[SOLVED] WireGuard - routing or firewall problem

Hi folks,

I spent a few days trying to get WireGuard up and running on two (virtual) LEDE routers. Actually the WireGuard part seems to work, but I don't get any access to other resources on the remote network.

The (virtual) infrastructure looks like this:

Host A                                   Host B

(LAN)                                    (not connected)
  ^                                        ^
  |                                        |
LAN 172.16.1.x                           LAN 172.16.2.x
WAN 192.168.100.1        <->             WAN 192.168.100.2

The WireGuard config looks like this:

Host A:

# /etc/config/network on Host A: the tunnel interface itself
config interface 'VPN_WG0'
        option proto 'wireguard'
        option private_key 'xxxxx'
        option listen_port '51820'
        list addresses '10.0.0.1/24'

# peer section for Host B; route_allowed_ips installs a route
# for every allowed_ips prefix through the tunnel interface
config wireguard_VPN_WG0
        option public_key 'yyyyyyyyy'
        option route_allowed_ips '1'
        option endpoint_host '192.168.100.2'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        # tunnel network
        list allowed_ips '10.0.0.0/24'
        # Host B's LAN, reachable through the tunnel
        list allowed_ips '172.16.2.0/24'

Host B:

# /etc/config/network on Host B: the tunnel interface itself
config interface 'VPN_WG0'
        option proto 'wireguard'
        option private_key 'xxxxx'
        option listen_port '51820'
        list addresses '10.0.0.2/24'

# peer section for Host A
config wireguard_VPN_WG0
        option public_key 'yyyyyyyyy'
        option route_allowed_ips '1'
        option endpoint_host '192.168.100.1'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        # tunnel network
        list allowed_ips '10.0.0.0/24'
        # Host A's LAN, reachable through the tunnel
        list allowed_ips '172.16.1.0/24'

With this configuration I am able to ping the 10.0.0.x addresses crosswise and also the routers' IP addresses, but no other address on either side.

I tried several firewall settings: adding the interface to the lan zone, creating a different zone allowing forwarding and NATing pretty similar to the usual WAN configuration. Nothing worked out!

My preferred setting would be pure routing without NAT, and I can't see what holds me back from this, but actually I might be missing something.

When setting "option route_allowed_ips '1'" it sets up routes to the interfaces, so what am I missing?

Thanks in advance

Tobias

You haven't allowed any other IPs. If you want a wide-open VPN, the allowed IPs must be 0.0.0.0/0. You also may wish to create your own routes.

@lleachii, that's correct for a VPN that forwards outgoing traffic. However, I assume his goal is to connect two internal subnets (i.e. LANs), and he sets allowed_ips to the respective other subnet, so at least that should work, which by his description it doesn't.

@toxic-tonic, I have a suspicion. What is your in-kernel ip forward set to? I.e.,

cat /proc/sys/net/ipv4/ip_forward

If 0 (disabled) you can try enabling it (on both machines):

echo 1 > /proc/sys/net/ipv4/ip_forward

Hi,

Right, the first step is just to connect the two LANs.

@takimata You got me right! :wink: I already checked that; it is set to 1.

One time I managed to activate logging and found something like this on the destination router:

"source_zone=lan ; source_IP=10.0.0.2 ; dest=br-lan ; blah blah ; action=reject" (unfortunately the log does not persist after reboot...)

I will try to reproduce that...

Thanks so far!

Tobias

Hello toxic-tonic!

Did you resolve your problem?

I have nearly the same problem:
I've set up IPsec/L2TP and WireGuard.
On IPsec/L2TP everything works as expected.
On WireGuard I can ping the remote LAN from the client router but not from any other host in the local LAN.
(To be more precise: I can ping the remote LAN with the source address of the tunnel interface.)
I have tried with masquerading and SNAT, which works on the IPsec/L2TP config but not on WireGuard.

Robert

Proxy ARP should do the trick.

Hi,

Sorry, I just forgot to write the solution: actually it was my fault. The router with WireGuard was not the default gateway, so the traffic was routed to the target (I checked that with tcpdump), but the reply went to the default GW. All I had to do was to add the additional routes on the default GW router!

Thanks for your Help!

Tobias
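The failure Tobias describes is asymmetric routing: the WireGuard router knows the remote LAN (route_allowed_ips puts it into the table via wg0), but the LAN's default gateway is a different box that sends the reply toward its own default route. The following is an added example, not code from the thread or from OpenWrt/LEDE. It models each box's routing table with a longest-prefix-match lookup and traces the forward and reply path of a ping, first without and then with the static routes on the default gateways. The WireGuard routers use the thread's addresses (172.16.1.1 / 172.16.2.1 on the LANs, 10.0.0.1 / 10.0.0.2 on wg0); the .254 default gateways, the .50 hosts, and the node names are assumptions made for the example.

```python
"""Trace forward and reply paths across two LANs joined by a WireGuard tunnel.

Added example, not code from the thread. The .254 default gateways and the
.50 hosts are assumptions; the WireGuard routers use the thread's addresses.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

IPAddr = ipaddress.IPv4Address
IPNet = ipaddress.IPv4Network

# A route is (prefix, next_hop). next_hop None = directly connected (deliver
# on-link); "drop" = the packet leaves the modelled network (an upstream link
# that knows nothing about the private LANs), i.e. it is lost.
Route = Tuple[str, Optional[str]]


class Node:
    """A host or router: its own addresses plus a routing table."""

    def __init__(self, name: str, addrs: List[str], routes: List[Route]):
        self.name = name
        self.addrs = {IPAddr(a) for a in addrs}
        self.routes = [(IPNet(p), nh) for p, nh in routes]

    def lookup(self, dst: IPAddr) -> Optional[Tuple[IPNet, Optional[str]]]:
        """Longest-prefix match, as the kernel FIB lookup does."""
        best = None
        for prefix, nh in self.routes:
            if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, nh)
        return best


Topology = Dict[str, Node]


def owner(topo: Topology, addr: IPAddr) -> Optional[Node]:
    return next((n for n in topo.values() if addr in n.addrs), None)


def trace(topo: Topology, src: str, dst: str, max_hops: int = 8) -> List[str]:
    """Node names a packet src->dst traverses; ends with 'DROPPED' on failure."""
    dst_ip = IPAddr(dst)
    node = owner(topo, IPAddr(src))
    path = [node.name]
    for _ in range(max_hops):
        if dst_ip in node.addrs:
            return path
        match = node.lookup(dst_ip)
        if match is None or match[1] == "drop":
            return path + ["DROPPED"]
        nxt = owner(topo, dst_ip if match[1] is None else IPAddr(match[1]))
        if nxt is None:
            return path + ["DROPPED"]
        node = nxt
        path.append(node.name)
    return path + ["DROPPED"]  # hop limit hit: treat like a loop / TTL expiry


def build_topology(routes_on_default_gws: bool) -> Topology:
    """Two sites; each LAN's default gateway is NOT the WireGuard router.

    On the WireGuard routers, route_allowed_ips puts the remote LAN into the
    table via wg0; that is modelled as a next hop of the peer's wg0 address.
    With routes_on_default_gws=True the default gateways also carry the static
    route to the remote LAN via the local WireGuard router (Tobias's fix).
    """
    gw_a: List[Route] = [("172.16.1.0/24", None), ("0.0.0.0/0", "drop")]
    gw_b: List[Route] = [("172.16.2.0/24", None), ("0.0.0.0/0", "drop")]
    if routes_on_default_gws:
        gw_a.insert(0, ("172.16.2.0/24", "172.16.1.1"))  # remote LAN via WG router
        gw_b.insert(0, ("172.16.1.0/24", "172.16.2.1"))
    nodes = [
        Node("pc-a", ["172.16.1.50"], [("172.16.1.0/24", None), ("0.0.0.0/0", "172.16.1.254")]),
        Node("gw-a", ["172.16.1.254"], gw_a),
        Node("wg-a", ["172.16.1.1", "10.0.0.1"],
             [("172.16.1.0/24", None), ("10.0.0.0/24", None),
              ("172.16.2.0/24", "10.0.0.2"), ("0.0.0.0/0", "172.16.1.254")]),
        Node("wg-b", ["172.16.2.1", "10.0.0.2"],
             [("172.16.2.0/24", None), ("10.0.0.0/24", None),
              ("172.16.1.0/24", "10.0.0.1"), ("0.0.0.0/0", "172.16.2.254")]),
        Node("gw-b", ["172.16.2.254"], gw_b),
        Node("pc-b", ["172.16.2.50"], [("172.16.2.0/24", None), ("0.0.0.0/0", "172.16.2.254")]),
    ]
    return {n.name: n for n in nodes}


def round_trip(topo: Topology, src: str, dst: str) -> Tuple[List[str], List[str]]:
    """Forward path and reply path; a ping only works if neither is dropped."""
    return trace(topo, src, dst), trace(topo, dst, src)


def ping_works(topo: Topology, src: str, dst: str) -> bool:
    fwd, back = round_trip(topo, src, dst)
    return fwd[-1] != "DROPPED" and back[-1] != "DROPPED"


if __name__ == "__main__":
    for fixed in (False, True):
        topo = build_topology(fixed)
        print("default gateways know the remote LAN:", fixed)
        for src, dst in (("172.16.1.1", "172.16.2.50"), ("172.16.1.50", "172.16.2.50")):
            fwd, back = round_trip(topo, src, dst)
            print(f"  {src} -> {dst}: {' > '.join(fwd)} | reply: {' > '.join(back)}")
```

Without the routes, a ping from the WireGuard router itself (172.16.1.1) reaches 172.16.2.50 through the tunnel, exactly what tcpdump on the target shows, while the reply goes 172.16.2.50 > gw-b and is lost there; a ping from an ordinary LAN host dies already at its own default gateway. With the routes, both directions complete. The model ignores two things a practitioner still has to check on real boxes: the OpenWrt firewall (the tunnel interface must sit in a zone that is allowed to forward to lan, otherwise the packet is rejected even though the route exists), and ICMP redirects, which a Linux gateway sends when it forwards a packet back out the interface it arrived on, so LAN hosts may end up with cached host routes pointing straight at the WireGuard router.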
