Wireguard clients can't access entire network

Hello. I have a network with two routers: router1 is the main router, and has its WAN port connected to the internet. The "downstream" router2 has its WAN port connected to one of the LAN ports of router1.


Devices on network1 can access devices on network2 because I've added a static route:

config route
        option interface 'lan'
        option target '192.168.2.0'
        option netmask '255.255.255.0'
        option gateway '192.168.1.7'

router2 has its WAN interface statically assigned to 192.168.1.7

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'static'
        option broadcast '192.168.1.255'
        option gateway '192.168.1.1'
        list ipaddr '192.168.1.7/24'

With this setup all devices on network1 (like server1) can access all devices on network2 (like server2).

I've set up wireguard peers between router1 and some devices (phone, laptop, etc.). When a peer from the internet connects to router1, it can access all devices on network1, but it cannot access any devices on network2.

On router1, the configuration of one of the peers is as follows:

config interface 'wg0'
        option proto 'wireguard'
        option private_key <redacted>
        option listen_port '51820'
        list addresses '192.168.9.1/24'

config wireguard_wg0 'wgclientphone'
        option description 'phone'
        option public_key <redacted>
        list allowed_ips '0.0.0.0/0'

I've tried to add static routes for wireguard peers to access the 192.168.2.0 network (network2) but I have not succeeded.

Does anyone know what my config is missing to allow wireguard peers of router1 to access devices on network2?

The following is the output of running

uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru;

on router1:

package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd87:0b98:8a51::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'eth0.2'
        option macaddr '00:31:92:da:80:f8'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'
        option peerdns '0'
        list dns '208.67.222.222'
        list dns '208.67.220.220'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'
        list dns '2620:119:35::35'
        list dns '2620:119:53::53'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 0t'

config interface 'wg0'
        option proto 'wireguard'
        option private_key <redacted>
        option listen_port '51820'
        list addresses '192.168.9.1/24'

config interface 'wg1'
        option proto 'wireguard'
        option private_key <redacted>
        option listen_port '51821'
        list addresses '192.168.10.1/24'

config wireguard_wg0 'wgclientphone'
        option description 'phone'
        option public_key <redacted>
        list allowed_ips '0.0.0.0/0'

config wireguard_wg1 'wgclientlaptop'
        option description 'laptop'
        option public_key <redacted>
        list allowed_ips '0.0.0.0/0'

config route
        option interface 'lan'
        option target '192.168.2.0'
        option netmask '255.255.255.0'
        option gateway '192.168.1.7'

package wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'pci0000:00/0000:00:00.0'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid <redacted>
        option encryption 'psk2'
        option key <redacted>

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/ahb/18100000.wmac'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid <redacted>
        option encryption 'psk2'
        option key <redacted>

package dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        list ra_flags 'none'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wg0'
        list network 'wg0'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wg1'
        list network 'wg1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'
        option masq '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config forwarding
        option src 'wg0'
        option dest 'lan'

config forwarding
        option src 'wg0'
        option dest 'wan'

config forwarding
        option src 'wg1'
        option dest 'lan'

config forwarding
        option src 'wg1'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

config rule 'wg0'
        option name 'Allow-WireGuard'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

config rule 'wg1'
        option name 'Allow-WireGuard'
        option src 'wan'
        option dest_port '51821'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'autosubapi'
        option src 'wan'
        option src_dport '5443'
        option dest_ip '192.168.1.5'
        option dest_port '5443'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
8: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet <redacted WAN IP>/22 brd <redacted>.255 scope global eth0.2
       valid_lft forever preferred_lft forever
19: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
21: wg1: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN qlen 1000
    inet 192.168.10.1/24 brd 192.168.10.255 scope global wg1
       valid_lft forever preferred_lft forever
22: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN qlen 1000
    inet 192.168.9.1/24 brd 192.168.9.255 scope global wg0
       valid_lft forever preferred_lft forever
default via <redacted>.1 dev eth0.2  src <redacted WAN IP>
<redacted>.0/22 dev eth0.2 scope link  src <redacted WAN IP>
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1
192.168.2.0/24 via 192.168.1.7 dev br-lan
192.168.9.0/24 dev wg0 scope link  src 192.168.9.1
192.168.10.0/24 dev wg1 scope link  src 192.168.10.1
broadcast <redacted>.0 dev eth0.2 table local scope link  src <redacted WAN IP>
local <redacted WAN IP> dev eth0.2 table local scope host  src <redacted WAN IP>
broadcast <redacted>.255 dev eth0.2 table local scope link  src <redacted WAN IP>
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
broadcast 192.168.1.0 dev br-lan table local scope link  src 192.168.1.1
local 192.168.1.1 dev br-lan table local scope host  src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local scope link  src 192.168.1.1
broadcast 192.168.9.0 dev wg0 table local scope link  src 192.168.9.1
local 192.168.9.1 dev wg0 table local scope host  src 192.168.9.1
broadcast 192.168.9.255 dev wg0 table local scope link  src 192.168.9.1
broadcast 192.168.10.0 dev wg1 table local scope link  src 192.168.10.1
local 192.168.10.1 dev wg1 table local scope host  src 192.168.10.1
broadcast 192.168.10.255 dev wg1 table local scope link  src 192.168.10.1
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

on router2:

package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd52:12ee:c650::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.2.1'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'static'
        option broadcast '192.168.1.255'
        option gateway '192.168.1.1'
        list ipaddr '192.168.1.7/24'

config device 'wan_dev'
        option name 'eth0.2'
        option macaddr '98:da:c4:7c:15:73'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 0t'

config interface 'netvpn'
        option proto 'none'
        option ifname 'tun0'

package wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11a'
        option path 'pci0000:00/0000:00:00.0'
        option htmode 'VHT80'
        option disabled '0'
        option channel '48'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option key <redacted>
        option encryption 'psk2'
        option ssid <redacted>

config wifi-device 'radio1'
        option type 'mac80211'
        option hwmode '11g'
        option path 'platform/ahb/18100000.wmac'
        option htmode 'HT20'
        option disabled '0'
        option channel '1'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option encryption 'psk2'
        option key <redacted>
        option ssid <redacted>

package dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option nonwildcard '1'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        list dhcp_option '6,193.138.218.74'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config forwarding
        option src 'wan'
        option dest 'lan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping-LAN'
        option src 'lan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'netvpn'

config forwarding
        option src 'lan'
        option dest 'vpn'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.2.1/24 brd 192.168.2.255 scope global br-lan
       valid_lft forever preferred_lft forever
8: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.7/24 brd 192.168.1.255 scope global eth0.2
       valid_lft forever preferred_lft forever
335: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 100
    inet <redacted>/16 brd <redacted>.255.255 scope global tun0
       valid_lft forever preferred_lft forever
0.0.0.0/1 via <redacted>.1 dev tun0
default via 192.168.1.1 dev eth0.2
<redacted>.0/16 dev tun0 scope link  src <redacted>
128.0.0.0/1 via <redacted>.1 dev tun0
169.150.203.41 via 192.168.1.1 dev eth0.2
192.168.1.0/24 dev eth0.2 scope link  src 192.168.1.7
192.168.2.0/24 dev br-lan scope link  src 192.168.2.1
broadcast <redacted>.0 dev tun0 table local scope link  src <redacted>
local <redacted> dev tun0 table local scope host  src <redacted>
broadcast <redacted>.255.255 dev tun0 table local scope link  src <redacted>
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
broadcast 192.168.1.0 dev eth0.2 table local scope link  src 192.168.1.7
local 192.168.1.7 dev eth0.2 table local scope host  src 192.168.1.7
broadcast 192.168.1.255 dev eth0.2 table local scope link  src 192.168.1.7
broadcast 192.168.2.0 dev br-lan table local scope link  src 192.168.2.1
local 192.168.2.1 dev br-lan table local scope host  src 192.168.2.1
broadcast 192.168.2.255 dev br-lan table local scope link  src 192.168.2.1
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

Thank you very much.

For each WireGuard peer config section on OpenWrt, fix the option allowed_ips to match the IP configured on the respective VPN client.

Thanks for your response. Sorry, I'm not quite sure I understand; both the "server" (router1) peer configuration and the "client" (phone, laptop) peer configuration have allowed IPs set to 0.0.0.0/0 to match. My understanding was that this would allow each peer to access a device of any IP address (so the "client" could access the internet, as well as the LANs connected to router1).

Are these incorrect settings for allowed_ips, and instead I should use different allowed IPs to accomplish what I'd like?

Here's the wireguard configuration on my phone:

INTERFACE
---------
Name: home
Public key: <redacted>
Addresses: 192.168.9.2/24
DNS servers: 192.168.1.1

PEER
----
Public key: <redacted>
Endpoint: <WAN IP of router1>
Allowed IPs: 0.0.0.0/0
Persistent Keepalive: every 30 seconds

Thanks.

On your OpenWRT configuration, in the peer config for this device, the allowed ips should be this address with a /32.

192.168.9.2/32
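
The advice above hinges on what allowed_ips actually does. The following is an added example, not code from the thread, from WireGuard or from OpenWrt: a small Python simulation of WireGuard's cryptokey routing table, which is what the allowed_ips option on each peer section feeds. It assumes the peer names "phone" and "laptop" from the thread, the phone's tunnel address 192.168.9.2 from the posted client config, and a constructed 192.168.1.50 source address standing in for a packet the client sends with a forged LAN source.

```python
"""Simulation of WireGuard's cryptokey routing, the per-interface table that
the allowed_ips option feeds. Added example for this thread, not code from
WireGuard or OpenWrt; peer names are taken from the thread, and the
192.168.1.50 "spoofed" source address is constructed for the demonstration.

WireGuard uses AllowedIPs in two directions:
  outbound: a packet handed to the wg interface is encrypted to the peer whose
            AllowedIPs entry is the longest match for the destination;
  inbound:  a packet decrypted from a peer is delivered only if its source
            address lies inside that peer's AllowedIPs, otherwise it is dropped.
Each prefix can belong to only one peer per interface: assigning the same
prefix to a second peer moves it away from the first.
"""
import ipaddress
from typing import Dict, List, Optional

Net = ipaddress.IPv4Network


class WgInterface:
    """One wg interface with its cryptokey routing table."""

    def __init__(self) -> None:
        self.peers: Dict[str, List[Net]] = {}

    def add_peer(self, name: str, *allowed_ips: str) -> None:
        nets = [ipaddress.ip_network(a) for a in allowed_ips]
        # An identical prefix already owned by another peer is reassigned.
        for other, other_nets in self.peers.items():
            self.peers[other] = [n for n in other_nets if n not in nets]
        self.peers[name] = nets

    def outbound_peer(self, dst: str) -> Optional[str]:
        """Peer that a packet for dst is encrypted to (longest prefix wins)."""
        addr = ipaddress.ip_address(dst)
        best, best_len = None, -1
        for name, nets in self.peers.items():
            for net in nets:
                if addr in net and net.prefixlen > best_len:
                    best, best_len = name, net.prefixlen
        return best

    def inbound_allowed(self, peer: str, src: str) -> bool:
        """Whether a packet decrypted from peer with source src is delivered."""
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.peers.get(peer, []))


def router1_as_posted() -> WgInterface:
    """wg0 on router1 with the phone peer at allowed_ips 0.0.0.0/0."""
    wg0 = WgInterface()
    wg0.add_peer("phone", "0.0.0.0/0")
    return wg0


def router1_with_host_prefix() -> WgInterface:
    """wg0 with the advice from the thread applied: the client's tunnel address /32."""
    wg0 = WgInterface()
    wg0.add_peer("phone", "192.168.9.2/32")
    return wg0


if __name__ == "__main__":
    posted, fixed = router1_as_posted(), router1_with_host_prefix()
    # Both deliver traffic for the phone's real tunnel address.
    print(posted.outbound_peer("192.168.9.2"), fixed.outbound_peer("192.168.9.2"))
    # Only the /32 version drops a packet the phone sends with a LAN source address.
    print(posted.inbound_allowed("phone", "192.168.1.50"),
          fixed.inbound_allowed("phone", "192.168.1.50"))
    # A second 0.0.0.0/0 peer on the same interface takes the prefix from the first.
    posted.add_peer("laptop", "0.0.0.0/0")
    print(posted.outbound_peer("192.168.9.2"),
          posted.inbound_allowed("phone", "192.168.9.2"))
```

Two things follow from the simulation. On the server side, 0.0.0.0/0 for a peer means router1 will accept packets from that peer with any source address, including addresses belonging to network1, so the /32 is the least-privilege setting as well as the one that makes a second peer on the same interface possible. On the client side, 0.0.0.0/0 in the phone's PEER section is what sends all of the phone's traffic into the tunnel, which is why the /32 on the router did not change what the phone could reach.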

Thank you. I've set the allowed_ips to 192.168.9.2/32 for that peer config on the router1 OpenWRT configuration as you suggest, and it allows me the same connectivity as when I had that set to 0.0.0.0/0 (I can access all devices on network1, and the internet) but unfortunately I still can't access devices on network2.

Does router 2 allow traffic from WG e.g. from 192.168.9.0/24?


Does router 2 allow traffic from WG e.g. from 192.168.9.0/24?

This is perhaps the issue, but I haven't figured out how to rectify. I tried to add firewall rules to router2 to accept 192.168.9.0/24 traffic:

# the interface is named eth0.2; the "@eth0" shown by ip(8) is the parent device, not part of the name
iptables -A INPUT -i eth0.2 -s 192.168.9.0/24 -p tcp -j ACCEPT
iptables -A OUTPUT -o eth0.2 -d 192.168.9.0/24 -p tcp -j ACCEPT
iptables -A INPUT -i br-lan -s 192.168.9.0/24 -p tcp -j ACCEPT
iptables -A OUTPUT -o br-lan -d 192.168.9.0/24 -p tcp -j ACCEPT

But those had no effect.

I also tried to add a static route on router2 for 192.168.9.0, as well as assign a 192.168.9.* IP address to the WAN interface, but haven't had any success yet.

As a test you can just enable MASQUERADING over the LAN interface of router 1.

If that works it is a route/firewall issue.

To allow traffic you also have to use the FORWARD chain, and not only TCP traffic but all traffic.
INPUT is only for router 2 itself, not for the clients behind it.

For testing just use:
iptables -I FORWARD -s 192.168.9.0/24 -j ACCEPT
iptables -I INPUT -s 192.168.9.0/24 -j ACCEPT

Thank you very much for your assistance and patience.

As a test you can just enable MASQUERADING over the LAN interface of router 1.

Indeed, when enabling MASQUERADING for "lan => wan" zone forwarding on router1 (using LuCI GUI) the wireguard client was suddenly able to access router2 and all devices on network2. So, yes, a routing/firewall issue, and while I'm not very good at this yet, I'm guessing it's routing.

Here is the output of route on router1:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         <WAN gateway>   0.0.0.0         UG    0      0        0 eth0.2
<redacted>      *               255.255.252.0   U     0      0        0 eth0.2
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan
192.168.2.0     192.168.1.7     255.255.255.0   UG    0      0        0 br-lan
192.168.9.0     *               255.255.255.0   U     0      0        0 wg0
192.168.10.0    *               255.255.255.0   U     0      0        0 wg1

And here is the output of route on router2:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.11.0.1       128.0.0.0       UG    0      0        0 tun0
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0.2
10.11.0.0       *               255.255.0.0     U     0      0        0 tun0
128.0.0.0       10.11.0.1       128.0.0.0       UG    0      0        0 tun0
<redacted>      192.168.1.1     255.255.255.255 UGH   0      0        0 eth0.2
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0.2
192.168.2.0     *               255.255.255.0   U     0      0        0 br-lan

For testing just use:

iptables -I FORWARD -s 192.168.9.0/24 -j ACCEPT
iptables -I INPUT -s 192.168.9.0/24 -j ACCEPT

These had no obvious effect when I tried (wireguard client was still unable to reach router2 and devices on network2).

I'd prefer not to use masquerading because I noticed it made all my server logs unusable (every client looked the same: always the IP of router1 :) )

I'm guessing it's a routing issue on router1 because the wireguard client cannot ping 192.168.1.7 (the WAN interface of router2).

The MASQUERADING indeed has drawbacks as you noticed.

I do not think it is a routing issue: from the wg clients which want to reach router 2, the traffic comes out on router1, and that already has a route to router 2.
On the way back from router 2 to the wg client, it should use the default route to router 1, and this router has a route to the wg client.

My guess is that it is firewall related.

Did you set the firewall rules on router 2?

If your clients on router 2 also have their own firewall then these clients also should allow WG traffic.
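
The return path can be checked against the router2 routing table posted earlier in the thread. The following is an added example, not part of the post above or of the original thread: a longest-prefix-match lookup in Python over that table, which is what the kernel does when router2 picks an outgoing interface for a reply. Assumptions: the table is transcribed from the `ip -4 ro` and `route` output above (the OpenVPN gateway 10.11.0.1 and device tun0 are the values shown there); the extra route used in `with_extra_route()` is illustrative only, the thread does not confirm that it resolves the problem, and the original poster reports having tried a static route on router2 without success.

```python
"""Longest-prefix lookup over router2's main routing table as transcribed from
the `ip -4 ro` and `route` output posted earlier in this thread. Added example,
not code from the thread: it shows which interface router2 would send a reply
out of, given that table. The candidate static route in with_extra_route() is
an assumption for illustration; the thread does not confirm it fixes anything.
"""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, Optional[str], str]  # (prefix, gateway or None, device)

ROUTER2_MAIN_TABLE: List[Route] = [
    ("0.0.0.0/1",         "10.11.0.1",   "tun0"),    # OpenVPN half-default route
    ("0.0.0.0/0",         "192.168.1.1", "eth0.2"),  # default via router1
    ("10.11.0.0/16",      None,          "tun0"),    # connected: tunnel subnet
    ("128.0.0.0/1",       "10.11.0.1",   "tun0"),    # OpenVPN other half-default
    ("169.150.203.41/32", "192.168.1.1", "eth0.2"),  # host route via router1
    ("192.168.1.0/24",    None,          "eth0.2"),  # connected: network1
    ("192.168.2.0/24",    None,          "br-lan"),  # connected: network2
]


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Return the most specific route in table covering dst (longest prefix wins)."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    best_len = -1
    for prefix, gw, dev in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = (prefix, gw, dev), net.prefixlen
    return best


def egress_device(table: List[Route], dst: str) -> Optional[str]:
    """Interface a packet for dst leaves on, or None if unroutable."""
    route = lookup(table, dst)
    return route[2] if route else None


def with_extra_route(table: List[Route], prefix: str,
                     gw: Optional[str], dev: str) -> List[Route]:
    """Copy of table with one more route, e.g. a static route for a WireGuard subnet."""
    return table + [(prefix, gw, dev)]


if __name__ == "__main__":
    # Replies to the two WireGuard subnets, to router1's LAN address, and to the internet.
    for dst in ("192.168.9.2", "192.168.10.2", "192.168.1.1", "8.8.8.8"):
        print(dst, "->", lookup(ROUTER2_MAIN_TABLE, dst))
    patched = with_extra_route(ROUTER2_MAIN_TABLE, "192.168.9.0/24", "192.168.1.1", "eth0.2")
    print("192.168.9.2 with an assumed static route ->", lookup(patched, "192.168.9.2"))
```

With the table as posted, a reply to 192.168.9.2 or 192.168.10.2 matches 128.0.0.0/1 via tun0, which is more specific than the 0.0.0.0/0 default via router1, so it enters the OpenVPN tunnel rather than going back to router1. A reply to 192.168.1.1 matches the connected 192.168.1.0/24 on eth0.2, which is consistent with the earlier observation that masquerading on router1's LAN side made network2 reachable.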

My guess is that it is firewall related.

Yes, probably.

Did you set the firewall rules on router 2?

Yes. Here is a complexity I had hoped I didn't need to dive into: I have router2 set up to be an openvpn client and to send internet-bound traffic from devices on network2 through an openvpn tunnel. Because devices directly on network1 have no problem accessing devices on network2, I assumed the same access should be enjoyed by wireguard clients because they should be "virtually" on network1. But perhaps this is not true, and traffic cannot get back to the wireguard client because it's getting routed through said openvpn tunnel to la la land.

Side note: Devices on network2 can't directly access devices on network1, but I don't mind that, as long as devices on network1 can access devices on network2.

Here is what the firewall settings in the GUI look like for router2:

Here is the output of iptables -L on router2:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */
input_rule  all  --  anywhere             anywhere             /* !fw3: Custom input rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
syn_flood  tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN /* !fw3 */
zone_lan_input  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_input  all  --  anywhere             anywhere             /* !fw3 */
zone_vpn_input  all  --  anywhere             anywhere             /* !fw3 */

Chain FORWARD (policy DROP)
target     prot opt source               destination
forwarding_rule  all  --  anywhere             anywhere             /* !fw3: Custom forwarding rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
zone_lan_forward  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_forward  all  --  anywhere             anywhere             /* !fw3 */
zone_vpn_forward  all  --  anywhere             anywhere             /* !fw3 */
reject     all  --  anywhere             anywhere             /* !fw3 */

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */
output_rule  all  --  anywhere             anywhere             /* !fw3: Custom output rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
zone_lan_output  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_output  all  --  anywhere             anywhere             /* !fw3 */
zone_vpn_output  all  --  anywhere             anywhere             /* !fw3 */

Chain forwarding_lan_rule (1 references)
target     prot opt source               destination

Chain forwarding_rule (1 references)
target     prot opt source               destination

Chain forwarding_vpn_rule (1 references)
target     prot opt source               destination

Chain forwarding_wan_rule (1 references)
target     prot opt source               destination

Chain input_lan_rule (1 references)
target     prot opt source               destination

Chain input_rule (1 references)
target     prot opt source               destination

Chain input_vpn_rule (1 references)
target     prot opt source               destination

Chain input_wan_rule (1 references)
target     prot opt source               destination

Chain output_lan_rule (1 references)
target     prot opt source               destination

Chain output_rule (1 references)
target     prot opt source               destination

Chain output_vpn_rule (1 references)
target     prot opt source               destination

Chain output_wan_rule (1 references)
target     prot opt source               destination

Chain reject (3 references)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere             /* !fw3 */ reject-with tcp-reset
REJECT     all  --  anywhere             anywhere             /* !fw3 */ reject-with icmp-port-unreachable

Chain syn_flood (1 references)
target     prot opt source               destination
RETURN     tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50 /* !fw3 */
DROP       all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_dest_ACCEPT (5 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_forward (1 references)
target     prot opt source               destination
forwarding_lan_rule  all  --  anywhere             anywhere             /* !fw3: Custom lan forwarding rule chain */
zone_vpn_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3: Zone lan to vpn forwarding policy */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
zone_lan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_input (1 references)
target     prot opt source               destination
input_lan_rule  all  --  anywhere             anywhere             /* !fw3: Custom lan input rule chain */
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request /* !fw3: Allow-Ping-LAN */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
zone_lan_src_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_output (1 references)
target     prot opt source               destination
output_lan_rule  all  --  anywhere             anywhere             /* !fw3: Custom lan output rule chain */
zone_lan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_src_ACCEPT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate NEW,UNTRACKED /* !fw3 */

Chain zone_vpn_dest_ACCEPT (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             ctstate INVALID /* !fw3: Prevent NAT leakage */
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_vpn_dest_REJECT (1 references)
target     prot opt source               destination
reject     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_vpn_forward (1 references)
target     prot opt source               destination
forwarding_vpn_rule  all  --  anywhere             anywhere             /* !fw3: Custom vpn forwarding rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
zone_vpn_dest_REJECT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_vpn_input (1 references)
target     prot opt source               destination
input_vpn_rule  all  --  anywhere             anywhere             /* !fw3: Custom vpn input rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
zone_vpn_src_REJECT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_vpn_output (1 references)
target     prot opt source               destination
output_vpn_rule  all  --  anywhere             anywhere             /* !fw3: Custom vpn output rule chain */
zone_vpn_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_vpn_src_REJECT (1 references)
target     prot opt source               destination
reject     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_dest_ACCEPT (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             ctstate INVALID /* !fw3: Prevent NAT leakage */
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_forward (1 references)
target     prot opt source               destination
forwarding_wan_rule  all  --  anywhere             anywhere             /* !fw3: Custom wan forwarding rule chain */
zone_lan_dest_ACCEPT  esp  --  anywhere             anywhere             /* !fw3: Allow-IPSec-ESP */
zone_lan_dest_ACCEPT  udp  --  anywhere             anywhere             udp dpt:isakmp /* !fw3: Allow-ISAKMP */
zone_lan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3: Zone wan to lan forwarding policy */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
zone_wan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_input (1 references)
target     prot opt source               destination
input_wan_rule  all  --  anywhere             anywhere             /* !fw3: Custom wan input rule chain */
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc /* !fw3: Allow-DHCP-Renew */
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request /* !fw3: Allow-Ping */
ACCEPT     igmp --  anywhere             anywhere             /* !fw3: Allow-IGMP */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
zone_wan_src_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_output (1 references)
target     prot opt source               destination
output_wan_rule  all  --  anywhere             anywhere             /* !fw3: Custom wan output rule chain */
zone_wan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_src_ACCEPT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate NEW,UNTRACKED /* !fw3 */

I ran tcpdump on router1, and on server2, and then pinged server2 from a remote wireguard client. I see the ICMP echo requests from 192.168.9.2 coming through router1 and into server2, but I do not see replies on router1, so traffic back to 192.168.9.2 is either disallowed by router2's firewall rules or perhaps getting diverted to the openvpn tunnel.

If your clients on router 2 also have their own firewall, then these clients should also allow WG traffic.

Client devices on network2 (like server2) don't have firewall enabled.

That could well be the problem as the default route on router 2 is probably going through the vpn.

Usually there is a route to the next hop e.g router 1 and that is why it is working for traffic from router 1.

What you can try is to set a static route on router 2 to route the wireguard traffic to router 1.

I'm trying to do this, but have not succeeded. For example, here's an attempt to give traffic destined for 192.168.9.2 a route via 192.168.1.7, which is the address of router2's WAN interface (connected to router1's network).

Here's the output of ip route:

0.0.0.0/1 via 10.11.0.1 dev tun0
default via 192.168.1.1 dev eth0.2
10.11.0.0/16 dev tun0 scope link  src 10.11.0.3
128.0.0.0/1 via 10.11.0.1 dev tun0
<redacted> via 192.168.1.1 dev eth0.2
192.168.1.0/24 dev eth0.2 scope link  src 192.168.1.7
192.168.2.0/24 dev br-lan scope link  src 192.168.2.1
192.168.9.2 via 192.168.1.7 dev eth0.2

With this in place, when 192.168.9.2 pings a host on router2's network it still cannot receive replies.

Try the whole network:
192.168.9.0/24 via 192.168.1.1 dev eth0.2

The problem is that router 2 has a default route via tun0; the above route should circumvent this and send traffic for 192.168.9.0/24 to router 1.

Otherwise you should use PBR

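An added example, not from the thread, that replays the longest-prefix match the kernel performs over router2's posted routing table using Python's standard ipaddress module. It shows that without a more specific route, replies to 192.168.9.2 fall under the OpenVPN 128.0.0.0/1 route (out tun0, as the reply explains), that the suggested 192.168.9.0/24 route wins once added, and it flags a route whose gateway is one of router2's own addresses (192.168.1.7 is router2's WAN address per the eth0.2 src), which can never hand packets to router1. The route table is a constructed copy of the one posted above with the <redacted> host route omitted.

```python
import ipaddress

# Constructed copy of router2's posted `ip route` table (the <redacted> host route is omitted
# as its prefix is unknown), the reply's suggested route, and the earlier attempt via 192.168.1.7.
ROUTER2_ROUTES = """\
0.0.0.0/1 via 10.11.0.1 dev tun0
default via 192.168.1.1 dev eth0.2
10.11.0.0/16 dev tun0 scope link  src 10.11.0.3
128.0.0.0/1 via 10.11.0.1 dev tun0
192.168.1.0/24 dev eth0.2 scope link  src 192.168.1.7
192.168.2.0/24 dev br-lan scope link  src 192.168.2.1
"""
SUGGESTED_ROUTE = "192.168.9.0/24 via 192.168.1.1 dev eth0.2\n"
ATTEMPTED_ROUTE = "192.168.9.2 via 192.168.1.7 dev eth0.2\n"

def _field(tokens, name):
    """Value following keyword `name` in an `ip route` line, or None if absent."""
    return tokens[tokens.index(name) + 1] if name in tokens else None

def parse_routes(text):
    """Parse `ip route` lines into (network, gateway, device, src) tuples."""
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        prefix = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
        net = ipaddress.ip_network(prefix, strict=False)  # a bare host becomes /32
        routes.append((net, _field(tokens, "via"), _field(tokens, "dev"), _field(tokens, "src")))
    return routes

def lookup(routes, dst):
    """Longest-prefix match: the route the kernel would choose for `dst`."""
    addr = ipaddress.ip_address(dst)
    best = None
    for route in routes:
        if addr in route[0] and (best is None or route[0].prefixlen > best[0].prefixlen):
            best = route
    return best

def self_pointing_routes(routes):
    """Routes whose gateway is one of this host's own addresses (the `src` of its
    connected routes); such a next hop can never hand packets to router1."""
    local = {route[3] for route in routes if route[3]}
    return [route for route in routes if route[1] in local]

if __name__ == "__main__":
    print("before fix:", lookup(parse_routes(ROUTER2_ROUTES), "192.168.9.2"))
    print("after fix: ", lookup(parse_routes(ROUTER2_ROUTES + SUGGESTED_ROUTE), "192.168.9.2"))
    print("self-pointing:", self_pointing_routes(parse_routes(ROUTER2_ROUTES + ATTEMPTED_ROUTE)))
```

On the real router, `ip route get 192.168.9.2` on router2 gives the same answer the lookup function computes, so it is the quickest check that the new route is actually being selected.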
