Cannot ssh to clients on lan when accessing router via wireguard client

I think I see the problem...

In each of your peer stanzas, you are missing:

	option route_allowed_ips '1'

It was there before, but for some reason it is not there now...

Add that into each peer, restart the router, and see if that fixes the issue.

I made the changes but the issue is not resolved. Still no ssh or access to lan devices.

Are you getting successful handshakes?
Can you ping the devices in question?

Handshakes to the vpn are successful. I cannot ping the devices in question, but can only ping them when plugged directly into my openwrt router, not through the vpn.

Do you have OpenVPN or another vpn running concurrently? If so, turn it off and see if things start working.

I turned off openvpn. Still no dice. However, if I ssh into the router while connected to it via wireguard, I can ping the lan devices from the router with a proper response. I just can't ping them from my mac.

Let’s look at your mac’s wireguard configuration again.

[Interface]
Address = 192.168.9.3/24, fdf1:e8a1:8d3f:9::3/64
PrivateKey = *****s=
DNS = 192.168.9.1, fdf1:e8a1:8d3f:9::1
[Peer]
PublicKey = *******=
PresharedKey = *******=
PersistentKeepalive = 25
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = **.***.***.**:51820

I'm really at a loss here. The only thing I can think of is IPv6 -- maybe there is something happening there.

Have you tried a different device as the remote peer? Maybe try using a phone or another Mac or really anything else. I wonder if your Mac has some strange issue with the route.

Could you run the following on your Mac terminal

netstat -rn

If it was my mac, I don't see why it would work on my soho router.

I’m not understanding your point/question. I’d recommend setting up wg on a phone and seeing if the pings work to the lan devices in question. This will rule out an issue with your Mac if it also doesn’t work, or point to problem there if it does.

Sorry for the delay.

netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags        Netif Expire
default            link#15            UCSg         utun4
default            192.168.10.10      UGScIg         en0
17.111.103.26      link#15            UHWIig       utun4
17.248.190.69      link#15            UHWIig       utun4
17.248.190.137     link#15            UHWIig       utun4
34.117.59.81       link#15            UHW3Ig       utun4   3592
40.115.22.134      link#15            UHWIig       utun4
52.217.200.96      link#15            UHWIig       utun4
104.40.147.142     link#15            UHWIig       utun4
127                127.0.0.1          UCS            lo0
127.0.0.1          127.0.0.1          UH             lo0
139.59.210.197     link#15            UHWIig       utun4
142.250.191.131    link#15            UHWIig       utun4
142.250.191.138    link#15            UHWIig       utun4
142.250.191.234    link#15            UHWIig       utun4
142.251.166.188    link#15            UHWIig       utun4
149.28.125.6       link#15            UHWIig       utun4
169.254            link#4             UCS            en0      !
184.29.92.83       link#15            UHWIig       utun4
192.168.9          192.168.9.3        UGSc         utun4
192.168.9.3        192.168.9.3        UH           utun4
192.168.10         link#4             UCS            en0      !
192.168.10.10/32   link#4             UCS            en0      !
192.168.10.10      c0:56:27:74:ed:d5  UHLWIir        en0   1182
192.168.10.39/32   link#4             UCS            en0      !
192.168.10.50      28:39:5e:2e:97:89  UHLWI          en0   1200
192.168.10.255     ff:ff:ff:ff:ff:ff  UHLWbI         en0      !
224.0.0/4          link#15            UmCS         utun4
224.0.0/4          link#4             UmCSI          en0      !
239.255.255.250    1:0:5e:7f:ff:fa    UHmLWI         en0
239.255.255.250    link#15            UHmW3I       utun4   3591
255.255.255.255/32 link#15            UCS          utun4
255.255.255.255/32 link#4             UCSI           en0      !

Internet6:
Destination                             Gateway                         Flags         Netif Expire
default                                 fe80::%utun0                    UGcIg         utun0
default                                 fe80::%utun1                    UGcIg         utun1
default                                 fe80::%utun2                    UGcIg         utun2
default                                 fe80::%utun3                    UGcIg         utun3
::1                                     ::1                             UHL             lo0
fe80::%lo0/64                           fe80::1%lo0                     UcI             lo0
fe80::1%lo0                             link#1                          UHLI            lo0
fe80::%awdl0/64                         link#9                          UCI           awdl0
fe80::64c5:f9ff:fe1a:fc07%awdl0         66:c5:f9:1a:fc:7                UHLI            lo0
fe80::%llw0/64                          link#10                         UCI            llw0
fe80::64c5:f9ff:fe1a:fc07%llw0          66:c5:f9:1a:fc:7                UHLI            lo0
fe80::%utun0/64                         fe80::5937:974b:863d:b058%utun0 UcI           utun0
fe80::5937:974b:863d:b058%utun0         link#11                         UHLI            lo0
fe80::%utun1/64                         fe80::13cf:ff27:886d:ecd8%utun1 UcI           utun1
fe80::13cf:ff27:886d:ecd8%utun1         link#12                         UHLI            lo0
fe80::%utun2/64                         fe80::e534:b8c2:8fac:2b8%utun2  UcI           utun2
fe80::e534:b8c2:8fac:2b8%utun2          link#13                         UHLI            lo0
fe80::%utun3/64                         fe80::1fe9:ce72:8c62:27c%utun3  UcI           utun3
fe80::1fe9:ce72:8c62:27c%utun3          link#14                         UHLI            lo0
ff00::/8                                ::1                             UmCI            lo0
ff00::/8                                link#9                          UmCI          awdl0
ff00::/8                                link#10                         UmCI           llw0
ff00::/8                                fe80::5937:974b:863d:b058%utun0 UmCI          utun0
ff00::/8                                fe80::13cf:ff27:886d:ecd8%utun1 UmCI          utun1
ff00::/8                                fe80::e534:b8c2:8fac:2b8%utun2  UmCI          utun2
ff00::/8                                fe80::1fe9:ce72:8c62:27c%utun3  UmCI          utun3
ff01::%lo0/32                           ::1                             UmCI            lo0
ff01::%awdl0/32                         link#9                          UmCI          awdl0
ff01::%llw0/32                          link#10                         UmCI           llw0
ff01::%utun0/32                         fe80::5937:974b:863d:b058%utun0 UmCI          utun0
ff01::%utun1/32                         fe80::13cf:ff27:886d:ecd8%utun1 UmCI          utun1
ff01::%utun2/32                         fe80::e534:b8c2:8fac:2b8%utun2  UmCI          utun2
ff01::%utun3/32                         fe80::1fe9:ce72:8c62:27c%utun3  UmCI          utun3
ff02::%lo0/32                           ::1                             UmCI            lo0
ff02::%awdl0/32                         link#9                          UmCI          awdl0
ff02::%llw0/32                          link#10                         UmCI           llw0
ff02::%utun0/32                         fe80::5937:974b:863d:b058%utun0 UmCI          utun0
ff02::%utun1/32                         fe80::13cf:ff27:886d:ecd8%utun1 UmCI          utun1
ff02::%utun2/32                         fe80::e534:b8c2:8fac:2b8%utun2  UmCI          utun2
ff02::%utun3/32                         fe80::1fe9:ce72:8c62:27c%utun3  UmCI          utun3

What I'm saying is, I haven't changed any settings on my mac whatsoever. And have connected a peplink soho router to my ISP router and configured a vpn server on it. When sshing into my local devices on the peplink, it works, without configuring anything on my mac whatsoever. So shouldn't that same mac configuration work on the Openwrt router? Also, unfortunately, I cannot test ssh on my phone because my local server requires a yubikey for ssh, which no iOS app supports. So I wouldn't be able to ssh into my local server from my phone regardless.

Is the Peplink VPN setup being replaced by, or supplemented by the OpenWrt Router? What is the physical topology of your network (a diagram would be useful)? Is the subnet changing for your server, or does its address remain constant?

But you could test pings, or you could setup another host with ssh without the yubikey requirement (just for testing purposes).

Is the Peplink VPN setup being replaced by, or supplemented by the OpenWrt Router? What is the physical topology of your network (a diagram would be useful)? Is the subnet changing for your server, or does its address remain constant?

The Peplink VPN is replacing the openwrt router. I completely disconnected the openwrt router, and replaced it with the peplink using the same router ip address and subnet. The server subnet remains constant/static. Not sure how to make a diagram but the routers go like this:

ISP Router with portforwarding on > Peplink surf soho router wan port attached to ISP Lan port > Macbook & Webserver attached to peplink lan ports.

But you could test pings, or you could setup another host with ssh without the yubikey requirement (just for testing purposes).

I will try this when I get home and let you know what happens.

Do you think this could possibly be a hardware issue by chance? I have a second linksys router that I could flash with openwrt to test, if you think it might be hardware related.

Lastly, do you know of any other expert eyes on this forum that you would be willing to ping to have a second pair of eyes take a look at my issue? Maybe there is something we are both missing? Just a thought, since I'm new to openwrt and the forum.

So to be clear about all of this, the Peplink router is the one that you're changing out for the OpenWrt router. When you have the Peplink router in place, you can reach its downstream devices via the VPN. But when the OpenWrt router is in place, you can connect to the VPN, but you are unable to do so.

Some things to check in the setup (and/or verify/document for clarity):

  1. The Peplink router's WAN is connected to the ISP LAN.
  2. When the OpenWrt router is installed, the peplink router is removed.
  3. The OpenWrt router, when installed, is connected to the ISP LAN.
  4. The WAN IP of the [Peplink XOR OpenWrt] router is always the same, so that the port forwarding from the ISP router points to the same IP address at all times (never changes).
  5. The LAN subnet of both the Peplink and the OpenWrt routers are the same (and they must obviously be unique relative to the ISP router).
  6. All client devices in question are downstream of the [OpenWrt XOR Peplink] router (i.e. they are on the LAN of whichever device is installed).
  7. The IP addresses of the client devices always remain the same when you swap the Peplink/OpenWrt routers (by means of either static IP assignments on those hosts, or DHCP reservations on the routers themselves).

Please verify this, and if there is any possibility for ambiguity, please run some tests and/or clarify as necessary.

All of this is absolutely correct.

Everything seems like it should work. I do not understand why it is not... and I've helped many other people with WG configurations, so I usually have a pretty good handle on this.

I can offer one other idea:

  • move the wireguard network into another firewall zone (I'd recommend a new zone for this)
  • turn on masquerading on the wireguard zone.
  • allow forwarding from this new wg zone > lan zone.

then try again.

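The two configuration points raised in this thread (each WireGuard peer carrying `option route_allowed_ips '1'`, and the WireGuard interface sitting in its own firewall zone with masquerading on and a forwarding rule into `lan`) can be checked mechanically on the router instead of by eye. The script below is an added example, not code from the thread or from the OpenWrt project: it is a small parser for the UCI text format used by `/etc/config/network` and `/etc/config/firewall`, plus a checker that walks that list. The two embedded configs are constructed samples mirroring the setup described above (wg0 on 192.168.9.1/24, a `macbook` peer without the route option, a `wg` zone forwarding to `lan`); the peer descriptions, key placeholders and the `check_wireguard` function name are the example's own choices, and the section-type convention `wireguard_<iface>` for peers is the one the thread's `option route_allowed_ips` line belongs to.

```python
import shlex
from typing import Dict, List

# Constructed sample of /etc/config/network (not the poster's real file):
# one WireGuard interface, one peer missing route_allowed_ips, one peer with it.
NETWORK_CFG = """
config interface 'wg0'
	option proto 'wireguard'
	option private_key 'REDACTED_PRIVATE_KEY'
	option listen_port '51820'
	list addresses '192.168.9.1/24'

config wireguard_wg0
	option description 'macbook'
	option public_key 'REDACTED_PUBKEY_1'
	option preshared_key 'REDACTED_PSK_1'
	list allowed_ips '192.168.9.3/32'

config wireguard_wg0
	option description 'phone'
	option public_key 'REDACTED_PUBKEY_2'
	option route_allowed_ips '1'
	list allowed_ips '192.168.9.4/32'
"""

# Constructed sample of /etc/config/firewall: a dedicated 'wg' zone with
# masquerading on and a forwarding rule from that zone into 'lan'.
FIREWALL_CFG = """
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wg'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	list network 'wg0'

config forwarding
	option src 'wg'
	option dest 'lan'
"""


def parse_uci(text: str) -> List[Dict]:
    """Parse UCI config text into sections of the form
    {'type', 'name', 'options': {key: value}, 'lists': {key: [values]}}."""
    sections: List[Dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # handles the single quotes UCI uses
        kw = tokens[0]
        if kw == "config":
            sections.append({"type": tokens[1],
                             "name": tokens[2] if len(tokens) > 2 else None,
                             "options": {}, "lists": {}})
        elif kw == "option" and sections:
            sections[-1]["options"][tokens[1]] = tokens[2] if len(tokens) > 2 else ""
        elif kw == "list" and sections:
            value = tokens[2] if len(tokens) > 2 else ""
            sections[-1]["lists"].setdefault(tokens[1], []).append(value)
    return sections


def check_wireguard(network_text: str, firewall_text: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    net, fw = parse_uci(network_text), parse_uci(firewall_text)
    findings: List[str] = []
    wg_ifaces = [s["name"] for s in net
                 if s["type"] == "interface" and s["options"].get("proto") == "wireguard"]
    if not wg_ifaces:
        findings.append("no interface with proto 'wireguard' found")
    for iface in wg_ifaces:
        # Peers live in sections typed 'wireguard_<iface>'.
        peers = [s for s in net if s["type"] == f"wireguard_{iface}"]
        if not peers:
            findings.append(f"{iface}: no peer sections")
        for p in peers:
            label = p["options"].get("description") or p["options"].get("public_key", "?")
            if p["options"].get("route_allowed_ips") != "1":
                findings.append(f"{iface} peer {label}: missing option route_allowed_ips '1'")
            if not p["lists"].get("allowed_ips"):
                findings.append(f"{iface} peer {label}: no allowed_ips")
        # The interface must belong to a zone that masquerades and forwards to lan.
        zones = [z for z in fw if z["type"] == "zone" and iface in z["lists"].get("network", [])]
        if not zones:
            findings.append(f"{iface}: not assigned to any firewall zone")
            continue
        for z in zones:
            zname = z["options"].get("name", "?")
            if z["options"].get("masq") != "1":
                findings.append(f"zone {zname}: masquerading is off")
            if not any(f["type"] == "forwarding" and f["options"].get("src") == zname
                       and f["options"].get("dest") == "lan" for f in fw):
                findings.append(f"zone {zname}: no forwarding rule {zname} -> lan")
    return findings


if __name__ == "__main__":
    for finding in check_wireguard(NETWORK_CFG, FIREWALL_CFG) or ["all checks passed"]:
        print(finding)
```

On a real router the two files would be read from `/etc/config/network` and `/etc/config/firewall` and passed to `check_wireguard`. Note that turning on masquerading in the wg zone makes every VPN client appear to LAN hosts as the router's LAN address, so ssh logs on the server will record the router rather than the Mac; if per-client attribution matters, keep masquerading off and rely on the forwarding rule plus the route that `route_allowed_ips` installs.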

I just tried doing all of these suggestions, and I can connect to the router and luci, however I cannot connect to the internet, or ssh to any of my local devices still.