[SOLVED] Ping wireguard host from client on other wireguard tunnel on different subnet

My router is running two WireGuard interfaces. My problem is that I can ping the server connected via the WG1 interface from the router.
But I cannot ping this same server interface from clients connected to the router via the WG0 interface.
I suspect that this is maybe a subnet issue, since WG0 runs a different subnet inside the tunnel, but can I solve this with NAT instead?

Ping from client connected via WG0 interface.

Ping from 10.200.200.3 -> 10.100.100.2.

ping -c1 10.100.100.2
PING 10.100.100.2 (10.100.100.2) 56(84) bytes of data.
From 10.200.200.1 icmp_seq=1 Destination Port Unreachable

--- 10.100.100.2 ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms

WG0:
Connection from router to computer, phone.
10.200.200.1/24, clients are at 10.200.200.2/32 and 10.200.200.3/32
I guess I could change these clients to 10.100.100.2/24 and 10.100.100.3/24 instead and everything would work, but I wanted to find another solution.

WG1:
Connection from router to external server.
10.100.100.1/24 is interface on router, 10.100.100.2/24 is interface on server.

Router, route:

default         cm-xx.xxx.xxx.1 0.0.0.0         UG    0      0        0 eth0.2
10.100.100.0    *               255.255.255.0   U     0      0        0 wg1
10.200.200.0    *               255.255.255.0   U     0      0        0 wg0
10.200.200.2    *               255.255.255.255 UH    0      0        0 wg0
10.200.200.3    *               255.255.255.255 UH    0      0        0 wg0
xx.xxx.xxx.0    *               255.255.240.0   U     0      0        0 eth0.2
zzz.zzz.zzz.zzz cm-xx.xxx.xxx.1 255.255.255.255 UGH   0      0        0 eth0.2
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan

route computer:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         _gateway        0.0.0.0         UG    600    0        0 wlp2s0
xx.xx.xxx.0     0.0.0.0         255.255.254.0   U     600    0        0 wlp2s0
zeus            0.0.0.0         255.255.255.255 UH    50     0        0 wg0

Here are my zones.

Hopefully this is enough information.

Add a traffic forwarding from zone wg to zone wg1.


If I understand you correctly, I tried forwarding the zone like this earlier as well, but still packet loss.

Disable the masquerading in zone wg.
Check traceroute from wg0 client to wg1 client.


So these are my new zones.
Masq for wg zone.

traceroute 10.100.100.2
traceroute to 10.100.100.2 (10.100.100.2), 30 hops max, 60 byte packets
 1  10.200.200.1 (10.200.200.1)  25.662 ms  26.025 ms  25.967 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

Enable the masquerading in zone wg1.
Make sure you can ping wg1 client from the router.


OK, that actually fixed it.
Forgot to say thanks for spending time helping me fix this.

I first enabled masq on zone wg1, and it worked.
Then I put masq back on zone wg0, and it worked as well.
I'm not all that sure what masq does or if I should have it on or off on wg0.
But it seems like I have to have it on wg1 in order for clients on wg0 to contact the server on wg0.
Do you know why?

I can now ping 10.100.100.2 from clients on wg0.
But 10.100.100.2, the external server, can now also ping my LAN on 192.168.1.0/24 as well. I guess I have to put in some firewall reject rules for new connections from 10.100.100.2 on the router if I want to avoid this.

traceroute 10.100.100.2
traceroute to 10.100.100.2 (10.100.100.2), 30 hops max, 60 byte packets
1 10.200.200.1 (10.200.200.1) 31.993 ms 47.816 ms 53.598 ms
2 10.100.100.2 (10.100.100.2) 109.810 ms 111.070 ms 120.300 ms

I just removed the forward from WG1 zone to lan zone, that seemed to fix external server accessing lan. I guess this is acceptable?

wg0 client has a route to wg1 client, while wg1 client has no route to wg0.
Masquerading hides wg0 subnet behind IP address of the router which can communicate with wg1 subnet.

Yes, if that solves your issue.
In fact, you can also remove the forwardings from wan zone.

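The zone layout the thread ends up with, written out as an /etc/config/firewall fragment. This is an added example, not the original poster's config or an OpenWrt-supplied file: the network names wg0 and wg1 are assumed to match the interface names in /etc/config/network, the zone name wg is the one used in the thread for the wg0 tunnel, and the final rule is an added alternative to deleting the wg1-to-lan forwarding: it keeps the external server from opening connections into 192.168.1.0/24 even if some wg1-to-lan forwarding has to exist for other reasons.

```uci
# Zone for the wg0 tunnel (road-warrior clients 10.200.200.0/24).
# Masquerading is not needed here: the router already has a direct
# route to 10.200.200.2/32 and 10.200.200.3/32 and replies find their way back.
config zone
	option name 'wg'
	list network 'wg0'          # assumed interface name in /etc/config/network
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '0'

# Zone for the wg1 tunnel (site-to-site link to the external server 10.100.100.2).
# masq '1' rewrites the source of forwarded wg0 traffic to the router's
# 10.100.100.1, so the server can answer without knowing 10.200.200.0/24.
config zone
	option name 'wg1'
	list network 'wg1'          # assumed interface name in /etc/config/network
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'

# Allow wg0 clients to reach the wg1 side. Only this direction is defined;
# there is deliberately no 'config forwarding' from wg1 to lan.
config forwarding
	option src 'wg'
	option dest 'wg1'

# Optional explicit reject of new connections from the external server into
# the LAN. Redundant while no wg1->lan forwarding exists, but it stays in
# effect if such a forwarding is ever added. Zone 'lan' is OpenWrt's default.
config rule
	option name 'Reject-ext-server-to-lan'
	option src 'wg1'
	option src_ip '10.100.100.2'
	option dest 'lan'
	option proto 'all'
	option target 'REJECT'
```

After editing the file, apply it with `/etc/init.d/firewall restart`. The two checks from the thread still apply in order: first confirm the router itself can ping 10.100.100.2 (otherwise the wg1 tunnel, not the firewall, is the problem), then traceroute from a wg0 client; with masquerading on wg1 the second hop should be 10.100.100.2 instead of timing out.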

Ok, I understand, thanks a lot for helping me solve this issue. :)


Like this right?

Yes.

If you don't want wg0 and wg1 clients to access wan, i.e. the internet, via your server, then you should remove those forwardings too.
