<Device 1 local IP> <--------> <Route 2 public IP> <---Internet---> <Router 1 Public IP>
I would like to have 2 WireGuard links.
One on subnet 10.2.2.x, and this one is working. In this case <Router 1 Public IP> is the server and <Device 1> is the client. Also 5 other devices are working fine.
The second subnet is 10.3.3.x. I would like to have <Device 1 local IP> as the server, so I set port forwarding on <Route 2 public IP>, and <Router 1 Public IP> as the client.
The handshake is fine but ping is not working. And the strange thing is that the server sees the client on an incorrect port:
On server side:
root@OpenWrtMiWiFiMini:~# wg show wg1
interface: wg1
public key: <key>
private key: (hidden)
listening port: 60024
peer: <key>
endpoint: <Router 1 Public IP>:1097
allowed ips: 10.3.3.2/32
latest handshake: 2 minutes, 21 seconds ago
transfer: 2.93 KiB received, 2.05 KiB sent
persistent keepalive: every 25 seconds
root@OpenWrtMiWiFiMini:~#
On client side:
root@Xiaomi3G:~# wg show wg1
interface: wg1
public key: <key>
private key: (hidden)
listening port: 60027
peer: <key>
endpoint: <Router 2 Public IP>:60024
allowed ips: (none)
latest handshake: 1 minute, 22 seconds ago
transfer: 2.26 KiB received, 3.50 KiB sent
persistent keepalive: every 25 seconds
But the port forwarding is on <Route 2 public IP>. Does iptables have to be enabled on <Device 1 local IP>?
I have the firewall off, to be sure that it is not blocking any connection.
Port forwarding is on <Route 2 public ip> and device <Device 1 local IP> is behind this NAT (port forwarding from external 60024 to 60024 on the local IP address).
@kofec, I honestly think you're confusing the WG network and the LANs you're trying to route to. It's quite confusing when you continue to speak of port forwarding and NAT, before you clarify my inquiry about masquerading.
I won't be able to help you until you can clearly articulate what you're trying to do.
Fix the allowed IP section
You should allow the entire subnet at the other end of the connection
You need to make a route to the network at the other end of the connection.
If you do not have masquerade on, then you must route, not port forward
root@OpenWrtMiWiFiMini:~# ip r
default via 192.168.4.1 dev eth0.2 proto static src 192.168.4.12
10.3.3.0/24 dev wg1 proto kernel scope link src 10.3.3.1
10.3.3.2 dev wg1 proto static scope link
<Router 1 Public IP> via 192.168.4.1 dev eth0.2 proto static
192.168.4.0/24 dev eth0.2 proto kernel scope link src 192.168.4.12
192.168.111.0/24 dev br-lan proto kernel scope link src 192.168.111.1
Routes on <Router 1 Public IP>
default via 91.90.x.x dev eth0.2 proto static
10.2.2.0/24 dev wg0 proto kernel scope link src 10.2.2.1
10.2.2.2 dev wg0 proto static scope link
10.2.2.3 dev wg0 proto static scope link
10.2.2.4 dev wg0 proto static scope link
10.2.2.5 dev wg0 proto static scope link
10.2.2.6 dev wg0 proto static scope link
10.2.2.7 dev wg0 proto static scope link
10.2.2.8 dev wg0 proto static scope link
10.2.2.9 dev wg0 proto static scope link
10.2.2.10 dev wg0 proto static scope link
10.2.2.254 dev wg0 proto static scope link
10.3.3.0/24 dev wg1 proto kernel scope link src 10.3.3.2
<Route 2 public IP> via 91.90.x.x dev eth0.2 proto static
91.90.176.128/25 dev eth0.2 proto kernel scope link src 91.90.176.163
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.11.0/24 via 192.168.1.10 dev br-lan proto static
I'm not sure if it is a bug or by design. But if I would like to have more peers connected to one peer, I have to change the configuration like below (change the mask from 24 to 32):
Interesting...I only allow single /32 IPs anyway on the peers (or "clients," as you say)...but it makes sense, because the IPs can't exist "everywhere."
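As an added example (not from the thread or from the WireGuard project), a small Python check of the cryptokey-routing rules the replies above rely on: which peer a destination is sent to (the longest matching AllowedIPs prefix; no match means the packet is dropped, which is why a peer showing `allowed ips: (none)` can ping nothing), and what happens when two peers are given the same prefix, which is the /24 case described above. The `wg show` text, peer names and addresses are constructed, and the duplicated /24 on PEER_D is what an operator would type into the config before WireGuard silently moves it to the peer set last.

```python
import ipaddress

# Constructed `wg show`-style text (not from the original post), with extra peers for the multi-peer case.
WG_SHOW_SAMPLE = """\
interface: wg1
peer: PEER_A
  allowed ips: 10.3.3.2/32
peer: PEER_B
  allowed ips: 10.3.3.0/24, 192.168.111.0/24
peer: PEER_C
  allowed ips: (none)
peer: PEER_D
  allowed ips: 10.3.3.0/24
"""

def parse_wg_show(text):
    """Return {peer: [ip_network, ...]} from `wg show <iface>` output."""
    peers, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("peer:"):
            current = line.split(":", 1)[1].strip()
            peers[current] = []
        elif current and line.startswith("allowed ips:"):
            value = line.split(":", 1)[1].strip()
            peers[current] = [ipaddress.ip_network(v.strip()) for v in value.split(",") if v.strip() != "(none)"]
    return peers

def route_peer(peers, address):
    """Peer chosen by cryptokey routing for a destination: the longest matching
    AllowedIPs prefix wins; no match means the packet is dropped (None)."""
    addr, best = ipaddress.ip_address(address), None
    for peer, nets in peers.items():
        for net in nets:
            if addr.version == net.version and addr in net:
                if best is None or net.prefixlen > best[1]:
                    best = (peer, net.prefixlen)
    return best[0] if best else None

def check_allowed_ips(peers):
    """Flag peers that can carry no traffic and prefixes claimed by several peers."""
    findings, claimed = [], {}
    for peer, nets in peers.items():
        if not nets:
            findings.append(f"{peer}: allowed ips (none); nothing is routed to or accepted from it")
        for net in nets:
            if net in claimed:
                findings.append(f"{peer}: {net} already belongs to {claimed[net]}; WireGuard keeps it on the peer set last")
            else:
                claimed[net] = peer
    return findings
```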