Wireguard: Connect local device through WG to routers WG peer

I want traffic from a Chromecast with Google TV (CCwGTV) to go through an RPi that I have placed on another network. Basically, I want it to appear that the CCwGTV is located on the other network. The RPi is connected to my local network through a WG tunnel.


I only want certain applications' traffic to be routed through the RPi, using the possibility to list IncludedApplications in the WG config on the CCwGTV. So I want to have a WG tunnel from the CCwGTV to the RPi. However, the RPi is behind a NAT, so to expose the RPi to the CCwGTV it has to go through my OpenWRT router.

Unfortunately, I cannot get the CCwGTV to connect to the RPi through WG and I need some help to understand why. I am able to ping the RPi from the CCwGTV.

Unfortunately the WG application on Android TV does not allow me to view the logs like on the regular Android version. And Raspbian does not seem to allow dynamic debugging. So I am not sure why they never establish any connection.

My OpenWRT configs:

/etc/config/network

config interface 'home'
    option proto 'static'
    option device 'br1.40'
    option netmask '255.255.255.0'
    option ipaddr '192.168.40.1'

config interface 'vpn'
    option proto 'wireguard'
    option private_key '---'
    list addresses '192.168.9.1/24'
    list addresses 'fdf1:e8a1:8d3f:9::1/64'
    option listen_port '51821'

config wireguard_vpn
    option description 'Pi Zero 2 W (VPN)'
    option preshared_key '---'
    list allowed_ips '192.168.9.7/32'
    list allowed_ips 'fdf1:e8a1:8d3f:9::7/128'
    option public_key '---'
    option private_key '---'
    option route_allowed_ips '1'

/etc/config/firewall

config zone 'lan'
    option output 'ACCEPT'
    option name 'home'
    list network 'vpn'
    list network 'home'
    option forward 'ACCEPT'
    option input 'REJECT'
    option log '1'

WG configuration on the RPi:

wg conf RPi

[Interface]
Address = 192.168.9.7/32, fdf1:e8a1:8d3f:9::7/128
PrivateKey = ---
ListenPort = 51830
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# OpenWRT router
[Peer]
PublicKey = ---
PresharedKey = ---
AllowedIPs = 192.168.9.0/24, 192.168.40.0/24, fdf1:e8a1:8d3f:9::/64
Endpoint = ---
PersistentKeepalive = 25

# Pi Zero 2 W (VPN)
[Peer]
PublicKey = ---
PresharedKey = ---
AllowedIPs = 192.168.10.0/24

WG configuration on the CCwGTV:

wg conf CCwGTV

[Interface]
PrivateKey = ---
Address = 192.168.10.2/32
IncludedApplications = application1, application 2, etc...

# Pi Zero 2 W (VPN)
[Peer]
PublicKey = ---
PresharedKey = ---
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 192.168.9.7:51830

You can verify the handshake between OpenWrt and the RPi.
You can also verify that packets go in and out of the tunnel with a tcpdump on the OpenWrt.

How do I do that? Is it possible to see logs on the devices in some way despite this?

I captured this with tcpdump:

root@OpenWrt:~# tcpdump -n -i vpn host 192.168.40.50 or host 192.168.9.7
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on vpn, link-type RAW (Raw IP), snapshot length 262144 bytes
20:16:39.343569 IP 192.168.40.50.54633 > 192.168.9.7.51830: UDP, length 148
20:16:44.543588 IP 192.168.40.50.54633 > 192.168.9.7.51830: UDP, length 148
20:16:49.771592 IP 192.168.40.50.54633 > 192.168.9.7.51830: UDP, length 148
20:16:54.991498 IP 192.168.40.50.54633 > 192.168.9.7.51830: UDP, length 148

And this just goes on. So it looks like the Pi never responds to the handshake, I would guess. I am not sure why. Is my setup even possible?
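Turning that reading of the capture into a check, as an added example that is not part of the thread (it assumes the tcpdump -n line format shown above):

```shell
#!/bin/sh
# Added example, not from the thread. WireGuard handshake messages have fixed
# sizes on the wire: an initiation carries 148 bytes of UDP payload, a
# response 92 bytes, and an unanswered initiator retries every ~5 seconds.
# So a flow in "tcpdump -n" output that shows only 148-byte packets in one
# direction (exactly the capture above) means the responder never answered.

# Read "tcpdump -n" lines on stdin; print one line per initiator>responder
# flow and return 1 if any flow got initiations but no response.
wg_handshake_verdict() {
    awk '
    # Example line: 20:16:39.343569 IP 192.168.40.50.54633 > 192.168.9.7.51830: UDP, length 148
    $2 == "IP" && $6 == "UDP," {
        split($3, s, "."); split($5, d, ".")          # strip the port
        src = s[1] "." s[2] "." s[3] "." s[4]
        dst = d[1] "." d[2] "." d[3] "." d[4]
        len = $8 + 0
        if (len == 148) init[src ">" dst]++
        else if (len == 92) resp[dst ">" src]++      # credit the flow it answers
    }
    END {
        bad = 0
        for (f in init) {
            if (resp[f] > 0) v = "handshake completed"
            else { v = "NO RESPONSE: check keys, ListenPort and firewall on the responder"; bad = 1 }
            printf "%s init=%d resp=%d %s\n", f, init[f], resp[f] + 0, v
        }
        exit bad
    }'
}

# Constructed sample with the same shape as the capture above, so the script
# runs offline. On the router: tcpdump -n -l -i vpn udp | wg_handshake_verdict
SAMPLE='20:16:39.343569 IP 192.168.40.50.54633 > 192.168.9.7.51830: UDP, length 148
20:16:44.543588 IP 192.168.40.50.54633 > 192.168.9.7.51830: UDP, length 148'
printf '%s\n' "$SAMPLE" | wg_handshake_verdict || echo "-> at least one peer never answered"
```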

I forgot about this:

$ sudo wg
interface: wg0
  public key: ---
  private key: (hidden)
  listening port: 51830

peer: OpenWRT router
  preshared key: (hidden)
  endpoint: ---:51821
  allowed ips: 192.168.9.0/24, 192.168.40.0/24, fdf1:e8a1:8d3f:9::/64
  latest handshake: 9 seconds ago
  transfer: 56.90 KiB received, 35.19 KiB sent
  persistent keepalive: every 25 seconds

peer: CCwGTV
  preshared key: (hidden)
  allowed ips: 192.168.10.0/24

So yeah, they never establish a connection to each other.

Do you see them arriving at the RPi?
If they arrive but no response is sent back, I'd create a second WireGuard interface listening on a different port for the TV.


I finally got it to work. While I tried creating a second interface I could see that the packets arrived at the RPi but there was no handshake, so I figured something was wrong with the keys. So I triple-checked my configuration files without seeing anything obvious, and in the end I decided to completely redo them all. After that I had no problem connecting them to each other, on another interface or on the same interface as in my first post.

I guess that some bad character with the wrong encoding or something must have snuck in when I copy-pasted, because I couldn't see anything wrong, with my eyes at least.

For anyone else looking to do the same as me, don't forget to enable IP forwarding (net.ipv4.ip_forward=1) on your RPi or equivalent device.

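Since the root cause turned out to be an invisible character in a pasted key, here is an added example (not from the thread) that checks every key in a wg-quick conf and the ip_forward sysctl on the RPi; the config path is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. A WireGuard key is exactly 44 base64
# characters that decode to 32 bytes; anything else on the line (a CR from
# Windows line endings, a zero-width space pasted from a web page) silently
# breaks the handshake, which is what happened in this thread.

# Return 0 if $1 is a syntactically valid WireGuard key, 1 otherwise.
wg_key_ok() {
    key=$1
    case $key in
        '') return 1 ;;
        *[!A-Za-z0-9+/=]*) return 1 ;;   # any byte outside the base64 alphabet
    esac
    [ "${#key}" -eq 44 ] || return 1
    n=$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "$n" -eq 32 ]
}

# Check every PrivateKey/PublicKey/PresharedKey line in the wg conf $1.
# Echoes each offending line; returns 0 only if all keys are valid.
wg_conf_check_keys() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            [Pp]rivate[Kk]ey*=*|[Pp]ublic[Kk]ey*=*|[Pp]re[Ss]hared[Kk]ey*=*) ;;
            *) continue ;;
        esac
        # Keys never contain blanks: drop spaces/tabs but keep any other
        # junk so that wg_key_ok flags it.
        value=$(printf '%s' "${line#*=}" | tr -d ' \t')
        if ! wg_key_ok "$value"; then
            echo "bad key: $line"
            bad=$((bad + 1))
        fi
    done < "$1"
    [ "$bad" -eq 0 ]
}

# Return 0 if the kernel will forward the TV's traffic (net.ipv4.ip_forward=1).
ip_forward_on() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Usage on the Pi (path is an assumption): sh wgcheck.sh /etc/wireguard/wg0.conf
if [ -n "$1" ]; then
    wg_conf_check_keys "$1" && echo "all keys in $1 look valid"
    ip_forward_on && echo "ip_forward=1" || echo "ip_forward is off: set net.ipv4.ip_forward=1"
fi
```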

Thanks for the help by the way!

