[Solved] [wireguard | site-to-site] unable to reach OpenWrt router that is behind the tunnel

Hi,
I've seen other topics, but they do not seem to have the same problem as mine. Maybe this is not really an OpenWrt thread, but I have seen a lot of experts here!
I have configured a tunnel as described here

and shown in the following picture.


Please note that:

  1. The OpenWrt router is not used as the WireGuard tunnel node: in fact I'm using a more powerful x86 Linux-based machine for this. I just want to access the router and other machines behind the tunnel.
  2. WireGuard LAN-site node A is physically connected directly to the router: I think the router itself drops the packets and does not answer when I try to connect to it from the other side;
  3. if I connect to services exposed on WireGuard LAN node A, using the LAN IP (not the WireGuard one), I can reach them;
  4. tcpdump -i wg0 on WireGuard node A produces the following lines; it seems to forward data to the router... so is it the router that does not accept them because they come from WireGuard node B's IP 10.0.0.1? How can they be translated? I activated the forwarding and masquerading rules on WireGuard node A...
tcpdump -i wg0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wg0, link-type RAW (Raw IP), capture size 262144 bytes
18:05:40.697381 IP 10.0.0.1.40924 > router1.lan.https: Flags [S], seq 2141972520, win 65535, options [mss 1240,sackOK,TS val 438081211 ecr 0,nop,wscale 9], length 0
18:05:40.962499 IP 10.0.0.1.40926 > router1.lan.https: Flags [S], seq 2731689407, win 65535, options [mss 1240,sackOK,TS val 438081467 ecr 0,nop,wscale 9], length 0
18:05:41.767663 IP 10.0.0.1.40924 > router1.lan.https: Flags [S], seq 2141972520, win 65535, options [mss 1240,sackOK,TS val 438082280 ecr 0,nop,wscale 9], length 0
18:05:42.003119 IP 10.0.0.1.40926 > router1.lan.https: Flags [S], seq 2731689407, win 65535, options [mss 1240,sackOK,TS val 438082520 ecr 0,nop,wscale 9], length 0
18:05:43.772652 IP 10.0.0.1.40924 > router1.lan.https: Flags [S], seq 2141972520, win 65535, options [mss 1240,sackOK,TS val 438084281 ecr 0,nop,wscale 9], length 0
18:05:44.000681 IP 10.0.0.1.40926 > router1.lan.https: Flags [S], seq 2731689407, win 65535, options [mss 1240,sackOK,TS val 438084520 ecr 0,nop,wscale 9], length 0
18:05:47.770006 IP 10.0.0.1.40924 > router1.lan.https: Flags [S], seq 2141972520, win 65535, options [mss 1240,sackOK,TS val 438088281 ecr 0,nop,wscale 9], length 0
18:05:47.999470 IP 10.0.0.1.40926 > router1.lan.https: Flags [S], seq 2731689407, win 65535, options [mss 1240,sackOK,TS val 438088521 ecr 0,nop,wscale 9], length 0
18:05:55.769834 IP 10.0.0.1.40924 > router1.lan.https: Flags [S], seq 2141972520, win 65535, options [mss 1240,sackOK,TS val 438096281 ecr 0,nop,wscale 9], length 0
18:05:56.003046 IP 10.0.0.1.40926 > router1.lan.https: Flags [S], seq 2731689407, win 65535, options [mss 1240,sackOK,TS val 438096520 ecr 0,nop,wscale 9], length 0

This is the WireGuard config on node A:

 cat /etc/wireguard/wg0.conf
[Interface]
Address = 10.0.0.186/32
PrivateKey = the_KEY
DNS = 1.1.1.1

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enol -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enol -j MASQUERADE

[Peer]
PublicKey = the_KEY
#AllowedIPs =0.0.0.0/0
AllowedIPs = 10.0.0.0/24
PersistentKeepalive = 10
Endpoint = VPS_PUBLIC_IP:51820

Add static routes to the WG network and the other site network via the WG peer on OpenWrt.
Everything else is not really related to this forum since OpenWrt is barely involved in your setup.

Hi, I don't understand what I need to do... Could you detail it a little more? The link I posted says nothing else to do; I replicated it more or less, but without success.
On the OpenWrt there is no WireGuard.
10.0.0.1 is the WireGuard VPS IP.
Maybe I explained myself badly because the config is strange. The tunnel uses a machine behind the router (I need it for several reasons), but I want to connect from outside to the router itself, with its IP, passing through the tunnel.
Something like:
Smartphone 10.0.0.x - VPS node B of the WireGuard tunnel - (router) - x86 node A of the WireGuard tunnel - router 172.x.x.x

Solved it myself, damn me!
The interface in my PostUp rules is eno1, not enol.
In bash they look the same!
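An added sanity check for exactly this failure (my own example, not code from the thread or from wg-quick): it parses the PostUp/PostDown hooks of a wg-quick config, collects every interface named with -i/-o, and reports those not present on the host together with the closest real name, so a lookalike such as enol versus eno1 is caught before the tunnel comes up with a MASQUERADE rule that never matches. The config text and interface list are constructed samples shaped like the ones in this thread; on a live Linux host, os.listdir("/sys/class/net") gives the real interface list.

```python
import difflib
import re

# Constructed sample in the shape of the wg0.conf posted in this thread, with the
# lookalike interface name "enol" (letter l) where "eno1" (digit 1) was intended.
SAMPLE_CONF = """[Interface]
Address = 10.0.0.186/32
PrivateKey = the_KEY
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enol -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enol -j MASQUERADE

[Peer]
PublicKey = the_KEY
AllowedIPs = 10.0.0.0/24
"""

# Constructed stand-in for the interfaces present on node A (/sys/class/net).
SAMPLE_IFACES = ["lo", "eno1", "wg0"]

# iptables options whose argument is an interface name.
IFACE_OPTS = re.compile(r"(?:^|\s)(?:-i|-o|--in-interface|--out-interface)\s+(\S+)")

HOOK_KEYS = ("PreUp", "PostUp", "PreDown", "PostDown")


def hook_interfaces(conf_text):
    """Interface names passed to -i/-o in the wg-quick hook lines.
    The %i placeholder (the WireGuard interface itself) is skipped."""
    names = set()
    for line in conf_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() in HOOK_KEYS:
            names.update(n for n in IFACE_OPTS.findall(value) if n != "%i")
    return names


def find_missing_interfaces(conf_text, present):
    """Map each hook interface absent from `present` to the closest real name (or None).
    difflib catches lookalikes such as enol/eno1 that the eye misses in a shell."""
    missing = {}
    for name in sorted(hook_interfaces(conf_text)):
        if name not in present:
            close = difflib.get_close_matches(name, present, n=1, cutoff=0.7)
            missing[name] = close[0] if close else None
    return missing


if __name__ == "__main__":
    for name, hint in find_missing_interfaces(SAMPLE_CONF, SAMPLE_IFACES).items():
        print(f"{name}: no such interface" + (f", did you mean {hint}?" if hint else ""))
```

Running it on the sample reports "enol: no such interface, did you mean eno1?"; with the corrected name it reports nothing.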
