WG, Peer to Server works, Server to Peer does not

Hi,

I have such setup:

I can access all from 192.168.2.0 to 192.168.1.0 and ping every PC in this LAN.
But not the other way around. So 192.168.1.1 can not ping 192.168.2.1, only 192.168.9.2

Peer (192.168.2.1):

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
    option device 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fda6:1437:3194::/48'

config interface 'wan'
    option device 'eth0.1'
    option proto 'dhcp'
    option ifname 'usb0'

config interface 'wan6'
    option device 'eth0.1'
    option proto 'dhcpv6'
    option ifname 'usb0'

config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'eth0.2'

config interface 'lan'
    option device 'br-lan'
    option proto 'static'
    option ipaddr '192.168.2.1'
    option netmask '255.255.255.0'
    option ip6assign '60'

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '0 8t'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '1 2 3 4 8t'

config interface 'TetheringWAN'
    option proto 'dhcp'
    option device 'usb0'

config interface 'WG0'
    option proto 'wireguard'
    option listen_port '51820'
    option private_key '+AQB/l00='
    list addresses '192.168.9.2/24'
    list addresses 'df1:e8a1:8d3f:9::2/64'

config wireguard_WG0
    option public_key '='
    option preshared_key '9Q7F4WJSwT1++='
    list allowed_ips '0.0.0.0/0'
    list allowed_ips '::/0'
    option endpoint_host '194.127.'
    option endpoint_port '51820'
    option persistent_keepalive '25'
    option route_allowed_ips '1'
    
root@OpenWrt:~# cat /etc/config/firewall

config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    list network 'lan'

config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    list network 'wan'
    list network 'wan6'
    list network 'TetheringWAN'
    list network 'WG0'

config forwarding
    option src 'lan'
    option dest 'wan'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option proto 'icmp'
    option family 'ipv4'
    option target 'ACCEPT'
    list icmp_type 'echo-request'
    option src 'wan'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fc00::/6'
    option dest_ip 'fc00::/6'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-IPSec-ESP'
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option name 'Allow-ISAKMP'
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

config rule
    option name 'Support-UDP-Traceroute'
    option src 'wan'
    option dest_port '33434:33689'
    option proto 'udp'
    option family 'ipv4'
    option target 'REJECT'
    option enabled '0'

config include
    option path '/etc/firewall.user'

config rule
    option name 'Allow-WireGuard'
    list proto 'udp'
    option dest_port '51820'
    option target 'ACCEPT'
    option src 'wan'

Server (192.168.1.1):

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
    option device 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fdc9:5bf2:c819::/48'

config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'eth0.1'

config interface 'lan'
    option device 'br-lan'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
    option ip6assign '60'

config device
    option name 'eth0.2'
    option macaddr '6c:b0:ce:1b:95:db'

config interface 'wan'
    option device 'eth0.2'
    option proto 'dhcp'

config interface 'wan6'
    option device 'eth0.2'
    option proto 'dhcpv6'

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '1 2 3 4 0t'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '5 0t'

config interface 'vpn'
    option proto 'wireguard'
    option private_key '='
    option listen_port '51820'
    list addresses '192.168.9.1/24'
    list addresses 'fdf1:e8a1:8d3f:9::1/64'

config wireguard_vpn 'wgclient'
    option public_key '+='
    option preshared_key '++='
    list allowed_ips '192.168.9.2/32'
    list allowed_ips 'fdf1:e8a1:8d3f:9::2/128'
    option route_allowed_ips '1'

config wireguard_vpn 'wglaptop'
    option public_key '//g+C6BcLsK2k='
    option preshared_key '++4c='
    list allowed_ips '192.168.9.3/32'
    list allowed_ips 'fdf1:e8a1:8d3f:9::3/128'

