[Solved] Wireguard clients cannot ping each other, OpenWrt as Server

My TP-Link WDR3600v1 is running WireGuard as Server (with a public IP that WireGuard Clients can connect to).

I defined three different clients, each of them can connect to WDR3600v1, and can ssh into a host on the LAN side.

From WDR3600v1, I can ping both 44woa and 22n9.

But 22n9 cannot ping 44woa and vice versa.

What should I look at further to allow all WireGuard clients to communicate with each other?

Details below:

WireGuard Server OpenWrt version

| Field | Value |
|---|---|
| Model | TP-Link TL-WDR3600 v1 |
| Architecture | Atheros AR9344 rev 2 |
| Target Platform | ath79/generic |
| Firmware Version | OpenWrt SNAPSHOT r18498-b61d756b6c / LuCI firewall4 branch git-21.357.58153-63d9bcb |
| Kernel Version | 5.10.89 |

WireGuard Server Config
config interface 'wg2a'
        option proto 'wireguard'
        option private_key 'privatekey'
        option listen_port '#####'
        list addresses '10.2.2.1/24'

config wireguard_wg2a
        option description '22n9'
        option persistent_keepalive '25'
        option public_key 'publickey'
        list allowed_ips '10.2.2.22/32'

config wireguard_wg2a
        option description '33dv'
        option public_key 'publickey'
        list allowed_ips '10.2.2.33/32'
        option persistent_keepalive '25'

config wireguard_wg2a
        option description '44woa'
        option public_key 'publickey'
        list allowed_ips '10.2.2.44/32'
        option persistent_keepalive '25'

44woa is running wireguard-arm64-0.5.3.msi on Windows 11 on Arm64

Tunnel Definition at 44woa
[Interface]
PrivateKey = privatekey
Address = 10.2.2.44/32

[Peer]
PublicKey = publickey
AllowedIPs = 10.2.2.0/24, 192.168.102.0/24
Endpoint = hostname:port
PersistentKeepalive = 25

22n9 is running Wireguard 1.0.20211029 on Android 11 on Nokia 8.1

Tunnel Definition at 22n9
[Interface]
Address = 10.2.2.22/32
PrivateKey = privatekey

[Peer]
AllowedIPs = 10.2.2.0/24, 192.168.102.0/24
Endpoint = hostname:port
PersistentKeepalive = 25
PublicKey = publickey

10.2.2.1 can ping both 10.2.2.22 & 10.2.2.44

Ping from 10.2.2.1
root@owrt2:~# ping 10.2.2.44
PING 10.2.2.44 (10.2.2.44): 56 data bytes
64 bytes from 10.2.2.44: seq=0 ttl=128 time=43.027 ms
64 bytes from 10.2.2.44: seq=1 ttl=128 time=92.644 ms
^C
--- 10.2.2.44 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 43.027/67.835/92.644 ms
root@owrt2:~# ping 10.2.2.22
PING 10.2.2.22 (10.2.2.22): 56 data bytes
64 bytes from 10.2.2.22: seq=0 ttl=64 time=202.035 ms
64 bytes from 10.2.2.22: seq=1 ttl=64 time=127.184 ms
^C
--- 10.2.2.22 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 127.184/164.609/202.035 ms

Both 10.2.2.22 & 10.2.2.44 can ping/ssh to 192.168.102.11

But 10.2.2.44 cannot ping 10.2.2.22 and vice versa.

On the OpenWrt side, try adding to each peer:

        option route_allowed_ips '1'

Also, is there a reason you are running snapshot? Probably best to run a stable release version (21.02.1 is current as of right now) unless you need/want snapshot for a specific reason.

Thank you

OpenWrt rebooted. Same as before.

C:\Users\user>ping 10.2.2.22

Pinging 10.2.2.22 with 32 bytes of data:
Reply from 10.2.2.1: Destination port unreachable.
Reply from 10.2.2.1: Destination port unreachable.
Reply from 10.2.2.1: Destination port unreachable.

Will try again with stable version 21.02.1 tonight.

Keep in mind that not all devices will respond to pings.

You might try a standard computer (Mac/linux/windows) and ping that from a mobile device. You might need to disable the local firewall for it to work, too.


Thank you for the reminder.

I double checked that from OpenWrt router, I can ping both Wireguard Clients.

I'm seeing the same thing -- connected to a remote OpenWrt based WG endpoint with 2 devices (Mac and iPhone)... they cannot ping each other, despite having everything configured the way I would expect it to work. If I have some time, I'll investigate why pings don't work between 2 'client' peers on the same WG 'server' interface. Maybe someone else will have some ideas.


Thanks for sharing.

Did you manage to get other traffic to work across peers? Like ssh, https, etc.

I didn’t try. Only tested pings.


Try the following:

iptables -I FORWARD -i wg2a -o wg2a -j ACCEPT

It just occurred to me that I have the wireguard interface assigned to a zone that has forward=reject. I think that if I change it to accept, it may work. But I can’t try that until tomorrow.

I don’t speak iptables, but I suspect that @pavelgl is suggesting exactly the same thing, just at a lower level than the high level ZBF controls.

Yes - after applying that command, ping among peers is OK now.

@psherman, after I changed the settings of the zone the wg2a interface is in from
reject, accept, reject to
reject, accept, accept,

ping works. (As tested with the official 21.02.1 version. Will test with the snapshot build again.)

Thank you very much for all the inputs!
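The two fixes in this thread are the same control at different levels: the `iptables -I FORWARD -i wg2a -o wg2a -j ACCEPT` rule allows only hairpin forwarding on the wg2a interface, while setting the zone's forward policy to accept allows forwarding between any networks in that zone (wg2a to wg2a included). The "Destination port unreachable" replies coming from 10.2.2.1 rather than from 10.2.2.22 are consistent with the router itself rejecting the forwarded packet, which is what a reject forward policy does. The script below is an added example, not code from the thread or from OpenWrt: it parses a constructed /etc/config/firewall fragment (the zone names `lan` and `wg` and the interface-to-zone layout are assumptions modelled on the thread), reports the forward policy of the zone that holds a given network, and rewrites that policy so the before/after state can be checked without touching a live router. It assumes `option name` precedes `option forward` inside a zone stanza, as uci and LuCI write it, and treats a missing forward option as REJECT (an assumption for this example; on a real box the default comes from the `config defaults` section and the firewall version).

```shell
#!/bin/sh
# Constructed sample of an OpenWrt /etc/config/firewall fragment (not the poster's file).
# The 'wg' zone mirrors the thread: input REJECT, output ACCEPT, forward REJECT.
sample_firewall_config() {
    cat <<'EOF'
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wg'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'wg2a'

config forwarding
        option src 'wg'
        option dest 'lan'
EOF
}

# Usage: zone_forward_policy <network-name> < firewall-config
# Prints "<zone-name> <forward-policy>" for the zone that lists the network.
# A zone without an explicit forward option is reported as REJECT (assumption, see lead-in).
# Exits non-zero and prints "none" when no zone lists the network.
zone_forward_policy() {
    awk -v net="$1" -v q="'" '
    function unq(s) { gsub(q, "", s); return s }
    $1 == "config" { in_zone = ($2 == "zone"); if (in_zone) idx++; next }
    !in_zone { next }
    $1 == "option" && $2 == "name"    { name[idx] = unq($3) }
    $1 == "option" && $2 == "forward" { fwd[idx] = unq($3) }
    $1 == "list"   && $2 == "network" { if (unq($3) == net) hit = idx }
    END {
        if (!hit) { print "none"; exit 1 }
        print name[hit], (hit in fwd ? fwd[hit] : "REJECT")
    }'
}

# Usage: set_zone_forward <zone-name> <ACCEPT|REJECT|DROP> < firewall-config
# Rewrites the existing "option forward" line of the named zone in place and
# passes every other line through unchanged, so the result is still valid UCI.
set_zone_forward() {
    awk -v zone="$1" -v pol="$2" -v q="'" '
    function unq(s) { gsub(q, "", s); return s }
    $1 == "config" { in_zone = ($2 == "zone"); cur = "" }
    in_zone && $1 == "option" && $2 == "name" { cur = unq($3) }
    in_zone && cur == zone && $1 == "option" && $2 == "forward" {
        sub(/forward.*/, "forward " q pol q)
    }
    { print }'
}

# Demo: show the policy that blocks peer-to-peer pings, then the corrected one.
main() {
    printf 'before: %s\n' "$(sample_firewall_config | zone_forward_policy wg2a)"
    printf 'after:  %s\n' "$(sample_firewall_config | set_zone_forward wg ACCEPT | zone_forward_policy wg2a)"
}
main
```

On a real router the same change is `uci set firewall.@zone[N].forward='ACCEPT'` followed by `uci commit firewall` and a firewall reload; the narrower alternative is a single `config rule` (or the iptables line above on fw3) that accepts only wg2a-to-wg2a forwarding, which is preferable when the zone also contains interfaces that should stay isolated from each other.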
