Wireguard access lan behind server

Hello,

I have already searched through the forum for this issue and found similar questions, but I am not seeing where the issue lies.

My setup is the following:

LAN <-> Openwrt router (wireguard server) <-> Internet
Internet <-> Openwrt router (wireguard client) <-> LAN

I have successfully established a WireGuard connection between the client and the server. From inside the client LAN I can ping the WireGuard server and also the LAN IP of the WireGuard server, but I cannot reach any LAN IP behind the server router from the WireGuard client LAN.

Openwrt router (wireguard server):
10.0.0.199 br-lan
10.200.200.1 wg0

Openwrt router (wireguard client):
192.168.8.1 br-lan
10.200.200.2 wg0

Example LAN ip behind server router:
10.0.0.124

Example LAN ip behind client router:
192.168.8.2

I can ping from the LAN behind the client router to the server's wg0 address and also to its br-lan address, i.e. both 10.0.0.199 and 10.200.200.1.

wg0 is in the firewall zone 'lan' on the WireGuard server router:

config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan wg0'

I also tried setting this, though it is not necessary if lan and wg0 are in the same zone, right?

config forwarding
option dest 'wg0'
option src 'lan'

config forwarding
option dest 'lan'
option src 'wg0'

The problem now is that I can't reach any client IPs in the LAN behind the WireGuard server router from the client router's LAN.

Please post the following from both the server and the client routers:
cat /etc/config/network; cat /etc/config/firewall ; cat /etc/config/dhcp ; ip -4 addr ; ip -4 ro ; ip -4 ru

@trendy

server

root@wrtarm:~# cat /etc/config/network; cat /etc/config/firewall ; cat /etc/conf
ig/dhcp ; ip -4 addr ; ip -4 ro ; ip -4 ru

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '10.0.0.199'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option ifname 'eth1.2'
        option _orig_ifname 'eth1.2'
        option _orig_bridge 'false'
        option proto 'static'
        option ipaddr '192.168.2.199'
        option netmask '255.255.255.0'
        option gateway '192.168.2.1'
        option dns '1.1.1.1 1.0.0.1'

config interface 'wan6'
        option ifname 'eth1.2'
        option proto 'dhcpv6'
        option auto '0'
        option reqaddress 'try'
        option reqprefix 'auto'

config interface 'vpn1'
        option proto 'static'
        option ifname 'tun0'
        option auto '0'
        option delegate '0'

config interface 'vpn2'
        option proto 'static'
        option ifname 'tun1'
        option auto '0'
        option delegate '0'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 6t'

config interface 'wg0'
        option proto 'wireguard'
        option private_key '...'
        option listen_port '...'
        list addresses '10.200.200.1/24'

config wireguard_wg0
        option public_key '...'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        list allowed_ips '10.200.200.2/24'

config rule
        option name 'Allow-wireguard'
        option src 'wan'
        option proto 'udp'
        option dest_port '...'
        option target 'ACCEPT'
        option family 'ipv4'
        option enabled '1'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'
        option enabled '0'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option target 'ACCEPT'
        option src 'lan'
        option dest 'wan'
        option name '11 allow'
        option src_ip '10.0.0.11'
        option family 'ipv4'
        option proto 'all'

config rule
        option target 'ACCEPT'
        option src 'lan'
        option dest 'wan'
        option name '112 allow'
        option src_ip '10.0.0.112'
        option family 'ipv4'
        option proto 'all'

config rule
        option target 'ACCEPT'
        option src 'lan'
        option dest 'wan'
        option name '22 allow'
        option src_ip '10.0.0.22'
        option family 'ipv4'
        option proto 'all'

config rule
        option target 'ACCEPT'
        option src 'lan'
        option dest 'wan'
        option name '239 allow'
        option src_ip '10.0.0.239'
        option family 'ipv4'
        option proto 'all'

config rule
        option target 'ACCEPT'
        option src 'lan'
        option dest 'wan'
        option name '240 allow'
        option src_ip '10.0.0.240'
        option family 'ipv4'
        option proto 'all'

config rule
        option target 'ACCEPT'
        option src 'lan'
        option dest 'wan'
        option name '241 allow'
        option src_ip '10.0.0.241'
        option family 'ipv4'
        option proto 'all'

config rule
        option target 'ACCEPT'
        option src 'lan'
        option dest 'wan'
        option name '242 allow'
        option src_ip '10.0.0.242'
        option family 'ipv4'
        option proto 'all'

config rule
        option target 'ACCEPT'
        option src 'lan'
        option dest 'wan'
        option name '243 allow'
        option src_ip '10.0.0.243'
        option family 'ipv4'
        option proto 'all'

