WireGuard connecting hosts WAN<->LAN

Get rid of the B-C tunnel. It's not doing anything productive and just complicates matters.

Either add wg0 to the LAN firewall zone, or add it as a new zone and allow forwarding to LAN and WAN. You'll also need to open whichever port you're using for Wireguard on B. Such as:

config rule
        option target 'ACCEPT'
        option src 'wan'
        option dest_port '51820'
        option name 'Wireguard'
        option proto 'udp'

No, actually I will have a simplified situation, but let's talk about this later.
The problem is that now I can't get A and B to communicate through Wireguard. I tried adding wg to the lan firewall zone, then the wan firewall zone, then the "unspecified" firewall zone, but the situation does not change, even after adding your config rule to /etc/config/firewall :frowning:

Verify that there are hits on the firewall
iptables-save -c | grep 51820

[0:0] -A zone_wan_input -p udp -m udp --dport 51820 -m comment --comment "!fw3: Wireguard" -j ACCEPT

From various tests, I can reach B wireguard interface only from the LAN, not WAN

Verify that host A is using the correct address to reach router B, as there are no hits on the firewall.

How can I check firewall hits?

The numbers in the beginning are both zero.
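The counters at the start of each `iptables-save -c` line are what the advice above is about: `[packets:bytes]` for that rule, so `[0:0]` means the rule exists but has never matched. As an added example, not code from the thread, here is a small POSIX shell parser for that format; the sample rule lines are constructed in the same shape as the one quoted above, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example: read the per-rule counters that `iptables-save -c` prints in
# front of each rule and turn the WireGuard accept rule's packet count into the
# diagnosis used in this thread. Function names are made up for this example.

# Constructed sample lines, in the same shape as the rule quoted above. Only the
# counters differ: "[packets:bytes]" precedes every rule in -c output.
RULE_NO_HITS='[0:0] -A zone_wan_input -p udp -m udp --dport 51820 -m comment --comment "!fw3: Wireguard" -j ACCEPT'
RULE_HITS='[37:5624] -A zone_wan_input -p udp -m udp --dport 51820 -m comment --comment "!fw3: Wireguard" -j ACCEPT'
RULE_OTHER='[812:61243] -A zone_lan_input -p udp -m udp --dport 53 -m comment --comment "!fw3: DNS" -j ACCEPT'

# wg_rule_packets <udp-port> : read iptables-save -c output on stdin and print the
# packet counter of the first ACCEPT rule for that destination port; print "none"
# and exit 1 when no such rule exists (the firewall config was not applied).
wg_rule_packets() {
    port=$1
    while IFS= read -r line; do
        case "$line" in
            "["*"] -A "*" --dport $port "*" -j ACCEPT")
                counters=${line%%]*}      # "[packets:bytes"
                counters=${counters#\[}   # "packets:bytes"
                printf '%s\n' "${counters%%:*}"
                return 0
                ;;
        esac
    done
    printf 'none\n'
    return 1
}

# classify_hits <count> : what a zero or non-zero counter tells you
classify_hits() {
    case "$1" in
        none) echo "no-rule: no ACCEPT rule for that port, check /etc/config/firewall and reload it" ;;
        0)    echo "zero: nothing reaches this router's WAN on that port (client uses the wrong endpoint, sits on the LAN side, or an upstream NAT drops it)" ;;
        *)    echo "hits: $1 packets accepted, so remaining failures are past the firewall (keys, AllowedIPs, routing)" ;;
    esac
}

# Demo on the constructed samples; on the router replace the printf with:
#   iptables-save -c | wg_rule_packets 51820
for sample in "$RULE_NO_HITS" "$RULE_HITS"; do
    count=$(printf '%s\n' "$sample" | wg_rule_packets 51820) || true
    classify_hits "$count"
done
```

Run it on the router as `iptables-save -c | wg_rule_packets 51820` after a handshake attempt from outside; a counter that stays at zero means the packets never arrived on the WAN interface, which is a reachability or NAT question rather than a firewall one.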

I solved the problem, but since I made a ton of different tries, I will just describe the one I think is the most significant.
I set up a new host (D) with a configuration similar to A's.
I connected D to B's endpoint foo.bar.baz using my mobile phone's tethering, so D had an IP that had nothing to do with my LAN. Everything worked: I could ping B and C. Then I disconnected D from the tethering and connected it to the LAN. I restarted D's wg interface and tried to connect to B's Wireguard endpoint foo.bar.baz, but when trying to ping the wg IPs of B and C, I did not receive any reply.
Then I rebooted the OpenWRT router to clear all routes, etc., and did the reverse: first connecting to endpoint foo.bar.baz while connected to the LAN. As soon as I moved to the tethering connection, I received no reply from B or C.

I am really exhausted and I don't want to run tests on NAT options etc., unless this could help the OpenWRT / Wireguard developers if they think there may be some kind of problem.
A guy sent me this Wireguard discussion URL, which reminds me of my situation

Thank you everybody for the support

Tunnels don't work from inside the LAN, because you advertise the same IPs that the device already has on its interface.
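The overlap described in this reply is easy to check on the client before bringing the tunnel up: if any `AllowedIPs` prefix for the peer intersects the subnet the client is already directly connected to, the kernel will have two routes for the same destinations. The following POSIX shell check is an added example, not code from the thread or from the WireGuard project; it is IPv4 only, the function names are made up, and the addresses (a tethered D, D on the LAN, and a peer entry advertising the tunnel subnet plus the LAN behind B) are constructed for the example.

```shell
#!/bin/sh
# Added example: check whether any AllowedIPs prefix of a WireGuard peer overlaps
# the subnet the client is already directly connected to. IPv4 only; all
# function names and sample addresses below are constructed for this example.

# ip2int <dotted-quad> : print the address as an unsigned 32-bit integer
ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# network <cidr> : print "<network-int> <mask-int>"; a bare address counts as /32
network() {
    ip=${1%/*}
    plen=${1#*/}
    [ "$plen" = "$1" ] && plen=32
    mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    echo "$(( $(ip2int "$ip") & mask )) $mask"
}

# cidr_overlap <cidr1> <cidr2> : exit 0 if the two prefixes share any address
cidr_overlap() {
    set -- $(network "$1") $(network "$2")
    # Prefixes intersect exactly when they agree under the shorter (numerically
    # smaller) mask, i.e. one prefix contains the other's network address.
    if [ "$2" -lt "$4" ]; then m=$2; else m=$4; fi
    [ $(( $1 & m )) -eq $(( $3 & m )) ]
}

# conflicting_allowed_ips <host-cidr> <allowedip>... : print every AllowedIPs
# prefix that overlaps the host's own connected subnet; exit 1 if there is none
conflicting_allowed_ips() {
    host=$1
    shift
    found=1
    for prefix in "$@"; do
        if cidr_overlap "$host" "$prefix"; then
            echo "$prefix"
            found=0
        fi
    done
    return $found
}

# Constructed sample: the peer entry for router B advertises the tunnel subnet and
# the LAN behind B; host D is tried first on tethering, then plugged into that LAN.
PEER_ALLOWED_IPS="10.0.0.0/24 192.168.1.0/24"
D_ON_TETHERING="192.168.43.7/24"
D_ON_LAN="192.168.1.23/24"

for host in "$D_ON_TETHERING" "$D_ON_LAN"; do
    echo "host on $host, AllowedIPs prefixes overlapping its connected subnet:"
    conflicting_allowed_ips "$host" $PEER_ALLOWED_IPS || echo "  (none)"
done
```

With these inputs the tethered case reports nothing and the LAN case reports `192.168.1.0/24`, which is exactly the situation in the thread: the same prefix the host already has on its Ethernet interface is also claimed by the tunnel. An `AllowedIPs` of `0.0.0.0/0` is flagged against any connected subnet, since it contains every address.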
