Wireguard client cant be reached from server

Hey together, we've been using openwrt for a few years now, and all of a sudden our config stopped working. I investigated the issue for quite some time now, but just cant figure out what could've caused this. No firmware update, no settings changed.

Nevertheless i tried starting from scratch with a new Router (Asus RT-AX53U).
Installed Openwrt version: 22.03.3
Wireguard tools installed as well.

Our setup includes an office router which is also the Wireguard server. We have a few routers for service cases, therefore they are configured to act as wireguard clients, to provide the "real" wireguard clients sitting behind them with a connection to the office router.
Handshake is successful and the connection is established.
The clients connecting through these service routers to the office router are able to access every service that they should be able to.
Even pinging everything within our office routers environment is possible.

The strange thing is that vice versa doesnt work as expected. Therefore my assumption was that it must have something to do with the firewall.

From the office router or any client below it, i can reach the service router and the wireguard interface. But not the client inside of the lan of the service router.

Routing looks good as far as i can tell. I will provide a few screenshots and hope that anybody could help me, as i really got lost a little bit.

image988×812 30.6 KB

I know that it is bad practice to use the same subnet for the vpn interface as well as the lan, but i dont see a problem there, or atleast it should'nt be as the routes are correct from my point of view.

x.x.x.x dev wg0 scope link (server within our office location)
x.x.x.x via x.x.x.x dev wlan0 (office router to service router wan)
x.x.x.x dev wlan0 scope link src x.x.x.x (this service router wan route)
192.168.10.0/24 dev wg0 scope link
192.168.19.0/24 dev wg0 scope link
192.168.30.0/24 dev wg0 scope link
192.168.230.0/24 dev br-lan scope link src 192.168.230.1
192.168.230.0/24 dev wg0 scope link src 192.168.230.10

So basically im connecting any phone hotspot to the openwrt router that this router can connect to the office router.
If you need any more information or have questions regarding my probably rather unclear illustration of the problem, just let me know and i will answer as fast as i can.

It's not bad practice. It is plain wrong. Wireguard interface is layer 3 only and cannot be bridged to another interface. Therefore you need to change the subnet to avoid the ip address overlapping.

I changed the lan subnet to 250.1 for testing purposes. Then i realised that even the service client couldnt reach the office anymore. Thats why i changed it back, because then atleast the service client could reach office environment.
But i can reconfigure it again on thursday.
Are there any other steps to keep in mind? Firewall configuration?
We had it running for 2 years without a issue. Thats why iam a bit frustrated at the moment.

It's hard to say if we don't see the configuration.

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; \
uci export dhcp; uci export firewall; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru

Well i guess i dont need to anymore. I changed the subnet of the wireguard interface and connection was working after a few tries.

Im still a bit shocked, as this configuration was running for over 2 years now. I guess the routing was not working bc of the subnets beeing the same. After thinking about it, it definitly makes no sense using the same subnets.
Anyways thanks for the help! Shoulve been able to figure it out on my own. But as i declared earlier i tried changing the subnet before and it didnt work. This time it also didnt work. But i just waited and after a few tries it worked just fine.

Routing 101. Every subnet must be different.

Congratulations on solving the problem, and thank you for coming back to provide the answer.

Well, i am done now. I just cant understand the issue.The problem is like described before.
Subnets are different. I tried adding another wifi-hotspot to the service router when i noticed that i cant ping the service routers client. Also cant ping from the service router to the office environment.
I checked all routes and they seem legit. Also ip addresses look good.
Troubleshooting with ping and traceroute didnt seem to help me figuring out what is wrong.
It has to be a routing issue, because i can reach the lan interface (192.168.230.1) from my office router. But cant ping the client of the service router (192.168.230.204).

What information shall i provide you to further assist me with this problem?

Office router pinging the lan interface of the service router. But failing to reach service's client.

Route on service router is there, but ping failed to office router

image967×151 11.5 KB

The contents of /etc/config/network and /etc/config/firewall.

Make sure to redact any passwords or keys in the pasted output.

/etc/config/network

image327×801 109 KB

/etc/config/firewall:

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6 wwan2 wwan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option input 'ACCEPT'
        option name 'vpn'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'wg0 lan'

config forwarding
        option dest 'vpn'
        option src 'lan'

config forwarding
        option dest 'lan'
        option src 'vpn'

config forwarding
        option dest 'wan'
        option src 'vpn'

If you trust WireGuard enough to put it in the same zone as your LAN - option network 'wg0 lan' - then don't bother creating a vpn zone. Instead, add wg0 to the lan zone and have done with it.

And the syntax to do so would be:

config zone
        option name 'lan'
        [...]
        list network 'lan'
        list network 'wg0'
        list network 'xyz...'
        [...]

And so on.

I added "list network 'wg0' to the existing lan zone, and deleted the vpn zone, as it was no longer needed.
No connection possible now. Am i missing something?

Wouldnt i need a firewall forwarding from wan to lan now?

image1043×257 12.6 KB

No.
Post the wireguard configuration from the office router as well. You are not masquerading the traffic that goes to the tunnel so the office router needs to know about the subnet of the lan behind OpenWrt.

Does it need to have the wireguard interfaces ip as "allowed ip"? I thought it would be enough to list the lan ip range as allowed ip

image1212×209 71.5 KB

In the previous post the lan IP is 192.168.220.1/24, so yes you need to allow the 192.168.220.0/24 on the office router.

Sorry my bad, i sent you the wrong VPN router config, but it is the same for the 220.

image1207×216 72.8 KB

Post again in preformatted text, not screenshots, the following from the office router and the remote router.

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; \
uci export dhcp; uci export firewall; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru

For the avoidance of doubt, AllowedIPs must reference target addresses/subnets on the other side of the VPN. If you set AllowedIPs to addresses/subnets which are local to the router, then nothing will get sent down the tunnel.

For example:

Router 1:

LAN IP address is 10.0.0.1/24
WireGuard IP address is 172.16.0.1/24

AllowedIPs is 10.0.0.0/24

Router 2:

Lan IP address is 192.168.0.1/24
WireGuard IP address is 172.16.0.2/24

AllowedIPs is 192.168.0.0/24

The above example will FAIL to pass any traffic, because each router's VPN endpoint tries to redirect traffic... to itself.

Instead, this configuration will pass traffic:

Router 1:

LAN IP address is 10.0.0.1/24
WireGuard IP address is 172.16.0.1/24

AllowedIPs is 192.168.0.0/24

Router 2:

Lan IP address is 192.168.0.1/24
WireGuard IP address is 172.16.0.2/24

AllowedIPs is 10.0.0.0/24

I picked the three different RFC 1918 ranges solely for the purpose of illustrating the concept; you do not have to copy it exactly. Just make sure that your configuration follows the same method.

Service Router:
lan interface is defined multiple times in lan zone.

config zone
...
        list network 'lan'
        list network 'wg0'
        list network 'lan'

The wg0 interface should be in the 192.168.30.X range, as there is no 192.168.250.X defined in Office router wg interface or peers.
Also both versions that you are using are very old and unsupported, moreover they have security flaws and shouldn't be exposed to the internet.

But thats why i defined the 192.168.220.x as the allowed ip addresses. The wg0 interface must be allowed as well?

If you want it to be used as source or destination, it must be allowed.