Wireguard unable to access LAN

It's my first post and I will try to explain my setup as best I can; thank you for your patience.

My setup:
Remote Client < ----Wireguard tunnel ---> Router/Gateway/DHCP (192.168.1.1) ---> LAN / openwrt box

The OpenWrt box is connected to the LAN with a static address of 192.168.1.20 and is the WireGuard server;
wg0 is set to 10.5.0.1. It's only used as a WireGuard server and a switch. I also have a Pi-hole set up on 192.168.1.100.

I can get a handshake from my remote client to the OpenWrt box. I can ping 10.5.0.1. I am unable to ping any of the devices on my network. I would like the remote client to access the other LAN devices on the network. I would also like to grant WAN access to the remote device (so that my remote device's IP appears the same as my home network's).

Please see the following config files:

cat firewall 

# OpenWrt firewall (UCI) as posted. Two zones: 'lan', which also carries the
# 'wg0' tunnel network, and 'wan'.

# Global policy: traffic to the router (input) and from it (output) is accepted;
# forwarding between zones is rejected unless a zone or forwarding entry allows it.
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

# The lan zone covers both the wired 'lan' network and the 'wg0' tunnel, so a
# WireGuard peer gets exactly the privileges of a wired LAN host: it may reach the
# router itself (input ACCEPT) and forward within the zone (forward ACCEPT). That
# is what lets the tunnel reach 192.168.1.0/24 once routing is in place; any
# access control between tunnel peers and LAN hosts therefore has to happen on
# the hosts themselves, or by giving wg0 a zone of its own with narrower rules.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan wg0'

# Upstream zone: unsolicited inbound traffic is rejected, outbound traffic is
# NATed (masq) and TCP MSS is clamped (mtu_fix).
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

# Because wg0 is part of 'lan', this forwarding also grants tunnel peers egress
# through this box's wan zone. Whether internet-bound tunnel traffic actually
# leaves via the pppoe wan or via the lan gateway 192.168.1.1 depends on the
# active default route, which is not visible in this post.
config forwarding
        option src 'lan'
        option dest 'wan'

# The rules below look like the stock OpenWrt inbound-from-wan exceptions
# (DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6, IPsec); none is WireGuard-related.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# IPsec pass-through from wan into lan (ESP and IKE on UDP/500). Unrelated to
# WireGuard; these can be disabled if no IPsec endpoint exists on the LAN.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Any additional rules in /etc/firewall.user are not shown in this post.
config include
        option path '/etc/firewall.user'

# Accepts UDP 51820 addressed to this router (no 'dest', so it is an input rule)
# from every zone ('*'). The tunnel listener only needs to be reachable from the
# outside; restricting src to 'wan' would be narrower, since lan-zone hosts
# already have input ACCEPT through the zone policy above.
config rule
        option src '*'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '51820'
        option name 'Allow-Wireguard-Inbound'

and:

cat /etc/config/network 

# /etc/config/network as posted; keys, credentials, MACs and the ULA prefix
# have been redacted by the poster ('xxx…').

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxxxxxxxxx::/48'

# DSL line settings for the ptm0 wan link below.
config atm-bridge 'atm'
        option vpi '1'
        option vci '32'
        option encaps 'llc'
        option payload 'bridged'

config dsl 'dsl'
        option annex 'a'
        option tone 'av'
        option xfer_mode 'ptm'

# Wired LAN: a bridge over VLAN 1 with a static address, default route toward
# the main router 192.168.1.1 and DNS pointed at the Pi-hole 192.168.1.100.
# LAN hosts send their replies to 10.5.0.x to that gateway, not to this box,
# which is why the thread adds a static route 10.5.0.0/24 via 192.168.1.20 on
# the main router.
config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.1.1'
        option dns '192.168.1.100'
        option ipaddr '192.168.1.20'

config device 'lan_dev'
        option name 'eth0.1'
        option macaddr 'xxxxxxxxxxxx'

