Losing LAN Internet access with Wireguard client enabled?

kodbuse · 2020-12-26T05:31:17.003Z

I thought I had everything working with my VPN setup, but then I noticed that my LAN loses Internet access when the Wireguard client is connected. However, the router itself (AR750S) has Internet access if I SSH in and try the same connectivity tests (e.g. ping 8.8.8.8). Within the LAN and across the VPN tunnel to the “AllowIPs” network, connectivity is fine. Disconnecting Wireguard immediately brings back connectivity. Some details below. Thanks!

VPN config:

root@GL-AR750S:/etc/config# cat wireguard
config proxy
        option main_server 'Home'
        option host <redacted>
        option enable '0'

config peers 'wg_peer_9655'
        option name 'Home'
        option private_key <redacted>
        option public_key <redacted>
        option persistent_keepalive '25'
        option listen_port '39977'
        option end_point '<redacted>:51820'
        option address '10.39.0.2/16'
        option allowed_ips '10.33.0.0/16','10.39.0.0/16'

Routing table on router:

root@GL-AR750S:/etc/config# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         fw.lan          0.0.0.0         UG    20     0        0 wlan-sta
10.33.0.0       *               255.255.0.0     U     0      0        0 wg0
10.37.0.0       *               255.255.0.0     U     20     0        0 wlan-sta
10.39.0.0       *               255.255.0.0     U     0      0        0 wg0
<vpn server ip>      fw.lan          255.255.255.255 UGH   0      0        0 wlan-sta
192.168.8.0     *               255.255.255.0   U     0      0        0 br-lan

Router has Internet access:

root@GL-AR750S:/etc/config# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=119 time=11.936 ms
64 bytes from 8.8.8.8: seq=1 ttl=119 time=11.588 ms

But not LAN device:

C:\Users\kodbuse> ping 8.8.8.8 -t
Pinging 8.8.8.8 with 32 bytes of data:
Reply from 192.168.8.1: Destination port unreachable.
Reply from 192.168.8.1: Destination port unreachable.

kodbuse · 2020-12-26T07:19:38.700Z

I was able to fix this myself by removing the call to “lan2wan_forwarding disable” in /etc/init.d/wireguard.

This seems like a bug that should be fix in the repo. When AllowedIPs is not 0.0.0.0/0, it doesn’t make sense to disable LAN-to-WAN forwarding, because then there’s no working route for WAN traffic from the LAN.

BTW, maybe I just don’t understand the UI, but I wasn’t able to tell in LuCI that this change was made by the init.d script.

Thanks!

robotluo · 2021-01-04T01:45:02.702Z

In firmware version 3.105, LAN2WAN forwarding is not disabled if Allowdips is not 0.0.0.0/0.

kodbuse · 2021-01-06T14:17:27.977Z

Excellent, thank you!