WireGuard: connection functional but peer cannot connect to any clients on the LAN

Hey guys!

So I 'expanded' my home WireGuard setup to include another peer, but something broke in my setup. I have two peers configured now, and they're both showing as connected by WireGuard:

# wg show
interface: wg0
  public key: xxxxxxx
  private key: (hidden)
  listening port: xxxxxxx

peer: xxxxxxx
  endpoint: xxxxxxx:46808
  allowed ips: 10.0.10.240/32
  latest handshake: 26 seconds ago
  transfer: 661.26 KiB received, 2.63 MiB sent
  persistent keepalive: every 25 seconds

peer: xxxxxxx
  endpoint: xxxxxxx:25916
  allowed ips: 10.0.10.250/32
  latest handshake: 2 minutes, 3 seconds ago
  transfer: 167.79 KiB received, 526.12 KiB sent
  persistent keepalive: every 25 seconds

To me at least, this bit looks OK. However, the .250 one used to be able to connect to a Linux server on the LAN, but is now throwing 'connection refused' errors. The server has iptables logging enabled, but the IP is not showing up in anything in /var/log. I can SSH into the router just fine still like I used to - and it's only listening on LAN, so WireGuard is functional. However, my firewall rules on multiple home servers allow e.g. SSH from both 10.0.10.x addresses, yet I'm not seeing anything in the server logs, so it looks like the attempts are not even reaching the servers.

The fact that my first WireGuard peer used to be able to talk to the server before suggests the issue is not with the servers' firewall (otherwise I would see access getting denied there and that's not the case).

My /etc/config/network:

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'xxxxxx'
	option listen_port 'xxxx'
	list addresses '10.0.10.0/24'

config wireguard_wg0
	option public_key 'xxxxxx'
	option allowed_ips '10.0.10.250/32'
	option persistent_keepalive '25'
	option description 'Sony Xperia XZ1 Compact'

config wireguard_wg0
	option public_key 'xxxxxx'
	option allowed_ips '10.0.10.240/32'
	option persistent_keepalive '25'
	option description 'Dell XPS 13 9350'

My /etc/config/firewall:

config zone
	option name 'wg'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option network 'wg0'
	option masq '1'

config forwarding
	option src 'wg'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'wg'

config rule
	option src '*'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '8192'
	option name 'Allow-Wireguard-Inbound'
	option enabled '1'

Thank you!

Try this, it might be of help to you:
http://jodies.de/ipcalc

I'm not sure how that's helping, but thanks.

Anyone else? :slight_smile:

It looks like you're using Wireguard to connect trusted devices to your LAN? Is that correct?

If it is the case then I'd move the WireGuard interface into the LAN firewall zone rather than have it in a separate zone. That should remove any OpenWrt firewall issues from the equation.

It is indeed!

The WireGuard/LAN forwards are rather simple, and I think they're needed because I'm operating different subnets (10.0.10.x for the WireGuard peers, and 10.0.0.x for the LAN). Using the same LAN subnet for the WireGuard peers messed things up before.

You can leave them on separate subnets, just move both interfaces into the same firewall zone.

Try turning off masquerading in the firewall wg zone definition.
option masq '0'

The reason that @ZOzo was suggesting you look at the ip calculator is that they were pointing out that your wg interface address is wrong...

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'xxxxxx'
	option listen_port 'xxxx'
	list addresses '10.0.10.0/24'

You currently have the network defined, but not the actual address. The list addresses in this stanza should have a value of 10.0.10.1/24 (or really anything other than .0 and .255).

FWIW, I personally like having my VPN defined as a separate firewall zone -- the forwardings you have set up should do the trick, although you might also want to add wg > wan if you want to use the tunnel for internet access through your OpenWrt router while you are remote (i.e. bypass geo restrictions, additional security when on public networks, etc.).

If those two things don't fix the problem, please post your remote peer side configuration.

Thanks @psherman, but 10.0.10.0 is perfectly valid for WireGuard - the /24 indicates you're defining a subnet. Like I said, I can perfectly ping the peer (the OpenWrt router) from the remote peer (my laptop). I can SSH into it too, and SSH is only listening on the LAN on the router (10.0.0.1). So the LAN <-> WireGuard zone forwarding is working.

I have the exact same setup working on another network, and this used to work here too. I don't need internet access, just LAN access for the WireGuard connection. What is peculiar though is I am seeing my laptop trying to talk to my MPD server, and that gets filtered out by the MPD server's firewall, so maybe I should be specifying an interface?

Jun 16 10:43:46 epimetheus kernel: [735464.684662] iptables denied: IN=eth0 OUT= MAC=00:xx:xx:xx:xx:xx:a4:xx:d9:xx:6e:xx:08:00 SRC=10.0.10.240 DST=10.0.0.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=50983 DF PROTO=TCP SPT=54612 DPT=6600 WINDOW=64860 RES=0x00 SYN URGP=0

Edit: Disabling masquerading seems to do the trick, thanks. What's even weirder though is that masquerading is enabled on my second WireGuard setup and seems to cause no problems there :thinking:
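The two configuration points the replies above single out (masquerading enabled on the zone that holds wg0, and a wg0 address whose host part is all zeros) can be checked mechanically before changing anything. The script below is an added example, not code from the thread or from OpenWrt: it parses UCI-style text with awk, and the two config strings it reads are constructed copies of the poster's network and firewall stanzas. The function names and the "lint" structure are the example's own.

```shell
#!/bin/sh
# Added example: lint OpenWrt UCI text for the two points raised in the thread.
# NETWORK_CONF and FIREWALL_CONF are constructed copies of the poster's stanzas.

NETWORK_CONF="$(cat <<'EOF'
config interface 'wg0'
    option proto 'wireguard'
    option private_key 'xxxxxx'
    option listen_port 'xxxx'
    list addresses '10.0.10.0/24'
EOF
)"

FIREWALL_CONF="$(cat <<'EOF'
config zone
    option name 'wg'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    option output 'ACCEPT'
    option network 'wg0'
    option masq '1'
EOF
)"

# Print the masq setting ("0" if unset) of every zone whose network list contains $2.
# $1 is the firewall config text. Handles both 'option network' and 'list network'.
zone_masq_for_network() {
    printf '%s\n' "$1" | awk -v net="$2" -v q="'" '
        function flush() { if (inzone && hit) print masq }
        /^config zone/ { flush(); inzone = 1; hit = 0; masq = "0"; next }
        /^config /     { flush(); inzone = 0; next }
        inzone && $2 == "network" && $0 ~ ("[ " q "]" net "[ " q "]") { hit = 1 }
        inzone && $1 == "option" && $2 == "masq" { masq = $3; gsub(q, "", masq) }
        END { flush() }'
}

# Print each address configured on interface $2 in network config text $1.
interface_addresses() {
    printf '%s\n' "$1" | awk -v ifc="$2" -v q="'" '
        /^config interface/ { cur = $3; gsub(q, "", cur); next }
        /^config /          { cur = ""; next }
        cur == ifc && $1 == "list" && $2 == "addresses" { a = $3; gsub(q, "", a); print a }'
}

# True when the IPv4 CIDR in $1 is the network address itself (all host bits zero).
# A bare address or a /32 has no host part to test and is treated as a host address.
is_network_address() {
    ip=${1%/*}
    plen=${1#*/}
    [ "$ip" = "$1" ] && return 1
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    host_bits=$(( 32 - plen ))
    [ "$host_bits" -gt 0 ] || return 1
    mask=$(( (1 << host_bits) - 1 ))
    [ $(( n & mask )) -eq 0 ]
}

# Emit one finding per line for the given network ($1) and firewall ($2) config text.
# $3 is the interface to inspect (default wg0). Empty output means nothing was flagged.
lint_wg_config() {
    net_conf=$1
    fw_conf=$2
    ifc=${3:-wg0}
    for m in $(zone_masq_for_network "$fw_conf" "$ifc"); do
        if [ "$m" = "1" ]; then
            echo "zone holding $ifc has option masq '1'; the thread suggests masq '0' for a trusted-peer zone"
        fi
    done
    for a in $(interface_addresses "$net_conf" "$ifc"); do
        if is_network_address "$a"; then
            echo "$ifc address $a is the network address, not a host address (e.g. use a non-zero last octet)"
        fi
    done
}

lint_wg_config "$NETWORK_CONF" "$FIREWALL_CONF"
```

Run it as-is to see both findings on the constructed config; swap in `uci export network` and `uci export firewall` output on the router to check a live configuration.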

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.