Hello,
I searched the forum but did not find a solution that works.
I have built a test environment to simulate a real environment at a friend's place.
There are 4 main components.
- Local Area Network with LAN / WiFi running on an AVM router. The LAN address range is 192.168.100.0/24.
The AVM router is 192.168.100.1 and I added a second address, 192.168.140.3, to the same network interface.
In the real world the AVM router works in a similar way, but only the OpenWrt device (here the NanoPi) is connected to it.
The local network is behind the OpenWrt device. - NanoPi R2S running OpenWrt. Its WAN port is connected to the AVM router.
It acts as the OpenVPN / WireGuard server.
WAN-IP 192.168.140.13
LAN IP 192.168.240.3 - HP8570 notebook connected to the LAN of the R2S (Manjaro Linux).
This is the device simulating a member of the "real" local LAN.
IP 192.168.240.22 - HP8560 notebook connected to the WiFi of the AVM router (dual boot Windows 10 / Manjaro Linux)
It acts as the OpenVPN / WireGuard client.
IP 192.168.100.106
At least I want to access the HP8570 from the HP8560:
HP8560 -> AVM -> NanoPi -> HP8570
After starting the OpenVPN client on the HP8560 I can ping 192.168.240.3 (NanoPi) and 192.168.240.22 (HP8570) as expected.
But when starting the TunSafe/WireGuard client on the HP8560 I can only ping the NanoPi.
What do I have to change in the configuration to make access to the LAN possible?
Keep in mind that I will have to define multiple clients in the future.
Here is some info (NanoPi):
cat /etc/config/network
# /etc/config/network as pasted from the NanoPi R2S (uci ignores lines starting with '#').
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdf0::/64'
# lan: bridge over eth1 with 192.168.240.3/24 -- the side on which the HP8570 (192.168.240.22) sits.
config interface 'lan'
option type 'bridge'
option ifname 'eth1'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.240.3'
# wan: eth0 towards the AVM router, static 192.168.140.13/24.
# NOTE(review): gateway and DNS point at 192.168.140.1, while the post says the AVM router's second
# address is 192.168.140.3 -- confirm which address the AVM really answers on. The default route in
# 'ip -4 ro' uses 192.168.140.1 as well, and OpenVPN replies do reach the HP8560, so it seems to work.
config interface 'wan'
option ifname 'eth0'
option proto 'static'
option ipaddr '192.168.140.13'
option netmask '255.255.255.0'
option gateway '192.168.140.1'
list dns '192.168.140.1'
config interface 'wan6'
option ifname 'eth0'
option proto 'dhcpv6'
option reqprefix 'auto'
option reqaddress 'try'
# wg_srv0: WireGuard server on UDP 10000 (opened on wan by the 'Allow-Wireguard' rule in /etc/config/firewall).
# Tunnel address 10.140.140.1/32 (the client uses 10.140.140.11/24 on its side).
# NOTE(review): this interface is not referenced by any zone in /etc/config/firewall, so its forwarded
# traffic is handled by the firewall defaults (forward REJECT) -- see the notes in that file.
config interface 'wg_srv0'
option proto 'wireguard'
option private_key '...'
option listen_port '10000'
option mtu '1360'
list addresses '10.140.140.1/32'
list addresses 'fdf1::1/64'
option nohostroute '1'
# Peer HP8560. route_allowed_ips '1' installs the host route '10.140.140.11 dev wg_srv0' visible in 'ip -4 ro'.
# allowed_ips is WireGuard's cryptokey-routing filter: only packets from this peer with source
# 10.140.140.11 / fdf1::11 are accepted. Every additional client needs its own 'config wireguard_wg_srv0'
# section with its own public_key and a distinct allowed_ips (/32 per client).
config wireguard_wg_srv0
option description 'HP8560'
option public_key '...'
option route_allowed_ips '1'
option persistent_keepalive '25'
list allowed_ips '10.140.140.11/32'
list allowed_ips 'fdf1::11/128'
cat /etc/config/firewall
# /etc/config/firewall as pasted from the NanoPi R2S (uci ignores lines starting with '#').
# Defaults apply to traffic on interfaces that belong to no zone -- which is the case for wg_srv0
# (it is listed in no zone below). NOTE(review): input ACCEPT is why the WireGuard client can ping the
# router's own 192.168.240.3, and forward REJECT is why it cannot reach 192.168.240.22 behind br-lan.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
# lan zone: the 'lan' network plus the OpenVPN device tun0. forward ACCEPT permits tun0 <-> br-lan
# inside the zone, which is why the OpenVPN client reaches 192.168.240.22. wg_srv0 has no such membership.
# Fix options: add `list network 'wg_srv0'` here (WireGuard clients become full lan members, like tun0),
# or -- least privilege -- give wg_srv0 its own zone and add a 'config forwarding' from that zone to lan,
# so VPN clients get only the forwarding that is explicitly granted.
config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
list device 'tun0'
# wan zone: input REJECT plus masquerading; only the rules below open anything from the outside.
config zone 'wan'
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
# Only lan -> wan forwarding is granted; with forward REJECT as default every other zone pair needs its own entry.
config forwarding 'lan_wan'
