Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
No, I do not specify an address. I did not know which one, or for what purpose.
192.168.112.2 is a NAS in Network B.
This router (192.168.0.195) is in Network A.
I can connect to all devices from Network A via wireguard to Network B.
Just this one address, 192.168.112.2, is sent from the router back to the standard gateway. I saw it in traceroute and then in the routing table ...
Is this tunnel traversing the internet at large? In other words, are networks A and B separated by the internet, or is there a physically local link between them?
That was my proposed edit based on an assumption that the local address of that device should be 192.168.112.2 (note that it is in code formatting, not a quote). However, that was not a valid assumption, so just ignore it.
It looks like your endpoint_host, e.diskstation.me, is improperly resolving to that. endpoint_host needs to be the public IP of the other site (the name is misleading because it is often a router, not an endpoint). WireGuard will install a /32 route to that IP to be sure that encrypted packets leave by the regular WAN route instead of being routed into the tunnel. This can be prevented by setting hostroute to 0, but you should almost never need to do that.
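As an added example (not code from the thread), a small offline check for the failure mode described above: it parses a constructed UCI peer section shaped like the one posted here and flags an endpoint_host answer that is a private address or falls inside the peer's own allowed_ips, which is exactly the case where the /32 host route would send one remote host around the tunnel. The DNS resolver is a stub; the two stub answers are the NAS address from this thread and the public address that appears in the thread's routing table.

```python
import ipaddress, re

# Constructed sample shaped like the peer section posted in this thread.
SAMPLE_UCI = """
config wireguard_wg_s2s_amopsz 's2s_vpn_site_bmopsz'
	option endpoint_host 'e.diskstation.me'
	list allowed_ips '192.168.112.0/24'
	list allowed_ips '10.10.10.1/32'
"""

def parse_peers(text):
    """Collect endpoint_host and allowed_ips from every wireguard_* peer section."""
    peers, current = {}, None
    for line in text.splitlines():
        sec = re.match(r"\s*config\s+(\S+)(?:\s+'([^']*)')?", line)
        if sec:
            current = {"allowed_ips": []} if sec.group(1).startswith("wireguard_") else None
            if current is not None:
                peers[sec.group(2) or sec.group(1)] = current
            continue
        kv = re.match(r"\s*(?:option|list)\s+(\S+)\s+'([^']*)'", line)
        if current is None or not kv:
            continue
        key, val = kv.groups()
        if key == "endpoint_host":
            current["endpoint_host"] = val
        elif key == "allowed_ips":
            current["allowed_ips"].append(val)
    return peers

def check_endpoint(resolved_ip, allowed_ips):
    """Reasons a WAN-side /32 host route to resolved_ip would misroute tunnel traffic."""
    ip = ipaddress.ip_address(resolved_ip)
    problems = []
    if ip.is_private:
        problems.append(f"{ip} is a private address, not a public site address")
    for net in allowed_ips:  # the host route wins over the allowed_ips route
        if ip in ipaddress.ip_network(net, strict=False):
            problems.append(f"{ip} lies inside allowed_ips {net}; host route bypasses tunnel")
    return problems

def audit(uci_text, resolve):
    """resolve: hostname -> IP string (stubbed by the caller so this runs offline)."""
    return {name: check_endpoint(resolve(p["endpoint_host"]), p["allowed_ips"])
            for name, p in parse_peers(uci_text).items() if "endpoint_host" in p}

if __name__ == "__main__":  # stub answers: the thread's NAS address, then its public one
    print(audit(SAMPLE_UCI, lambda host: "192.168.112.2"))
    print(audit(SAMPLE_UCI, lambda host: "82.218.250.45"))
```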
Sorry .. I understand a little bit of what you say, but not enough to take some action / try to edit something. My endpoint 'e.diskstation.me' resolves to a public IP. All traffic sent from 192.168.0.0/24 to 192.168.112.0/24 works perfectly. Only one IP behaves differently: 192.168.112.2. Please see these traceroutes:
C:\Users\m>tracert 192.168.112.30
Routenverfolgung zu JSZE2-120J [192.168.112.30]
über maximal 30 Hops:
1 <1 ms <1 ms <1 ms fritz.lan [192.168.0.1]
2 <1 ms <1 ms <1 ms 192.168.0.195
3 12 ms 11 ms 11 ms 192.168.112.1
4 12 ms 11 ms 11 ms JSZE2-120J [192.168.112.30]
Ablaufverfolgung beendet.
-----------------------------------------------------------------------------------
C:\Users\m>tracert 192.168.112.2
Routenverfolgung zu 192.168.112.2 über maximal 30 Hops
1 <1 ms <1 ms <1 ms fritz.lan [192.168.0.1]
2 <1 ms <1 ms <1 ms 192.168.0.195
3 1 ms <1 ms <1 ms fritz.lan [192.168.0.1]
4 * * * Zeitüberschreitung der Anforderung.
5 * ^C
C:\Users\yo sepp>
You see? In the second case, the router is sending the packet back to the standard gateway ..
If you specify an endpoint, WireGuard will take that endpoint and route it via its WAN to escape the tunnel; that is the normal modus operandi.
I concur with @psherman that it could be the endpoint not resolving to a public IP address.
Alternatively, your WG interface does not have an address (I know there are some who say you do not need it, and sometimes it will work without, but I have seen strange things coming from the lack of an IP address).
Maybe it is the lack of the IP address which is causing you this trouble?
I would start by giving your WG interface on both sides an IP address: list addresses '10.10.10.1/24' on one side and list addresses '10.10.10.2/24' on the other side (the WG subnet must be different from all other subnets on both sides).
You should also allow 10.10.10.2/32 on the 10.10.10.1/24 side (list allowed_ips '10.10.10.2/32') and 10.10.10.1/32 on the 10.10.10.2/24 side (list allowed_ips '10.10.10.1/32').
Reboot afterwards.
If that does not help, then remove the endpoint; you actually only need an endpoint on one side.
If that solves the problem it is the endpoint not properly resolving.
The riddle is unsolved,
but I reached my goal and could make it work:
Took a backup of the router 192.168.0.195 from a time before experimenting with the site2site WG script -> no problem in the routing table present.
Ran the WG site2site script on the router, and took more or less the firewall and network config after all the changes you advised me to try (learned a lot, thank you!):
own VPN firewall zone with forwarding to LAN
IP address for WG interface / allowed IPs
some clean up (bridge, switch)
--> Router works as designed in a nice clean setup.
--> No weird routing table.
Thanks to everybody who tried to solve it and made my setup / knowledge better!
I post the whole config of the working router; I can't see any difference to the non-working case, besides the routing table now looking good. The other router (WG Point) settings are unchanged from the last post.
OpenWrt 23.05.0, r23497-6637af95aa
root@szne_nighthawk1_rumpel_195:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         fritz.lan       0.0.0.0         UG    0      0        0 br-lan
10.10.10.0      *               255.255.255.0   U     0      0        0 wg_s2s_amopsz
10.10.10.1      *               255.255.255.255 UH    0      0        0 wg_s2s_amopsz
82.218.250.45   fritz.lan       255.255.255.255 UGH   0      0        0 br-lan
192.168.0.0     *               255.255.255.0   U     0      0        0 br-lan
192.168.112.0   *               255.255.255.0   U     0      0        0 wg_s2s_amopsz
192.168.195.0   *               255.255.255.0   U     0      0        0 wifi_bridge
root@szne_nighthawk1_rumpel_195:~# ubus call system board
{
	"kernel": "5.15.134",
	"hostname": "szne_nighthawk1_rumpel_195",
	"system": "ARMv7 Processor rev 0 (v7l)",
	"model": "Netgear Nighthawk X4S R7800",
	"board_name": "netgear,r7800",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.0",
		"revision": "r23497-6637af95aa",
		"target": "ipq806x/generic",
		"description": "OpenWrt 23.05.0 r23497-6637af95aa"
	}
}
root@szne_nighthawk1_rumpel_195:~# cat /etc/config/network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1.1'

config interface 'lan'
	option device 'br-lan'
	option ipv6 '0'
	option proto 'static'
	option netmask '255.255.255.0'
	option gateway '192.168.0.1'
	option ipaddr '192.168.0.195'
	list dns '192.168.0.171'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '6t 4 3 2 1 5'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '2'
	option ports '0t'

config interface 'guest1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.195.1'
	option device 'wifi_bridge'

config device
	option type 'bridge'
	option name 'wifi_bridge'

config interface 'wg_s2s_amopsz'
	option proto 'wireguard'
	option private_key 'OBRE='
	option listen_port '51823'
	list addresses '10.10.10.2/24'

config wireguard_wg_s2s_amopsz 's2s_vpn_site_bmopsz'
	option public_key '6TRg='
	option preshared_key '4sxx='
	option description 'Site B, e.diskstation.me'
	list allowed_ips '192.168.112.0/24'
	list allowed_ips 'fdee:eeee:efff::/48'
	list allowed_ips '10.10.10.1/32'
	option persistent_keepalive '25'
	option endpoint_host 'e.diskstation.me'
	option endpoint_port '51823'
	option route_allowed_ips '1'
root@szne_nighthawk1_rumpel_195:~# cat /etc/config/firewall
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option masq '1'
	option forward 'ACCEPT'
	list network 'lan'

config zone 'guest'
	option name 'guest'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'
	list network 'guest1'

config rule 'guest_dns'
	option name 'Allow-DNS-Guest'
	option src 'guest'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'

config rule 'guest_dhcp'
	option name 'Allow-DHCP-Guest'
	option src 'guest'
	option src_port '68'
	option dest_port '67'
	option proto 'udp'
	option family 'ipv4'
	option target 'ACCEPT'

config forwarding
	option dest 'lan'

config forwarding
	option src 'guest'
	option dest 'lan'

config rule
	option name 'dhcp ok'
	option dest 'lan'
	option dest_port '53'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'dns ok'
	list dest_ip '192.168.0.1'
	list dest_ip '192.168.0.171'
	option dest_port '67'
	option target 'ACCEPT'
	option dest 'lan'
	option enabled '0'

config rule
	option dest 'lan'
	option target 'DROP'
	option name 'drop all guest traffic'
	option enabled '0'

config rule
	option name 'drop guest'
	option src 'guest'
	list src_ip '192.168.195.0/24'
	option dest 'lan'
	list dest_ip '192.168.0.0/24'
	option target 'REJECT'
	list proto 'all'

config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'wg_s2s_amopsz'

config forwarding
	option src 'vpn'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'vpn'