config rule
        option target 'ACCEPT'
        option src 'lan'
        option dest 'wan'
        option name '244 allow'
        option src_ip '10.0.0.244'
        option family 'ipv4'
        option proto 'all'

config rule
        option target 'ACCEPT'
        option src 'lan'
        option dest 'wan'
        option name '245 allow'
        option src_ip '10.0.0.245'
        option family 'ipv4'
        option proto 'all'

config rule
        option target 'ACCEPT'
        option src 'lan'
        option dest 'wan'
        option name '246 allow'
        option src_ip '10.0.0.246'
        option family 'ipv4'
        option proto 'all'

config rule
        option target 'ACCEPT'
        option src 'lan'
        option dest 'wan'
        option name '247 allow'
        option src_ip '10.0.0.247'
        option family 'ipv4'
        option proto 'all'

config rule
        option target 'ACCEPT'
        option src 'lan'
        option dest 'wan'
        option name '248 allow'
        option src_ip '10.0.0.248'
        option family 'ipv4'
        option proto 'all'

config rule
        option target 'ACCEPT'
        option src 'lan'
        option dest 'wan'
        option name '249 allow'
        option src_ip '10.0.0.249'
        option family 'ipv4'
        option proto 'all'

config rule
        option target 'ACCEPT'
        option src 'lan'
        option dest 'wan'
        option name '250 allow'
        option src_ip '10.0.0.250'
        option family 'ipv4'
        option proto 'all'

config rule
        option target 'ACCEPT'
        option src 'lan'
        option dest 'wan'
        option name '251 allow'
        option src_ip '10.0.0.251'
        option family 'ipv4'
        option proto 'all'

config rule
        option target 'ACCEPT'
        option src 'lan'
        option dest 'wan'
        option name '252 allow'
        option src_ip '10.0.0.252'
        option family 'ipv4'
        option proto 'all'

config rule
        option target 'ACCEPT'
        option src 'lan'
        option dest 'wan'
        option name '9 allow'
        option src_ip '10.0.0.9'
        option family 'ipv4'
        option proto 'all'

config rule
        option target 'ACCEPT'
        option src 'lan'
        option dest 'wan'
        option name 'tcom http allow'
        option family 'ipv4'
        option ipset 'tcomv4'
        option proto 'tcp'
        option dest_port '80'

config rule
        option target 'ACCEPT'
        option src 'lan'
        option dest 'wan'
        option name 'tcom https allow'
        option family 'ipv4'
        option ipset 'tcomv4'
        option proto 'tcp'
        option dest_port '443'

config rule
        option src 'lan'
        option dest 'wan'
        option name 'PC reject'
        option target 'REJECT'

config redirect
        option target 'DNAT'
        option proto 'tcp udp'
        option name 'Divert DNS'
        option src 'lan'
        option src_dport '53'
        option dest_port '53'
        option enabled '1'

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option drop_invalid '0'
        option synflood_protect '0'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan wg0'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option network 'wan wan6'

config include
        option path '/etc/firewall.user'

config ipset
        option name 'tcomv4'
        option match 'dest_ip'
        option storage 'hash'
        option family 'IPv4'

config ipset
        option name 'tcomv6'
        option match 'dest_ip'
        option storage 'hash'
        option family 'IPv6'

config ipset
        option name 'nlv4'
        option match 'dest_ip'
        option storage 'hash'
        option family 'IPv4'

config ipset
        option name 'usav4'
        option match 'dest_ip'
        option storage 'hash'
        option family 'IPv4'

config zone
        option name 'vpn'
        option network 'vpn1 vpn2'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config forwarding
        option dest 'vpn'
        option src 'lan'

config forwarding
        option dest 'wan'
        option src 'lan'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

config include 'bcp38'
        option type 'script'
        option path '/usr/lib/bcp38/run.sh'
        option family 'IPv4'
        option reload '1'

