WireGuard client fails to access GL.iNet WireGuard server LAN (firmware 4.1)

Under firmware 3 my iPhone and Macintosh WireGuard clients could access the LAN of my GL.iNet home router's WireGuard server. This has stopped since upgrading to firmware 4.1. I have tried this on Slate AX, Flint and Beryl units.

I am wondering if this relates to a new FIREWALL ruleset or ROUTING configuration. What can I provide to get to the bottom of this? Also, where available, I have clicked the LAN access toggle, of course.

Do you have access to the LAN IP of the gateway itself from the client device?
Have you checked the traces from the client device to confirm that the packets sent to the devices in the WireGuard server LAN are arriving correctly at the WireGuard server?

What firewall is being used, firewall3 or firewall4? 4 switched to nftables from iptables.

I thought you could run one wgserver and an ovpnclient? Can't run wgserver and wgclient?

Shouldn't wgserver have accept for all three? (I'm confused by the new zones use, and if you SSH in and change the config manually it complicates things further according to the OpenWrt firewall setup.)

Something is going on with transfer over it, it seems, based on forums, and that's a complete hole to go down only to come to dead ends.

I have an issue with IPv6 being used for the GL.iNet repo when it is only supposed to use IPv4; still trying to figure it out.

I CAN see the IP address of the WireGuard server (GL.iNet router), so the tunnel appears to be up and running. I can see the Internet. No access to LAN devices (NAS etc.).

No idea how to capture a trace on an iPhone with the WireGuard client.

I simplified EVERYTHING. Reset to defaults, configured the WireGuard server ONLY and still have the problem in 4.1 Release 2.

/etc/config/network

config interface 'loopback'
    option device 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option packet_steering '1'
    option ula_prefix 'fd57:9439:8aae::/48'

config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'lan1'
    list ports 'lan2'

config interface 'lan'
    option device 'br-lan'
    option proto 'static'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option isolate '0'
    option ipaddr '192.168.88.1'

config interface 'wan'
    option device 'wan'
    option proto 'dhcp'
    option ipv6 '0'

config interface 'wan6'
    option proto 'dhcpv6'
    option disabled '1'
    option device '@wan'

config interface 'tethering6'
    option proto 'dhcpv6'
    option disabled '1'
    option device '@tethering'

config interface 'wwan6'
    option proto 'dhcpv6'
    option disabled '1'
    option device '@wwan'

config interface 'guest'
    option force_link '1'
    option type 'bridge'
    option proto 'static'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option multicast_querier '1'
    option igmp_snooping '0'
    option isolate '0'
    option bridge_empty '1'
    option ipaddr '192.168.89.1'

config interface 'wwan'
    option proto 'dhcp'

config rule 'policy_bypass_vpn'
    option mark '0x60000/0x60000'
    option lookup '53'
    option priority '53'

config rule 'policy_via_vpn'
    option mark '0x80000/0x80000'
    option lookup '52'
    option priority '52'

config rule 'policy_dns'
    option mark '0x100000/0x100000'
    option lookup '51'
    option priority '51'

config interface 'wgserver'
    option proto 'wgserver'
    option config 'main_server'
    option disabled '0'

config interface 'ovpnserver'
    option proto 'ovpnserver'
    option disabled '1'

config interface 'tethering'
    option proto 'dhcp'
    option ifname 'eth1'
    option metric '30'
    option disabled '1'

/etc/config/firewall

config defaults
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option synflood_protect '1'

config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    option input 'DROP'
    list network 'wan'
    list network 'wan6'
    list network 'wwan'
    list network 'tethering'

config forwarding
    option src 'lan'
    option dest 'wan'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-IPSec-ESP'
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option name 'Allow-ISAKMP'
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

config include 'nat6'
    option path '/etc/firewall.nat6'
    option reload '1'

config include 'gls2s'
    option type 'script'
    option path '/var/etc/gls2s.include'
    option reload '1'

config include 'glblock'
    option type 'script'
    option path '/usr/bin/gl_block.sh'
    option reload '1'

config zone
    option name 'guest'
    option network 'guest'
    option forward 'REJECT'
    option output 'ACCEPT'
    option input 'REJECT'

config forwarding
    option src 'guest'
    option dest 'wan'

config rule
    option name 'Allow-DHCP'
    option src 'guest'
    option target 'ACCEPT'
    option proto 'udp'
    option dest_port '67-68'

config rule
    option name 'Allow-DNS'
    option src 'guest'
    option target 'ACCEPT'
    option proto 'tcp udp'
    option dest_port '53'

config rule 'sambasharewan'
    option src 'wan'
    option dest_port '137 138 139 445'
    option dest_proto 'tcpudp'
    option target 'DROP'

config rule 'sambasharelan'
    option src 'lan'
    option dest_port '137 138 139 445'
    option dest_proto 'tcpudp'
    option target 'ACCEPT'

config rule 'glnas_ser'
    option src 'wan'
    option dest_port '6000-6002'
    option dest_proto 'tcp'
    option target 'DROP'

config rule 'webdav_wan'
    option src 'wan'
    option dest_port '6008'
    option dest_proto 'tcp'
    option target 'DROP'

config forwarding 'wgserver2wgclient'
    option src 'wgserver'
    option dest 'wgclient'
    option enabled '1'

config forwarding 'wgserver2ovpnclient'
    option src 'wgserver'
    option dest 'ovpnclient'
    option enabled '1'

config rule 'wgserver_allow'
    option name 'wgserver_allow'
    option target 'ACCEPT'
    option src 'wan'
    option proto 'udp tcp'
    option family 'ipv4'
    option dest_port '51820'
    option enabled '1'

config zone 'wgserver'
    option name 'wgserver'
    option output 'ACCEPT'
    option mtu_fix '1'
    option network 'wgserver'
    option input 'ACCEPT'
    option masq '1'
    option masq6 '1'
    option forward 'REJECT'
    option enabled '1'

config forwarding 'wgserver2wan'
    option src 'wgserver'
    option dest 'wan'
    option enabled '1'

config forwarding 'lan2wgserver'
    option src 'lan'
    option dest 'wgserver'
    option enabled '1'

config forwarding 'wgserver2lan'
    option src 'wgserver'
    option dest 'lan'
    option enabled '1'

config rule 'ovpnserver_allow'
    option name 'ovpnserver_allow'
    option target 'ACCEPT'
    option src 'wan'
    option proto 'udp'
    option family 'ipv4'
    option dest_port '1194'
    option enabled '0'

config zone 'ovpnserver'
    option name 'ovpnserver'
    option output 'ACCEPT'
    option mtu_fix '1'
    option network 'ovpnserver'
    option masq '1'
    option masq6 '1'
    option enabled '0'
    option forward 'REJECT'
    option input 'ACCEPT'

config forwarding 'ovpnserver2wan'
    option src 'ovpnserver'
    option dest 'wan'
    option enabled '0'

config forwarding 'lan2ovpnserver'
    option src 'lan'
    option dest 'ovpnserver'
    option enabled '0'

config rule 'glservice_https'
    option name 'glservice_https'
    option dest_port '443'
    option proto 'tcp udp'
    option src 'wan'
    option target 'ACCEPT'
    option enabled '0'

config forwarding
    option dest 'lan'
    option src 'ovpnserver'

wg show

interface: wgserver
  public key: (hidden)
  private key: (hidden)
  listening port: 51820

peer: (hidden)
  endpoint: 211.30.155.203:28722
  allowed ips: 10.0.0.3/32
  latest handshake: 3 minutes, 52 seconds ago
  transfer: 460.49 KiB received, 2.99 MiB sent
  persistent keepalive: every 25 seconds

peer: (hidden)
  endpoint: 192.168.88.155:23347
  allowed ips: 10.0.0.2/32
  latest handshake: 48 minutes, 29 seconds ago
  transfer: 12.94 MiB received, 57.97 MiB sent
  persistent keepalive: every 25 seconds

netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
default         n114-75-176-1.r 0.0.0.0         UG    0   0      0    wan
10.0.0.0        *               255.255.255.0   U     0   0      0    wgserver
114.75.176.0    *               255.255.240.0   U     0   0      0    wan
192.168.88.0    *               255.255.255.0   U     0   0      0    br-lan
192.168.89.0    *               255.255.255.0   U     0   0      0    br-guest

If you use traceroute on your Mac, can you see it reaching 10.0.0.1?

traceroute [Your NAS LAN IP]

With the WireGuard client running on a Mac via cell to cloud…
WireGuard VPN to a Beryl running the latest for it, 4.1.

As indicated, I CAN ping the IP address of the Beryl LAN network…

traceroute 192.168.88.1
traceroute to 192.168.88.1 (192.168.88.1), 64 hops max, 52 byte packets
1 192.168.88.1 (192.168.88.1) 195.809 ms …

ping 192.168.88.1
PING 192.168.88.1 (192.168.88.1): 56 data bytes
64 bytes from 192.168.88.1: icmp_seq=0 ttl=64 time=123.619 ms
64 bytes from 192.168.88.1: icmp_seq=1 ttl=64 time=157.226 ms
64 bytes from 192.168.88.1: icmp_seq=2 ttl=64 time=229.129 ms

I CANNOT ping or connect to any other devices on the Beryl LAN.

ping 192.168.88.60
PING 192.168.88.60 (192.168.88.60): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2

utun5 is the WireGuard VPN, 10.0.0.1.
en4 is the tethering cell controller.
(Curiously 192.168.8.0/24: the two 192.168 private networks are separated by 10.0.0.0, but they are different class C networks, so routing should be OK.)

Routing table of the mac is below.

netstat -r
Routing tables

Internet:
Destination Gateway Flags Netif Expire
default link#20 UCSg utun5
default 192.168.8.1 UGScIg en4
8.248.153.250 link#20 UHWIig utun5
10/24 10.0.0.2 UGSc utun5
10.0.0.2 10.0.0.2 UH utun5
server-13-35-147-1 link#20 UHWIig utun5
13.107.213.31 link#20 UHWIig utun5
13.107.246.31 link#20 UHWIig utun5
server-13-224-177- link#20 UHWIig utun5
server-13-224-178- link#20 UHWIig utun5
17.157.64.74 link#20 UHW3Ig utun5 3
17.248.185.198 link#20 UHWIig utun5
17.248.252.4 link#20 UHW3Ig utun5 !
ausyd2-vip-bx-007. link#20 UHWIig utun5
server-18-67-111-4 link#20 UHWIig utun5
20.190.167.18 link#20 UHWIig utun5
20.190.167.19 link#20 UHWIig utun5
20.190.167.20 link#20 UHWIig utun5
20.190.167.149 link#20 UHWIig utun5
20.190.167.150 link#20 UHWIig utun5
23.237.136.138 link#20 UHWIig utun5
45.223.22.155 link#20 UHWIig utun5
52.111.246.4 link#20 UHWIig utun5
52.182.143.208 link#20 UHWIig utun5
ec2-52-206-199-142 link#20 UHWIig utun5
52.226.139.121 link#20 UHWIig utun5
ec2-54-208-93-227. link#20 UHW3Ig utun5 !
rec1pubns1.ultradn link#20 UHWIig utun5
72.21.91.29 link#20 UHWIig utun5
103.138.128.75 link#20 UHWIig utun5
103.138.128.98 link#20 UHWIig utun5
103.138.128.103 link#20 UHWIig utun5
104.18.18.88 link#20 UHWIig utun5
104.18.19.88 link#20 UHWIig utun5
a104-74-54-126.dep link#20 UHWIig utun5
127 localhost UCS lo0
localhost localhost UH lo0
151.101.2.166 link#20 UHWIig utun5
151.101.30.114 link#20 UHWIig utun5
151.101.30.217 link#20 UHWIig utun5
151.101.66.166 link#20 UHWIig utun5
151.101.130.166 link#20 UHWIig utun5
151.101.194.166 link#20 UHWIig utun5
169.254 link#19 UCS en4 !
172.64.155.188 link#20 UHWIig utun5
syd15s06-in-f3.1e1 link#20 UHWIig utun5
a172-224-28-9.sour link#20 UHWIig utun5
192.168.8 link#19 UCS en4 !
192.168.8.1/32 link#19 UCS en4 !
192.168.8.1 0:10:20:30:40:50 UHLWIir en4 1108
192.168.8.117/32 link#19 UCS en4 !
192.168.8.117 0:1e:10:1f:0:0 UHLWI lo0
192.168.8.117 link#20 UHW3Ig utun5 !
192.168.8.255 ff:ff:ff:ff:ff:ff UHLWbI en4 !
192.168.88.1 link#20 UHW3Ig utun5 !
192.168.88.60 link#20 UHWIig utun5
192.168.88.124 link#20 UHW3Ig utun5 !
192.168.88.219 link#20 UHW3Ig utun5 !
192.168.88.247 link#20 UHWIig utun5
mail.wolfenden.net link#20 UHWIig utun5
224.0.0/4 link#20 UmCS utun5
224.0.0/4 link#19 UmCSI en4 !
239.255.255.250 1:0:5e:7f:ff:fa UHmLWI en4
255.255.255.255/32 link#20 UCS utun5
255.255.255.255/32 link#19 UCSI en4 !

As indicated, this issue is visible on multiple 4.1 devices (Beryl, Slate AX and Flint) and multiple end stations (Mac, iPhone and Slate AX), AND it used to work under v3.
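A way to check both halves of this path mechanically, as an added example that is not part of any post in this thread: the script below parses excerpts of what the thread already shows (the router's /etc/config/firewall and netstat -r from the earlier post, and the Mac's netstat -r above) and reports, for one LAN target, whether the client routes it into the tunnel, which router zones the forward crosses and whether a forwarding allows it, and whether the router holds a return route to the peer. The excerpts and the interface-to-network map (br-lan is network lan, wgserver is network wgserver) are constructed from the posted output; the check is what one would otherwise do by hand with uci show firewall and ip route.

```python
"""Two-sided path check for WireGuard LAN access through an OpenWrt/GL.iNet router.
Added example, not code from the thread. It parses excerpts (constructed from the posted
output) of the router's /etc/config/firewall and `netstat -r` and the Mac's `netstat -r`,
then reports whether one LAN target is tunnelled by the client, forwarded between the
right zones by the router, and whether the router can route replies back to the peer."""
import ipaddress

FIREWALL = """
config zone
    option name 'lan'
    list network 'lan'
config zone 'wgserver'
    option name 'wgserver'
    option network 'wgserver'
    option masq '1'
    option forward 'REJECT'
config forwarding 'wgserver2lan'
    option src 'wgserver'
    option dest 'lan'
    option enabled '1'
"""
ROUTER_ROUTES = """
default       n114-75-176-1.r 0.0.0.0        UG 0 0 0 wan
10.0.0.0      *               255.255.255.0  U  0 0 0 wgserver
192.168.88.0  *               255.255.255.0  U  0 0 0 br-lan
"""
MAC_ROUTES = """
default        link#20  UCSg    utun5
10/24          10.0.0.2 UGSc    utun5
192.168.8      link#19  UCS     en4 !
192.168.88.60  link#20  UHWIig  utun5
"""
IFACE_TO_NET = {'br-lan': 'lan', 'wgserver': 'wgserver', 'wan': 'wan'}  # per /etc/config/network

def parse_uci(text):
    # One dict per `config` section; '.type' is the section type, `list` entries become lists.
    sections = []
    for line in text.splitlines():
        f = line.split(None, 2)
        if f and f[0] == 'config':
            sections.append({'.type': f[1]})
        elif f and f[0] == 'option':
            sections[-1][f[1]] = f[2].strip("'\"")
        elif f and f[0] == 'list':
            sections[-1].setdefault(f[1], []).append(f[2].strip("'\""))
    return sections

def zone_of(sections, net):
    # Zone whose `network` (an option or a list in UCI) contains the named network.
    for s in sections:
        nets = s.get('network', [])
        if s['.type'] == 'zone' and net in (nets if isinstance(nets, list) else nets.split()):
            return s['name']
    return None

def forwarding_allowed(sections, src, dst):
    # Inter-zone traffic needs an enabled `config forwarding` from src to dst.
    return any(s['.type'] == 'forwarding' and s.get('src') == src and s.get('dest') == dst
               and s.get('enabled', '1') != '0' for s in sections)

def parse_routes(text, bsd):
    # Yield (network, iface). Linux rows carry a genmask; BSD rows use classful shorthand
    # ('10/24', '192.168.8'): missing octets are zero and the prefix is 8 bits per octet.
    for f in filter(lambda row: len(row) >= 4, (line.split() for line in text.splitlines())):
        try:
            if bsd:
                addr, _, plen = ('0.0.0.0/0' if f[0] == 'default' else f[0]).partition('/')
                octets = addr.split('.')
                plen = plen or ('32' if len(octets) == 4 else str(8 * len(octets)))
                addr = '.'.join(octets + ['0'] * (4 - len(octets)))
                yield ipaddress.ip_network(f'{addr}/{plen}', strict=False), f[3]
            else:
                dest = '0.0.0.0' if f[0] == 'default' else f[0]
                yield ipaddress.ip_network(f'{dest}/{f[2]}', strict=False), f[-1]
        except ValueError:
            continue  # hostname, IPv6 and link-layer rows are irrelevant here

def lookup(routes, addr):
    # Longest-prefix match; returns the egress interface or None.
    ip = ipaddress.ip_address(addr)
    best = max((r for r in routes if ip in r[0]), key=lambda r: r[0].prefixlen, default=None)
    return best[1] if best else None

def check_path(target, peer_ip):
    fw = parse_uci(FIREWALL)
    router = list(parse_routes(ROUTER_ROUTES, bsd=False))
    out_if = lookup(router, target)
    src_zone, dst_zone = zone_of(fw, 'wgserver'), zone_of(fw, IFACE_TO_NET.get(out_if, ''))
    dst_masq = any(s.get('name') == dst_zone and s.get('masq') == '1' for s in fw if s['.type'] == 'zone')
    return {
        'client_egress': lookup(list(parse_routes(MAC_ROUTES, bsd=True)), target),  # want 'utun5'
        'router_egress': out_if,                                                    # want 'br-lan'
        'zones': (src_zone, dst_zone),
        'forward_allowed': forwarding_allowed(fw, src_zone, dst_zone),
        'return_route': lookup(router, peer_ip),                                    # want 'wgserver'
        # No masq on the LAN zone: the LAN host sees source 10.0.0.x and must reply via the router.
        'lan_sees_tunnel_ip': not dst_masq,
    }

if __name__ == '__main__':
    print(check_path('192.168.88.60', '10.0.0.2'))
```

On the posted excerpts every check passes: the Mac sends 192.168.88.60 out utun5, the router would forward it from zone wgserver to zone lan through the enabled wgserver2lan forwarding, and the route back to 10.0.0.2 is via wgserver. What the script cannot see is what the firewall actually loaded versus what UCI says (compare with nft list ruleset, or fw4 print on a firewall4 build) and the LAN host's own return path: the lan zone does no masquerading, so the NAS receives packets from 10.0.0.2 and must route its reply through 192.168.88.1 rather than being blocked by a host firewall or a different gateway. Re-running the same comparison after changing LAN or Wi-Fi settings in the UI would also show directly whether the wgserver2lan forwarding survived, which is what the ordering problem described later in this thread would suggest.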

Not sure if it pertains to you, but the latest OpenWrt version has some issues and core updates:

Migration from firewall3 to firewall4, with the changeover from the iptables-based firewall3 to the nftables-based firewall4.
I do not work for and I am not directly associated with GL.iNet.

Whatever the change… the GL.iNet product and the software it runs now has a broken feature: enabling VPN devices' access to the product LAN. This should be logged as a bug and fixed.

Today I tried the MT2500 Brume as WireGuard server. IP 192.168.98.1.

When I connect to it remotely I can ping 192.168.98.x without problem. No extra settings except for "allow LAN access" are enabled.

What firmware? 3.2 works very well; 4.1 breaks WireGuard and OpenVPN for LAN (not WAN) access.

I am using firmware 4.1.0 release 3.

I can confirm that whether it fails or not depends on the ORDER in which you create or remove features in the UI. If you modify LAN and Wi-Fi… basically, configure networking FIRST, then enable WireGuard (LAN access etc.), it works. If you modify networking AFTER the WireGuard setup, LAN access fails, even with restarts etc.


The UI appears not to consistently add and remove features.