Site to site vpn broken since after Kernel 6.12.67?

Hi,

I have an X86 router device at my house. I have OpenWrt devices at my parents’ house set up as a WireGuard server so that I can remotely assist / administrate.

Running IP4 only snapshot across the board. On the X86, running openwrt-14fc3937e330-x86-64-generic-squashfs-combined-efi-20260125.img.gz all is well. This build has 6.12.67.

With no changes to config, installing these builds causes my X86 device to successfully connect to the remote WireGuard (as seen on the remote wireguard status page), however no traffic routes:

openwrt-14fc3937e330-x86-64-generic-squashfs-combined-efi-20260215.img.gz
openwrt-204af1f10c3f-x86-64-generic-squashfs-combined-efi-20260221.img.gz

The other end has been updated to the Feb 21st build which is kernel 6.12.71.

If I downgrade the router at my place back down to the 20260125 version above, all starts working again without any changes to config.

I understand that there were problems introduced with kernels after .67, but my understanding is/was that this OpenWrt commit served to resolve it – I guess not fully: https://github.com/openwrt/openwrt/commit/385b02614e3eb2204582bbfebb1d4e515da959c4

Just checking to see if anyone else is experiencing a similar issue.

Your issue could possibly be related to either something in the kernel itself or a bug that crept in recently. However, it is often best to first check the configs themselves to see if there are any issues there.

Can you get to the other side to grab the config? Even if not via the usual WG site-to-site, maybe you can use another method to remote into the network?

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):


Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
wg show

For sure. Here is a remote device.

Of note as well is that from my network I also have a WireGuard client on my Windows device (which I don’t generally use, as my router connects). With that said, in the newer versions where my X86 router can’t send data as a client to the remote WireGuard, my Windows client can connect and send/receive without issue to the same endpoint.

In the below my Windows PC is the “wg show” line that had last handshake ~6 hours ago, while my X86 router is the one with last handshake 3 seconds ago. Note that I have reverted to 6.12.67 on my router, but the connectivity was the same on the newer version.

Below is the output from the remote device. Will paste local router shortly.

root@RL-AP1A:~# ubus call system board
{
        "kernel": "6.12.71",
        "hostname": "RL-AP1A",
        "system": "ARMv8 Processor rev 4",
        "model": "COMFAST CF-WR632AX",
        "board_name": "comfast,cf-wr632ax",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "SNAPSHOT",
                "firmware_url": "https://downloads.openwrt.org/",
                "revision": "r33179-81b148fd38",
                "target": "mediatek/filogic",
                "description": "OpenWrt SNAPSHOT r33179-81b148fd38",
                "builddate": "1771631391"
        }
}

root@RL-AP1A:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        list ipaddr '127.0.0.1/8'

config globals 'globals'
        option dhcp_default_duid 'XXXXXXXXXXXXXXXXXXXXXXX'
        option ula_prefix 'XXXXXXXXXXXXXXXXXXXXXXX'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan'

config interface 'lan'
        option device 'br-lan'
        option proto 'dhcp'
        option delegate '0'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option peerdns '0'
        list dns '9.9.9.9'
        list dns '149.112.112.112'
        list dns '1.1.1.2'
        list dns '1.0.0.2'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'HOME'
        option proto 'wireguard'
        option private_key 'XXXXXXXXXXXXXXXXXXXXXXX'
        option listen_port '1196'
        list addresses '10.200.220.1/24'
        option multipath 'off'

config wireguard_HOME
        option description 'iPhone'
        option public_key 'XXXXXXXXXXXXXXXXXXXXXXX'
        option private_key 'XXXXXXXXXXXXXXXXXXXXXXX'
        option preshared_key 'XXXXXXXXXXXXXXXXXXXXXXX'
        list allowed_ips '10.200.220.2/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

config wireguard_HOME
        option description 'PC'
        option public_key 'XXXXXXXXXXXXXXXXXXXXXXX'
        option private_key 'XXXXXXXXXXXXXXXXXXXXXXX'
        option preshared_key 'XXXXXXXXXXXXXXXXXXXXXXX'
        list allowed_ips '10.200.220.3/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

config wireguard_HOME
        option description 'Router'
        option public_key 'XXXXXXXXXXXXXXXXXXXXXXX'
        option private_key 'XXXXXXXXXXXXXXXXXXXXXXX'
        option preshared_key 'XXXXXXXXXXXXXXXXXXXXXXX'
        list allowed_ips '10.200.220.4/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

root@RL-AP1A:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'DROP'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option target 'DNAT'
        option name 'LAN SSH 22022 to Router 22'
        option src 'lan'
        option src_dport '22022'
        option dest_port '22'
        option reflection '0'

config redirect
        option target 'DNAT'
        option name 'WAN SSH 22022 to Router 22'
        option src 'wan'
        option src_dport '22022'
        option dest_port '22'
        option reflection '0'
        option limit '3/minute'

config rule
        option src 'wan'
        option name 'Allow-WireGuard-WAN'
        option dest_port '1196'
        option target 'ACCEPT'

config zone
        option name 'WireGuard'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list network 'HOME'
        list network 'lan'

config forwarding
        option src 'WireGuard'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'WireGuard'

root@RL-AP1A:~# wg show
interface: HOME
  public key: XXXXXXXXXXXXXXXXXXXXXXX
  private key: (hidden)
  listening port: 1196

peer: XXXXXXXXXXXXXXXXXXXXXXX
  preshared key: (hidden)
  endpoint: XXXXXXXXXXXXXXXXXXXXXXX:57024
  allowed ips: 10.200.220.4/32
  latest handshake: 3 seconds ago
  transfer: 316.43 KiB received, 1.27 MiB sent
  persistent keepalive: every 25 seconds

peer: XXXXXXXXXXXXXXXXXXXXXXX
  preshared key: (hidden)
  endpoint: XXXXXXXXXXXXXXXXXXXXXXX:50105
  allowed ips: 10.200.220.3/32
  latest handshake: 6 hours, 28 minutes, 3 seconds ago
  transfer: 318.72 KiB received, 2.60 MiB sent
  persistent keepalive: every 25 seconds

peer: XXXXXXXXXXXXXXXXXXXXXXX
  preshared key: (hidden)
  allowed ips: 10.200.220.2/32
  persistent keepalive: every 25 seconds

peer: XXXXXXXXXXXXXXXXXXXXXXX
  preshared key: (hidden)
  allowed ips: 10.200.220.5/32
  persistent keepalive: every 25 seconds

And here is the X86 router. I believe I replaced all the key items with XXXXXXXXXXX, but if I missed any, please obfuscate if you don’t mind, as it’s quite late and I have to head to sleep.

Really appreciate it!

root@EM-ROUTER:~# ubus call system board
{
        "kernel": "6.12.67",
        "hostname": "EM-ROUTER",
        "system": "Intel(R) N100",
        "model": "CWWK 12th Gen N100 Mini PC",
        "board_name": "CWWK 12th Gen N100 Mini PC",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "SNAPSHOT",
                "firmware_url": "https://downloads.openwrt.org/",
                "revision": "r32783-cf84e8ee86",
                "target": "x86/64",
                "description": "OpenWrt SNAPSHOT r32783-cf84e8ee86",
                "builddate": "1769294783"
        }
}
root@EM-ROUTER:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'XXXXXXXXXXXXXXXXXXXXXXX'
        option packet_steering '2'
        option dhcp_default_duid 'XXXXXXXXXXXXXXXXXXXXXXX'

config device
        option name 'br-lan'
        option type 'bridge'
        option ipv6 '0'
        list ports 'eth1'
        list ports 'eth2'
        list ports 'eth3'
        option multicast '1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ip6assign '60'
        option netmask '255.255.252.0'
        option ipaddr '192.168.41.1'
        option force_link '0'

config interface 'wan'
        option device 'eth0'
        option proto 'pppoe'
        option username 'XXXXXXXXXXXXXXXXXXXXXXX'
        option password 'XXXXXXXXXXXXXXXXXXXXXXX'
        option ipv6 'auto'
        option peerdns '0'
        list dns '9.9.9.9'
        list dns '149.112.112.112'
        list dns '1.1.1.2'
        list dns '1.0.0.2'

config interface 'MODEM'
        option proto 'static'
        option device 'eth0'
        option auto '0'
        option ipaddr '192.168.2.2'
        option netmask '255.255.255.0'
        option defaultroute '0'
        option force_link '0'

config device
        option name 'eth3'
        option ipv6 '0'

config device
        option name 'eth0'
        option ipv6 '0'

config device
        option name 'eth1'
        option ipv6 '0'

config device
        option name 'eth2'
        option ipv6 '0'

config interface 'home'
        option proto 'wireguard'
        option private_key 'XXXXXXXXXXXXXXXXXXXXXXX'
        list addresses '10.200.200.1/24'
        option listen_port 'XXXXXXXXXXXXXXXXXXXXXXX'
        option multipath 'off'

config wireguard_home
        option description 'iPhone'
        option public_key 'XXXXXXXXXXXXXXXXXXXXXXX'
        option private_key 'XXXXXXXXXXXXXXXXXXXXXXX'
        option preshared_key 'XXXXXXXXXXXXXXXXXXXXXXX'
        list allowed_ips '10.200.200.2/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

config interface 'pbr_vpn'
        option proto 'none'
        option device 'ovpnc0'

config interface 'rmt_MD'
        option proto 'wireguard'
        option private_key 'XXXXXXXXXXXXXXXXXXXXXXX'
        list addresses '10.200.210.4/32'
        option multipath 'off'

config wireguard_rmt_MD
        option description 'MD'
        option public_key 'XXXXXXXXXXXXXXXXXXXXXXX'
        option preshared_key 'XXXXXXXXXXXXXXXXXXXXXXX'
        option persistent_keepalive '25'
        option endpoint_host 'XXXXXXXXXXXXXXXXXXXXXXX'
        option endpoint_port 'XXXXXXXXXXXXXXXXXXXXXXX'
        option private_key 'XXXXXXXXXXXXXXXXXXXXXXX'
        option route_allowed_ips '1'
        list allowed_ips '10.200.210.0/24'
        list allowed_ips '10.0.0.0/24'

config interface 'rmt_RL'
        option proto 'wireguard'
        option private_key 'XXXXXXXXXXXXXXXXXXXXXXX'
        list addresses '10.200.220.4/32'
        option multipath 'off'

config wireguard_rmt_RL
        option description 'RL'
        option public_key 'XXXXXXXXXXXXXXXXXXXXXXX'
        option preshared_key 'XXXXXXXXXXXXXXXXXXXXXXX'
        option persistent_keepalive '25'
        option endpoint_host 'XXXXXXXXXXXXXXXXXXXXXXX'
        option endpoint_port 'XXXXXXXXXXXXXXXXXXXXXXX'
        option private_key 'XXXXXXXXXXXXXXXXXXXXXXX'
        option route_allowed_ips '1'
        list allowed_ips '192.168.23.0/24'
        list allowed_ips '10.200.220.0/24'

config interface 'rmt_AL'
        option proto 'wireguard'
        option private_key 'XXXXXXXXXXXXXXXXXXXXXXX'
        list addresses '10.200.230.4/32'
        option multipath 'off'

config wireguard_rmt_AL
        option description 'AL'
        option public_key 'XXXXXXXXXXXXXXXXXXXXXXX'
        option preshared_key 'XXXXXXXXXXXXXXXXXXXXXXX'
        option persistent_keepalive '25'
        option endpoint_host 'XXXXXXXXXXXXXXXXXXXXXXX'
        option endpoint_port 'XXXXXXXXXXXXXXXXXXXXXXX'
        option private_key 'XXXXXXXXXXXXXXXXXXXXXXX'
        option route_allowed_ips '1'
        list allowed_ips '192.168.20.0/24'
        list allowed_ips '10.200.230.0/24'
root@EM-ROUTER:~# cat /etc/config/firewall

config defaults
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option input 'REJECT'
        option flow_offloading '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'home'

config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option name 'homevpn'
        list device 'tun0'
        option masq '1'

config zone
        option name 'Friendlies'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        list network 'rmt_MD'
        list network 'rmt_RL'
        list network 'rmt_AL'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option input 'DROP'
        option forward 'DROP'
        list network 'MODEM'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434-33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'DROP'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config rule
        option name 'Allow-VPN-WAN'
        option src 'wan'
        option dest_port 'XXXXXXXXXXXXXXXXXXXXXXX'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-WireGuard-WAN'
        option src 'wan'
        option target 'ACCEPT'
        option dest_port 'XXXXXXXXXXXXXXXXXXXXXXX'

config include 'qcanssecm'
        option type 'script'
        option path '/etc/firewall.d/qca-nss-ecm'

config forwarding
        option dest 'lan'
        option src 'homevpn'

config forwarding
        option src 'lan'
        option dest 'homevpn'

config zone
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'DROP'
        option masq '1'
        list device 'ovpnc0'
        list device 'ovpnc1'
        option mtu_fix '1'
        option name 'windscrbvpn'

config forwarding
        option src 'lan'
        option dest 'windscrbvpn'

config rule
        option src 'lan'
        option dest 'wan'
        option target 'REJECT'
        list src_ip '192.168.40.0/25'
        option name 'IoT No Internet (192.168.40.0 to 127)'

config forwarding
        option src 'Friendlies'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'Friendlies'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/firewall.include'
root@EM-ROUTER:~# wg show
interface: home
  public key: XXXXXXXXXXXXXXXXXXXXXXX
  private key: (hidden)
  listening port: XXXXXXXXXXXXXXXXXXXXXXX

peer: XXXXXXXXXXXXXXXXXXXXXXX
  preshared key: (hidden)
  allowed ips: 10.200.200.2/32
  persistent keepalive: every 25 seconds

peer: XXXXXXXXXXXXXXXXXXXXXXX
  preshared key: (hidden)
  allowed ips: 10.200.200.3/32
  persistent keepalive: every 25 seconds

peer: XXXXXXXXXXXXXXXXXXXXXXX
  preshared key: (hidden)
  allowed ips: 10.200.200.4/32
  persistent keepalive: every 25 seconds

peer: XXXXXXXXXXXXXXXXXXXXXXX
  preshared key: (hidden)
  allowed ips: 10.200.200.5/32
  persistent keepalive: every 25 seconds

interface: rmt_MD
  public key: XXXXXXXXXXXXXXXXXXXXXXX
  private key: (hidden)
  listening port: XXXXXXXXXXXXXXXXXXXXXXX

peer: XXXXXXXXXXXXXXXXXXXXXXX
  preshared key: (hidden)
  endpoint: XXXXXXXXXXXXXXXXXXXXXXX
  allowed ips: 10.200.210.0/24, 10.0.0.0/24
  latest handshake: 1 minute, 37 seconds ago
  transfer: 270.52 KiB received, 124.45 KiB sent
  persistent keepalive: every 25 seconds

interface: rmt_RL
  public key: XXXXXXXXXXXXXXXXXXXXXXX
  private key: (hidden)
  listening port: XXXXXXXXXXXXXXXXXXXXXXX

peer: XXXXXXXXXXXXXXXXXXXXXXX
  preshared key: (hidden)
  endpoint: XXXXXXXXXXXXXXXXXXXXXXX
  allowed ips: 192.168.23.0/24, 10.200.220.0/24
  latest handshake: 52 seconds ago
  transfer: 1.25 MiB received, 291.94 KiB sent
  persistent keepalive: every 25 seconds

interface: rmt_AL
  public key: XXXXXXXXXXXXXXXXXXXXXXX
  private key: (hidden)
  listening port: XXXXXXXXXXXXXXXXXXXXXXX

peer: XXXXXXXXXXXXXXXXXXXXXXX
  preshared key: (hidden)
  endpoint: XXXXXXXXXXXXXXXXXXXXXXX
  allowed ips: 192.168.20.0/24, 10.200.230.0/24
  latest handshake: 54 seconds ago
  transfer: 3.55 MiB received, 767.49 KiB sent
  persistent keepalive: every 25 seconds

On your x86 router...

You can change the address to a /24 in the interface definition and then remove the 10.200.220.0/24 allowed IPs in the peer section:

Importantly, has anything changed with the 192.168.23.0/24 subnet? the remote side has the lan set as DHCP client -- are you certain that the lan has an IP in that subnet?

Meanwhile, masquerading should not be enabled in these firewall zones:

Again, not related, but usually this interface should be handled with a device alias, not the direct device. So it would be @eth0 rather than just eth0:

Also, I see that you appear to have a bunch of VPNs, including windscribe... you probably should be defining all of your desired routes within PBR instead of using the route_allowed_ips -- it's quite likely that stuff is egressing via the wrong routes.


This is from the Comfast device, and it's unusual....

I see the wan defined as dhcp client with a list of preferred DNS servers. That part is normal. But why is the lan also a DHCP client?? That's rather unusual unless this is not the main router. And, if it's not the main router, then how are things connected (also, what is the upstream subnet)?

There is an issue here with the firewall -- the lan network is defined here and also in the lan firewall zone. A network can only be a member of a single zone. Delete the lan network from this zone.

[quote="Edrikk, post:3, topic:246743"]

config zone
        option name 'WireGuard'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list network 'HOME'
        list network 'lan'

[/quote]

I was going to say that you should turn off masquerading, too, but it occurs to me that this might be necessary since this is probably not the main router at that location. And, with that in mind, if the upstream router has the ability to set static routes, that's probably the best option. If not, masquerading will be required on that side, but it does mean that there is no way for the devices on the comfast side to initiate connections to the x86 side (this may be acceptable, of course).

While not part of the problem, this is not recommended, especially because you have a VPN. There is no need to expose the ssh server to the internet. Additionally, why are there two nearly identical rules?

In addition to the above advice

Remove network 'lan'
This is already in its own zone

P.S. my site-to-site is working well.

Hi again,

Thank you so much (as you always do) for taking the time; Your patience comes across in your writing.

I will take some time later tonight to make adjustments on the working firmware with kernel .67 and if it’s still working try on the newer kernel again.

I will explain the topology a little:

I control my side fully. OpenWRT is running as router (X86) and a couple of APs.

The remote sides I’m afraid I don’t control as much. Specifically, the router devices are ISP provided and are not very good. eg they don’t provide local lan name resolution etc.

However, as I don’t have regular physical access, and the remote side has changed ISPs (and hence routers), I’ve setup OpenWRT as APs only. For much the same reason (as each of the 2 ISPs they’ve had uses a different local IP range), I’ve setup the APs to get their LAN IPs via DHCP. It makes getting things going very easy.

I have a script running on the relevant APs that every X hours checks and forwards the appropriate port(s) from the router to the AP running WireGuard server. I have SSH server running as well (accepting only key) as a backup.

Some of the answers to the questions:

* No there have not been any changes to the remote side topology or config at all.

* Yes I can access the remote via WireGuard initiated from my Windows PC when my X86 is upgraded and not able to pass traffic although connected. I can see that it has an IP assigned to it in that LAN’s subnet. In fact that is how I connect to it …. Using that subnet’s IP not the WireGuard IP as it is much easier to remember for me.

* Regarding masquerading, you’re absolutely correct in the second part of your comment. These are not main routers on the remote side, and I want to be able to access them using their local LAN IPs as well.

* The upstream subnet of the remote APs is 192.168.23.0/24 while my local side is 192.168.40.0/22

* I did not know that a network could only be a part of one zone. I will adjust. Curious as to why Luci allows multi-select though? And config respects that and creates “option list”…

* The SSH is a backup, and only accepts key-based authentication. The two rules are different unless I’m mistaken. I don’t expose port 22 out. I have in this case selected port 22022. Just to keep things straight in my head, the first rule redirects LAN-side AP port 22022 to the same AP’s port 22. The second does the same if the src is WAN. I’ve done it this way because I prefer to keep the default port 22 locally the same so that other services/devices don’t have to be adjusted to use a different port than default 22.

@egc thank you. However removing ‘lan’ from the WireGuard zone on the Comfast results in inability to connect to other devices on the remote network. I reverted that back. This is likely due to the fact that I want to keep masquerading on for this zone (while it is disabled for lan itself)

(On the unrelated item about @eth0 rather than eth0, I don’t have an @eth0 device to select in the dropdown.)

A network cannot be in two zones.
If this is set up as an AP your setup is wrong.

You should masquerade on the lan zone and not on the wg zone and remove the lan network from the wg zone.

I am traveling so cannot look in detail.

But will do when at home but probably Peter will already have provided the solution :slight_smile:


I am going to be out of the house for several hours, so I won't have time to make any additional comments of substance until a bit later...

but yes, @egc is correct:

Did you make any other changes to the configs on either or both sides? If so, please repost the latest.


How I setup a WireGuard server
WireGuard Server Setup Guide
There is a paragraph about setting up on a Bridged AP
Also a paragraph about a site-to-site setup

But the basics have already been covered

For the record how I setup a WireGuard client
WireGuard Client Setup Guide

If you control the other side and have set up a site-to-site setup (with Allowed IPs of the other side's subnet and route Allowed IPs enabled) you should not need Masquerading, but that is not a show stopper, so take your time investigating that.

Edit: I saw it is already solved, good job :+1:

Hi @psherman and @egc

Thank you both very much again for taking the time.

I made a few cleanup updates, implemented your suggestion, did another update. It is now working, but it could have been any of these changes (all relevant, so I’ll list them):

  • Per your suggestion, on the remote sides I updated the firewall to remove lan from the WireGuard zone, leaving only HOME - I turned on IPv4 Masquerading on the lan zone so that I could still jump to other devices on the remote LAN.
    [EDIT] After things were working I did a test by reverting this change, and was still able to transmit data. It’s possible that the fix noted below (likely) or the interface name shortening is what solved it.
  • Whether correct or not, AI said that the max length of an interface name is 15 characters, which is exactly what one of my remote interface names was (minus the wg_ that gets prefixed before the interface comes up). To be safe I shortened the interface names.
    Note that I had already shortened this in the config that I shared above because they had people’s names previously (e.g. rmt_persons_name).
  • My “Friendlies” firewall zone did not have MSS Clamping turned on. I turned this on, although it does not impact the end result as I tested it once working with both MSS Clamping on as well as off.

I also updated to build openwrt-204af1f10c3f from openwrt-204af1f10c3f on the X86 router (only). Noting this as well, as it is possible that commit 2256cfa resolved it.
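Two of the checks discussed in this thread (a network listed in more than one firewall zone, as psherman and egc pointed out, and the interface-name length mentioned in the bullet list above) can be scripted rather than eyeballed. The following is an added example and is not code from the thread or from OpenWrt: a POSIX sh/awk lint that parses UCI firewall and network files. The sample configs it writes are constructed for the demonstration and only resemble the posted ones. The 15-character figure is the Linux interface-name limit (IFNAMSIZ minus the terminating NUL); whether netifd adds a prefix to WireGuard interface names is not checked here.

```shell
#!/bin/sh
# Added example (not from the thread or OpenWrt): lint UCI config files for
#   1. a network that is a member of more than one firewall zone
#   2. an interface name longer than 15 characters (Linux IFNAMSIZ - 1)
# Uses only sh + awk so it can run on the router itself.

# Print "network zoneA zoneB ..." for every network listed in more than one zone.
zone_overlaps() {   # $1 = path to a UCI firewall file
    awk -v q="'" '
        function unq(s) { gsub(q, "", s); return s }
        $1 == "config" && $2 == "zone" { nz++; cur = nz; inzone = 1; next }
        $1 == "config"                 { inzone = 0; next }
        inzone && $1 == "option" && $2 == "name" { zname[cur] = unq($3) }
        inzone && $1 == "list" && $2 == "network" {
            n = unq($3)
            if (!((n, cur) in seen)) {      # ignore a duplicated line in one zone
                seen[n, cur] = 1
                count[n]++
                zones[n] = zones[n] " " cur
            }
        }
        END {
            for (n in count) {
                if (count[n] < 2) continue
                m = split(zones[n], idx, " ")
                line = n
                for (i = 1; i <= m; i++) if (idx[i] != "") line = line " " zname[idx[i]]
                print line
            }
        }' "$1"
}

# Print "name length" for every UCI interface whose name exceeds 15 characters.
long_ifnames() {   # $1 = path to a UCI network file
    awk -v q="'" '
        $1 == "config" && $2 == "interface" {
            n = $3; gsub(q, "", n)
            if (length(n) > 15) print n, length(n)
        }' "$1"
}

# Constructed sample configs (modelled on the ones posted above, not copied).
write_samples() {   # $1 = directory to write sample "firewall" and "network" into
    cat > "$1/firewall" <<'EOF'
config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'

config zone
        option input 'ACCEPT'
        option masq '1'
        list network 'HOME'
        list network 'lan'
        option name 'WireGuard'

config forwarding
        option src 'WireGuard'
        option dest 'lan'
EOF
    cat > "$1/network" <<'EOF'
config interface 'lan'
        option proto 'dhcp'

config interface 'rmt_RL'
        option proto 'wireguard'

config interface 'rmt_persons_name_x'
        option proto 'wireguard'
EOF
}

main() {
    dir=$(mktemp -d)
    write_samples "$dir"
    echo "networks in more than one zone:"
    zone_overlaps "$dir/firewall"        # -> lan lan WireGuard
    echo "interface names longer than 15 characters:"
    long_ifnames "$dir/network"          # -> rmt_persons_name_x 18
    rm -rf "$dir"
}
main
```

On a real device, point the two functions at /etc/config/firewall and /etc/config/network instead of the sample directory; empty output from both checks means neither problem is present. The zone parser collects memberships per zone index and resolves names at the end, so it does not matter whether `option name` appears before or after the `list network` lines in a zone section.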

My guess is that that one is the culprit. Newer builds will not take it lightly if you place a network in two firewall zones.

But glad it is fixed

So I just did a sanity check by reverting this change (put lan back and turned off masquerading on the lan). I restarted the WireGuard interface on my side “just in case”. I can still talk to the remote side.

It’s at this point leading me to think it was either that commit that fixed it, or shortening the interface names on the X86 Router.

The issue had/has to be on the local X86 router given that using WireGuard client on a Windows device allowed that Windows device to talk to the remote site… Hmm…
