on the router itself, so the incoming UDP packets need to be accepted on the router's own input path rather than forwarded to a LAN host. Delete your port forward and create a Traffic Rule instead, with the following fields filled out:

Name: WireGuardIn
Protocol: UDP
Source Zone: WAN/WAN6
Destination Zone: Device (input)
Destination port: "your wireguard port"
Action: accept

Thanks oauestad,

I've done this with no change in what I'm able to access. After much pondering, I'm now sure that this problem is being caused by two PBR rules I have in place to force all traffic (except one IP) through my OpenVPN connection. As soon as I disable these rules, I'm able to access my entire network via WireGuard. For me this is an acceptable solution, as I only really need to WG in remotely if something has gone wrong: I can access my router via WG, disable the PBR, access my network to fix whatever is wrong, then enable the PBR again before I leave. I am wondering, however, whether there is a more elegant solution using PBR so that reply traffic to the WireGuard clients is routed back out through the WireGuard interface instead of being sent into the OpenVPN tunnel. This I can't figure out. I've attached screenshots of my two PBR rules.

Cheers,
Greg


Hi again Greg,

I did some more testing. It seems that your first attempt, using a port forward, actually does work. I changed the WireGuard Traffic Rule to a port forward directed at the router's own address. The resulting firewall rules (as seen on Status - Firewall) are more complex than when using a Traffic Rule, but WireGuard works OK. New lesson learned here.

I am sorry I have no experience with PBR. Hopefully someone else can help you with that.

Thanks oauestad,

No worries, thanks for putting in the time to help me. I'm very new to both networking in general and OpenWrt specifically. I've learned a heap from the forums and from people replying to my queries. This situation isn't a show stopper, as the current workaround detailed above is perfectly serviceable for me until I understand more.

Cheers,
Greg