Can't access other PC's on LAN through Wireguard

Technical Support for Routers VPN, DNS, Leaks
1

I have a laptop on my home network with videos on it that I want to be able to access remotely, and this laptop is connected to my home BGW320 router via wifi. I also have a Brume 2 connected to the BGW320 via ethernet with a wireguard server on it.

*internet --> BGW320 router ---> Brume 2 (wireguard server)
---> home laptop with shared folder

*remote laptop (wireguard client) :arrow_heading_up: (connects to WG server and home LAN)

I have my remote laptop with me running the wireguard client, which successfully connects to the wg server. However I cannot access a shared folder on my home laptop on the LAN.This folder can be accessed from other devices inside the LAN so I know it's shared correctly.

However I can't access the shared folder from my remote laptop even though I'm connected via WG. Anyone know what else I need to do to be able to access my shared folder on the LAN from my remote laptop?

image
image906×439 63.4 KB

2

Enabling "Remote Access LAN" only works as expected when you are running your WireGuard server on your main router, more precisely, in the router that acts as the default gateway of the network you want to be accessible. What this option actually does is put your LAN network address in the "Allowed IPs" in the peer section of your client configuration so the client know that all your LAN addresses are accessible through the WireGuard tunnel.

In your case the packets don't have any problem to go from Wireguard Client (remote laptop) to the home laptop. The problem is in the opposite direction. When the home laptop tries to send a packet to the remote laptop, it checks if the IP address is in their same network, it isn't, and then it sends the packet to the default gateway (the main router) but this router doesn't know how to reach the wireguard network. You have to tell the main router how can reach de WireGuard network by means of adding a manual routing rule.

This kind of questions are very common in this forum. I have posted on another thread how to join two networks but your have a more appropriate title because the other ones have very specific router models in the name and people tend to overlook them.

Using an example I will tell you what you need to configure two sub-networks so you can reach any computer from any other within your network when your WireGuard server or client is not your main and only router in your LAN.

wireguard esquema
wireguard esquema1780×1248 258 KB

Main routers:

  • You have to make your WireGuard "server" accessible from Internet
  • In router 192.168.0.1 you'll have to open and redirect the WireGuard server port to the 192.168.0.254
  • The main routers need to know how to reach any network not directly attached.
  • You will have to add some routes manually:
    • In router 192.168.0.1 you'll have to add route: 192.168.1.0/24 GW:192.168.0.254
    • In router 192.168.1.1 you'll have to add route: 192.168.0.0/24 GW:192.168.1.254

Secondary Router or just a WireGuard client-server

  • Connect LAN port to your main router LAN network
  • Disable DHCP server, because you have a DHCP server on your main router.
  • You dont't need WAN port, just LAN, so disable or disconnect any WAN, WiFi client, cellphone tethering... that acts as WAN connection and adds a default route (the goal is to remove any default gateway route).
  • You will have to add a default gateway route pointing your main router:
    • In router 192.168.0.254 you'll have to add route: 0.0.0.0/0 GW:192.168.0.1
    • In router 192.168.1.254 you'll have to add route: 0.0.0.0/0 GW:192.168.1.1

WireGuard configuration

  • Its very important to understand that what you put on "Allowed IPs" peer configuration is transformed into routing rules.
  • You need to put in "Allowed IPs" not only the IP of the other endpoint but all the accessible networks through the tunnel:
    • In 192.168.0.254 WireGuard "server" configuration you'll have to put in peer "Allowed IPs": 10.0.0.2/32, 192.168.1.0/24 (that's because you can reach through the tunnel to 10.0.0.2 host and full 192.168.1.0/24 network)
    • In 192.168.1.254 WireGuard "client" configuration you'll have to put in peer "Allowed IPs": 10.0.0.0/24, 192.168.0.0/24 (that's because you can reach through the tunnel to all the WireGuard peers 10.0.0.0/24 and full 192.168.0.0/24 network)
  • Is not the case in this example, but, if you want that a WireGuard "client" routes all traffic through the VPN tunnel, you have to put "Allowed IPs": 0.0.0.0/0 in the client peer configuration so it will be transformed into the default gateway rule for the client.

WireGuard Server 192.168.0.254 configuration example

[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = GH7HVfpCc+36LXUFkGX38Ud3rfUC3YQP+oqTSWqg2UQ=
# PublicKey = ACVoP67IWqoOyCi0F7lmWiVNbmYcVMYiBqUB8cnGhGY=
# Server = wireguard.fqdn

[Peer]
PublicKey = fMl5wKucz5asA3RGMse+9HROAhNJOtk+OHLocfwsHRc=
AllowedIPs = 10.0.0.2/32, 192.168.1.0/24

WireGuard Client 192.168.1.254 configuration example

[Interface]
Address = 10.0.0.2/24
PrivateKey = OHLUXH43WBXzNHveaamFZBOxpwSGlUfngQk5qbLi/2Y=
#PublicKey = fMl5wKucz5asA3RGMse+9HROAhNJOtk+OHLocfwsHRc=

[Peer]
PublicKey = ACVoP67IWqoOyCi0F7lmWiVNbmYcVMYiBqUB8cnGhGY=
AllowedIPs = 10.0.0.0/24, 192.168.0.0/24
Endpoint = wireguard.fqdn:51820
PersistentKeepalive = 25

More info:

In this example the two WireGuard endpoints are accessible from all the computers using their LAN IPs but not their WireGuard IPs. If you want it to be accessible through their WireGuard IPs (10.0.0.X) it would be necessary to add an additional routing rule to the two main routers: DEST: 10.0.0.0/24 GW:192.168.X.254

All the clients behind NAT, if there is no port redirection, have to use "PersistentKeepalive = 25" in order to let the UDP packets in through the NAT-firewall. When a UDP packet goes out through a firewall, the firewall keeps the port open for a few seconds waiting for a response, letting in the packets that match IP-port-source-destination of the packet that came out. Sending continuously a UDP packet to the server before the waiting expires, creates kind of a port redirect to de client.