config wireguard_vpn 'wgmobile'
    option public_key '+='
    option preshared_key '8aHc4r/='
    list allowed_ips '192.168.9.4/32'
    list allowed_ips 'fdf1:e8a1:8d3f:9::4/128'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option synflood_protect '1'

config zone 'lan'
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    list network 'lan'
    list network 'vpn'

config zone 'wan'
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option masq '1'
    option mtu_fix '1'
    list network 'wan'
    list network 'wan6'
    option forward 'REJECT'

config forwarding 'lan_wan'
    option src 'lan'
    option dest 'wan'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fc00::/6'
    option dest_ip 'fc00::/6'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-IPSec-ESP'
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option name 'Allow-ISAKMP'
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

config rule
    option name 'Support-UDP-Traceroute'
    option src 'wan'
    option dest_port '33434:33689'
    option proto 'udp'
    option family 'ipv4'
    option target 'REJECT'
    option enabled '0'

config include
    option path '/etc/firewall.user'

config redirect
    option target 'DNAT'
    option name 'WEB_443'
    list proto 'tcp'
    option src 'wan'
    option dest 'lan'
    option dest_ip '192.168.1.7'
    option dest_port '443'
    option src_dport '443'

config redirect
    option target 'DNAT'
    option name 'WEB_80'
    list proto 'tcp'
    option src 'wan'
    option src_dport '80'
    option dest 'lan'
    option dest_ip '192.168.1.7'
    option dest_port '81'

config rule 'wg'
    option name 'Allow-WireGuard'
    option dest_port '51820'
    option proto 'udp'
    option target 'ACCEPT'
    option src 'wan'

I am out of ideas and have no idea what search for anymore...

The reason you can only ping one way is twofold...

  1. you have your remote peer side WG network associated with the firewall wan zone which is firewall restricted and also masqueraded. You should remove it from the wan zone and then add it to either to the lan firewall zone, or create a new zone (call it wg) and then allow wg > lan and lan > wg forwarding.

  2. your server side doesn't know how to reach 192.168.2.0/24. So you need a static route on your server side: 192.168.2.0/24 via 192.168.9.2

1 Like

Thank you for the tipps!

I tried to add the WG0 interface at the peer to the lan zone. But then internet on the peer was broken.
Need to check again. And how does the peer know when I ping 192.168.1.1 from 192.168.2.1 that it must go through 192.168.9.1 to reach 192.168.1.1 as example?

hmmm... it just occurred to me that you do need masquerading enabled on the WG network for your internet to work through the tunnel... let me think about this a bit more.

The remote peer sends all of its traffic through the tunnel, so it doesn't really need to know anything other than the fact that the tunnel becomes the default gateway. It is the other direction that requires the route information (where the 'server' side doesn't send traffic through the tunnel by default, except for the traffic that is responding to connections initiated from the remote peer).

1 Like

Masquerade to the Internet would occur at the server. The two LANs should be symmetrically routed. This means add a route back to 192.168.2.0 via 192.168.9.2 at the server, which would be done by adding .2.0/24 to the allowed_ips in the client's config on the server, and setting route_allowed_ips at the server side.

The LAN router's default route to the Internet is the server end of the tunnel 192.168.9.1. A request for the Internet from a .2.X LAN machine would be received at the server with that IP unchanged (since there is no masquerade in the LAN router) and NATd to the Internet using the server's public IP. Then the reply would be routed back to 192.168.2.X via 192.168.9.2.

1 Like

So add

list allowed_ips '192.168.2.0/24'

at config wireguard_vpn 'wgclient' on server config?

route_allowed_ips is already set.

And move the WG0 interface at the peer to lan zone?

Sorry, it's not my main item and I am easy confused by all the possibilities and options everywhere :innocent:.

Nice catch! As I read this initially, it was not making sense to me, but then I realized it should work since the key is symmetric routing! If the symmetric routing is not configured, then the client side would need to use masquerading on the wg zone. But as long as the routing is symmetric, masquerading is only required on the server side WAN.