Strange issues with wireguard and routing

I want to use WireGuard to allow my Win11 laptop to access my LAN (and to use it as a proxy) while I'm away from home.

I set up a test scenario with the laptop connected to my cellphone as a hotspot that's connecting to the cellular service.

I first followed the guide here (https://openwrt.org/docs/guide-user/services/vpn/wireguard/server) and it lets me establish a connection, but there are some issues.

I can RDP laptop -> desktop machine
I cannot ping laptop -> desktop
I cannot access laptop -> desktop Samba share
I can ping desktop -> laptop

I tried a few different firewall configs, both setting up a separate zone for wg and simply adding it to the lan zone, and the results were the same for both.

Any advice on stuff I could try would be greatly appreciated.

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'x='
	option listen_port '51820'
	list addresses '192.168.9.1/32'

config wireguard_wg0
	option public_key 'x='
	option preshared_key 'x='
	list allowed_ips '192.168.9.2/24'
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

Last used firewall config:

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	list network 'wg0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'

config rule
	option name 'allow-wg'
	option src 'wan'
	option proto 'udp'
	option dest_port '51820'
	option target 'ACCEPT'

Change the above to 192.168.9.1/24

The allowed ips should be 192.168.9.2/32 and remove the second line (0.0.0.0/0).

Let’s see your laptop wg config.

If this still persists after the changes above, check the firewall on the desktop system, especially if it is Windows (by default, they have the firewall set to not allow connections from hosts on a different subnet).

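Added example, not from the thread or from OpenWrt: a small Python checker that parses a UCI fragment like the one posted above and flags the three addressing mistakes the reply points out (a /32 interface address, a peer allowed_ips with a wide mask, and 0.0.0.0/0 combined with route_allowed_ips on the server side). The embedded config is a constructed copy of the poster's with keys elided and unrelated options dropped.

```python
import ipaddress
import re

# Constructed copy of the server-side UCI config posted in the thread
# (keys elided, unrelated options dropped).
SERVER_UCI = """
config interface 'wg0'
    option proto 'wireguard'
    option listen_port '51820'
    list addresses '192.168.9.1/32'

config wireguard_wg0
    option public_key 'x='
    list allowed_ips '192.168.9.2/24'
    list allowed_ips '0.0.0.0/0'
    option route_allowed_ips '1'
"""

def parse_uci(text):
    """Parse a UCI fragment into [(section_type, {key: [values]})]."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        head = re.match(r"config\s+(\S+)", line)
        kv = re.match(r"(?:option|list)\s+(\S+)\s+'([^']*)'", line)
        if head:
            sections.append((head.group(1), {}))
        elif kv and sections:  # 'list' keys accumulate, 'option' keys appear once
            sections[-1][1].setdefault(kv.group(1), []).append(kv.group(2))
    return sections

def check_wireguard(text):
    """Return the addressing findings the thread ran into (empty list means clean)."""
    findings = []
    for stype, opts in parse_uci(text):
        if stype == "interface" and opts.get("proto") == ["wireguard"]:
            for a in opts.get("addresses", []):
                net = ipaddress.ip_interface(a).network
                if net.prefixlen == net.max_prefixlen:  # /32: no on-link route for the tunnel subnet
                    findings.append(f"{a}: host mask on the interface, widen to the tunnel subnet")
        elif stype.startswith("wireguard_"):  # a peer section of some wg interface
            routed = opts.get("route_allowed_ips") == ["1"]
            for a in opts.get("allowed_ips", []):
                net = ipaddress.ip_interface(a).network
                if net.prefixlen == 0 and routed:
                    findings.append(f"{a}: installs a default route into the tunnel on the server")
                elif net.num_addresses > 1:
                    findings.append(f"{a}: covers all of {net}; a single peer needs a /{net.max_prefixlen}")
    return findings
```

Applying the two corrections from the reply (192.168.9.1/24 on the interface, 192.168.9.2/32 on the peer, 0.0.0.0/0 removed) makes the checker return an empty list.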

Thanks, I was iterating on so many different things I left them on those erroneous values.

For the client config:

[Interface]
PrivateKey = x=
Address = 192.168.9.2/32

[Peer]
PublicKey = x=
PresharedKey = x=
AllowedIPs = 192.168.1.0/24
Endpoint = ip.ip.ip.ip:51820

Correcting those server-side values changed nothing, sadly. I can still RDP into my desktop, and the desktop can ping 192.168.9.2, but the laptop cannot ping anything internal other than 192.168.1.1.

Both of these machines are newish Windows 11 installs, so I find it strange that, if it were a Windows issue, it would manifest as the desktop being able to ping but the laptop not being able to.

Anddddd that was it?
Went to the firewall rules and edited
File and Printer Sharing (Echo Request - ICMPv4-In)
added the 192.168.9.0/24 subnet, and suddenly I get ping responses.
So strange that I could ping one way but not the other across subnets.

Glad it is working now!

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

