I spent two days looking for a solution, without results. I'm really crying.
I had to reinstall a Linux Debian machine. I replicated the installation with a script I wrote over the years, but I cannot get back a sort of site-to-site WireGuard config that worked before.
The Linux Debian machine is used as an internal node in my LAN; it is directly connected to the router, but even though I can reach this Linux host from outside, I cannot reach other local IPs (the router itself, for example). I think there is some firewall rule or similar on the router, but I do not understand why it worked before and now it does not.
The situation is:
A, the smartphone <=> B, the internet VPS <=> C, the linux debian host (via router) on the lan
The configs are:
```ini
[Interface]
PrivateKey =
Address = 10.0.10.1/32
ListenPort = 55610
DNS = 172.16.1.1
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

#host C linux debian
[Peer]
PublicKey =
PresharedKey =
AllowedIPs = 10.0.10.200/32, 172.16.1.0/24

#smartphone
[Peer]
PublicKey =
PresharedKey =
AllowedIPs = 10.0.10.2/32
```
On the host Linux C:
```ini
# server linux C
[Interface]
PrivateKey =
Address = 10.0.10.200/24
ListenPort = 55510
#DNS = 172.16.1.1
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eno1 -j MASQUERADE

# VPS server
[Peer]
PublicKey =
PresharedKey =
AllowedIPs = 10.0.10.0/24 #, 172.16.1.0/24
PersistentKeepalive = 10
Endpoint = endpoint:55610
```
On all servers the kernel forwarding bit is set to 1.
When I ping the local ip of host C from the smartphone, everything is ok.
If I try to ping another IP, it seems that host C is reached and forwards the packet to the router; in fact it seems that the pinged IP is also resolved to a hostname, but nothing goes on.
This is what I can catch on the VPS, with tcpdump -v -i wireguard_interface, for the ping I'm doing from the smartphone 10.0.10.2:
```
IP (tos 0x0, ttl 63, id 18807, offset 0, flags [DF], proto ICMP (1), length 84) 10.0.10.2 > 172.16.1.100: ICMP echo request, id 50, seq 20, length 64
```
This is what I can catch on host C, with tcpdump -v -i wireguard_interface, for the same ping I'm doing from the smartphone 10.0.10.2, ping 172.16.1.100. Please note that the router, or I do not know who, had to have resolved IP 172.16.1.100 to myCamHost.lan:
```
IP (tos 0x0, ttl 64, id 16654, offset 0, flags [DF], proto ICMP (1), length 84) 10.0.10.2 > myCamHost.lan: ICMP echo request, id 48, seq 27, length 64
```
What more can I check/do/change? I do not think it is a WireGuard problem (even if the config on host C is strange: some sites suggest adding the local subnet to the AllowedIPs of the peers, but if I do it I get an error because the route is already on the machine itself...), but I do not know what to do.
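A small consistency check for the AllowedIPs point raised at the end of the question, added here and not part of the question or of WireGuard itself: it parses a wg-quick config, performs the same longest-prefix lookup WireGuard's cryptokey routing does for a destination address, and flags an AllowedIPs entry that overlaps a directly connected subnet, which is the "route already exists" conflict described above. The sample config is constructed from host C's posted one (keys redacted); the local_subnets argument is an assumption the caller supplies.

```python
import ipaddress

def parse_wg(text):
    """Parse wg-quick INI text into (interface dict, list of peer dicts), keys lower-cased."""
    iface, peers, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.partition("#")[0].strip()  # drop comments and blank lines
        if line.lower() == "[interface]":
            cur = iface
        elif line.lower() == "[peer]":
            cur = {"name": f"peer{len(peers) + 1}"}
            peers.append(cur)
        elif "=" in line and cur is not None:
            key, val = (s.strip() for s in line.split("=", 1))
            cur[key.lower()] = val
    return iface, peers

def allowed_prefixes(peers):
    """Every (peer name, network) a peer claims through AllowedIPs."""
    return [(p["name"], ipaddress.ip_network(c.strip(), strict=False))
            for p in peers for c in p.get("allowedips", "").split(",") if c.strip()]

def route_for(peers, dst):
    """Cryptokey routing: the peer with the longest AllowedIPs match for dst, else None (dropped)."""
    dst = ipaddress.ip_address(dst)
    hits = [(net.prefixlen, name) for name, net in allowed_prefixes(peers) if dst in net]
    return max(hits)[1] if hits else None

def audit(text, local_subnets=()):
    """Findings: a prefix claimed by two peers (only one peer can own it), and an
    AllowedIPs entry overlapping a directly connected LAN (wg-quick's route add then fails)."""
    entries, out = allowed_prefixes(parse_wg(text)[1]), []
    for i, (n1, net1) in enumerate(entries):
        for n2, net2 in entries[i + 1:]:
            if n1 != n2 and net1.overlaps(net2):
                out.append(f"{net1} ({n1}) overlaps {net2} ({n2})")
        for lan in map(ipaddress.ip_network, local_subnets):
            if net1.overlaps(lan):
                out.append(f"{net1} ({n1}) overlaps local subnet {lan}")
    return out

# Host C's config with the LAN subnet re-added to AllowedIPs, as some guides
# suggest; constructed from the question, keys redacted.
HOST_C = """[Interface]
Address = 10.0.10.200/24
[Peer]
PublicKey = <redacted>
AllowedIPs = 10.0.10.0/24, 172.16.1.0/24
"""
```

Running audit(HOST_C, local_subnets=("172.16.1.0/24",)) reports the overlap with the LAN that eno1 already routes, while audit(HOST_C) with the subnet left out reports nothing.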