Wireguard - Unable to reach lan from client

I'm having trouble reaching my LAN from my WireGuard client. I've read a lot of solutions, but none of the ones I have tried has worked.
However, if I put the WireGuard instance under the LAN firewall zone I'm able to reach the LAN with my WireGuard client. I would prefer to have WireGuard under its own firewall zone, since I'm not too familiar with the risks of a shared firewall zone.

Before you dive into the details below, I'd like to mention that I have two WireGuard interfaces running, under the same firewall zone but on separate ports (51820 and 51821). The reason for this is that, through much trial and error, I have locked myself out of the tunnel I was working on while away from home one too many times.

/etc/config/network

# /etc/config/network as posted. 'privatekey', 'publickey' and 'ulaprefix'
# are redaction placeholders, not literal values.
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix ulaprefix

# LAN bridge. 192.168.1.1 is also the DNS address both WireGuard clients
# point at, so peers must be allowed to send input to the router.
config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ifname 'eth0 eth0.1'

# WAN uplink on VLAN 2 (switch port 1 per the switch_vlan 'vid 2' section below).
config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config device 'wan_eth0_2_dev'
	option name 'eth0.2'
	option macaddr 'd8:0d:17:2c:fd:84'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

# First WireGuard interface: UDP 51820, tunnel subnet 10.200.200.0/24.
# Both wg0 and wg1 are attached to the 'wg' zone in /etc/config/firewall.
config interface 'wg0'
	option proto 'wireguard'
	option private_key privatekey
	option listen_port '51820'
	list addresses '10.200.200.1/24'

# Peer section for wg0. allowed_ips is a /32, so only 10.200.200.2 is
# accepted as a source from this peer; route_allowed_ips '1' is what makes
# OpenWrt add the matching route via wg0 (it belongs here, not on the interface).
config wireguard_wg0
	option public_key publickey
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	option description 'client1'
	list allowed_ips '10.200.200.2/32'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '5 4 3 2 0t'
	option vid '1'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 0t'
	option vid '2'

# VLAN 3 has no ports or vid assigned; presumably unused.
config switch_vlan
	option device 'switch0'
	option vlan '3'

# Second WireGuard interface: UDP 51821, tunnel subnet 10.200.201.0/24.
config interface 'wg1'
	option proto 'wireguard'
	option private_key privatekey
	list addresses '10.200.201.1/24'
	option listen_port '51821'

# Peer section for wg1. Same shape as the wg0 peer, minus persistent_keepalive;
# the client-side config sets keepalive instead, which is usually the side that needs it.
config wireguard_wg1
	option route_allowed_ips '1'
	option public_key publickey
	option description 'client1'
	list allowed_ips '10.200.201.2/32'

/etc/config/firewall

# /etc/config/firewall as posted. Default policy: input/output ACCEPT,
# forward REJECT, with per-zone overrides below.
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

# Dedicated zone for both tunnels. input 'ACCEPT' means every configured
# peer can reach router services (DNS, SSH, LuCI) directly; that is what the
# clients' DNS = 192.168.1.1 relies on, but if peers are less trusted, set
# input 'REJECT' and allow only the needed ports with explicit rules.
# NOTE(review): 'network' is given as one space-separated option here while the
# other zones use 'list network'; the trailing space looks harmless, but the
# list form is the conventional one.
config zone
	option name 'wg'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'wg0 wg1 '

config forwarding
	option src 'wg'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'wg'

# wg -> lan forwarding is present and correct as posted; the thread's root
# cause (a LAN host routing its replies into its own OpenVPN tunnel) is
# outside this file.
config forwarding
	option src 'wg'
	option dest 'lan'

# Open the WireGuard listen ports. src '*' matches input arriving from any
# zone, which is what lets the rule override the wan zone's input REJECT.
config rule
	option name 'Allow-Wireguard-Inbound'
	option target 'ACCEPT'
	option dest_port '51820'
	list proto 'udp'
	option src '*'
	option family 'ipv4'

# NOTE(review): unlike the rule above, this one has no 'family' option, so it
# also opens UDP 51821 on IPv6. Add option family 'ipv4' for parity, or drop
# it from both if IPv6 endpoints are intended.
config rule
	option dest_port '51821'
	option src '*'
	option name 'Allow-Wireguard-Inbound2'
	option target 'ACCEPT'
	list proto 'udp'

# The rules from here on match OpenWrt's stock defaults.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Stock IPsec pass-through rules: they forward ESP and UDP 500 from wan into
# the lan zone. Harmless if no LAN host listens, but they can be removed when
# no IPsec endpoint lives on the LAN.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Custom rules in /etc/firewall.user are not shown in the post.
config include
	option path '/etc/firewall.user'

Client config

wg0

# Client-side config for wg0. 'privatekey', 'publickey' and 'ISPIP' are
# redaction placeholders.
[Interface]
Address = 10.200.200.2/24
PrivateKey = privatekey
# DNS is the router's LAN address; reachable only because the 'wg' zone
# accepts input on the OpenWrt side.
DNS = 192.168.1.1

[Peer]
PublicKey = publickey
Endpoint = ISPIP:51820
# Full tunnel: all client traffic, including LAN traffic, goes through wg0.
AllowedIPs = 0.0.0.0/0

PersistentKeepalive = 25

wg1

# Client-side config for wg1; identical to the wg0 client apart from the
# tunnel subnet and port. Placeholders as above.
[Interface]
Address = 10.200.201.2/24
PrivateKey = privatekey
DNS = 192.168.1.1

[Peer]
PublicKey = publickey
# Full tunnel, same as the wg0 client.
AllowedIPs = 0.0.0.0/0
Endpoint = ISPIP:51821
PersistentKeepalive = 25

In the WG config on the OpenWrt side, you're missing the route allowed IPs option.

