Wireguard VPN works only with LAN-Connection - Not Wifi

Hi, I am quite new here, and I hope my questions are not silly.

I have created my own VPN server on OpenWrt via WireGuard, and my own client.
Description of my Issue:
Whenever I connect to the client router via Ethernet cable, I can establish the VPN connection. When I do it via Wi-Fi, it does not work.

Interestingly, whenever I connect to my router wirelessly and turn off WireGuard, I do have internet access.
If I turn WireGuard on, there is no connection to the VPN, and hence no internet connection.

I guess I have a firewall issue, but I don't know how to solve it.
Appreciate any help! Thanks!

Here are my configs, from:
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/firewall

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fd04:2354:64f8::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'wwan'
	option proto 'dhcp'

config interface 'WireguardTunnel'
	option proto 'wireguard'
	option listen_port '51820'
	option private_key '***MY PRIVATE KEY****'
	list addresses '192.168.9.15/32'
	list addresses '192.168.9.12/30'

config wireguard_WireguardTunnel
	list allowed_ips '0.0.0.0/0'
	option description '*****'
	option endpoint_host '****ENDPOINTHOST****'
	option public_key '***KEY***'
	option endpoint_port '51820'
	option route_allowed_ips '1'

config interface 'MIKEGIGABIT'
	option proto 'static'
	option netmask '255.255.255.0'
	list dns '8.8.8.8'
	list dns '1.1.1.1'
	option ipaddr '192.168.8.1'
	option gateway '192.168.2.1'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path '****''
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'
	option disabled '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '****'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'

config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option encryption 'psk2'
	option network 'MIKEGIGABIT'
	option key '*****'
	option ssid '*****'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option forward 'ACCEPT'
	option flow_offloading '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'
	list network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'
	option input 'REJECT'
	option forward 'REJECT'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option proto 'esp'
	option target 'ACCEPT'
	option dest 'lan'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option dest 'lan'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config rule
	option name 'ALLOW WIREGUARD'
	option dest_port '51820'
	option target 'ACCEPT'
	option src 'mikegigabit'

config zone
	option name 'wireguard'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	list network 'lan'
	list network 'WireguardTunnel'
	option input 'REJECT'
	option forward 'REJECT'

config forwarding
	option src 'lan'
	option dest 'wireguard'

config zone
	option name 'mikegigabit'
	option output 'ACCEPT'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	list network 'MIKEGIGABIT'
	option mtu_fix '1'

config rule
	option name 'WIFIDHCP'
	list proto 'udp'
	option src 'mikegigabit'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'WIFIDNS'
	list proto 'tcp'
	option src 'mikegigabit'
	option dest_port '53'
	option target 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'mikegigabit'
	option dest 'wan'

config forwarding
	option src 'mikegigabit'
	option dest 'wireguard'

config rule
	option name 'ALLOW WIREGUARD LAN'
	option src 'lan'
	option dest_port '51820'
	option target 'ACCEPT'

Starting here:

If I understood your description properly, the OpenWrt device is performing as a Wireguard 'server', correct?

If so, there are errors here. It should look more like this:

config interface 'WireguardTunnel'
	option proto 'wireguard'
	option listen_port '51820'
	option private_key '***MY PRIVATE KEY****'
	list addresses '192.168.9.1/24'

config wireguard_WireguardTunnel
	list allowed_ips '192.168.9.2/32'
	option description '*****'
	option public_key '***KEY***'
	option route_allowed_ips '1'

Then, on your 'client' peer, the interface address should match (192.168.9.2) and the allowed IPs on that device should be 0.0.0.0/0 (if you want all traffic routed through the tunnel).

You also have a bunch of other stuff going on in the networks and firewall rules that could be incorrect, but let's start with this.


Hey thanks for replying.
My device performs as a WireGuard client, so all the config I posted is for the WireGuard client.
I am able to connect to the VPN server, but only when I connect using a LAN cable, not when I connect to the OpenWrt router over a wireless connection. That's my core problem.

OK... so as a client, this is fine (although the listen port should be removed from the interface definition, and you likely only need a single address; those won't cause the issue you're describing, though).

I suspect that the gateway defined on your MIKEGIGABIT network (192.168.2.1, which is not even inside that interface's own 192.168.8.0/24 subnet) may be causing the issue. It should probably be omitted entirely.

Your firewall does have a bunch of strange things, though...

The 'ALLOW WIREGUARD LAN' rule (src 'lan', dest_port 51820) can be removed; it has no function, since your lan zone already accepts input, and the WG connection is outbound, not inbound.

Likewise, the 'ALLOW WIREGUARD' rule (src 'mikegigabit', dest_port 51820) should also be removed, for the same reasons.

The lan network needs to be removed from the wireguard firewall zone. It is already included in the lan firewall zone.

