
I'm using a GL.inet router with OpenWrt 19.07.8 r11364-ef56c85848.

I have set up a Wireguard server on a remote machine. With the VPN not connected I can reach that server from my LAN using its public IP. With the VPN connected, I can reach it with the internal IP, but can no longer reach it via the external IP from a computer on my LAN.

Traceroute shows the packets failing at the router with no route to host:

~ % ping 35.190.161.xxx
PING 35.190.161.169 (35.190.161.xxx): 56 data bytes
92 bytes from router.local.wan (192.168.1.254): Destination Host Unreachable

However, if I ssh into the router, it not only shows the expected routing, but pings and traceroute succeed:

~# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         100.64.0.1      0.0.0.0         UG        0 0          0 wan
10.66.66.0      *               255.255.255.0   U         0 0          0 wg0
34.120.255.244  *               255.255.255.255 UH        0 0          0 wan
35.190.161.xxx  100.64.0.1      255.255.255.255 UGH       0 0          0 wan
100.64.0.0      *               255.192.0.0     U         0 0          0 wan
192.168.0.0     *               255.255.252.0   U         0 0          0 br-lan

~# ping 35.190.161.xxx
PING 35.190.161.xxx (35.190.161.xxx): 56 data bytes
64 bytes from 35.190.161.xxx: seq=0 ttl=59 time=243.335 ms

My Wireguard config for this client is:

[Interface]
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxlMxuhwtB9vV2Gpks=
Address = 10.66.66.3/32,fd42:42:42::3/128
DNS = 8.8.8.8,8.8.4.4

[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxkIIPFsO2/EuXDNbeR3g=
PresharedKey = xxxxxxxxxxxxxxxxxxxxxxxxYnnXy4CZUMUzGBAieqU=
Endpoint = 35.190.161.xxx:60242
AllowedIPs = 10.66.66.0/24,::/0

While I can get to the remote server (e.g. via ssh) using the internal IP, it's inconvenient to have to choose the right address depending on whether or not the VPN is established.

Is there something missing in my Wireguard config or is there some other issue?

  • I wonder if this even has anything to do with wireguard or even the server itself. Rather it's a matter of whether the router the server is behind supports hairpinning. I bet you can't even perform any "loopback access" from the server itself with the external IP.
    – Tom Yan
    Commented Jun 10, 2022 at 10:18
  • Considering diskonnect's answer, does ip -4 rule give more than the usual 3 rules (with pref 0, 32766, 32767) when the VPN is up?
    – A.B
    Commented Jun 11, 2022 at 9:05

1 Answer


I've recently faced this problem too. I found out that my router adds an IP rule for the server IP address (table 31):

[screenshot from the LuCI route table]

root@GL-MT300N-V2:~# ip rule
0:  from all lookup local
31: from all fwmark 0x60000/0x60000 lookup 31
1001:   from all iif eth0.2 lookup 1
2001:   from all fwmark 0x100/0x3f00 lookup 1
2061:   from all fwmark 0x3d00/0x3f00 blackhole
2062:   from all fwmark 0x3e00/0x3f00 unreachable
32766:  from all lookup main
32767:  from all lookup default

If I enable the wireguard client and then manually remove this rule using the ip rule del from all fwmark 0x60000/0x60000 lookup 31 command, I can ping/ssh from the LAN network to the Wireguard server IP directly.

I found a few places where this rule is added:

/etc/init.d/wireguard

/etc/vpn.user

I've commented out the lines with the ip rule add commands, and now I can turn the wireguard client off and on and still access the WAN IP:

    #fix ddns conflict
    #local DDNS=$(iptables -nL -t mangle | grep WG_DDNS)
    #local lanip=$(uci get network.lan.ipaddr)
    #local gateway=${lanip%.*}.0/24
    #if [ -z "$DDNS" ];then
            #iptables -t mangle -N WG_DDNS
            #iptables -A WG_DDNS -t mangle -i br-lan -s $gateway -d $publicip -j MARK --set-mark 0x60000
            #iptables -t mangle -I PREROUTING -j WG_DDNS
            #ip rule add fwmark 0x60000/0x60000 lookup 31 pref 31
            #ip route add $publicip dev wg0 table 31
    #fi

Please note that I am not an expert in routing and I don't know if this hack breaks anything (the comment says 'fix ddns conflict'; I'm not sure what that means), but for me it works OK and does not break anything (I am using the wireguard connection to access the remote network only). Also I am not an expert in OpenWRT, so I cannot guarantee that these changes will be preserved across router reboots.
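As an added check (not from the question or the answer), the shell snippet below parses ip rule output and reports which fwmark rule a packet carrying a given mark will hit, so the diverting rule can be identified before anything is deleted: per the answer's commented-out script, iptables marks LAN packets for $publicip with 0x60000 and the pref 31 rule sends them to table 31, which routes that address via wg0. It runs here on a constructed copy of the answer's ip rule listing; on the router you would pipe live ip rule output into first_matching_rule instead.

```shell
# Added diagnostic, not the question's or answer's code: find the fwmark
# rule a marked packet hits. On the router: ip rule | first_matching_rule 0x60000
# SAMPLE_RULES is a constructed copy of the answer's `ip rule` output.
SAMPLE_RULES='0:  from all lookup local
31: from all fwmark 0x60000/0x60000 lookup 31
1001:   from all iif eth0.2 lookup 1
2001:   from all fwmark 0x100/0x3f00 lookup 1
2061:   from all fwmark 0x3d00/0x3f00 blackhole
2062:   from all fwmark 0x3e00/0x3f00 unreachable
32766:  from all lookup main
32767:  from all lookup default'

# Read `ip rule` output on stdin; print "pref value/mask target" for each rule
# selecting on fwmark. target is the table after "lookup" or the bare action.
list_fwmark_rules() {
    awk '/fwmark/ {
        pref = $1; sub(/:$/, "", pref); sel = ""; target = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "fwmark") sel = $(i + 1)
            if ($i == "lookup") target = $(i + 1)
        }
        if (target == "") target = $NF
        print pref, sel, target
    }'
}

# Succeed if packet mark MARK satisfies selector SEL ("value/mask", or a bare
# value meaning an exact match): (mark & mask) == (value & mask).
fwmark_matches() {
    mark=$1; sel=$2
    case $sel in
        */*) value=${sel%/*}; mask=${sel#*/} ;;
        *)   value=$sel;      mask=0xffffffff ;;
    esac
    [ $(( mark & mask )) -eq $(( value & mask )) ]
}

# Print the first fwmark rule (lowest pref) matching MARK, or nothing.
# For the answer's listing, 0x60000 -> "31 0x60000/0x60000 31" (table 31, wg0).
first_matching_rule() {
    list_fwmark_rules | while read -r pref sel target; do
        if fwmark_matches "$1" "$sel"; then
            echo "$pref $sel $target"
            break
        fi
    done
}

printf '%s\n' "$SAMPLE_RULES" | first_matching_rule 0x60000
```

Once the rule is confirmed, ip route show table 31 shows the route it diverts to, which is what the answer's ip rule del command removes.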
