Routing in Wireguard site to site not working

Hi all,
I am trying to create a site-to-site WireGuard connection to join two LANs. I can get the two devices to communicate, but not ping from one network to the other. I used the script: https://openwrt.org/docs/guide-user/services/vpn/wireguard/site-to-site

-- Main Site --
device that does no routing, connected only via the LAN port. In the main router there's already a static route to 192.168.50.0/24, as a traceroute from a LAN PC shows:

tracert 192.168.50.254
Tracing route to 192.168.50.254 over a maximum of 30 hops
  1     *        *        *     Request timed out.
  2     1 ms     6 ms     1 ms  vpn01.xxx.lan [192.168.200.30]
  3    13 ms    13 ms    13 ms  192.168.50.254

but I cannot ping (perhaps because the WAN port doesn't respond to pings).

Configs from device in Main Site:
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd72:6414:7918::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.200.30'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.200.254'
        list dns '192.168.200.1'
        list dns '192.168.200.2'
        list dns_search 'xxx.lan'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'Wireguard_xxx'
        option proto 'wireguard'
        option private_key '####'
        option listen_port '51820'

config wireguard_Wireguard_xxx 's2s_vpn_Exterior'
        option public_key '####'
        option preshared_key '####'
        option description 'Exterior, wrgxxx.duckdns.org'
        list allowed_ips '192.168.50.0/24'
        list allowed_ips 'fd96:b46d:9fcc::/48'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        option endpoint_host 'xxxxxx.duckdns.org'
        option endpoint_port '51820'

package firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'Wireguard_xxx'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config rule
        option name 'Allow-Control'
        list proto 'tcp'
        option src 'lan'
        list src_ip '192.168.200.12'
        list src_ip '192.168.200.13'
        list dest_ip '192.168.200.30'
        option dest_port '22 80 443'
        option target 'ACCEPT'

config rule 'wg_s2s_51820'
        option name 'Allow-WireGuard-51820'
        option src 'lan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

Route command

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.200.254 0.0.0.0         UG    0      0        0 br-lan
2.82.107.65     192.168.200.254 255.255.255.255 UGH   0      0        0 br-lan
192.168.50.0    *               255.255.255.0   U     0      0        0 Wireguard_xxx
192.168.200.0   *               255.255.255.0   U     0      0        0 br-lan

-- Secondary Site --
device with its WAN connected to the ISP router. Clients connect to this device over wireless.

I can't traceroute to the main site from the router:

traceroute 192.168.200.30
traceroute to 192.168.200.30 (192.168.200.30), 30 hops max, 46 byte packets
 1  *  *  *
 2  *  *  *
 3  *  *  *

package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd96:b46d:9fcc::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.50.254'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'Wireguard_Ext'
        option proto 'wireguard'
        option private_key '######'
        option listen_port '51820'

config wireguard_Wireguard_Ext 's2s_vpn_CINEL'
        option public_key '######'
        option preshared_key '######'
        option description 'CINEL, 194.79.xxx.xxx'
        list allowed_ips '192.168.200.0/24'
        list allowed_ips 'fd72:6414:7918::/48'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        option endpoint_host '194.79.xxx.xxx'
        option endpoint_port '51820'

package firewall

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'Wireguard_Ext'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-Control-CINEL'
        list proto 'tcp'
        option src 'wan'
        list src_ip '194.79.xxx.xxx'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule 'wg_s2s_51820'
        option name 'Allow-WireGuard-51820'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

Route command

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.254   0.0.0.0         UG    0      0        0 wan
192.168.1.0     *               255.255.255.0   U     0      0        0 wan
192.168.50.0    *               255.255.255.0   U     0      0        0 br-lan
192.168.200.0   *               255.255.255.0   U     0      0        0 Wireguard_Ext
194.79.xxx.xxx    192.168.1.254   255.255.255.255 UGH   0      0        0 wan

I will start with the obvious thing :slight_smile:

WireGuard is a routed solution, so it needs three different subnets: the "server", "client" and WG subnets need to be different.
Your server and client (actually WG is peer-to-peer) are different, but there is no WG subnet.

The WG interface needs an IP address/subnet

Add the IP address here, e.g.:

list addresses '172.21.21.1/24'
list addresses 'fddb:b40f:f9bc:4ba5::1/64'

On the client side use

list addresses '172.21.21.2/24'
list addresses 'fddb:b40f:f9bc:4ba5::2/64'

If you do not use IPv6, then do not set an IPv6 address.

It is good custom to also set the WG address of the other side as Allowed IP (although in a site-to-site setup you do not Masquerade so technically it will work without)

First I have to get some coffee; I will chime in later when I can have a better look at your config.

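A check for the points in this reply, as an added example that is not part of the thread: given each site's LAN subnet, its tunnel address as written in 'list addresses', and the allowed_ips it configures for the other side, it flags a WG interface without an address, tunnel addresses that do not share one subnet (the missing mask), overlapping LANs, and allowed_ips that miss the peer's LAN or tunnel address. The site dicts are constructed from the thread's subnets; keys are omitted.

```python
import ipaddress

# Constructed from the thread's subnets (keys omitted): the pair after egc's
# advice, with /24 tunnel addresses and the tunnel subnet in allowed_ips.
MAIN = {"name": "main", "lan": "192.168.200.0/24", "tunnel": "172.20.1.1/24",
        "allowed_ips": ["192.168.50.0/24", "fd96:b46d:9fcc::/48", "172.20.1.0/24"]}
SECONDARY = {"name": "secondary", "lan": "192.168.50.0/24", "tunnel": "172.20.1.2/24",
             "allowed_ips": ["192.168.200.0/24", "fd72:6414:7918::/48", "172.20.1.0/24"]}

def _net(text):
    return ipaddress.ip_network(text, strict=False)

def check_site_pair(a, b):
    """Return a list of problems for two site dicts with keys name, lan,
    tunnel ('addr/prefix' or None, as in 'list addresses') and allowed_ips
    (the allowed_ips this site configures for the other side as its peer)."""
    problems = []
    lan_a, lan_b = _net(a["lan"]), _net(b["lan"])
    if lan_a.overlaps(lan_b):
        problems.append("LAN subnets overlap: %s vs %s" % (lan_a, lan_b))
    tunnels = []
    for site in (a, b):
        if not site.get("tunnel"):
            problems.append("%s: WG interface has no address" % site["name"])
            continue
        iface = ipaddress.ip_interface(site["tunnel"])  # no prefix given -> /32
        tunnels.append(iface)
        for lan in (lan_a, lan_b):
            if iface.network.overlaps(lan):
                problems.append("%s: tunnel %s overlaps LAN %s" % (site["name"], iface.network, lan))
    if len(tunnels) == 2:
        if tunnels[0].ip == tunnels[1].ip:
            problems.append("both sides use the same tunnel address")
        elif tunnels[0].network != tunnels[1].network:
            problems.append("tunnel addresses %s and %s are not in one subnet (missing mask?)" % tuple(tunnels))
    # each side's allowed_ips for the peer must cover the peer's LAN and tunnel address
    for local, peer in ((a, b), (b, a)):
        allowed = [_net(x) for x in local["allowed_ips"]]
        peer_lan = _net(peer["lan"])
        if not any(n.version == peer_lan.version and peer_lan.subnet_of(n) for n in allowed):
            problems.append("%s: allowed_ips does not cover peer LAN %s" % (local["name"], peer_lan))
        if peer.get("tunnel"):
            peer_ip = ipaddress.ip_interface(peer["tunnel"]).ip
            if not any(peer_ip in n for n in allowed):
                problems.append("%s: allowed_ips does not cover peer tunnel address %s" % (local["name"], peer_ip))
    return problems

if __name__ == "__main__":
    print(check_site_pair(MAIN, SECONDARY) or "no problems found")
    # the thread's first attempt: tunnel addresses written without a mask
    print(check_site_pair(dict(MAIN, tunnel="172.20.1.1"), dict(SECONDARY, tunnel="172.20.1.2")))
```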

Thanks @egc for your time analysing my problem...

Managed to implement your suggestions:

config interface 'Wireguard_CINEL'
        option proto 'wireguard'
        option private_key '#####'
        option listen_port '51820'
        list addresses '172.20.1.1'

and

config wireguard_Wireguard_xxx 's2s_vpn_Exterior'
        option public_key '####'
        option preshared_key '####'
        option description 'Exterior, wrgxxx.duckdns.org'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        option endpoint_host 'wrgxxx.duckdns.org'
        option endpoint_port '51820'
        list allowed_ips '192.168.50.0/24'
        list allowed_ips 'fd96:b46d:9fcc::/48'
        list allowed_ips '172.20.1.0/24'

I cannot see any change from the previous behaviour...

Thanks

You should also set a subnet mask, so on the server side:

list addresses '172.20.1.1/24'

and on the client side set

list addresses '172.20.1.2/24'

You do not need to set a static route; as you have enabled route_allowed_ips, the routes are set automatically.

Furthermore, we want as few variables as possible when troubleshooting, so for now I would remove the preshared keys; when everything works you can put those back.

What is the output of wg show from the server and client side?
Redact keys when posting.

wg show from Main site:

interface: Wireguard_CINEL
  public key: ####
  private key: (hidden)
  listening port: 51820

peer: ####
  preshared key: (hidden)
  endpoint: 2.82.xxx.xxx:51820
  allowed ips: 192.168.50.0/24, fd96:b46d:9fcc::/48, 172.20.1.0/24
  latest handshake: 1 minute, 35 seconds ago
  transfer: 2.92 KiB received, 2.69 KiB sent
  persistent keepalive: every 25 seconds

wg show from Secondary site:

interface: Wireguard_Ext
  public key: ####
  private key: (hidden)
  listening port: 51820

peer: ####
  preshared key: (hidden)
  endpoint: 194.79.xxx.xxx:10492
  allowed ips: 192.168.200.0/24, fd72:6414:7918::/48, 172.20.1.0/24
  latest handshake: 59 seconds ago
  transfer: 2.12 KiB received, 4.93 KiB sent
  persistent keepalive: every 25 seconds

I've noticed something strange:

endpoint: 194.79.xxx.xxx:10492

Shouldn't this be <<ip>>:51820? At least that's what I have configured:

@psherman, your enter!

There is traffic between sites so that is the good news.

Try to ping/traceroute.

To answer your question, what you have circled is the endpoint port of the peer.

What you want is the Listen Port, which seems not to be set, and then it uses a random port.
Check your Listen port on the General Settings tab, you might need to restart the tunnel and or reboot the routers.

However you do have an unusual setup as you specified an endpoint on both sides.
Normally the server side does not have an endpoint set but only listens, the client side has the endpoint set and initiates the connection.

I never tried it with endpoints on both sides, theoretically it could work as WG is in essence a peer to peer solution.
You could just delete the endpoint on one side if you keep having problems.

However, there is a handshake and traffic flowing, so it seems to work.
ip route show should show the correct routes to route the other side's subnet via the WG tunnel.
As you have added the WG interface to the LAN zone and opened up a port that should cover the firewall but it is possible I overlooked something.

I more or less duplicated your setup, but with only one endpoint, and that worked as advertised.

Input is not allowed on the lan zone at the main site. Since there is not an exception through an allow ping rule, pings to that router will not be answered. Suggest setting input to ACCEPT on both ends during troubleshooting.

In general use pings to test basic connectivity, not traceroute, as traceroute is a more complex process.

(In order to effectively firewall vpn<->lan traffic, they need to be in separate zones. But don't do that until you have proof of concept working. Imposing more restrictive firewall rules would be the last step of deployment.)


I have listen port defined:

I've simply used the script from OpenWRT site: https://openwrt.org/docs/guide-user/services/vpn/wireguard/site-to-site
It creates two endpoints, one for each site.

It should work theoretically, and you see traffic flowing, so if routing is okay (and it should be, but you can check) and the firewall is also okay, you should have a connection.

But note that your LAN clients can have their own firewall and will by default not allow traffic from the other side's subnet, so when testing disable the LAN clients' firewall or tweak it to allow the necessary subnets.

Understood!
I've made the changes you asked for and I can ping from either side, but not to the LAN.
Example: if I ssh into the Main Site device 192.168.200.30 I can ping 192.168.200.27 as intended (it's a printer, so there's no firewall to bother with, so I'm using it as a test).
But on the Secondary Site device 192.168.50.254 the ping to the Main Site LAN fails, while the ping to the OpenWrt device works:

ping 192.168.200.30
PING 192.168.200.30 (192.168.200.30): 56 data bytes
64 bytes from 192.168.200.30: seq=0 ttl=64 time=12.730 ms
64 bytes from 192.168.200.30: seq=1 ttl=64 time=12.979 ms
64 bytes from 192.168.200.30: seq=2 ttl=64 time=12.860 ms
^C
--- 192.168.200.30 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 12.730/12.856/12.979 ms
root@Sala_Externa:~# ping 192.168.200.27
PING 192.168.200.27 (192.168.200.27): 56 data bytes
^C
--- 192.168.200.27 ping statistics ---
6 packets transmitted, 0 packets received, 100% packet loss

I'm using a LAN printer, so no firewall...

While it doesn't hurt to give the interface an IP, it's not necessary, especially for a site-to-site setup.

Do you have a different device you can try? Preferably an actual computer where you can ensure the firewall is disabled and can try ping tests in the other direction.

Also, is there still a static route in the main router at the main site?

Disabled the firewall on 2 different computers and the problem is the same. No ping...

If I ping from a main site LAN computer it reaches the secondary site router (at this time I don't have any more devices there to test), so yes, I have a static route in my router/firewall (Palo Alto).

tracert 192.168.50.254

Tracing route to 192.168.50.254 over a maximum of 30 hops
  1     *        *        *     Request timed out.
  2     1 ms     1 ms     1 ms  vpn01.xxx.lan [192.168.200.30]
  3    14 ms    14 ms    12 ms  192.168.50.254

A traceroute from the secondary site router:

traceroute to 192.168.200.158 (192.168.200.158), 30 hops max, 46 byte packets
 1  172.20.1.1 (172.20.1.1)  12.179 ms  12.297 ms  12.279 ms
 2  *  *  *
 3  *  *  *
 4  *  *  *

192.168.200.158 is an ordinary PC

It's time to do some tcpdumps to see where the packets are being lost.

In its default configuration, Windows does not answer pings. Also the firewall can be set to not respond to private IPs outside of its home LAN.

"Good news, everyone!" - Professor Farnsworth

Well, I managed to ping the LAN PC. I made some traffic captures and I could see that the pings were being sent from the IP of the WireGuard interface (of the origin device).

If I don't have an IP on that interface, the ping doesn't appear on the LAN (seen with a Wireshark capture).

So, is this an expected behaviour?
I'm going to test with different traffic and then try to tighten the firewall to the ports and IPs I need to communicate.

EDIT: I forgot to say that I needed to add that route to my main router (ISP).

Usually the ping will use the egress interface IP, unless specified differently. Although wireguard can work without IPs at tunnel interfaces, it is best not to use it like this.

Well, just for the record, I did manage to get everything working.
The pings were fine, but then when I needed to add RDP traffic it all failed. Well, that was because my firewall was blocking the traffic, because the traffic was not started in my LAN and didn't pass through it (the firewall). So I had to disable it.

As stated on Palo Alto's website:
"Palo Alto Networks firewall will, by default, reject the first packet that does not have the SYN flag turned on as a security measure. Normal TCP connections start with a 3-way handshake, which means if the first packet seen by the firewall is not the SYN packet, it is likely not a valid packet and discards it."

With that disabled, everything worked fine...
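An added example (not from the thread) modelling why the Palo Alto saw a first packet without SYN: an RDP SYN arriving through the tunnel is delivered to the LAN PC straight from the WireGuard router, but the PC's SYN-ACK follows its default route to the firewall, which then sees an unknown flow starting with a non-SYN. The topology uses the thread's addresses; 192.168.200.158 is the LAN PC from the thread and 192.168.50.10 an assumed client at the secondary site, and the stateful firewall is a toy model, not Palo Alto's implementation.

```python
import ipaddress

# Constructed topology using the thread's addresses; 192.168.200.158 is the LAN PC
# from the thread and 192.168.50.10 an assumed client at the secondary site.
# Each node has a routing table of (prefix, next_hop); next_hop None means
# directly connected. The WG routers point the far LAN at the far WG router,
# which stands in for the tunnel.
NODES = {
    "192.168.50.10": [("192.168.50.0/24", None), ("0.0.0.0/0", "192.168.50.254")],
    "192.168.50.254": [("192.168.50.0/24", None), ("192.168.200.0/24", "192.168.200.30")],
    "192.168.200.30": [("192.168.200.0/24", None), ("192.168.50.0/24", "192.168.50.254")],
    "192.168.200.254": [("192.168.200.0/24", None), ("192.168.50.0/24", "192.168.200.30")],
    "192.168.200.158": [("192.168.200.0/24", None), ("0.0.0.0/0", "192.168.200.254")],
}
FIREWALL = "192.168.200.254"  # the Palo Alto: main-site default gateway holding the static route

def next_hop(table, dst):
    """Longest-prefix match; None means dst is directly connected."""
    best = None
    for prefix, nh in table:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    if best is None:
        raise RuntimeError("no route to " + dst)
    return best[1]

def walk(src, dst):
    """Nodes a packet from src to dst traverses, hop by hop."""
    path, node = [src], src
    while node != dst:
        nh = next_hop(NODES[node], dst)
        node = dst if nh is None else nh
        if node in path:
            raise RuntimeError("routing loop at " + node)
        path.append(node)
    return path

class StatefulFirewall:
    """Toy model: admits a TCP flow only if the first packet it sees for it is a SYN."""
    def __init__(self, strict_syn=True):
        self.flows, self.strict_syn = set(), strict_syn
    def inspect(self, src, dst, flags):
        key = frozenset((src, dst))
        if key in self.flows:
            return True
        if self.strict_syn and flags != "SYN":
            return False  # first packet of an unknown flow without SYN
        self.flows.add(key)
        return True

def simulate_handshake(client="192.168.50.10", server="192.168.200.158", strict_syn=True):
    """Send SYN then SYN-ACK; report each packet's path and the firewall's verdict."""
    fw, report = StatefulFirewall(strict_syn), {}
    for flags, s, d in (("SYN", client, server), ("SYN-ACK", server, client)):
        path = walk(s, d)
        dropped = FIREWALL in path and not fw.inspect(s, d, flags)
        report[flags] = {"path": path, "verdict": "dropped at " + FIREWALL if dropped else "delivered"}
    return report
```

Running simulate_handshake() with the client at the main site instead (client="192.168.200.158", server="192.168.50.10") delivers both packets, which matches the thread's observation that traffic started from the main LAN worked while connections started from the secondary site failed.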