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option nonwildcard '1'
        option noresolv '1'
        #option resolvfile '/tmp/resolv.conf.auto'
        option resolvfile '/root/resolv-crypt.conf'
        list server '127.0.0.1#5353'
        list server '127.0.0.1#5354'
        list server '/zattoo.com/127.0.0.1#53003'
        list server '/zattoo.de/127.0.0.1#53003'
        list server '/netflix.com/127.0.0.1#53003'
        list server '/netflix.de/127.0.0.1#53003'
        list server '/nflxvideo.net/127.0.0.1#53003'
        #option serversfile '/tmp/adb_list.overall'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option force '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
12: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 10.0.0.199/24 brd 10.0.0.255 scope global br-lan
       valid_lft forever preferred_lft forever
14: eth1.2@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.2.199/24 brd 192.168.2.255 scope global eth1.2
       valid_lft forever preferred_lft forever
15: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.200.200.1/24 brd 10.200.200.255 scope global wg0
       valid_lft forever preferred_lft forever
16: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    inet 172.21.28.32/23 brd 172.21.29.255 scope global tun0
       valid_lft forever preferred_lft forever
default via 192.168.2.1 dev eth1.2 proto static
10.0.0.0/24 dev br-lan proto kernel scope link src 10.0.0.199
10.200.200.0/24 dev wg0 proto kernel scope link src 10.200.200.1
172.21.28.0/23 dev tun0 proto kernel scope link src 172.21.28.32
192.168.2.0/24 dev eth1.2 proto kernel scope link src 192.168.2.199
0:      from all lookup local
32739:  from 10.0.0.112 lookup telekom
32740:  from 10.0.0.9 lookup telekom
32742:  from 10.0.0.247 lookup telekom
32743:  from 10.0.0.246 lookup telekom
32744:  from 10.0.0.245 lookup telekom
32745:  from 10.0.0.244 lookup telekom
32746:  from 10.0.0.243 lookup telekom
32747:  from 10.0.0.242 lookup telekom
32748:  from 10.0.0.241 lookup telekom
32749:  from 10.0.0.240 lookup telekom
32750:  from 10.0.0.239 lookup telekom
32751:  from 10.0.0.33 lookup telekom
32752:  from 10.0.0.23 lookup vpn1
32759:  from 10.0.0.22 lookup telekom
32760:  from 10.0.0.11 lookup telekom
32763:  from all fwmark 0x3 lookup vpn2
32764:  from all fwmark 0x2 lookup vpn1
32765:  from all fwmark 0x1 lookup telekom
32766:  from all lookup main
32767:  from all lookup default
root@wrtarm:~#

client

root@GL-MT300N-V2:~# cat /etc/config/network; cat /etc/config/firewall ; cat /et
c/config/dhcp ; ip -4 addr ; ip -4 ro ; ip -4 ru

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix '...'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option macaddr '...'
        option default_macaddr '...'
        option hostname '...'
        option ipaddr '192.168.8.1'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'
        option hostname '...'

config device 'wan_dev'
        option name 'eth0.2'
        option macaddr '...'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0 6t'

config interface 'guest'
        option ifname 'guest'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.9.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wwan'
        option proto 'dhcp'
        option metric '20'


config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6 wwan'

config forwarding
        option src 'lan'
        option dest 'wan'
        option enabled '0'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'
        option reload '1'

config zone 'guestzone'
        option name 'guestzone'
        option network 'guest'
        option forward 'REJECT'
        option output 'ACCEPT'
        option input 'REJECT'

config forwarding 'guestzone_fwd'
        option src 'guestzone'
        option dest 'wan'
        option enabled '0'

config rule 'guestzone_dhcp'
        option name 'guestzone_DHCP'
        option src 'guestzone'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '67-68'

config rule 'guestzone_dns'
        option name 'guestzone_DNS'
        option src 'guestzone'
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '53'

config include 'glfw'
        option type 'script'
        option path '/usr/bin/glfw.sh'
        option reload '1'

config include 'glqos'
        option type 'script'
        option path '/usr/sbin/glqos.sh'
        option reload '1'

config include 'mwan3'
        option type 'script'
        option path '/var/etc/mwan3.include'
        option reload '1'

config rule 'glservice_rule'
        option name 'glservice'
        option dest_port '83'
        option proto 'tcp udp'
        option src 'wan'
        option target 'ACCEPT'
        option enabled '0'

config rule 'AllowWireguard'
        option name 'Allow-Wireguard'
        option target 'ACCEPT'
        option src 'wan'
        option proto 'udp tcp'
        option family 'ipv4'
        option dest_port '...'

config zone 'wireguard'
        option name 'wireguard'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option device 'wg0'

config forwarding 'wireguard_wan'
        option src 'wireguard'
        option dest 'wan'

config forwarding 'wireguard_lan'
        option src 'wireguard'
        option dest 'lan'

config forwarding 'lan_wireguard'
        option src 'lan'
        option dest 'wireguard'

config forwarding 'guest_wireguard'
        option src 'guestzone'
        option dest 'wireguard'

config forwarding 'wireguard_guest'
        option src 'wireguard'
        option dest 'guestzone'


