Okay, after changing that, (2) was unreachable. No idea why... But I was thinking I could simplify it by changing the VPN endpoint.
Basically the same as before, but instead of a tunnel between (1) and (2) I make one between (1) and (3). (2) is a dumb access point and gives (3) an IP address from the router. So far so good, but the situation is not better...
From C I can reach only the WG addresses of 3 and 1, not S and not I.
From S I can reach the WG addresses and also I, but not C.
From 1 I can ping the same as from S.
From 3 I can reach everything.
Again, the configuration. From 1:
ubus call system board
{
"kernel": "5.15.150",
"hostname": "OpenWrt",
"system": "Atheros AR9344 rev 2",
"model": "TP-Link CPE510 v1",
"board_name": "tplink,cpe510-v1",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.3",
"revision": "r23809-234f1a2efa",
"target": "ath79/generic",
"description": "OpenWrt 23.05.3 r23809-234f1a2efa"
}
}
root@OpenWrt:~# cat /etc/config/network
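# /etc/config/network as pasted from device 1 (the WireGuard listener).
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix '<hidden>'
# NOTE(review): br-lan is declared with eth1 as its only port, but the 'lan'
# interface below binds to eth1 directly, so the bridge device is unused.
# Harmless, but either bind 'lan' to 'br-lan' or drop this stanza.
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth1'
config interface 'lan'
option device 'eth1'
option proto 'static'
option ipaddr '192.168.97.1'
option netmask '255.255.255.0'
option ip6assign '60'
# Upstream (eth0) gets its address by DHCP; 'ip route show' on this device
# shows the default route via 192.168.101.1 on eth0.
config interface 'wan'
option device 'eth0'
option proto 'dhcp'
config interface 'wan6'
option device 'eth0'
option proto 'dhcpv6'
config interface 'vpn'
option proto 'wireguard'
option private_key '<hidden>'
# Must match the 'Allow-WireGuard' rule (dest_port 24365/udp) in
# /etc/config/firewall on this device.
option listen_port '24365'
list addresses '192.168.9.1/24'
list addresses 'fd00:9::1/64'
config wireguard_vpn 'wgclient'
option public_key '<hidden>'
option preshared_key '<hidden>'
# Cryptokey routing: only packets with these source addresses are accepted
# from this peer. 192.168.98.0/24 is presumably left over from the earlier
# tunnel to (2); 192.168.99.0/24 is the LAN behind (3).
list allowed_ips '192.168.9.2/32'
list allowed_ips '192.168.98.0/24'
list allowed_ips '192.168.99.0/24'
list allowed_ips 'fd00:9::2/128'
# Added: install kernel routes for the allowed_ips above via 'vpn'. Without
# this option, 'ip route show' on this device had no route to 192.168.98.0/24
# or 192.168.99.0/24, so replies to the LAN behind (3) presumably left via the
# default route on eth0 (and were masqueraded by the wan zone) instead of
# entering the tunnel - consistent with C being unreachable from 1 and S.
option route_allowed_ips '1'
option description 'LinkZurAntenne'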
cat /etc/config/firewall
# /etc/config/firewall as pasted from device 1 (the WireGuard listener).
config defaults
option syn_flood '1'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
# 'vpn' is a member of the lan zone, so everything arriving through the
# tunnel (any source the peer's allowed_ips admit) is treated as trusted LAN:
# input to this device is ACCEPT and forwarding between lan and vpn is ACCEPT.
config zone 'lan'
option name 'lan'
list network 'lan'
list network 'vpn'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone 'wan'
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
# The only inter-zone forwarding is lan -> wan; with masq on wan, tunnel
# clients reach the upstream network through this device's eth0 address.
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# NOTE(review): the next two rules accept ESP and UDP/500 from wan into the
# lan zone. No IPsec interface appears in this device's network config, so
# they only widen the wan-facing surface; consider removing them if IPsec is
# not in use.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# Opens the WireGuard listen port on wan; 24365 must stay in sync with
# option listen_port of interface 'vpn' in /etc/config/network.
config rule 'wg'
option name 'Allow-WireGuard'
option src 'wan'
option dest_port '24365'
option proto 'udp'
option target 'ACCEPT'
ip route show
default via 192.168.101.1 dev eth0 src 192.168.101.50
192.168.9.0/24 dev vpn scope link src 192.168.9.1
192.168.97.0/24 dev eth1 scope link src 192.168.97.1
192.168.101.0/24 dev eth0 scope link src 192.168.101.50
wg show
interface: vpn
public key: <hidden>
private key: (hidden)
listening port: 24365
peer: <hidden>
preshared key: (hidden)
endpoint: <hidden>:50577 <- the peer's own public IP?
allowed ips: 192.168.9.2/32, 192.168.98.0/24, 192.168.99.0/24, fd00:9::2/128
latest handshake: 1 minute, 5 seconds ago
transfer: 1.63 MiB received, 289.13 KiB sent
From 3:
ubus call system board
{
"kernel": "5.15.150",
"hostname": "<hidden>",
"system": "Atheros AR9344 rev 2",
"model": "TP-Link CPE510 v3",
"board_name": "tplink,cpe510-v3",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.3",
"revision": "r23809-234f1a2efa",
"target": "ath79/generic",
"description": "OpenWrt 23.05.3 r23809-234f1a2efa"
}
}
cat /etc/config/network
# /etc/config/network as pasted from device 3 (the WireGuard initiator).
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix '<hidden>'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.99.1'
option netmask '255.255.255.0'
option ip6assign '60'
# Uplink towards (2)/the router. No device is given here; 'ip route show'
# shows 192.168.101.57 on phy0-sta0, so presumably the wireless client
# interface is attached to this network in /etc/config/wireless (not shown).
config interface 'bridge'
option proto 'dhcp'
config interface 'vpn'
option proto 'wireguard'
option private_key '<hidden>'
# No listen_port: this side initiates, and 'wg show' reports an ephemeral
# port (50577). Only an IPv4 tunnel address is set, although device 1 expects
# this peer as fd00:9::2/128 and ::/0 below is routed into the tunnel -
# NOTE(review): IPv6 sent into the tunnel will have no matching source
# address; consider adding list addresses 'fd00:9::2/64' to match device 1.
list addresses '192.168.9.2/24'
config wireguard_vpn 'wgserver'
option public_key '<hidden>'
option preshared_key '<hidden>'
option endpoint_host '<hidden>'
option endpoint_port '24365'
# Keeps the NAT/stateful path towards the endpoint open from behind the router.
option persistent_keepalive '25'
# With 0.0.0.0/0 and ::/0 below this installs a default route via 'vpn'
# ('default dev vpn scope link' in 'ip route show'); the endpoint itself keeps
# a host route via 192.168.101.1 so the tunnel does not route over itself.
option route_allowed_ips '1'
# Host bits are set here; WireGuard normalises it to 192.168.9.0/24, which is
# what 'wg show' reports.
list allowed_ips '192.168.9.1/24'
list allowed_ips '0.0.0.0/0'
list allowed_ips '::/0'
# Redundant under 0.0.0.0/0. It does not appear in the 'wg show' output
# below, so the running state may predate this line - reload the interface
# after editing.
list allowed_ips '192.168.97.0/24'
cat /etc/config/firewall
# /etc/config/firewall as pasted from device 3 (the WireGuard initiator).
config defaults
option syn_flood '1'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
# 'vpn' is in the lan zone: traffic from device 1's side of the tunnel is
# treated as trusted LAN (input and lan<->vpn forwarding both ACCEPT).
config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'vpn'
# The DHCP uplink ('bridge') is correctly placed in the untrusted wan zone.
# No inbound WireGuard rule is needed here: this side initiates the tunnel
# and has no listen_port.
config zone 'wan'
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
list network 'bridge'
# Because the default route points into 'vpn' (lan zone), LAN traffic to the
# outside goes through the tunnel rather than through this lan -> wan rule.
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# NOTE(review): the next two rules accept ESP and UDP/500 from wan into the
# lan zone. No IPsec interface appears in this device's network config, so
# they can be removed if IPsec is not in use.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
ip route show
default dev vpn scope link
<hidden> via 192.168.101.1 dev phy0-sta0
192.168.9.0/24 dev vpn scope link
192.168.99.0/24 dev br-lan scope link src 192.168.99.1
192.168.101.0/24 dev phy0-sta0 scope link src 192.168.101.57
wg show
interface: vpn
public key: <hidden>
private key: (hidden)
listening port: 50577
peer: <hidden>
preshared key: (hidden)
endpoint: <hidden>:24365
allowed ips: 0.0.0.0/0, ::/0, 192.168.9.0/24
latest handshake: 13 seconds ago
transfer: 264.61 KiB received, 1.47 MiB sent
persistent keepalive: every 25 seconds