In WireGuard, if you have more than one "client", each "client" must have a unique Private-Public Key, because WireGuard "server" identifies the "client" by the key used to encrypt the tunnel not the source IP of encrypted packets. The clients can change their public IP whenever they want and there is no interruption because WireGuard uses UDP and associates the private VPN IP (10.0.0.X) to the encryption key.

2 Likes
3

thanks for the response. in order to make sure i'm conveying myself correctly i mocked up a little network diagram of my home network. Does this make sense?

image
image1318×759 17.4 KB

4

I have the exact same configuration at home but with a Flint 2 and a pfSense (plus more devices, APs, VLANs, Captive Portal, vouchers, ...)

OK, lets assume some addresses as example for reference (you would have to change the addresses in my instructions for your specific ones):

BGW-320

  • LAN-IP=192.168.0.1/24

Brume 2

  • WAN=disabled
  • LAN-IP=192.168.0.2/24
  • WireGuard-IP=10.0.0.1/24

Home Laptop

  • LAN-IP=192.168.0.3/24

Remote Laptop

  • WireGuard-IP: 10.0.0.2/24

Let's check "Remote Laptop" WireGuard configuration:

  • In the "Remote Laptop" [Peer] configuration you have two options
    • If you want to access Brume2 (and all the WireGuard peers you could add in the future) and all the computers in your home LAN from the "remote laptop" then you have to put in the [Peer] configuration "AllowedIPs = 10.0.0.0/24, 192.168.0.0/24"
    • If you want to access every device in your house and access to internet through your home network then you have to put in the [Peer] configuration "AllowedIPs = 0.0.0.0/0"
  • If you can access Brume2 is because you have at least "AllowedIPs = 10.0.0.0/24" or "AllowedIPs = 10.0.0.1/32"

Let's check "Brume 2" network configuration:

  • How is Brume 2 connected to BGW-320? WAN port? LAN port?
  • The wrong answer is WAN port. WAN must be disabled. You don't want to NAT between your local networks.
  • The right answer is LAN port. You need to disable Brume 2 DHCP server and configure LAN interface statically.
  • Brume2 needs to access Internet so the default gateway (default route) should point BGW-320 (192.168.0.1)
  • You can configure the default gateway in two different ways (choose one)
    • Go to LuCI->Network->Interfaces->LAN->Edit->"IPv4 gateway" 192.168.0.1
    • You can also add the default gateway as a static route in LuCI->Network->Interfaces->Static Routes "lan 0.0.0.0 0.0.0.0 192.168.0.1"

Let's check "BGW320" network configuration:

  • You need a port redirection pointing your Brume 2 WireGuard server. If you can connect to your WireGuard server, it's already done.
  • A neat solution would be to add a static route to the BGW320 so it knows how to reach WireGuard clients (Remote Laptop) through Brume2 but my brief research tells me that the BGW320 doesn't support adding static routes.
  • That route would be like adding DST:10.0.0.0/24 GW:192.168.0.2 and that's all the configuration needed. No more configuration.

What if I can't add routes to BGW320?

  • There are two more options (don't do both)
    1. Make Brume2 your LAN default gateway: Modify your BGW320 DHCP server configuration so Brume 2 is your default gateway for your DHCP clients. (And BGW320 must be Brume2's default gateway). This way all your computers configured by DHCP will be accessible from your Remote Laptop.
    2. Configure a static route in your "Home Laptop" so it knows how to reach 10.0.0.0/24 (WireGuard LAN) by itself. You will need to do that in every single device you want to be accessible. Use the Windows PowerShell command "route -p add 10.0.0.0 MASK 255.255.255.0 192.168.0.2" to add the needed route (only if your computer runs Windows). Click here for tutorial
1 Like
5

thanks for this, i will take some time to go through it and send a reply

6

Is the shared folder system Windows?

If yes, please enable the Masquerading of "LAN > WG server" on Luci > Network > Firewall, and see if it works.

image
image1063×423 28.6 KB

That is the Windows firewall drop the folder shared traffic from the VPN tunnel.

7

Bruce advice would be the third option in " What if I can't add routes to BGW320? section.

This option consists of applying NAT to packets leaving LAN interface (the ones that come from Remote Laptop WireGuard). That changes the source IP of packets, making the shared folder connection look like was initiated from Brume 2 and not Remote Laptop. That solves the routing problem, but using NAT only allow connections in one direction and introduces some quirks depending on the protocol, specifically on those which use UDP. I think for shared folders it's fine.

Avoid using NAT was the main reason for not using WAN port to connect Brume 2 to your local network. If you are about to enable NAT anyway, may be is better to use WAN port and you don't have to disable your Brume2 DHCP server. In that case, although you don't connect your Brume2 LAN port, you have to configure a LAN network sub-net different from the one in your Local Network (BGW320) to avoid conflicts.

If you just want to access your Home Laptop and nothing else, have you considered to install WireGuard in your Home Laptop and establish a direct tunnel between both computers? It's a lot easier.

1 Like
8

i had actually not thought of that, that does seem like a simpler option. thanks for the advice i might experiment