Hi everybody,
I spent two days trying to find a solution, without results. I'm really crying.
I had to reinstall a Linux Debian machine. I replicated the installation with a script I have built up over the years, but I cannot get back a sort of site-to-site WireGuard config that worked before.
The Linux Debian machine is used as an internal node in my LAN; it is directly connected to the router, but even though I can reach this Linux host from outside, I cannot reach other local IPs (the router itself, for example). I think there is some firewall rule or similar on the router, but I do not understand why it worked before and now it does not.
The situation is:
A, the smartphone <=> B, the internet VPS <=> C, the linux debian host (via router) on the lan
The configs are:
On the VPS
[Interface]
PrivateKey =
Address = 10.0.10.1/32
ListenPort = 55610
DNS = 172.16.1.1
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
# host C linux debian
[Peer]
PublicKey =
PresharedKey =
AllowedIPs = 10.0.10.200/32, 172.16.1.0/24
# smartphone
[Peer]
PublicKey =
PresharedKey =
AllowedIPs = 10.0.10.2/32
On the Linux host C
# server linux C
[Interface]
PrivateKey =
Address = 10.0.10.200/24
ListenPort = 55510
#DNS = 172.16.1.1
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eno1 -j MASQUERADE
# VPS server
[Peer]
PublicKey =
PresharedKey =
AllowedIPs = 10.0.10.0/24 #, 172.16.1.0/24
PersistentKeepalive = 10
Endpoint = endpoint:55610
On all servers the kernel forwarding bit is set to 1.
When I ping the local IP of host C from the smartphone, everything is OK.
If I try to ping other IPs, it seems that host C is reached and forwards the packet to the router; in fact it also seems to resolve the pinged IP to a hostname, but nothing else happens.
This is what I can capture on the VPS with tcpdump -v -i wireguard_interface while I run, from the smartphone 10.0.10.2, ping 172.16.1.100:
IP (tos 0x0, ttl 63, id 18807, offset 0, flags [DF], proto ICMP (1), length 84)
10.0.10.2 > 172.16.1.100: ICMP echo request, id 50, seq 20, length 64
This is what I can capture on host C with tcpdump -v -i wireguard_interface for the same ping I run from the smartphone 10.0.10.2, ping 172.16.1.100. Please note that the router (or I do not know who) must have resolved IP 172.16.1.100 to myCamHost.lan:
IP (tos 0x0, ttl 64, id 16654, offset 0, flags [DF], proto ICMP (1), length 84)
10.0.10.2 > myCamHost.lan: ICMP echo request, id 48, seq 27, length 64
What more can I check/do/change? I do not think it is a WireGuard problem (even if the config on host C is strange; some sites suggest adding the local subnet to the AllowedIPs of the hosts, but if I do that I get an error because the route is already on the machine itself...), but I do not know what to do.
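An added example (my code, not part of the original post) that replays the ping above through the cryptokey routing tables defined by the two posted configs. WireGuard uses AllowedIPs twice: on egress the peer whose AllowedIPs contains the longest matching prefix for the destination receives the packet, and on ingress a decrypted packet is kept only if its source address lies inside the sending peer's AllowedIPs. The script parses the two configs (keys, ports, endpoints and PostUp/PostDown omitted because they do not influence cryptokey routing), traces the echo request and its reply hop by hop, and shows what happens when the LAN prefix is missing on the VPS side. The peer names "smartphone", "host C linux debian" and "VPS server" are taken from the comments in the posted configs; iptables, rp_filter and the router are deliberately out of scope.

```python
"""Cryptokey-routing trace for the setup above (added example, not the poster's
code). Models only AllowedIPs: egress = longest matching prefix over all peers,
ingress = source must lie inside the sending peer's AllowedIPs. No iptables."""
import ipaddress

# Constructed from the two configs in the post; keys, ports, endpoints and
# PostUp/PostDown are dropped because they play no part in cryptokey routing.
VPS_CONF = """
#host C linux debian
[Peer]
AllowedIPs = 10.0.10.200/32, 172.16.1.0/24

#smartphone
[Peer]
AllowedIPs = 10.0.10.2/32
"""
C_CONF = """
# VPS server
[Peer]
AllowedIPs = 10.0.10.0/24 #, 172.16.1.0/24
"""


def parse_peers(text):
    """Return [{'name': ..., 'allowedips': [ip_network, ...]}, ...]. A comment
    line directly above a [Peer] header is used as that peer's name."""
    peers, cur, label = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('#'):              # full-line comment: keep as label
            label = line.lstrip('# ')
            continue
        line = line.split('#', 1)[0].strip()  # wg-quick strips inline comments
        if not line:
            continue
        if line.lower() == '[peer]':
            cur = {'name': label or f'peer{len(peers) + 1}'}
            peers.append(cur)
        elif line.lower() == '[interface]':
            cur = {}                          # interface keys are not needed here
        else:
            key, _, val = line.partition('=')
            cur[key.strip().lower()] = val.strip()
        label = None
    for p in peers:
        p['allowedips'] = [ipaddress.ip_network(n.strip(), strict=False)
                           for n in p.get('allowedips', '').split(',') if n.strip()]
    return peers


def egress_peer(peers, dst):
    """Peer a packet for dst is encrypted to (longest AllowedIPs prefix wins);
    None means no peer claims dst, so the packet never enters the tunnel."""
    dst = ipaddress.ip_address(dst)
    hits = [(net.prefixlen, p) for p in peers for net in p['allowedips'] if dst in net]
    return max(hits, key=lambda h: h[0])[1] if hits else None


def ingress_ok(peer, src):
    """A decrypted packet from peer is delivered only if src is in its AllowedIPs."""
    return any(ipaddress.ip_address(src) in net for net in peer['allowedips'])


def trace(path, src, dst):
    """path: [(node, peers, arrived_from)], arrived_from being the name of the
    peer the packet was decrypted from, or None if it came from the plain
    network. Returns [(node, action, detail)] and stops at the first drop."""
    rows = []
    for node, peers, arrived_from in path:
        if arrived_from is not None:
            sender = next(p for p in peers if p['name'] == arrived_from)
            if not ingress_ok(sender, src):
                rows.append((node, 'drop', f'src {src} not in AllowedIPs of {arrived_from}'))
                break
        out = egress_peer(peers, dst)
        rows.append((node, 'forward', f'to peer {out["name"]}') if out else
                    (node, 'deliver', 'dst claimed by no peer: leaves the tunnel'))
    return rows


VPS_PEERS, C_PEERS = parse_peers(VPS_CONF), parse_peers(C_CONF)


def ping_request():
    """The echo request from the post's tcpdumps: phone -> VPS -> C -> LAN."""
    return trace([('VPS', VPS_PEERS, 'smartphone'), ('C', C_PEERS, 'VPS server')],
                 '10.0.10.2', '172.16.1.100')


def ping_reply(vps_peers=VPS_PEERS):
    """The echo reply on its way back: LAN host -> C -> VPS -> phone."""
    return trace([('C', C_PEERS, None), ('VPS', vps_peers, 'host C linux debian')],
                 '172.16.1.100', '10.0.10.2')


def ping_reply_without_lan_prefix():
    """Same reply if 172.16.1.0/24 were missing from host C's AllowedIPs on the
    VPS (the usual site-to-site mistake): decrypted, then silently discarded."""
    return ping_reply(parse_peers(VPS_CONF.replace(', 172.16.1.0/24', '')))
```

With the posted configs, `ping_request()` forwards at the VPS and leaves the tunnel at C, and `ping_reply()` is accepted at the VPS and forwarded to the phone, so at the cryptokey layer the two configs are consistent for this ping; the third trace shows the drop you would see if 172.16.1.0/24 were absent from host C's AllowedIPs on the VPS. Uncommenting the LAN prefix on host C's side (`C_CONF.replace('#,', ',')`) makes `egress_peer` on C return the VPS peer for 172.16.1.100, i.e. C would hand its own directly connected LAN back into the tunnel, which is why that prefix belongs only in the VPS's entry for host C.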