I'm having trouble reaching my LAN from my WireGuard client. I've read a lot of proposed solutions, but none of the ones I've tried has worked for me.
However, if I put the WireGuard interface in the LAN firewall zone, I am able to reach the LAN from my WireGuard client. I would prefer to have WireGuard in its own firewall zone, since I'm not too familiar with the risks of sharing a zone.
Before you dive into the details below, I should mention that I have two WireGuard interfaces running in the same firewall zone but on separate ports (51820 and 51821). The reason is that, through much trial and error, I have closed the tunnel I was working on while away from home one too many times.
/etc/config/network
# /etc/config/network as posted (private/public keys and the ULA prefix were
# replaced with placeholders by the poster).
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix ulaprefix
# LAN bridge. 192.168.1.1/24 is the address the WireGuard clients below use
# as their DNS server, so DNS for the clients depends on reaching the router
# through the tunnel.
config interface 'lan'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
option ifname 'eth0 eth0.1'
# WAN takes its address from the ISP by DHCP; this is the public address the
# clients refer to as ISPIP in their Endpoint line.
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
config device 'wan_eth0_2_dev'
option name 'eth0.2'
option macaddr 'd8:0d:17:2c:fd:84'
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
# First WireGuard server interface: listens on UDP 51820, router side address
# 10.200.200.1/24. Which firewall zone it belongs to is decided in
# /etc/config/firewall (zone 'wg'), not here.
config interface 'wg0'
option proto 'wireguard'
option private_key privatekey
option listen_port '51820'
list addresses '10.200.200.1/24'
# Peer entry for the client. Only traffic sourced from 10.200.200.2 is accepted
# from this peer (allowed_ips), and route_allowed_ips installs a route for that
# /32 via wg0. Whether the peer may then reach 192.168.1.0/24 is governed by
# the wg -> lan forwarding in the firewall config.
config wireguard_wg0
option public_key publickey
option route_allowed_ips '1'
option persistent_keepalive '25'
option description 'client1'
list allowed_ips '10.200.200.2/32'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
# VLAN 1 = LAN ports, VLAN 2 = WAN port (eth0.1 / eth0.2 above); port 0 is the
# tagged CPU port.
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '5 4 3 2 0t'
option vid '1'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '1 0t'
option vid '2'
# NOTE(review): this VLAN entry has no 'ports' or 'vid' line and looks
# incomplete or left over — confirm it is intended.
config switch_vlan
option device 'switch0'
option vlan '3'
# Second WireGuard server interface on UDP 51821 (10.200.201.1/24), kept as a
# fallback so that changes to wg0 cannot lock the poster out (see the post text).
config interface 'wg1'
option proto 'wireguard'
option private_key privatekey
list addresses '10.200.201.1/24'
option listen_port '51821'
config wireguard_wg1
option route_allowed_ips '1'
option public_key publickey
option description 'client1'
list allowed_ips '10.200.201.2/32'
/etc/config/firewall
# /etc/config/firewall as posted. Zone policies: 'input' is traffic from the
# zone to the router itself, 'output' is traffic from the router into the zone,
# 'forward' is traffic between interfaces of the same zone; traffic between
# zones needs a 'config forwarding' section or a rule.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
# LAN zone: fully trusted towards the router.
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
# WAN zone: nothing from the Internet reaches the router or the LAN unless a
# rule below allows it; masq NATs outbound traffic to the WAN address.
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
# VPN zone covering both WireGuard interfaces. With input ACCEPT every
# connected peer can reach all services on the router (SSH, LuCI, DNS, ...),
# i.e. the same trust level as the LAN zone — acceptable for an own-devices VPN,
# but worth knowing when comparing "own zone" with "put wg into lan".
# The trailing space in the network list is presumably harmless; the
# 'list network' form used for the lan zone above is the tidier spelling.
config zone
option name 'wg'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'wg0 wg1 '
# wg -> wan: peers that tunnel all traffic (AllowedIPs 0.0.0.0/0 on the client)
# reach the Internet through the router, NATed by the wan zone's masq.
config forwarding
option src 'wg'
option dest 'wan'
# lan <-> wg: this pair is what allows the VPN client to reach 192.168.1.0/24
# and LAN hosts to reach the client. Both directions are open; no masquerading
# is configured on the lan zone, so LAN hosts reply to 10.200.200.0/24 via
# their default gateway (the router).
config forwarding
option src 'lan'
option dest 'wg'
config forwarding
option src 'wg'
option dest 'lan'
# Accept WireGuard handshakes on both listening ports from any zone (src '*').
# The first rule is restricted to IPv4; the second has no 'family' line and so
# applies to both IPv4 and IPv6.
config rule
option name 'Allow-Wireguard-Inbound'
option target 'ACCEPT'
option dest_port '51820'
list proto 'udp'
option src '*'
option family 'ipv4'
config rule
option dest_port '51821'
option src '*'
option name 'Allow-Wireguard-Inbound2'
option target 'ACCEPT'
list proto 'udp'
# The rules from here on are the stock OpenWrt default rules (DHCP, ICMP,
# IPv6 housekeeping, IPsec pass-through); none of them affects wg <-> lan.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Stock IPsec rules: allow ESP and IKE (UDP 500) from wan into lan. Unrelated
# to WireGuard; they can be dropped if no IPsec endpoint lives on the LAN.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# NOTE(review): /etc/firewall.user is not shown in this post. Any raw iptables
# rules in it are loaded on top of the above and could equally affect
# wg <-> lan traffic, so it belongs in the diagnosis.
config include
option path '/etc/firewall.user'
Client config
wg0
# Client-side configuration for the wg0 tunnel (wg-quick format).
[Interface]
Address = 10.200.200.2/24
PrivateKey = privatekey
# DNS is the router itself (its LAN address). Queries travel through the
# tunnel and are answered by the router, so they depend on the wg zone's
# input policy, not on wg -> lan forwarding.
DNS = 192.168.1.1
[Peer]
PublicKey = publickey
# ISPIP stands for the router's public (WAN) address.
Endpoint = ISPIP:51820
# All client traffic goes through the tunnel; 192.168.1.0/24 is covered by
# this, so no extra route is needed on the client to reach the LAN.
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
wg1
# Client-side configuration for the wg1 (fallback) tunnel; identical to wg0
# apart from the address range and the server port.
[Interface]
Address = 10.200.201.2/24
PrivateKey = privatekey
# Router's LAN address, reached through the tunnel.
DNS = 192.168.1.1
[Peer]
PublicKey = publickey
# Full-tunnel: the LAN range is included, no client-side route needed.
AllowedIPs = 0.0.0.0/0
# ISPIP stands for the router's public (WAN) address.
Endpoint = ISPIP:51821
PersistentKeepalive = 25