The two rules WIFIDHCP and WIFIDNS don't do anything, because the mikegigabit zone already accepts input. They can be removed (unless you plan to set input to REJECT or DROP on that zone — in which case note that WIFIDNS only matches TCP, so UDP port 53 would need to be allowed as well).


You were right. The Gateway defined in MIKEGIGABIT was the problem.

Thank you so much! Thank you!

Great!

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

Me again. Weird stuff happens.

So I followed all your instructions, and the following happens: everything works. When I restart the router via OpenWrt, it still works. But when I restart the router by unplugging it from the power, it suddenly does not work and shows the same problem as above. To fix that, I disable the "wireless" hotspot, restart the router via OpenWrt, and then connect via Ethernet cable.

Then it somehow unblocks the wireless connection. When I enable the wireless hotspot again, it works: I can connect wirelessly to the router and WireGuard works.

If you have any idea, I would be happy.

Here is my config again:

 cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fd04:2354:64f8::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'WireguardTunnel'
	option proto 'wireguard'
	option listen_port '51820'
	option private_key '***'
	list addresses '192.168.9.15/32'
	list addresses '192.168.9.12/30'

config wireguard_WireguardTunnel
	list allowed_ips '0.0.0.0/0'
	option description '****'
	option endpoint_host '****'
	option public_key '****'
	option endpoint_port '51820'
	option route_allowed_ips '1'

config interface 'MIKEGIGABIT'
	option proto 'static'
	option netmask '255.255.255.0'
	list dns '8.8.8.8'
	list dns '1.1.1.1'
	option ipaddr '192.168.7.1'
root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'
	option disabled '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'

config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option encryption '*** '
	option network 'MIKEGIGABIT'
	option key '*****'
	option ssid '****'
root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option forward 'ACCEPT'
	option flow_offloading '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'
	list network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'
	option forward 'REJECT'
	list network 'wan'
	list network 'wan6'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option proto 'esp'
	option target 'ACCEPT'
	option dest 'lan'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option dest 'lan'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'

config include
	option path '/etc/firewall.user'

config rule
	option name 'ALLOW WIREGUARD'
	option dest_port '51820'
	option target 'ACCEPT'
	option src 'mikegigabit'
	option enabled '0'

config zone
	option name 'wireguard'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'
	option forward 'REJECT'
	list network 'WireguardTunnel'

config forwarding
	option src 'lan'
	option dest 'wireguard'

config zone
	option name 'mikegigabit'
	option output 'ACCEPT'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'
	list network 'MIKEGIGABIT'

config rule
	option name 'WIFIDHCP'
	list proto 'udp'
	option src 'mikegigabit'
	option dest_port '67'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'WIFIDNS'
	list proto 'tcp'
	option src 'mikegigabit'
	option dest_port '53'
	option target 'ACCEPT'
	option enabled '0'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'mikegigabit'
	option dest 'wan'

config forwarding
	option src 'mikegigabit'
	option dest 'wireguard'

config rule
	option name 'ALLOW WIREGUARD LAN'
	option src 'lan'
	option dest_port '51820'
	option target 'ACCEPT'
	option enabled '0'

It sounds to me like you're running into a time issue. Specifically, WireGuard (and other VPNs) use the current time as part of the handshake (WireGuard's handshake carries a timestamp that the peer uses for replay protection). If the time is wrong, the tunnel won't come up properly and the overall internet connection will appear to be down.

The reason this happens is that the vast majority of consumer routers (especially all-in-one or embedded devices) do not have a persistent real-time clock, so the initial date is derived from the most recent file touched on the filesystem, and is only corrected once there is a successful sync with the network time servers via NTP. You must wait until that has completed before initiating WireGuard.


What is the reason for having a separate "MIKEGIGABIT" network? If you want the same results on endpoints connected by Wi-Fi or by wire, put the Wi-Fi AP into the lan network along with the LAN Ethernet ports.

@psherman thanks for that! I will check that thread, test, and report here.
@mk24 I have a router from my ISP and an OpenWrt router. "mikegigabit" is the network on my OpenWrt router; through the interface "mikegigabit" I am able to connect to the router wirelessly.

I think the point @mk24 was making is that you've made this Wi-Fi network an entirely different subnet from the OpenWrt LAN (192.168.7.0/24 vs 192.168.1.0/24). You could associate the 'mikegigabit' SSID with the OpenWrt LAN instead; then your wired and wireless devices connected to the OpenWrt router would be on the same network and have the same routing/VPN connectivity.

So now I attached the "wireless" SSID to the LAN network (interface) and it works — on every router restart (3 in total) it worked.
I hope it is not too early to say: problem solved.

What a simple solution :stuck_out_tongue: Thanks @psherman @mk24

best,
mike