config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option nonwildcard '1'
        option localservice '1'
        option noresolv '1'
        list server '127.0.0.1#53535'
        option resolvfile '/tmp/resolv.conf.vpn'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option force '1'
        option dhcpv6 'server'
        option ra 'server'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option leasetime '12h'
        option limit '150'
        option dhcpv6 'server'
        option ra 'server'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config domain 'localhost'
        option name 'console.gl-inet.com'
        option ip '192.168.8.1'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
10: apcli0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
    inet 192.168.0.100/24 brd 192.168.0.255 scope global apcli0
       valid_lft forever preferred_lft forever
11: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.8.1/24 brd 192.168.8.255 scope global br-lan
       valid_lft forever preferred_lft forever
15: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.200.200.2/24 scope global wg0
       valid_lft forever preferred_lft forever
0.0.0.0/1 dev wg0 scope link
default via 192.168.0.1 dev apcli0 proto static src 192.168.0.100 metric 20
10.200.200.0/24 dev wg0 proto kernel scope link src 10.200.200.2
WIREGUART_SERVER_IP via 192.168.0.1 dev apcli0
128.0.0.0/1 dev wg0 scope link
192.168.0.0/24 dev apcli0 proto static scope link metric 20
192.168.8.0/24 dev br-lan proto kernel scope link src 192.168.8.1
0:      from all lookup local
1002:   from all iif apcli0 lookup main
2002:   from all fwmark 0x200/0x3f00 lookup 2
2061:   from all fwmark 0x3d00/0x3f00 blackhole
2062:   from all fwmark 0x3e00/0x3f00 unreachable
32766:  from all lookup main
32767:  from all lookup default
root@GL-MT300N-V2:~#


config proxy
	option main_server 'Wireguard-Home'
	option enable '1'
	option host '...'

config peers 'wg_peer_8386'
	option name 'Wireguard-Home'
	option address '10.200.200.2/24'
	option listen_port '...'
	option private_key '...'
	option end_point '...'
	option public_key '...'
	option persistent_keepalive '25'
	option allowed_ips '0.0.0.0/0'
	option dns '10.200.200.1'

In client there is no wireguard interface.
On the server you allow only 10.200.200.2, so anything else will not be allowed. You need to allow all IPs that will traverse the WG tunnel, which means the LAN subnet as well.
Also, I can see some routing tables there, like telekom and vpn1. Make sure they have a route for the tunnel.
As a side note, the ULA IPv6 prefix is private; there is no need to hide it in the config files.

What? As I said, the WireGuard connection is working, so there is obviously a WireGuard interface. From the client LAN I can also ping both the WireGuard server and the server's br-lan IP on the other subnet, just not the LAN IPs behind the server. So what is your suggestion for fixing this? Of course I only allow 10.200.200.2, since that is the client. As I said, the WireGuard connection is working: I can surf from the client LAN over the server's tun0 connection, and that works great. It is just the server LAN that I can't reach. I'm not sure what that apcli0 device on the client is or how it works, but it works.

Check what you pasted from the client's network configuration file and let me know if you see any WireGuard interface...

15: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.200.200.2/24 scope global wg0

Stop looking for issues which aren't there (I did not ask about them); as I said, the WireGuard connection is established and working. The LAN behind the WireGuard client router surfs through the tun0 (OpenVPN) connection of the WireGuard server; all of that is working, don't worry. The only thing not working is that I can't reach the LAN behind the WireGuard server from the LAN of the WireGuard client router.

I posted the included config file at the end of the WireGuard client config. This router doesn't use the WireGuard config in the network file but a separate WireGuard config file.

config proxy
	option main_server 'Wireguard-Home'
	option enable '1'
	option host '...'

config peers 'wg_peer_8386'
	option name 'Wireguard-Home'
	option address '10.200.200.2/24'
	option listen_port '...'
	option private_key '...'
	option end_point '...'
	option public_key '...'
	option persistent_keepalive '25'
	option allowed_ips '0.0.0.0/0'
	option dns '10.200.200.1'

Apologies, I didn't scroll all the way down.
As I said in my second post, you have neither allowed the client's LAN subnet nor routed it.
Good luck fixing that.

How is that important? So setting option allowed_ips '0.0.0.0/0' on the server should fix this? I don't think so. I can reach the internet from the client LAN through the server, and I can ping br-lan. How would that work then? I want to reach the other way around... Pinging from the client router itself also doesn't work, so this is not the root of the issue.

I noticed that I can ping 10.0.0.124 the moment I first bring up the WireGuard connection, but after about 15 seconds it stops working. Reconnecting doesn't fix this; only restarting the WireGuard server does, as if the WireGuard server is doing something in the first 10 seconds that messes up the firewall rules or routes.

There is no need to revive a 2 year old dead thread, you can start your own.
