[WireGuard] Router's downstream devices cannot access VPN IPs

Hi, I have my main home (Site A) and a holiday LTE modem (Site B).

I have WireGuard configured on Site A. I'm already using it on many devices to provide access to my NAS.

I've recently acquired an LTE router that is running OpenWrt. I've created a new peer on Site A, and I've configured Site B to connect to Site A and enabled the routes for the peer.
The router is able to ping and communicate with the devices of Site A via the VPN, but the clients connected downstream of the 4G router aren't.

Below the configuration:

# Site A: 
# Subnet 192.168.1.0/24
# Gateway: 192.168.1.254
# WG Subnet: 192.168.48.254/24

root@OpenWrt:~# wg show
interface: VPN
  public key: (hidden)
  private key: (hidden)
  listening port: 51820

peer: (hidden) # Site B
  endpoint: (hidden):21002
  allowed ips: 192.168.42.31/32, 192.168.31.0/24
  latest handshake: 2 minutes, 17 seconds ago
  transfer: 500.06 KiB received, 5.35 KiB sent
  
peer: (hidden) # My Phone
  endpoint: (hidden):22457
  allowed ips: 192.168.42.69/32
  latest handshake: 7 hours, 50 minutes, 4 seconds ago
  transfer: 24.09 MiB received, 230.37 MiB sent
  persistent keepalive: every 25 seconds

... more peers here omitted ...
root@OpenWrt:~#

# Site B:
# Subnet 192.168.31.0/24
# Gateway: 192.168.31.1
# WG Subnet: 192.168.48.31/24

root@OpenWrt:~# wg show
interface: VPN
  public key: (hidden)
  private key: (hidden)
  listening port: 41561

peer: (hidden)
  endpoint: XXX.XXX.XXX.XXX:51820
  allowed ips: 192.168.42.0/24, 192.168.1.0/24
  latest handshake: 1 minute ago
  transfer: 156 B received, 2.04 KiB sent
  persistent keepalive: every 25 seconds
  
root@OpenWrt:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         100.105.197.32  0.0.0.0         UG    0      0        0 wwan0
100.105.197.0   *               255.255.255.192 U     0      0        0 wwan0
XXX.XXX.XXX.XXX 100.105.197.32  255.255.255.255 UGH   0      0        0 wwan0
192.168.1.0     *               255.255.255.0   U     0      0        0 VPN
192.168.31.0    *               255.255.255.0   U     0      0        0 br-lan
192.168.42.0    *               255.255.255.0   U     0      0        0 VPN

root@OpenWrt:~# ping 192.168.1.254
PING 192.168.1.254 (192.168.1.254): 56 data bytes
64 bytes from 192.168.1.254: seq=0 ttl=64 time=51.405 ms
64 bytes from 192.168.1.254: seq=1 ttl=64 time=48.367 ms
64 bytes from 192.168.1.254: seq=2 ttl=64 time=48.143 ms
64 bytes from 192.168.1.254: seq=3 ttl=64 time=47.788 ms
^C
--- 192.168.1.254 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 47.788/48.925/51.405 ms

root@OpenWrt:~# ping 192.168.1.55
PING 192.168.1.55 (192.168.1.55): 56 data bytes
64 bytes from 192.168.1.55: seq=0 ttl=63 time=60.120 ms
64 bytes from 192.168.1.55: seq=1 ttl=63 time=50.823 ms
^C
--- 192.168.1.55 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 50.823/55.471/60.120 ms

root@OpenWrt:~# cat /etc/config/network 

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdab:7e70:908d::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.31.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'LWAN'
	option proto 'qmi'
	option device '/dev/cdc-wdm0'
	option auth 'none'
	option pdptype 'ipv4'
	option apn 'mobile.vodafone.it'
	option pincode '5473'

config interface 'VPN'
	option proto 'wireguard'
	option private_key '(hidden)'
	list addresses '192.168.42.31/24'

config wireguard_VPN
	option description 'Site-A VPN'
	option public_key '(hidden)'
	option endpoint_host 'site-a.mydomain.net'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	option route_allowed_ips '1'
	list allowed_ips '192.168.42.0/24'
	list allowed_ips '192.168.1.0/24'

root@OpenWrt:~# traceroute 192.168.1.55
traceroute to 192.168.1.55 (192.168.1.55), 30 hops max, 46 byte packets
 1  192.168.42.254 (192.168.42.254)  60.958 ms  49.965 ms  31.657 ms
 2  192.168.1.55 (192.168.1.55)  39.817 ms  74.387 ms  44.273 ms
root@OpenWrt:~#

Downstream device traceroute fails:

nicolo@peppy:~$ traceroute 192.168.1.55
traceroute to 192.168.1.55 (192.168.1.55), 30 hops max, 60 byte packets
 1  OpenWrt.lan (192.168.31.1)  1.474 ms  1.409 ms  1.385 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
nicolo@peppy:~$

For simplicity, on both sites the VPN network is inside the LAN zone of the firewall.

What am I missing here?

On site B, move the WireGuard interface to the wan firewall zone or create the following SNAT rule.

uci add firewall nat
uci set firewall.@nat[-1].name='SNAT-to-Home'
uci set firewall.@nat[-1].src='lan'
uci set firewall.@nat[-1].target='SNAT'
uci set firewall.@nat[-1].snat_ip='192.168.42.31'
uci set firewall.@nat[-1].dest_ip='192.168.1.0/24'
uci commit firewall
/etc/init.d/firewall restart

You could also, on site A, add the LAN subnet of site B to the list of allowed_ips.

EDIT:

Sorry, looks like it's already done...


On site A, have you enabled Route Allowed IPs for each peer?

If not, that should do the trick to route traffic from 192.168.31.0/24 back. You already have that in the Allowed IPs, but without enabling Route Allowed IPs there will be no route back.

peer: (hidden) # Site B
  endpoint: (hidden):21002
  allowed ips: 192.168.42.31/32, 192.168.31.0/24

NATting traffic from Site B is also a viable option. You will lose access control and logging, as all traffic will come from the router, but in a SOHO setting that usually is not a problem.

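The diagnosis above (an allowed-ips prefix on Site A that has no kernel route back through the tunnel) is easy to check mechanically. The following POSIX shell script is an added example, not code from this thread or from OpenWrt: it takes `wg show` output and `ip -4 route` output, and prints every peer allowed-ips prefix that is not covered by a route leaving via the WireGuard interface. The `wg show` and `ip route` samples are constructed to mirror the Site A state described in the thread; the interface name `VPN` is taken from the thread, the WAN gateway address and peer key placeholders are made up. Note that the peers' /32 tunnel addresses are already covered by the connected 192.168.42.0/24 route, which is why only the remote LAN subnet shows up as missing until Route Allowed IPs is enabled.

```shell
#!/bin/sh
# Constructed sample of Site A's `wg show` (only the allowed-ips lines are parsed).
WG_SHOW_SITE_A='interface: VPN
  listening port: 51820

peer: PEER_B_PUBKEY_PLACEHOLDER
  allowed ips: 192.168.42.31/32, 192.168.31.0/24

peer: PEER_PHONE_PUBKEY_PLACEHOLDER
  allowed ips: 192.168.42.69/32'

# Constructed `ip -4 route` output for Site A in the broken state:
# the tunnel /24 is routed, the Site B LAN 192.168.31.0/24 is not.
ROUTES_BROKEN='default via 203.0.113.1 dev wan
192.168.1.0/24 dev br-lan scope link
192.168.42.0/24 dev VPN scope link'

# Same table after Route Allowed IPs installed the per-peer route.
ROUTES_FIXED='default via 203.0.113.1 dev wan
192.168.1.0/24 dev br-lan scope link
192.168.42.0/24 dev VPN scope link
192.168.31.0/24 dev VPN scope link'

# ip2int DOTTED_QUAD -> prints the address as a 32-bit integer
ip2int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# covers ROUTE_CIDR TARGET_CIDR -> exit 0 if the route prefix contains the target prefix
covers() {
    r_addr=${1%/*}; r_len=${1#*/}
    t_addr=${2%/*}; t_len=${2#*/}
    [ "$r_len" -le "$t_len" ] || return 1
    mask=$(( r_len == 0 ? 0 : (0xFFFFFFFF << (32 - r_len)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$r_addr") & mask )) -eq $(( $(ip2int "$t_addr") & mask )) ]
}

# missing_routes WG_SHOW_OUTPUT IP_ROUTE_OUTPUT WG_IFNAME
# Prints each allowed-ips prefix with no covering route via WG_IFNAME, one per line.
missing_routes() {
    wg_out=$1; rt_out=$2; wgif=$3
    # Destination prefixes of all routes that leave through the WireGuard interface
    wg_routes=$(printf '%s\n' "$rt_out" | awk -v dev="$wgif" '
        { for (i = 1; i <= NF; i++) if ($i == "dev" && $(i + 1) == dev) print $1 }')
    printf '%s\n' "$wg_out" |
    sed -n 's/^ *allowed ips: *//p' | tr ',' '\n' | sed 's/^ *//; s/ *$//' |
    while IFS= read -r prefix; do
        [ -n "$prefix" ] || continue
        case $prefix in */*) ;; *) prefix=$prefix/32 ;; esac
        covered=0
        for r in $wg_routes; do
            [ "$r" = default ] && r=0.0.0.0/0          # ip route prints 0.0.0.0/0 as "default"
            case $r in */*) ;; *) r=$r/32 ;; esac      # host routes are printed without /32
            if covers "$r" "$prefix"; then covered=1; break; fi
        done
        [ "$covered" -eq 1 ] || printf '%s\n' "$prefix"
    done
}

# Stand-alone run: report what Site A lacks in the broken state (prints 192.168.31.0/24).
missing_routes "$WG_SHOW_SITE_A" "$ROUTES_BROKEN" VPN
```

On a live router the same function can be fed real output with `missing_routes "$(wg show)" "$(ip -4 route)" VPN`; any prefix it prints is one whose return traffic will leave via the default route (or be dropped) instead of going back into the tunnel, which is exactly the symptom the downstream traceroute shows.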

Damn, I thought I had the flag set.
Dumb me, probably doing VPN configuration at 2 AM is not the best idea, and this morning I didn't catch the issue either.

It makes perfect sense why only the gateway is working!

@pavelgl
Cool idea to use SNAT if you don't want to mess with Site-A routing.

In future it would be cool to have IP mapping so I don't have to have different LAN subnets, but a bigger range in the WireGuard subnet. For example: 10.0.1.0/24 is one site and 10.0.31.0/24 is another; each IP is mapped 1:1 with its LAN subnet.

In this way all hosts on the VPN will have a common IP range, and with basic firewall rules I can whitelist some of the IPs on each site.

Useful to share some services with friends without messing up their network configuration and without having to configure WG on each node.

Thanks guys!
