WireGuard unable to access LAN

Currently I can access the WAN (Internet) through WireGuard, and it seems that the traffic goes through my home network.

(Remote Client) => (Home Network) => (Internet)

I can also connect to openWRT luci.

However the remote client is not able to connect to the devices on the home network. (The devices on the LAN)

(Remote Client) => (Home Network) =/=> (Home Device)

These are my configs. Please help. Thanks in advance.

uci export network

package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fd96:3489:f6df::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ip6assign '60'
        option ipaddr '10.0.0.1'
        option netmask '255.255.0.0'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'WireGuard'
        option proto 'wireguard'
        option private_key '********'
        option listen_port '51820'
        option defaultroute '0'
        list dns '10.0.0.1'
        list addresses '10.10.0.1/24'

config wireguard_WireGuard
        option description 'Main Peer'
        option public_key '********'
        option private_key '********'
        option preshared_key '********'
        option persistent_keepalive '25'
        option route_allowed_ips '1'
        list allowed_ips '10.10.0.2/32'

uci export firewall

package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option drop_invalid '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'wireguard'
        option output 'ACCEPT'
        option mtu_fix '1'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        list network 'WireGuard'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-WireGuard'
        list proto 'udp'
        option src 'wan'
        option target 'ACCEPT'
        option dest_port '51820'

config forwarding
        option src 'wireguard'
        option dest 'lan'

config forwarding
        option src 'wireguard'
        option dest 'wan'

root@OpenWrt:~# ip -4 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet ***.***.***.***/26 brd ***.***.***.255 scope global wan
       valid_lft forever preferred_lft forever
28: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 10.0.0.1/16 brd 10.0.255.255 scope global br-lan
       valid_lft forever preferred_lft forever
29: WireGuard: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN qlen 1000
    inet 10.10.0.1/24 brd 10.10.0.255 scope global WireGuard
       valid_lft forever preferred_lft forever

I assume those configs are from the 'Home Network'? For testing purposes, move the wireguard interface out of its own firewall zone and put it into the lan zone.

2 Likes

Note that your LAN clients can have their own firewall which does not allow traffic coming from 10.10.0.0/24

As a test you can enable Masquerading on the LAN zone to see if this is the problem.

1 Like

I moved the wireguard interface to the lan zone, but there was no difference.

Enabling the masquerading option in the firewall didn't solve it either.

For information, the client Wireguard configuration is like below

[Interface]
PrivateKey = ********
Address = 10.10.0.2/32
DNS = 10.0.0.1

[Peer]
PublicKey = ********
PresharedKey = ********
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = ***.***.***.***:51820
PersistentKeepalive = 25

Did you remove it from the wireguard zone?

What are you trying to connect to in the home network? Have you checked there isn't a local firewall running on it?

Does the client side have a different subnet than the server and the WG subnet?

There is a Proxmox server in my home, running 4 Linux VMs: one for NAS, one for development, one for a proxy and one for FreeIPA. So I want to connect to them remotely with WireGuard.

I removed it from the wireguard zone and moved it to the lan zone, but it didn't make a difference.

LAN netmask is 10.0.0.1/16, which is 10.0.0.0 to 10.0.255.255
Wireguard netmask is 10.10.0.1/24, which is 10.10.0.0 to 10.10.0.255
I don't think that the LAN netmask is overlapping with the VPN, is it?

Also, I use my 10.0.x.0 (the x digit) to distinguish my servers and desktops. So I would like to use /16

1 Like

I don't understand what "different subnet" means in this context.
The WireGuard server subnet is 10.10.0.1/24, the WireGuard client subnet is 10.10.0.2/32.

The server has 10.0.0.0/16, your WG subnet is 10.10.0.0/24, and the client also has a subnet, which should be different; if the client also has a subnet 10.0.x.x, it is possible it cannot route to the server.

1 Like
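The "different subnet" point above, worked through in a small Python check that is not part of the thread: it verifies that the server LAN (10.0.0.0/16) and the WG subnet (10.10.0.0/24) do not overlap, and then models, with a simplified longest-prefix-match rule, why a remote client sitting on its own 10.0.0.x LAN (a constructed example, not the poster's actual network) would send packets for 10.0.0.1 out of its local interface instead of into the tunnel.

```python
import ipaddress

# Subnets as posted in the thread (server side).
SERVER_LAN = "10.0.0.0/16"   # br-lan: 10.0.0.1/16
WG_SUBNET = "10.10.0.0/24"   # WireGuard interface: 10.10.0.1/24


def overlapping_pairs(named_networks):
    """Return name pairs whose networks overlap; [] means the 'different subnet' test passes."""
    items = [(name, ipaddress.ip_network(cidr)) for name, cidr in named_networks.items()]
    return [(a, b) for i, (a, na) in enumerate(items)
            for b, nb in items[i + 1:] if na.overlaps(nb)]


def route_choice(dest, client_local_lan, allowed_ips):
    """Simplified longest-prefix-match model of the client's routing decision.

    The client's directly connected LAN route competes with the routes WireGuard
    installs for AllowedIPs; the most specific match wins.  (wg-quick handles a
    0.0.0.0/0 AllowedIPs via a separate policy-routing table, but the outcome
    for a connected LAN route is the same: the LAN route takes precedence.)
    """
    dest = ipaddress.ip_address(dest)
    candidates = [("local", ipaddress.ip_network(client_local_lan))]
    candidates += [("wireguard", ipaddress.ip_network(cidr)) for cidr in allowed_ips]
    matches = [(via, net) for via, net in candidates if dest in net]
    if not matches:
        return "unroutable"
    return max(matches, key=lambda m: m[1].prefixlen)[0]


def shadowed_by_client_lan(server_lan, client_local_lan):
    """Part of the server LAN the client would reach locally instead of through the tunnel."""
    server = ipaddress.ip_network(server_lan)
    client = ipaddress.ip_network(client_local_lan)
    if not server.overlaps(client):
        return None
    # One network contains the other; the more specific one is the shadowed range.
    return str(client if client.prefixlen >= server.prefixlen else server)


if __name__ == "__main__":
    # Constructed client-side LAN: a common 10.0.0.x home network (assumption).
    print(overlapping_pairs({"lan": SERVER_LAN, "wireguard": WG_SUBNET}))
    print(shadowed_by_client_lan(SERVER_LAN, "10.0.0.0/24"))
    print(route_choice("10.0.0.1", "10.0.0.0/24", ["0.0.0.0/0"]))
    print(route_choice("10.0.5.20", "10.0.0.0/24", ["0.0.0.0/0"]))
```

Note that masquerading on the lan zone, the workaround that ended up working in this thread, makes LAN hosts see every tunnel connection as coming from 10.0.0.1, so host firewalls and logs on the VMs can no longer tell remote clients apart.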

It works now, I think it's the lan masquerading that did it. Thanks!

1 Like