This belongs in the peer config stanzas (on the OpenWrt side):
option route_allowed_ips '1'

I'm uncertain on where you refer to this, network or firewall?

Do you mean like this in network?

config interface 'wg0'
	option proto 'wireguard'
# The starred line is the poster's annotation of where they thought the option
# would go; it is not valid UCI syntax, and the option belongs in the
# config wireguard_wg0 peer section below, where it already is.
    *option route_allowed_ips '1'*
	option private_key privatekey
	option listen_port '51820'
	list addresses '10.200.200.1/24'

config wireguard_wg0
	option public_key publickey
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	option description 'client1'
	list allowed_ips '10.200.200.2/32'

The one above is the OpenWrt interface section. In the LuCI web app there is no route_allowed_ips option for it.
The one below is the peer ('client') section, where route_allowed_ips is set to '1'.

Sorry if it was not clear...

To clarify, this belongs in the peer configuration stanza, not the interface. In this case, it belongs in the section you have called 'client' (but technically speaking WireGuard does not use client-server terminology - all 'remote' WG instances are referred to as peers from each side).

It should look like this (the LuCI implementation puts the option in the correct place):

# Reference layout: route_allowed_ips sits in the peer section, which matches
# the original post exactly.
config interface 'wg0'
	option proto 'wireguard'
	option private_key privatekey
	option listen_port '51820'
	list addresses '10.200.200.1/24'

config wireguard_wg0
	option public_key publickey
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	option description 'client1'
	list allowed_ips '10.200.200.2/32'

Well, thank you for your reply, but what you posted is how it was already configured in the original post.

@jehe,

OK...I was preparing to respond...but then while reading your original post, it changed.

Please refrain from using Post #1 to update information.

Nonetheless, it seems all you need to do is place the interface in its own firewall zone and allow forwarding to LAN.

Ah... yes, I see it now. You have wg0 and wg1. wg1 does not have route_allowed_ips enabled.

Which wg tunnel is being used (or at issue)?


I'm sorry about this. It will not happen again.

Well this is how the original post configured wg1. Looks the same to me, with option route_allowed_ips set to '1'

# wg1 as in the original post: route_allowed_ips '1' is already set on the
# peer section.
config interface 'wg1'
	option proto 'wireguard'
	option private_key privatekey
	list addresses '10.200.201.1/24'
	option listen_port '51821'

config wireguard_wg1
	option route_allowed_ips '1'
	option public_key publickey
	option description 'client1'
	list allowed_ips '10.200.201.2/32'

Both tunnels have an issue with this.

Maybe I missed it, but I could swear I didn’t see it initially.

Are you getting valid handshakes? And can you reach the internet but not your lan?

I think i have this covered with:

# Forwardings copied from the original post: lan<->wg in both directions,
# plus lan->wan and wg->wan.
config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'wg'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'wg'

# NOTE(review): the closing quote on 'lan is missing in this paste; the
# original post has option dest 'lan'.
config forwarding
	option src 'wg'
	option dest 'lan

Both interfaces 'wg0' and 'wg1' have this issue, through the 'wg' firewall zone.

Does that mean it's working now?

I can relate to this :smile:

I'm getting valid handshakes and I'm able to access internet through my tunnel.
The main problem is that i cannot ping or ssh to a rpi on the LAN network.

If I change wg0 or wg1 to use the lan firewall zone, I can access the LAN and am able to ping and ssh the rpi.

Have you tried restarting the router recently (I know... but humor me!)?

It was a copy of firewall rules from post #1.
So this is already configured and it does not work, unfortunately.

Yes, I have. Multiple times. I've also restored Openwrt to default and configured everything from scratch.

Does your rpi have its gateway address properly configured?

Well apparently not.
I'm embarrassed to say, but I've been running an openvpn instance on my rpi. When I stopped openvpn, it worked. :see_no_evil: This must have caused problems when routing.

Is there a way to fix this, so my openvpn instance can run (without docker), while I'm able to ssh to it? Or should I direct this question to a more rpi related forum?

:confused:

That's the intended function of a VPN...otherwise, you have a leak.

I'm not sure about dockers or whatever; but you need to make a routing rule or policy to reach the desired subnets via the Ethernet (and not the VPN). Simple.

You'll probably get a quicker answer on how to do so from a forum for the operating system it's running.

Yes.

I know there is an option to run a Docker environment on the rpi, so that the services in that environment run through OpenVPN. However, I'm not too familiar with Docker, so this can be a little painful to set up.

But thank you guys so much!