[Solved] Wireguard bridge with lan

Asking again for your help. I have problems accessing my private LAN using WireGuard on macOS.
I've installed the WireGuard server part on a Raspberry Pi and I'm forwarding WireGuard port 500 on my edge router to it.

wg0 interface on raspi has IP: 10.200.200.1
eth0 (LAN) interface on raspi has IP: 192.168.81.19

From the client (macOS) I can ping both 10.200.200.1 and 192.168.81.19 but no other address, like the edge router 192.168.81.1. I've tried two configurations.

  1. added wg0 to same zone as lan (this seemed to work for a while)
  2. created new zone for wg0 and set interzone forwarding to lan zone + masquerading

Current route table on raspi:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.81.1    0.0.0.0         UG    0      0        0 eth0
10.200.200.0    *               255.255.255.0   U     0      0        0 wg0
10.200.200.15   *               255.255.255.255 UH    0      0        0 wg0
10.200.200.111  *               255.255.255.255 UH    0      0        0 wg0
10.200.200.123  *               255.255.255.255 UH    0      0        0 wg0
192.168.81.0    *               255.255.255.0   U     0      0        0 eth0
cat /proc/sys/net/ipv4/ip_forward
1
cat /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config include
	option path '/etc/firewall.user'

config zone
	option name 'vpn'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'
	option network 'vpntun'

config rule
	option src '*'
	option target 'ACCEPT'
	option proto 'udp'
	option name 'Allow-Wireguard-Inbound'
	option dest_port '500'

config zone
	option name 'wireguard'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option network 'wg0'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option dest 'wireguard'
	option src 'lan'

config forwarding
	option dest 'lan'
	option src 'wireguard'

Current situation is that I can connect from macOS client but only access raspi IPs and no other IPs in my LAN.

If you haven't added a static route to 10.200.200.0/24 via 192.168.81.19 as gateway on your router then the router and other LAN devices won't know how to send return traffic to your client.
If you don't add a static route then you may need to use IP masquerade for your wireguard clients.

That's a good point. I believe I've set up masquerade on the raspi (which is the WireGuard server).

config zone
	option name 'wireguard'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option network 'wg0'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option dest 'wireguard'
	option src 'lan'

config forwarding
	option dest 'lan'
	option src 'wireguard'

But I'm not sure how to test whether the masquerade is working. I have tcpdump installed if that helps.

Then you need to set up NATs to reach services if you desire to use masquerade. Otherwise ensure you've correctly routed all traffic on your Mac through the WG interface (0.0.0.0/0).

2 Likes
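The question above of how to tell whether masquerading is actually applied, and the reply's point that without masquerade (or a static route) the LAN has no path back to 10.200.200.0/24, can both be checked mechanically. The following is an added example, not code from this thread or from OpenWrt: it parses the relevant parts of the posted /etc/config/firewall to confirm the zone holding wg0 masquerades and forwards to lan, and then compares a tcpdump capture from wg0 with one from eth0 to classify a client ping. The config excerpt and capture lines are constructed to match the addresses in the thread (client 10.200.200.15, raspi eth0 192.168.81.19, router 192.168.81.1); the capture format assumed is that of `tcpdump -n icmp`.

```python
"""Check WireGuard-to-LAN forwarding on an OpenWrt box from its UCI firewall
config and from tcpdump captures taken on wg0 and on the LAN interface.
Added example for this thread; config and capture lines are constructed."""
import ipaddress
import re
import shlex

# Constructed: the sections of the posted /etc/config/firewall that matter here.
FIREWALL_CONFIG = """
config zone
    option name 'lan'
    option network 'lan'

config zone
    option name 'wireguard'
    option network 'wg0'
    option masq '1'
    option mtu_fix '1'

config forwarding
    option dest 'wireguard'
    option src 'lan'

config forwarding
    option dest 'lan'
    option src 'wireguard'
"""


def parse_uci(text):
    """Return [(section_type, options)] from UCI text; 'list' keys become lists."""
    sections = []
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)
        if not parts:
            continue
        if parts[0] == "config":
            sections.append((parts[1], {}))
        elif parts[0] == "option" and len(parts) >= 2:
            sections[-1][1][parts[1]] = parts[2] if len(parts) > 2 else ""
        elif parts[0] == "list" and len(parts) >= 2:
            sections[-1][1].setdefault(parts[1], []).append(parts[2] if len(parts) > 2 else "")
    return sections


def check_firewall(config_text, wg_network="wg0", lan_zone="lan"):
    """Find the zone containing wg_network and report masq and lan forwardings."""
    sections = parse_uci(config_text)
    zones = [o for t, o in sections if t == "zone"]
    fwds = [o for t, o in sections if t == "forwarding"]
    for z in zones:
        nets = z.get("network", [])
        nets = nets if isinstance(nets, list) else nets.split()
        if wg_network in nets:
            name = z.get("name")
            return {
                "zone": name,
                "masq": z.get("masq") == "1",
                "wg_to_lan": any(f.get("src") == name and f.get("dest") == lan_zone for f in fwds),
                "lan_to_wg": any(f.get("src") == lan_zone and f.get("dest") == name for f in fwds),
            }
    return {"zone": None, "masq": False, "wg_to_lan": False, "lan_to_wg": False}


# Matches "IP a.b.c.d[.port] > e.f.g.h[.port]:" as printed by tcpdump -n.
PKT_RE = re.compile(r"\bIP (\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:")


def packets(capture):
    """Yield (src, dst) address pairs from tcpdump -n output."""
    for line in capture.splitlines():
        m = PKT_RE.search(line)
        if m:
            yield ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))


def diagnose(wg_capture, lan_capture, wg_subnet, lan_addr, target):
    """Classify a VPN client's ping to `target` seen on wg0 and on the LAN side:
    no-vpn-traffic  nothing from the VPN subnet to target on wg0 (client AllowedIPs?)
    not-masqueraded request left eth0 with its 10.200.200.x source (no return route)
    not-forwarded   request seen on wg0 but never on eth0 (zone forward/REJECT)
    no-reply        masqueraded request sent, target never answered
    ok              masqueraded request and reply both observed"""
    wg_subnet = ipaddress.ip_network(wg_subnet)
    lan_addr, target = ipaddress.ip_address(lan_addr), ipaddress.ip_address(target)
    if not any(s in wg_subnet and d == target for s, d in packets(wg_capture)):
        return "no-vpn-traffic"
    lan = list(packets(lan_capture))
    if any(s in wg_subnet and d == target for s, d in lan):
        return "not-masqueraded"
    if not any(s == lan_addr and d == target for s, d in lan):
        return "not-forwarded"
    if not any(s == target and d == lan_addr for s, d in lan):
        return "no-reply"
    return "ok"


# Constructed captures for one client ping: tcpdump -n -i wg0 icmp / -i eth0 icmp
WG0_CAPTURE = "12:00:01.000100 IP 10.200.200.15 > 192.168.81.1: ICMP echo request, id 7, seq 1, length 64\n"
ETH0_OK = ("12:00:01.000200 IP 192.168.81.19 > 192.168.81.1: ICMP echo request, id 7, seq 1, length 64\n"
           "12:00:01.000900 IP 192.168.81.1 > 192.168.81.19: ICMP echo reply, id 7, seq 1, length 64\n")
ETH0_NO_MASQ = "12:00:01.000200 IP 10.200.200.15 > 192.168.81.1: ICMP echo request, id 7, seq 1, length 64\n"
ETH0_DROPPED = ""

if __name__ == "__main__":
    print(check_firewall(FIREWALL_CONFIG))
    for label, cap in (("ok", ETH0_OK), ("no masq", ETH0_NO_MASQ), ("dropped", ETH0_DROPPED)):
        print(label, diagnose(WG0_CAPTURE, cap, "10.200.200.0/24", "192.168.81.19", "192.168.81.1"))
```

On the raspi itself the two captures come from `tcpdump -n -i wg0 icmp` and `tcpdump -n -i eth0 icmp` while the Mac pings the router; the eth0 capture cannot tell the raspi's own pings from forwarded ones, so ping only from the client while capturing. A "not-masqueraded" result is exactly the case the reply describes: the packet reaches the router with a 10.200.200.x source, and without a static route for that prefix via 192.168.81.19 the reply never comes back.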

I believe I also had NAT set up in the firewall config (it's in my previous comment).
Anyway, I don't know what happened, but after restarting the firewall daemon it's working now.

Many thanks.

1 Like

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.