# PPPoE uplink on ptm0 (switch VLAN 2 below). With this interface up the box
# has a default route of its own in addition to the lan 'gateway' above, so it
# is not purely a dumb switch; which route wins is not visible here.
config interface 'wan'
        option ifname 'ptm0'
        option proto 'pppoe'
        option username 'xxxxxxxx'
        option password 'xxxxxxxx'
        option ipv6 '1'

config device 'wan_dev'
        option name 'ptm0'
        option macaddr 'xxxxxxxxxxxxx'

# IPv6 side of the same pppoe link.
config interface 'wan6'
        option ifname '@wan'
        option proto 'dhcpv6'

# Switch: VLAN 1 = ports 0,1,2,4 plus CPU (6, tagged); VLAN 2 = port 5 plus CPU.
config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 4 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 6t'

# WireGuard server side: listens on UDP 51820 (matched by the
# Allow-Wireguard-Inbound firewall rule), tunnel address 10.5.0.1/24.
# The 'wg0' network is placed in the 'lan' firewall zone.
config interface 'wg0'
        option proto 'wireguard'
        option listen_port '51820'
        list addresses '10.5.0.1/24'
        option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx='

# The single peer. allowed_ips is WireGuard's cryptokey routing: only packets
# whose source address is 10.5.0.2 are accepted from this peer, and with
# route_allowed_ips '1' a route to 10.5.0.2/32 via wg0 is installed. No
# endpoint is set, so the remote client must initiate the handshake; no
# preshared_key is configured. The post says the client side uses AllowedIPs
# 0.0.0.0/0, so all of the client's traffic enters through this tunnel and is
# subject to the lan-zone forwarding rules.
config wireguard_wg0
        option public_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx='
        list allowed_ips '10.5.0.2/32'
        option route_allowed_ips '1'

Remote client allowed IPs is set to 0.0.0.0/0

Thank you for your help

You need to add a static route on your Router/Gateway
10.5.0.0/24 via 192.168.1.20

Your client will probably need a static route too, as the WireGuard client on a PC will not create it automatically, as I recall:
192.168.1.0/24 via 10.5.0.1 or via {wg interface name}

Thank you for this information. I assume this is a firewall rule. I would be grateful if you could give me a little more information about how to implement that.

Thanks again.

Nothing to do with the firewall. Open your [main] router's interface and search for static routes.

Ah, I have found static routes with the following fields:

Destination IP / Subnet mask / gateway / interface

Based on the above would you suggest:
192.168.1.20 / 10.5.0.0 / 10.5.0.1 / LAN

thank you.

Wrong.
10.5.0.0/24 via 192.168.1.20 translates to
10.5.0.0 / 255.255.255.0 / 192.168.1.20 / LAN

thank you, you have saved me hours of time. This has indeed worked.

I can now ping devices on my LAN and the WAN. However, I am not able to resolve DNS queries on my DNS (Pi-hole) server (192.168.1.100) like my other LAN devices can, although I am able to ping 192.168.1.100 from my remote client.

Any suggestions welcome if not I am still very grateful for your help. Thank you.

Pi-hole - Settings - DNS - Interface settings
Its default setting is:

Allows only queries from devices that are at most one hop away (local devices)

Unrelated to OpenWrt )

@AndrewZ's solution is the preferred one.
If you cannot set a static route on the main gateway, you can instead enable masquerading on the lan interface of your OpenWrt router,
assuming this is indeed a dumb AP connected via its LAN to the main router.

I have attempted "permit all origins" on the Pi-hole but still have no luck resolving host names from my remote client.

Regardless I am still very grateful for your help.

For my own learning: if someone is willing to explain why static routes are preferable to masquerade, I would be interested to hear. Are there any extra security considerations I need to be aware of when using a static route?

EDIT
DNS resolving issue fixed by editing the firewall rules on my PiHole.


When using masquerade, everything appears to originate from the OpenWrt router, so you cannot log or set access restrictions based on the real origin.

Furthermore, though not important, masquerading uses some CPU cycles and so slows the traffic down a bit, but on modern routers you will not notice.

But the advantage is that you do not need to open up the firewall (e.g. on your Pi) for the WG subnet.
