I have been slamming my head on various WireGuard problems now for weeks. I have most of them sorted out, but one is too messy and surely there is a better way.
I host websites, and I also have WireGuard set up for family and remote work tasks. WireGuard clients are not passing web traffic; they are set to AllowedIPs=10.0.0.0/8 (not the LAN-class addresses). If a client tries to load one of the web pages it immediately says no connection. From the client I can ping the domain (correct public IP returned/associated), dig returns the correct info, tracepath returns correct. ip route shows the request going through the correct interface, i.e. NOT the WireGuard interface... page won't load. Disable the VPN, sites load fine. I cannot for the life of me find anything that works, or even why this logically fails.
The only "fix" I've found is on the clients, where you can edit the hosts file (so mobile clients are screwed) to associate the domains with WireGuard-class addresses so those requests are sent over WireGuard, then an OpenWrt forward rule forwards to the correct LAN address. This means if they disable the VPN the domains are now broken. This just feels wrong, broken... what am I missing here?
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):
Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:
```sh
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
```
If it's internal URL DNS resolving, then use the following:
Go to NETWORK > DNS > GENERAL SETTINGS. There is an option called "Addresses" where you can add an address using the following template: non-VPN "/mywebsite.lan/192.168.1.10", with VPN "/mywebsite.lan/10.0.0.10". I usually create both.
THEN go to NETWORK > DNS > DNS RECORDS > Hostnames and add the host name there.
However, access externally would need some attribution to either the WireGuard or the internal DHCP.
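The LuCI fields described in the reply above end up in /etc/config/dhcp, which OpenWrt feeds to dnsmasq. The fragment below is an added illustration, not configuration from this thread; the host name and both addresses are the placeholders from the post, and the surrounding options are assumptions.

```text
# /etc/config/dhcp (illustrative fragment, placeholder names and addresses)
config dnsmasq
	option domain 'lan'
	option local '/lan/'
	# LuCI "Addresses": each entry becomes a dnsmasq address=/domain/ip line
	# and matches mywebsite.lan plus every name under it.
	list address '/mywebsite.lan/192.168.1.10'   # the non-VPN entry
	list address '/mywebsite.lan/10.0.0.10'      # the VPN entry

# LuCI "DNS Records > Hostnames": one exact-name A record.
config domain
	option name 'mywebsite'
	option ip '192.168.1.10'
```

Before relying on it, check from a LAN client and from a WireGuard client what the router actually answers (for example `nslookup mywebsite.lan 192.168.1.1`), since only the router's dnsmasq sees these entries: a client that resolves through some other resolver, or with the VPN disabled, still gets the public record.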
I'm not sure I follow this. It seems like steps IF WireGuard clients were tunneling web traffic, but they aren't (or they shouldn't be). Clients should be sending web requests via their local DNS etc., i.e. they should resolve everything fine with my public IP and public TLD records. I mean, for any other website this is exactly what happens.
How is this device connected to the upstream network? Is it via a lan port or the wan? And what is upstream (is it another router, or a direct connection to the internet)?
You have at least one issue in the firewall: a network can only be in a single zone... here you have the wg_vpn in two zones.
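For reference, this is what the mistake named above looks like in /etc/config/firewall, with a one-zone layout beside it. This is an added illustration rather than the poster's actual config; the zone names, the wg_vpn interface name, the policies and the forwardings are assumptions.

```text
# /etc/config/firewall, BEFORE (illustrative): wg_vpn is listed in two zones,
# which the firewall does not allow; an interface belongs to exactly one zone.
config zone
	option name 'lan'
	list network 'lan'
	list network 'wg_vpn'        # listed here...

config zone
	option name 'wgvpn'
	list network 'wg_vpn'        # ...and here

# AFTER (illustrative): wg_vpn sits in its own zone only, and traffic between
# the VPN and the LAN is expressed as zone forwardings, not by double-listing.
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wgvpn'
	list network 'wg_vpn'
	option input 'ACCEPT'        # VPN peers may reach the router itself (DNS, ssh)
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding              # VPN peers -> LAN hosts
	option src 'wgvpn'
	option dest 'lan'

config forwarding              # LAN hosts -> VPN peers (e.g. ssh back to a client)
	option src 'lan'
	option dest 'wgvpn'
```

After editing, `/etc/init.d/firewall restart` reloads the rules, and `uci show firewall` is a quick way to confirm each `list network` value appears under only one zone.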
The OpenWRT Router is connected WAN side to the ISP modem.
So then why does the UI allow this? Seriously though, I know some of this will be "MESS." As I've said, I've been banging my head on this for weeks and some of this will be trial-and-error cruft from throwing $h1t at the wall to see what sticks. I've deleted the WGVPN, which also deleted the wg_vpn in the lan => wan zone... yay.
That said...
This is the only way I found I can connect back to clients via ssh; if I disable this I'm no longer able to help my daughter with her machine. (Unless the next few things fix this... I need some time to read/apply/test.)
Again, without them nothing worked. Trust me, I saw them as BS too. I thought WireGuard should be translating this, I mean wtf is the point if it doesn't, but it didn't work.
I'll clean things up per your suggestions. I know you know what you're talking about and you've helped me many times, so give me a bit to make changes and see what's broken now. Yup, locked out.
Where is your daughter's computer? (is it connected to the OpenWrt router on 192.168.0.0/24, or is it connected to the upstream)?
What OS is your daughter's computer running?
It's not "WireGuard translating this"; it's the firewall. You already have a forward defined... you don't need any other rules, and even if you did, they would be traffic rules, not port forwards/redirects.
Ah, my mistake. I use WireGuard to access my own internal set of tools, so it does tunnel through my VPN network. I have AdGuard encryption (ACME) enabled so the external clients can still query the internal sites I'm hosting, despite not accessing my Unbound recursive DNS.
Yes, I'm locked out. I can't ask her to check if NFS/Samba is still accessible because she's at work or school. As for a different route, I only deleted the second zone you said wg_vpn wasn't allowed to be in. It then removed it from the original zone too.