OpenWrt and linux Wireguard (site to site)

I need to create a site to site connection. I installed WG in an LXC Debian container and also on a Wi-Fi router with OpenWRT (see image).

My goal is mutual ping 192.168.30.209 <--> 192.168.1.22.
I ping from 192.168.30.209 to 10.11.0.3
I ping from 10.11.0.3 to 192.168.1.22
How should I set the routing in openwrt to mutual ping from 192.168.30.209 to 192.168.1.22 ?
My config OpenWRT:

/etc/config/network
config interface 'wg0'
        option proto 'wireguard'
        option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx='
        option listen_port '51821'
        list addresses '10.11.0.3/32'

config wireguard_wg0
        option description 'server'
        option public_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx='
        list allowed_ips '10.11.0.0/24'
        list allowed_ips '192.168.1.0/24'
        option route_allowed_ips '1'
        option endpoint_host 'my-wg-example.com'
        option endpoint_port '51821'
        option persistent_keepalive '25'
/etc/config/firewall
config zone
        option name 'wg0'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'wg0'

config forwarding
        option src 'wg0'
        option dest 'lan'

LXC Wireguard (debian 11)

[Interface]
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
Address = 10.11.0.1/32
ListenPort = 51821
PreUp = iptables -I FORWARD -i wg1 -d 0.0.0.0/0 -j REJECT
PostDown = iptables -D FORWARD -i wg1 -d 0.0.0.0/0 -j REJECT
PreUp = iptables -I FORWARD -i wg1 -d 192.168.1.0/24 -j ACCEPT
PostDown = iptables -D FORWARD -i wg1 -d 192.168.1.0/24 -j ACCEPT


[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
AllowedIPs = 10.11.0.3/32,192.168.30.0/24

Is the lan=>wg0 forwarding allowed?

Thanks, after adding it works.

config forwarding
        option src 'lan'
        option dest 'wg0'

The ping from 192.168.30.209 to 192.168.1.22 is OK
I apologize, I know this is not a Linux forum, but I still can't ping from 192.168.1.22 to 192.168.30.209

OpenWrt is Linux :smiley:


Try adding this:

PreUp = iptables -I FORWARD -o wg1 -d 192.168.30.0/24 -j ACCEPT
PostDown = iptables -D FORWARD -o wg1 -d 192.168.30.0/24 -j ACCEPT

There is probably also another problem, because I can't ping from 192.168.1.22 to 10.11.0.1

iptables -I INPUT -i wg1 -j ACCEPT
iptables -I FORWARD -i wg1 -j ACCEPT
iptables -I FORWARD -o wg1 -j ACCEPT

I added to wg1.conf

PreUp = iptables -I INPUT -i wg1 -j ACCEPT
PostDown = iptables -D INPUT -i wg1 -j ACCEPT
PreUp = iptables -I FORWARD -i wg1 -j ACCEPT
PostDown = iptables -D FORWARD -i wg1 -j ACCEPT
PreUp = iptables -I FORWARD -o wg1 -j ACCEPT
PostDown = iptables -D FORWARD -o wg1 -j ACCEPT

but it doesn't work

What is the output of

iptables -nvL FORWARD

Redact the sensitive information, if any.

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      wg1     0.0.0.0/0            192.168.20.0/24    
    0     0 ACCEPT     all  --  *      wg1     0.0.0.0/0            192.168.30.0/24    
    0     0 ACCEPT     all  --  wg1    *       0.0.0.0/0            192.168.1.0/24      
    0     0 ACCEPT     all  --  *      wg1     0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  wg1    *       0.0.0.0/0            0.0.0.0/0           
    0     0 REJECT     all  --  wg1    *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
  229  109K ACCEPT     all  --  *      wg1     0.0.0.0/0            0.0.0.0/0           
  195 19949 ACCEPT     all  --  wg1    *       0.0.0.0/0            0.0.0.0/0    

Wireguard is on the LAN IP address 192.168.1.111. pfSense has the address 192.168.1.1, which is the gateway to the internet. If I send a packet from 192.168.1.22 to 10.11.0.1, it goes to GW 192.168.1.1. GW does not know about IP address 10.11.0.1.
According to the topology I use, I did this.
I created a new GW 192.168.1.111 in pfsense


I then created a static route so that the packet was not directed to 192.168.1.1, but to 192.168.1.111.

Now the ping from 192.168.1.22 to 10.11.0.1 works, but not to 192.168.30.209. There is still something missing.

All these firewall rules in the FORWARD chain are redundant. You can consider the wireguard interface as trusted, so use only the last two rules.

Try to ping 10.11.0.3 (if your diagram is correct).

If 192.168.30.209 is running Windows OS, check its firewall.

I haven't deleted the rules yet

ping 10.11.0.3
PING 10.11.0.3 (10.11.0.3) 56(84) bytes of data.
From 192.168.1.1 icmp_seq=1 Redirect Host(New nexthop: 192.168.1.111)
64 bytes from 10.11.0.3: icmp_seq=1 ttl=63 time=68.0 ms
64 bytes from 10.11.0.3: icmp_seq=2 ttl=63 time=76.7 ms
64 bytes from 10.11.0.3: icmp_seq=3 ttl=63 time=54.2 ms
64 bytes from 10.11.0.3: icmp_seq=4 ttl=63 time=50.1 ms
64 bytes from 10.11.0.3: icmp_seq=5 ttl=63 time=62.9 ms
64 bytes from 10.11.0.3: icmp_seq=6 ttl=63 time=95.8 ms
64 bytes from 10.11.0.3: icmp_seq=7 ttl=63 time=57.6 ms

Ping to 192.168.30.209 (respectively 192.168.30.1) (not OK)

ping 192.168.30.209
PING 192.168.30.209 (192.168.30.209) 56(84) bytes of data.

Install tcpdump on the router and check the incoming traffic on the wg0 interface.

If you can ping 192.168.30.1 and 192.168.30.209 from 192.168.1.111, try masquerading the outgoing traffic to see if it makes a difference.

iptables -t nat -I POSTROUTING -o wg1 -j MASQUERADE

When I added masquerading on the wg1 interface and pinged from 192.168.1.22 to 10.11.0.3:

PreUp = iptables -t nat -A POSTROUTING -o wg1 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o wg1 -j MASQUERADE

tcpdump runs on openwrt.

tcpdump -n -i wg0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wg0, link-type RAW (Raw IP), capture size 262144 bytes
18:43:24.081483 IP 10.11.0.1 > 10.11.0.3: ICMP echo request, id 18, seq 12, length 64
18:43:24.081643 IP 10.11.0.3 > 10.11.0.1: ICMP echo reply, id 18, seq 12, length 64
18:43:25.082437 IP 10.11.0.1 > 10.11.0.3: ICMP echo request, id 18, seq 13, length 64
18:43:25.082617 IP 10.11.0.3 > 10.11.0.1: ICMP echo reply, id 18, seq 13, length 64

When I added masquerading on the eth0 interface and pinged from 192.168.1.22 to 10.11.0.3:

PreUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

tcpdump runs on openwrt

tcpdump -n -i wg0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wg0, link-type RAW (Raw IP), capture size 262144 bytes
18:45:24.211435 IP 192.168.1.22 > 10.11.0.3: ICMP echo request, id 19, seq 19, length 64
18:45:24.211595 IP 10.11.0.3 > 192.168.1.22: ICMP echo reply, id 19, seq 19, length 64
18:45:25.210630 IP 192.168.1.22 > 10.11.0.3: ICMP echo request, id 19, seq 20, length 64
18:45:25.210790 IP 10.11.0.3 > 192.168.1.22: ICMP echo reply, id 19, seq 20, length 64

Ping to 192.168.30.209 still does not work.

@pavelgl
Btw, thank you for your help.

I've been trying to make sense of this for a while.

Site A:
OpenWrt is main router, runs Wireguard
Wireguard tunnel 10.11.0.3/24
LAN 192.168.30.0/24

Site B
PFSense is main router
LAN 192.168.1.0/24
LXC VM runs Wireguard
LXC machine on LAN 192.168.1.111
Wireguard tunnel 10.11.0.1/24

Site B involves no OpenWrt and thus is outside the scope of this forum. As an "appendage" Wireguard termination, it is more complicated than site A which has all networks and routes in one place in the main router. The important thing with such a site is to install routes to the Wireguard sites in the main router, since clients on the LAN are not aware of the appendage wireguard link at all. They use the main router as the default route.
10.11.0.0/24 via 192.168.1.111
192.168.30.0/24 via 192.168.1.111

If you're trying to ping a Windows machine, realize that the default configuration of Windows drops pings. Also Windows can be set up to block any access to private IPs outside its own local LAN.

@mk24
In post number 10, I wrote how I added a new GW and a routing rule. So I was able to solve the ping from LAN 192.168.1.0 to WG network 10.11.0.0. I suppose it was the right move.
That's the route

10.11.0.0/24 via 192.168.1.111

Now I need to create a route to the WireGuard (WG) server

192.168.30.0/24 via 192.168.1.111

I want to create a new route rule

ip route add 192.168.30.0/24 via 192.168.1.111 dev eth0

But the answer is

RTNETLINK answers: File exists
ip r
default via 192.168.1.1 dev eth0 onlink 
10.11.0.2 dev wg1 scope link 
10.11.0.3 dev wg1 scope link 
10.11.0.4 dev wg1 scope link 
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.111 
192.168.30.0/24 dev wg1 scope link 

hmm

This route needs to be in the main router at site B. The VPN VM at site B also needs to be aware of the 192.168.30.0 network, but its route to there is the VPN tunnel. That appears to be configured correctly. Since Site A's LAN is 192.168.30.0, the route to that local LAN is already installed in the OpenWrt router.

The ping from 192.168.1.22 to 192.168.30.209 would then be routed this way:
the originating PC's default route is 192.168.1.1.
192.168.1.1 uses this rule to forward to 192.168.1.111
192.168.1.111 uses its rule (192.168.30.0/24 via 10.11.0.1) to send the packet into the VPN tunnel.
OpenWrt router at site A forwards to the interface holding 192.168.30.1

Equally important is the ping response.

Machine at 192.168.30.209 replies to 192.168.1.22(*) using its default route 192.168.30.1.
OpenWrt router uses its route 192.168.1.0/24 via 10.11.0.3 to send packet to the VPN tunnel
At site B, VPN VM receives packet and routes it to its local LAN interface, where 192.168.1.22 can receive it.
192.168.1.22 reports a successful ping.

(*) Consider, as in my previous post, that Windows PCs don't necessarily reply to pings.
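As an added illustration of the routing argument in the post above (not code from the thread or from any of its participants), here is a small Python model of the two sites built from the thread's addresses and `ip r` output; the per-hop tables of the PCs and pfSense, and the 203.0.113.1 address standing in for the ISP gateway, are my assumptions. Tracing a ping hop by hop shows why the request from 192.168.1.22 leaves pfSense towards the WAN until the two static routes exist, while the reply from site A already finds its way back through the tunnel.

```python
import ipaddress
def lookup(routes, dst):
    """Longest-prefix match over (network, next_hop, device) entries."""
    dst, best = ipaddress.ip_address(dst), None
    for net, via, dev in routes:
        net = ipaddress.ip_network(net)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    return None if best is None else best[1:]

def owner(hosts, ip):
    """Name of the host holding ip, or None (e.g. an ISP gateway we don't model)."""
    return next((n for n, h in hosts.items() if ip in h["addrs"]), None)

def trace(hosts, start, dst, max_hops=8):
    """Forward one packet hop by hop and return the host names it crosses. An on-link
    route (next hop None) delivers to dst's owner; a tunnel route names the WireGuard peer."""
    path = [start]
    for _ in range(max_hops):
        host = hosts[path[-1]]
        if dst in host["addrs"]:
            return path                      # delivered
        hit = lookup(host["routes"], dst)
        if hit is None:
            return path + ["NO ROUTE"]
        nxt = owner(hosts, hit[0] or dst)
        if nxt is None:
            return path + [f"LOST via {hit[1]}"]   # left the modelled network
        path.append(nxt)
    return path + ["LOOP"]

def topology(pfsense_static_routes=()):
    """Constructed model of the thread's two sites; 203.0.113.1 stands in for the ISP gateway."""
    return {
        "pc_b": {"addrs": {"192.168.1.22"}, "routes": [
            ("192.168.1.0/24", None, "eth0"), ("0.0.0.0/0", "192.168.1.1", "eth0")]},
        "pfsense": {"addrs": {"192.168.1.1"}, "routes": [
            ("192.168.1.0/24", None, "lan"), ("0.0.0.0/0", "203.0.113.1", "wan"), *pfsense_static_routes]},
        "lxc": {"addrs": {"192.168.1.111", "10.11.0.1"}, "routes": [   # as in the `ip r` output above
            ("192.168.1.0/24", None, "eth0"), ("10.11.0.3/32", None, "wg1"),
            ("192.168.30.0/24", "10.11.0.3", "wg1"), ("0.0.0.0/0", "192.168.1.1", "eth0")]},
        "openwrt": {"addrs": {"10.11.0.3", "192.168.30.1"}, "routes": [   # route_allowed_ips '1'
            ("192.168.30.0/24", None, "br-lan"), ("10.11.0.0/24", None, "wg0"),
            ("192.168.1.0/24", "10.11.0.1", "wg0"), ("0.0.0.0/0", "203.0.113.1", "wan")]},
        "pc_a": {"addrs": {"192.168.30.209"}, "routes": [
            ("192.168.30.0/24", None, "eth0"), ("0.0.0.0/0", "192.168.30.1", "eth0")]},
    }

# The two static routes the post above says belong in the site B main router (pfSense).
PFSENSE_ROUTES = [("10.11.0.0/24", "192.168.1.111", "lan"), ("192.168.30.0/24", "192.168.1.111", "lan")]
```

`trace(topology(), "pc_b", "192.168.30.209")` ends in `LOST via wan`, `trace(topology(PFSENSE_ROUTES), ...)` reaches `pc_a`, and the reply trace from `pc_a` succeeds either way, which is the asymmetry the thread ran into.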

Thank you friends :+1:
@mk24
@pavelgl
When I added the route to pfsense, it works.
I will create another WG network on another OpenWRT device. I will want to connect all 3 networks. I hope I can do it.
:beers:
BTW I do not use MS Windows OS anywhere
