WireGuard config always worked, now does not (after re-install), can't reach local subnet

Hi everybody,
I spent two days trying to find a solution, without results. I'm really crying.
I had to reinstall a Linux Debian machine. I replicated the installation with a script I made over the years, but I cannot get back the site-to-site WireGuard config that worked before.

The Linux Debian machine is used as an internal node in my LAN; it is directly connected to the router. Even though I can reach this Linux host from outside, I cannot reach other local IPs (the router itself, for example). I think there is some firewall rule or similar on the router, but I do not understand why it worked before and now it does not.

The situation is:
A, the smartphone <=> B, the internet VPS <=> C, the linux debian host (via router) on the lan
The configs are:

On the VPS

[Interface]
PrivateKey = 
Address = 10.0.10.1/32
ListenPort = 55610
DNS = 172.16.1.1

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

#host C linux debian
[Peer]
PublicKey = 
PresharedKey = 
AllowedIPs = 10.0.10.200/32, 172.16.1.0/24

#smartphone
[Peer]
PublicKey = 
PresharedKey = 
AllowedIPs = 10.0.10.2/32

On the Linux host C

# server linux C
[Interface]
PrivateKey = 
Address = 10.0.10.200/24
ListenPort = 55510
#Dns = 172.16.1.1

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eno1 -j MASQUERADE

# VPS server
[Peer]
PublicKey = 
PresharedKey = 
AllowedIPs = 10.0.10.0/24 #, 172.16.1.0/24
PersistentKeepalive = 10
Endpoint = endpoint:55610

On all servers the kernel forwarding bit is set to 1.

When I ping the local ip of host C from the smartphone, everything is ok.
If I try to ping another IP, it seems that host C is reached and forwards the packet to the router; in fact it even seems to resolve the pinged IP to a hostname, but nothing else happens.
This is what I can capture on the VPS with tcpdump -v -i wireguard_interface while I ping 172.16.1.100 from the smartphone 10.0.10.2:

 IP (tos 0x0, ttl 63, id 18807, offset 0, flags [DF], proto ICMP (1), length 84)
    10.0.10.2 > 172.16.1.100: ICMP echo request, id 50, seq 20, length 64

This is what I can capture on host C, with tcpdump -v -i wireguard_interface, for the same ping from the smartphone 10.0.10.2 to 172.16.1.100. Please note that the router, or I do not know who, must have resolved IP 172.16.1.100 to myCamHost.lan:

IP (tos 0x0, ttl 64, id 16654, offset 0, flags [DF], proto ICMP (1), length 84)
    10.0.10.2 > myCamHost.lan: ICMP echo request, id 48, seq 27, length 64

What more can I check/do/change? I do not think it is a WireGuard problem (even if the config on host C is strange: some sites suggest adding the local subnet to the AllowedIPs of the peer, but if I do it I get an error because the route is already on the machine itself...), but I do not know what to do. :sob: :cry: :disappointed_relieved: :cold_sweat:

What changed in your setup? Where is the OpenWrt system?

The router is here:
A, the smartphone <=> B, the internet VPS <=> (openWrt router <=>) C, the linux debian host
Note that when I ping host C everything works; the problem is when I ping other hosts on the LAN subnet (they are connected via a dumb switch to another router port, so the packets should pass through the router itself).
By the way, looking again at the tcpdump I posted, at this piece, 10.0.10.2 > 172.16.1.100, I think the router will drop the packets.
I have not changed anything... same WireGuard config, but I could be missing something.
Really, really, thanks for your interest.

What did you reinstall?

Is the wireguard endpoint on the Debian host or is it running on the OpenWrt router?

The Debian host.

So you have made zero changes to the OpenWrt system, right? And you have re-installed Debian on a different system? WG runs on that Debian system?

If all of that is correct, your problem is likely on the Debian host itself, and thus out of scope for these forums (which are focused on OpenWrt). Make sure that your Debian host is configured to route the WG subnet through to the upstream network. Often that is done via a NAT masquerading type operation. That said, you might be able to add a static route on your OpenWrt router to cover the WG network (basically <wg_network>/24 via <debian_host_ip>).

Yes, I understand, but as I said I may be missing something that I do not remember. It seems that ping packets are forwarded from Debian to OpenWrt, so I need to understand if they reach the latter and if it drops them for some reason. Sorry, I do not understand the last passage about the static route :(, where should I add it?

If you want to try adding a static route, you can read here for how to do that. It is really quite simple.
Basically, the idea of a static route is this:

  • the router currently has no knowledge of the WG network
  • if packets from the WG network hit the router, the router doesn't know what to do with them -- i.e. where to route return packets... it's not unlike getting mail without a return address and no clue who actually sent the thing to you.
  • therefore, the static route basically says that you can reach the WG network via the Debian host's IP address.... i.e. send the return traffic related to the WG network to the IP address of the Debian host, and that host will get it where it needs to go (i.e. back to the tunnel).

If it works, you'll have solved the problem in a different way than you had previously since you said that you didn't touch the OpenWrt configuration.

Otherwise, you need to figure out what is wrong on that device. OpenWrt has nothing to do with the issue since the changes were done solely on the Debian side.

Sorry again, what could be the best way to see if something from the smartphone arrives at the router? Packets from the Debian machine should be masqueraded, right? Is there no easy way to catch them, or if I just ping 172.16.1.100, with tcpdump | grep 172.16.1.100, should I catch them?

Wireshark on the router. Possibly also on the Debian system.

Depends on the configuration of your Debian system. Maybe, maybe not. Look at the Debian documentation or related forums about how network interfaces (specifically VPNs) are treated with respect to the routing to the main system network, and then evaluate your configuration based on what you find.
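To make the static-route and masquerade reasoning in the replies above concrete, here is an added Python model (written for this page; it is not code from the thread, from OpenWrt or from WireGuard) of the cryptokey routing the VPS performs with its AllowedIPs, of the route clash wg-quick raises when the LAN prefix is added on host C, and of what the OpenWrt router sees on the reply path. Host C's eno1 address 172.16.1.50 and the router's route table are assumptions.

```python
import ipaddress

# Constructed model of the thread's topology. Addresses quoted in the thread are
# reused; host C's LAN address (172.16.1.50) and the router's routes are assumptions.
VPS_PEERS = {          # AllowedIPs from the VPS config = its cryptokey routing table
    "C":     ["10.0.10.200/32", "172.16.1.0/24"],
    "phone": ["10.0.10.2/32"],
}
C_LAN_IP = "172.16.1.50"                     # assumed address of eno1 on host C
ROUTER_DEFAULT_ROUTES = ("172.16.1.0/24",)   # the router only knows its own LAN


def cryptokey_route(peers, dst):
    """Peer whose AllowedIPs contains dst by longest prefix (WireGuard's rule);
    None if no peer allows it, in which case WireGuard drops the packet."""
    dst = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for name, nets in peers.items():
        for net in map(ipaddress.ip_network, nets):
            if dst in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best


def wgquick_route_conflicts(allowed_ips, local_routes):
    """wg-quick adds a kernel route for each AllowedIPs prefix; a prefix already
    routed on the host (the LAN on eno1) gives the 'route already exists' error the OP hit."""
    local = {ipaddress.ip_network(r) for r in local_routes}
    return [a for a in allowed_ips if ipaddress.ip_network(a) in local]


def trace_ping(src, dst, masquerade, router_routes=ROUTER_DEFAULT_ROUTES):
    """Follow phone -> VPS -> C -> LAN and ask whether the router can route the reply.
    Returns (peer chosen by the VPS, source address the router sees, reply_routable)."""
    peer = cryptokey_route(VPS_PEERS, dst)
    if peer != "C":
        return peer, None, False           # packet never heads towards the LAN
    # With MASQUERADE on eno1, C rewrites the source to its own LAN address,
    # so the router replies to a host on a network it already knows.
    seen_src = C_LAN_IP if masquerade else src
    reply_ok = any(ipaddress.ip_address(seen_src) in ipaddress.ip_network(r)
                   for r in router_routes)
    return peer, seen_src, reply_ok


if __name__ == "__main__":
    print(trace_ping("10.0.10.2", "172.16.1.100", masquerade=True))    # ('C', '172.16.1.50', True)
    print(trace_ping("10.0.10.2", "172.16.1.100", masquerade=False))   # ('C', '10.0.10.2', False)
    print(wgquick_route_conflicts(["10.0.10.0/24", "172.16.1.0/24"], ["172.16.1.0/24"]))
```

While the MASQUERADE rule from C's PostUp line is in effect, the router never sees a 10.0.10.x source, so the static route only changes anything when that rule is missing or not being applied.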