Handshake works, client cannot ping server and vice versa

I'm a novice at Linux and OpenWrt. I managed to get the handshake working but for the life of me I cannot get any data to flow through the tunnel. I think it has something to do with firewall rules but I cannot be sure.

wg show says

 **interface**: VPN

**public key**: twDMrHUkrG+ufL3pWsOVLgIZjkn2dtoPmhvuPRmtOVY=

**private key**: (hidden)

**listening port**: 51820

**peer**: jtTUfqqMsSm7+RYhmDDsmESkQ2ierapyHTKR98DriQY=

**endpoint**: 108.30.242.XXX:60171

**allowed ips**: 192.168.88.4/32

**latest handshake**: 42 seconds ago

**transfer**: 470.02 MiB received, 15.74 GiB sent

**persistent keepalive**: every 25 seconds

config: network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd00:8f7a:fd99::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'

config device
	option name 'eth1'
	option macaddr 'c0:74:2b:ff:58:eb'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'eth0'
	option macaddr 'c0:74:2b:ff:58:ea'

config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0'
	option proto 'dhcpv6'

config interface 'docker'
	option device 'docker0'
	option proto 'none'
	option auto '0'

config device
	option type 'bridge'
	option name 'docker0'

config interface 'VPN'
	option proto 'wireguard'
	option private_key 'XXXXXXXBXb1Q3vOQPo0floBp0GdD+OfzPIZUScM3P1s='
	list addresses '192.168.88.1/24'
	option listen_port '51820'

config wireguard_VPN
	option description 'Salmo'
	option endpoint_port '51820'
	option public_key 'jtTUfqqMsSm7+RYhmDDsmESkQ2ierapyHTKR98DriQY='
	option persistent_keepalive '25'
	option route_allowed_ips '1'
	list allowed_ips '0.0.0.0/24'
	list allowed_ips '192.168.1.0/24'
	list allowed_ips '192.168.0.0/24'
	list allowed_ips '192.168.2.1/24'

that's a lot of data for something that doesn't get any data flow.

True. I am not able to ping the server from the client and vice versa. I cannot see any server IPs from the client.

Edit:
Your Allowed IPs are wrong. Is this meant as a WG server to connect from the internet to your home?

Yes, that's what I'm trying to achieve.

Your WG server has ip address: 192.168.88.1

The WG client should have, e.g., 192.168.88.2 as its address in the WG client config.
So in Allowed IPs you set 192.168.88.2/32.

For the firewall, you have to add the VPN interface to the LAN firewall zone.

I have added the vpn interface to the lan firewall zone. I am going to do the other part now.


I have made the changes. I can ping the tunnel's ip from the client but I cannot ping any other ips server side.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </>" button:

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
ip route show
wg show

and also the WG client config

ubus call system board

{
	"kernel": "5.4.154",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "Xunlong Orange Pi R1 Plus LTS",
	"board_name": "xunlong,orangepi-r1-plus-lts",
	"release": {
		"distribution": "OpenWrt",
		"version": "21.02.1",
		"revision": "r16325-88151b8303",
		"target": "rockchip/armv8",
		"description": "OpenWrt 21.02.1 r16325-88151b8303"
	}
}

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd00:8f7a:fd99::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'

config device
	option name 'eth1'
	option macaddr 'c0:74:2b:ff:58:eb'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'eth0'
	option macaddr 'c0:74:2b:ff:58:ea'

config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0'
	option proto 'dhcpv6'

config interface 'docker'
	option device 'docker0'
	option proto 'none'
	option auto '0'

config device
	option type 'bridge'
	option name 'docker0'

config interface 'VPN'
	option proto 'wireguard'
	option private_key 'CBDsFedBXb1Q3vOQPo0floBp0GdD+OfzPIZUScM3P1s='
	list addresses '192.168.88.1/24'
	option listen_port '51820'

config wireguard_VPN
	option description 'Salmo'
	option endpoint_port '51820'
	option public_key 'XXXXXXXMsSm7+RYhmDDsmESkQ2ierapyHTKR98DriQY='
	option persistent_keepalive '25'
	option route_allowed_ips '1'
	list allowed_ips '192.168.88.4/32'

cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option mtu_fix '1'

config zone
	option name 'wan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	list network 'VPN'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config include 'ss_rules'
	option path '/etc/firewall.ss-rules'
	option reload '1'

config zone 'docker'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option name 'docker'
	list network 'docker'

config redirect
	option target 'DNAT'
	option name 'VPNTraffic'
	list proto 'udp'
	option src 'wan'
	option src_dport '51820'
	option dest 'lan'

config rule
	list proto 'udp'
	option src 'wan'
	option src_port '51820'
	option dest 'lan'
	option target 'ACCEPT'

ip route show

default via 192.168.1.254 dev eth0 proto static src 192.168.1.192 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown 
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.192 
192.168.2.0/24 dev br-lan proto kernel scope link src 192.168.2.1 
192.168.88.0/24 dev VPN proto kernel scope link src 192.168.88.1

wg show

**interface**: VPN

**public key**: xxxxxxxxxx+ufL3pWsOVLgIZjkn2dtoPmhvuPRmtOVY=

**private key**: (hidden)

**listening port**: 51820

**peer**: jtTUfqqMsSm7+RYhmDDsmESkQ2ierapyHTKR98DriQY=

**endpoint**: 108.30.xxx.xxx:60171

**allowed ips**: 192.168.88.4/32

**latest handshake**: 1 minute, 29 seconds ago

**transfer**: 815.32 MiB received, 26.19 GiB sent

**persistent keepalive**: every 25 seconds

WG client config

First of all you are using a really old build which is EOL and has security issues.
Upgrading to e.g. 23.05.3 is highly recommended.

We need to see the config of the client to review if that is correct.

Main problem: see my earlier advice.

But your LAN zone should not have MASQUERADE enabled.

Your WAN zone should have input set to REJECT to keep you safe

Note that the lan clients you are trying to reach can have their own firewall which should be tweaked to allow traffic from 192.168.88.0/24
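The two pieces of advice in this thread (the earlier reply about Allowed IPs and the LAN firewall zone, and this last one about masquerade and WAN input) can be checked mechanically. The script below is an added example, not code from the thread or from OpenWrt: it parses UCI text into sections and audits a WireGuard "server" setup for exactly those mistakes. It assumes the road-warrior layout discussed here (clients get a /32 in the tunnel subnet, the router's LAN is a static interface, the WG interface is named in the firewall zones by its network name). The sample config strings are constructed from the first post's peer list and the posted zone layout, with keys removed.

```python
"""Audit an OpenWrt WireGuard server's UCI network and firewall config for the
mistakes discussed in the thread (added example; not code from the thread or OpenWrt)."""
import ipaddress
import re

# Matches "config <type> ['name']", "option <key> 'value'" and "list <key> 'value'".
UCI_LINE = re.compile(r"^(config|option|list)\s+(\S+)(?:\s+(?:'([^']*)'|(\S+)))?\s*$")


def parse_uci(text):
    """Parse UCI text into [{'type', 'name', 'options': {}, 'lists': {}}] in file order."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = UCI_LINE.match(line)
        if not m:
            raise ValueError("unparseable UCI line: %r" % line)
        kind, key, quoted, bare = m.groups()
        value = quoted if quoted is not None else bare
        if kind == "config":
            sections.append({"type": key, "name": value, "options": {}, "lists": {}})
        elif kind == "option":
            sections[-1]["options"][key] = value
        else:
            sections[-1]["lists"].setdefault(key, []).append(value)
    return sections


def audit(network_text, firewall_text):
    """Return a list of findings (strings); an empty list means nothing to fix."""
    net, fw, findings = parse_uci(network_text), parse_uci(firewall_text), []
    local, tunnels, ports = [], {}, {}  # LAN subnets; tunnel subnets and listen port per WG interface
    for s in (s for s in net if s["type"] == "interface"):
        o = s["options"]
        if o.get("proto") == "static" and "ipaddr" in o and "netmask" in o:
            local.append(ipaddress.ip_network(f"{o['ipaddr']}/{o['netmask']}", strict=False))
        elif o.get("proto") == "wireguard":
            tunnels[s["name"]] = [ipaddress.ip_interface(a).network for a in s["lists"].get("addresses", [])]
            ports[s["name"]] = o.get("listen_port")
    # Server side, a roaming client's allowed_ips is just that client's /32 inside the tunnel subnet.
    for s in (s for s in net if s["type"].startswith("wireguard_")):
        iface, peer = s["type"][len("wireguard_"):], s["options"].get("description", "?")
        for a in s["lists"].get("allowed_ips", []):
            n = ipaddress.ip_network(a, strict=False)
            if str(n) != a:
                findings.append(f"peer {peer}: allowed_ips {a} has host bits set (parses as {n})")
            elif any(n.overlaps(l) for l in local):
                findings.append(f"peer {peer}: allowed_ips {a} overlaps a LAN subnet; with "
                                "route_allowed_ips '1' that steers LAN traffic into the tunnel")
            elif n.prefixlen != n.max_prefixlen or not any(n.subnet_of(t) for t in tunnels.get(iface, [])):
                findings.append(f"peer {peer}: allowed_ips {a} should be the client's /32 inside "
                                f"{[str(t) for t in tunnels.get(iface, [])]}")
    zones = [z for z in fw if z["type"] == "zone"]
    zone_of = {n: z["options"].get("name") for z in zones for n in z["lists"].get("network", [])}
    for o in (z["options"] for z in zones):
        if o.get("name") == "lan" and o.get("masq") == "1":
            findings.append("lan zone has masq '1'; masquerade belongs on the wan zone only")
        if o.get("name") == "wan" and o.get("input") != "REJECT":
            findings.append(f"wan zone input is {o.get('input')!r}; set it to REJECT")
    for iface, port in ports.items():
        if zone_of.get(iface) != "lan":
            findings.append(f"{iface} is in zone {zone_of.get(iface)!r}; it must be in the lan zone")
        # Once wan input is REJECT the handshake only survives with an explicit input-accept rule.
        if port and not any(r["type"] == "rule" and r["options"].get("src") == "wan" and "dest" not in r["options"]
                            and r["options"].get("dest_port") == port and r["options"].get("target") == "ACCEPT"
                            and "udp" in r["lists"].get("proto", []) + [r["options"].get("proto")] for r in fw):
            findings.append(f"no wan rule accepting udp/{port} for {iface}; add one before rejecting wan input")
    return findings


# Constructed sample: the thread's first-post peer list and the posted zone layout, keys removed.
NETWORK = """
config interface 'lan'
    option proto 'static'
    option ipaddr '192.168.2.1'
    option netmask '255.255.255.0'
config interface 'VPN'
    option proto 'wireguard'
    list addresses '192.168.88.1/24'
    option listen_port '51820'
config wireguard_VPN
    option description 'Salmo'
    option route_allowed_ips '1'
    list allowed_ips '0.0.0.0/24'
    list allowed_ips '192.168.1.0/24'
    list allowed_ips '192.168.0.0/24'
    list allowed_ips '192.168.2.1/24'
"""
FIREWALL = """
config zone
    option name 'lan'
    list network 'lan'
    option masq '1'
config zone
    option name 'wan'
    option input 'ACCEPT'
    list network 'VPN'
    list network 'wan'
"""
```

Running `audit(NETWORK, FIREWALL)` on the sample reports all four peer entries (three are not a client /32 in 192.168.88.0/24, one has host bits set), the LAN masquerade, the WAN input policy, the VPN interface sitting in the wan zone, and the missing udp/51820 accept rule that becomes necessary as soon as WAN input is switched to REJECT. Feeding it the real `/etc/config/network` and `/etc/config/firewall` files works the same way, since the parser handles the full UCI syntax used in those dumps.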