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
# OpenWrt default: the router answers IPv4 echo requests from wan.
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# OpenWrt default rules: forward ESP and UDP 500 from wan into lan. Harmless while nothing in lan
# listens for IPsec, but they can be disabled if IPsec is not used.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled '0'
# /etc/firewall.user is applied as well; its contents are not shown in the post.
config include
option path '/etc/firewall.user'
# Opens UDP 10000 on wan -- matches listen_port of wg_srv0 in /etc/config/network.
config rule 'wireguard'
option name 'Allow-Wireguard'
option src 'wan'
option dest_port '10000'
option proto 'udp'
option target 'ACCEPT'
# Opens UDP 11000 on wan for the OpenVPN server behind tun0.
config rule 'ovpn'
option name 'Allow-OpenVPN'
option src 'wan'
option proto 'udp'
option target 'ACCEPT'
option dest_port '11000'
cat /etc/config/dhcp
# /etc/config/dhcp as pasted from the NanoPi R2S (uci ignores lines starting with '#').
config dnsmasq
option domainneeded '1'
option localise_queries '1'
# rebind_protection / rebind_localhost: upstream DNS answers pointing at private ranges are refused.
option rebind_protection '1'
option rebind_localhost '1'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
# localservice '1': DNS queries are answered only from subnets the router has an interface in.
# NOTE(review): with wg_srv0 holding only 10.140.140.1/32, a WireGuard client at 10.140.140.11 is
# presumably not 'local' to dnsmasq -- only relevant if the clients are meant to use the router for DNS
# (the pasted client config sets no DNS); verify on the device.
option localservice '1'
option domain '....xa'
# DHCPv4 pool 192.168.240.150 - .174 (start 150, limit 25), 12h leases; DHCPv6 and RA are served on lan too.
config dhcp 'lan'
option interface 'lan'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
option ra_slaac '1'
list ra_flags 'managed-config'
list ra_flags 'other-config'
option start '150'
option ra_management '1'
option limit '25'
# No DHCP is served towards the AVM side.
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
# Static lease for host 'M283fdw' at 192.168.240.12 (MAC redacted in the post).
config host
option name 'M283fdw'
option dns '1'
option mac '...'
option ip '192.168.240.12'
ip -4 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
inet 192.168.140.13/24 brd 192.168.140.255 scope global eth0
valid_lft forever preferred_lft forever
4: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.240.3/24 brd 192.168.240.255 scope global br-lan
valid_lft forever preferred_lft forever
6: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
inet 10.168.240.1 peer 10.168.240.2/32 scope global tun0
valid_lft forever preferred_lft forever
7: wg_srv0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1360 qdisc noqueue state UNKNOWN group default qlen 1000
inet 10.140.140.1/32 brd 255.255.255.255 scope global wg_srv0
valid_lft forever preferred_lft forever
ip -4 ro
default via 192.168.140.1 dev eth0 proto static
10.140.140.11 dev wg_srv0 proto static scope link
10.168.240.0/24 via 10.168.240.2 dev tun0
10.168.240.2 dev tun0 proto kernel scope link src 10.168.240.1
159.253.112.245 via 192.168.140.1 dev eth0 proto static
192.168.140.0/24 dev eth0 proto kernel scope link src 192.168.140.13
192.168.240.0/24 dev br-lan proto kernel scope link src 192.168.240.3
uci show | grep wg
network.wg_srv0=interface
network.wg_srv0.proto='wireguard'
network.wg_srv0.private_key='...'
network.wg_srv0.listen_port='10000'
network.wg_srv0.mtu='1360'
network.wg_srv0.addresses='10.140.140.1/32' 'fdf1::1/64'
network.wg_srv0.nohostroute='1'
network.@wireguard_wg_srv0[0]=wireguard_wg_srv0
network.@wireguard_wg_srv0[0].description='HP8560'
network.@wireguard_wg_srv0[0].public_key='...'
network.@wireguard_wg_srv0[0].route_allowed_ips='1'
network.@wireguard_wg_srv0[0].persistent_keepalive='25'
network.@wireguard_wg_srv0[0].allowed_ips='10.140.140.11/32' 'fdf1::11/128'
The WireGuard client config:
# WireGuard client config on the HP8560 (lines starting with '#' are comments).
[Interface]
PrivateKey = ...
# The /24 here is what installs the 10.140.140.0/24 route on tun0 seen in 'route' on the HP8560.
Address = 10.140.140.11/24
[Peer]
PublicKey = ...
# AllowedIPs is both the route list and the cryptokey-routing filter: 192.168.240.0/24 is sent through the
# tunnel (hence the 192.168.240.0 route on tun0). NOTE(review): the server's tunnel address 10.140.140.1/32
# is not included, so the server's own tunnel IP is not reachable through the tunnel even though the /24
# route exists; add it if that is wanted. Reaching 192.168.240.22 is not blocked here but by the
# firewall on the NanoPi, where wg_srv0 belongs to no zone.
AllowedIPs = 192.168.240.0/24
# Matches listen_port 10000 of wg_srv0 and the 'Allow-Wireguard' rule on the NanoPi.
Endpoint = 192.168.140.13:10000
PersistentKeepalive = 25
route & tracepath
[HP8560]$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default fritz.box 0.0.0.0 UG 600 0 0 wlo1
10.140.140.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
192.168.100.0 0.0.0.0 255.255.255.0 U 600 0 0 wlo1
192.168.240.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
[HP8560]$ tracepath 192.168.240.3
1?: [LOCALHOST] pmtu 1420
1: 192.168.240.3 3.397ms reached
1: 192.168.240.3 2.598ms reached
Resume: pmtu 1420 hops 1 back 1
[HP8560]$ tracepath 192.168.240.22
1?: [LOCALHOST] pmtu 1420
1: keine Antwort
Henning