DHCP questions - was: Wireguard configuration - ping host to host

I am struggling with WireGuard configuration.
Actually the WireGuard tunnel is working, but I cannot ping all hosts in both directions.

  • I can ping, ssh and http to the OpenWrt router via the tunnel from all hosts I tried on the other side of the tunnel
  • I can ping hosts from the OpenWrt router via the tunnel
  • I can ping another host in the LAN of the OpenWrt router from the remote router

However, I cannot ping arbitrary hosts via the tunnel.

What shall I look for, or what configuration do you need to help?

Are we talking about two OpenWrt routers (one on each side of the tunnel), or are the remote peers individual devices like phones/computers? Also, what OS are the hosts that you are trying to ping? Such as MacOS, Windows, Linux, etc.?

Let's start by looking at the configs. Please make it clear which is which if there are two OpenWrt devices involved here.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall

One OpenWrt; the peer WireGuard router is Ubuntu (and connecting to other sites as well). Hosts are Linux and Windows.
Some of the hosts are able to ping after I added an explicit static route to the network reachable via the tunnel. I was assuming the default gateway is sufficient, and for some hosts also DHCP would announce the route.

Thus, partly related, partly not, I am struggling with DHCP:

  • DHCP replies do not announce the route to networks connected via WireGuard. I was assuming this is what "Route Allowed IPs" is supposed to do, but obviously it does not. Thus I have to add static routes whether the tunnel is up or not?
  • I previously enabled DHCP relay (forwarding across the tunnel), but that also appears to tell dnsmasq not to process any request destined for that interface itself. Is there a means to have both?

So that proves the tunnel is working. There is probably a better way, though... usually, if you're trying to do a site-to-site, include those in the allowed_ips and it should work.

I'd have to see your current config (and possibly a little more context, too) to advise with more specifics.

No. The route allowed IPs option affects the routing table on OpenWrt. It has nothing to do with DHCP advertisements. In fact, the OpenWrt router will have the route, so the client devices that are looking to connect through the tunnel will want to simply send that traffic to the OpenWrt router itself anyway, and the router will be aware of the route and handle that without any additional fuss. So, the DHCP advertised gateway should be the OpenWrt router itself and nothing else is required.
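The point made above (the LAN hosts only need the OpenWrt router as their default gateway; the routing into the tunnel is decided by the peers' allowed IPs on both ends) can be made concrete with a small simulation of WireGuard's cryptokey routing. This is an added example, not code or configuration from the thread or from OpenWrt: the two sites, their subnets, the tunnel addresses 10.0.0.1/10.0.0.2 and the peer names are all constructed for illustration, and the firewall is assumed to permit forwarding. It models the two rules WireGuard actually applies: outbound, the destination is matched against every peer's allowed IPs (longest prefix wins) to pick the peer; inbound, a decrypted packet is accepted only if its source address lies inside the sending peer's allowed IPs. The "half-fixed" case reproduces the symptom in the original post: pings from the router itself succeed, pings from LAN hosts behind it do not, because the remote side never listed that LAN.

```python
"""Simulate WireGuard cryptokey routing for a site-to-site tunnel.

Constructed example (not the thread's real config): each router is one
WireGuard peer of the other. Shows why a LAN host only needs its default
gateway, and why every remote prefix must appear in BOTH peers' allowed_ips.
"""
import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass
class Peer:
    name: str
    allowed_ips: list      # list[Net]: this peer's AllowedIPs (UCI: allowed_ips)


@dataclass
class Router:
    name: str
    lan: Net               # LAN behind this router; its hosts use it as default gateway
    tunnel_ip: IPv4        # the router's own address inside the tunnel
    peers: list            # list[Peer]


def select_peer(router, dst):
    """Outbound rule: the peer whose allowed_ips contain dst with the longest
    prefix wins. None means no peer covers dst, so the packet never enters the
    tunnel (route_allowed_ips only installs kernel routes for these prefixes)."""
    best, best_len = None, -1
    for peer in router.peers:
        for net in peer.allowed_ips:
            if dst in net and net.prefixlen > best_len:
                best, best_len = peer, net.prefixlen
    return best


def accepts_inbound(router, from_peer, src):
    """Inbound rule: a decrypted packet from a peer is accepted only if its
    source address is inside that peer's allowed_ips; otherwise it is dropped."""
    for peer in router.peers:
        if peer.name == from_peer:
            return any(src in net for net in peer.allowed_ips)
    return False


def one_way(a, b, src, dst):
    """Trace one packet from src (on or behind router a) to dst (on or behind b).
    Returns (delivered, reason). Firewall forwarding is assumed to be allowed."""
    if dst in a.lan:
        return True, "dst is on the local LAN, tunnel not involved"
    peer = select_peer(a, dst)
    if peer is None or peer.name != b.name:
        return False, f"{a.name}: no peer has {dst} in allowed_ips, not sent into tunnel"
    if not accepts_inbound(b, a.name, src):
        return False, f"{b.name}: dropped, source {src} not in allowed_ips of peer {a.name}"
    if dst != b.tunnel_ip and dst not in b.lan:
        return False, f"{b.name}: {dst} is neither its tunnel address nor in its LAN"
    return True, "delivered"


def ping_works(a, b, src, dst):
    """A ping needs the echo request (a -> b) AND the echo reply (b -> a)."""
    ok, why = one_way(a, b, src, dst)
    if not ok:
        return False, "request: " + why
    ok, why = one_way(b, a, dst, src)
    if not ok:
        return False, "reply: " + why
    return True, "request and reply both pass"


# --- constructed scenario (assumed addresses, not the original poster's) ----
LAN_A, LAN_B = Net("192.168.1.0/24"), Net("192.168.2.0/24")
TUN_A, TUN_B = IPv4("10.0.0.1"), IPv4("10.0.0.2")


def site(name, lan, tun_ip, peer_name, peer_allowed):
    return Router(name, lan, tun_ip, [Peer(peer_name, [Net(n) for n in peer_allowed])])


# Broken: each side lists only the other's tunnel address (the common mistake).
openwrt_broken = site("openwrt", LAN_A, TUN_A, "ubuntu", ["10.0.0.2/32"])
ubuntu_broken = site("ubuntu", LAN_B, TUN_B, "openwrt", ["10.0.0.1/32"])
# Half-fixed: OpenWrt routes LAN B into the tunnel, but Ubuntu does not list
# LAN A, so packets from LAN-A hosts are dropped on inbound at Ubuntu.
openwrt_fixed = site("openwrt", LAN_A, TUN_A, "ubuntu", ["10.0.0.2/32", "192.168.2.0/24"])
# Fully fixed: every remote prefix appears on both sides.
ubuntu_fixed = site("ubuntu", LAN_B, TUN_B, "openwrt", ["10.0.0.1/32", "192.168.1.0/24"])

if __name__ == "__main__":
    host_a, host_b = IPv4("192.168.1.50"), IPv4("192.168.2.50")
    for label, a, b, src, dst in [
        ("broken, router->router", openwrt_broken, ubuntu_broken, TUN_A, TUN_B),
        ("broken, host->host", openwrt_broken, ubuntu_broken, host_a, host_b),
        ("half-fixed, router->host", openwrt_fixed, ubuntu_broken, TUN_A, host_b),
        ("half-fixed, host->host", openwrt_fixed, ubuntu_broken, host_a, host_b),
        ("fixed, host->host", openwrt_fixed, ubuntu_fixed, host_a, host_b),
    ]:
        print(f"{label:26} {ping_works(a, b, src, dst)}")
```

Note that nothing in the simulation involves DHCP: the LAN hosts hand every non-local packet to their default gateway, and whether it crosses the tunnel is decided purely by the two routers' allowed IPs. That is the reason a static route on the hosts can only ever mask a missing prefix on the remote peer, not replace it.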

I would not do this... it is prone to failure. Keep a local DHCP server on each side of the tunnel (usually this is on the main router on each side), and then simply route between the networks.

Ideally yes, and I was also assuming that (no matter whether announced or configured), but reality proved me wrong.

There is a local DHCP server on all networks. DHCP relay is supposed to support an application based on BOOTP, not DHCP. Unfortunately there is no BOOTP relay I am aware of, and whatever relay there is has to use the same port as a DHCP server on that device. Or I have to use static IPs (and routes) on that specific LAN, which I also dislike.