Wireguard + mwan3 issue

It's been a few days and WireGuard still doesn't work. I would be very grateful if someone could kindly advise me.

I have an OpenWrt router with 2 WANs using mwan3. When one WAN fails, the other WAN handles all traffic; WAN_b should handle both the WireGuard traffic and the default traffic.

The handshake is successful on both sides of the WireGuard tunnel, but the LAN behind each router cannot be pinged from the other side; only the WAN (endpoint) address can be pinged. Also, the endpoint host is set to 9.9.9.7 on the remote side, but the "wg" command there shows 8.8.8.7. I suspect an issue with the "rule" section of the mwan3 configuration, but I am not sure where the problem is.

My side:
WAN (eth1): static 8.8.8.7 gateway:8.8.8.1
WAN_b(eth2): static 9.9.9.7 gateway:9.9.9.1


root@OpenWrt:/# wg
interface: wg0
  public key: sJou1WwZNsX7jHfV2CNkCer7uHwxs0yMXFBTwX8DznI=
  private key: (hidden)
  listening port: 51820

peer: wUi4iTCulzasw3s7mrWoXF4MuOzf6PColPoBxS3a9As=
  endpoint: 7.7.7.8:51820
  allowed ips: 192.168.100.0/24, 192.168.8.0/24
  latest handshake: 34 seconds ago
  transfer: 368 B received, 2.50 KiB sent
  persistent keepalive: every 25 seconds


root@OpenWrt:/# ping 192.168.8.1
PING 192.168.8.1 (192.168.8.1): 56 data bytes
^C
root@OpenWrt:~# ping -I 192.168.1.1 192.168.8.1
PING 192.168.8.1 (192.168.8.1) from 192.168.1.1: 56 data bytes
^C

root@OpenWrt:/# ping 7.7.7.8
PING 7.7.7.8 (7.7.7.8): 56 data bytes
64 bytes from 7.7.7.8: seq=0 ttl=63 time=1.034 ms
64 bytes from 7.7.7.8: seq=1 ttl=63 time=0.980 ms

Below is the output of the following commands:
route -n
cat /etc/config/network
cat /etc/config/mwan3


root@OpenWrt:/# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         8.8.8.1         0.0.0.0         UG    10     0        0 eth1
0.0.0.0         9.9.9.1         0.0.0.0         UG    20     0        0 eth2
7.7.7.8         8.8.8.1         255.255.255.255 UGH   10     0        0 eth1
8.8.8.0         0.0.0.0         255.255.255.0   U     10     0        0 eth1
9.9.9.0         0.0.0.0         255.255.255.0   U     20     0        0 eth2
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan



root@OpenWrt:/# cat /etc/config/network
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd7a:61b6:b586::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        list ports 'eth5'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth1'
        option proto 'static'
        option netmask '255.255.255.0'
        option metric '10'
        option gateway '8.8.8.1'
        option ipaddr '8.8.8.7'

config interface 'wanb'
        option proto 'static'
        option device 'eth2'
        option netmask '255.255.255.0'
        option metric '20'
        option gateway '9.9.9.1'
        option ipaddr '9.9.9.7'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'EDvWgQu5GNIGKDgaPv6kVHCvEl0Y8TJk1KC3OFubzEA='
        option listen_port '51820'
        list addresses '192.168.100.3'

config wireguard_wg0
        option public_key 'wUi4iTCulzasw3s7mrWoXF4MuOzf6PColPoBxS3a9As='
        list allowed_ips '192.168.100.2/24'
        list allowed_ips '192.168.8.1/24'
        option endpoint_host '7.7.7.8'
        option persistent_keepalive '25'
        option route_allowed_ips '1'




 
root@OpenWrt:/# cat /etc/config/mwan3
config globals 'globals'
        option mmx_mask '0x3F00'

config interface 'wan'
        option enabled '1'
        option family 'ipv4'
        option initial_state 'online'
        option track_method 'ping'
        option count '1'
        option size '56'
        option max_ttl '60'
        option timeout '4'
        option interval '10'
        option failure_interval '5'
        option recovery_interval '5'
        option down '5'
        option up '5'
        option reliability '1'

config interface 'wanb'
        option family 'ipv4'
        option reliability '1'
        option enabled '1'
        option initial_state 'online'
        option track_method 'ping'
        option count '1'
        option size '56'
        option max_ttl '60'
        option timeout '4'
        option interval '10'
        option failure_interval '5'
        option recovery_interval '5'
        option down '5'
        option up '5'

config member 'wan_m1_w3'
        option interface 'wan'
        option metric '1'
        option weight '3'

config member 'wanb_m1_w3'
        option interface 'wanb'
        option metric '1'
        option weight '3'

config policy 'wan_only'
        list use_member 'wan_m1_w3'
        option last_resort 'unreachable'

config policy 'wanb_only'
        option last_resort 'unreachable'
        list use_member 'wanb_m1_w3'

config policy 'balanced'
        list use_member 'wan_m1_w3'
        list use_member 'wanb_m1_w3'
        option last_resort 'unreachable'

config rule 'wg'
        option family 'ipv4'
        option proto 'udp'
        option dest_port '51820'
        option use_policy 'wanb_only'
        option sticky '0'

config rule 'https'
        option proto 'tcp'
        option dest_port '443'
        option sticky '1'
        option use_policy 'balanced'

config rule 'all'
        option proto 'all'
        option dest_ip '0.0.0.0/0'
        option sticky '0'
        option use_policy 'balanced'


Remote side:
WAN(eth0): static 7.7.7.8 gateway:7.7.7.1

Below is the output of the following commands:
route -n
cat /etc/config/network



root@GL-MV1000:~# wg
interface: wg0
  public key: wUi4iTCulzasw3s7mrWoXF4MuOzf6PColPoBxS3a9As=
  private key: (hidden)
  listening port: 51820

peer: sJou1WwZNsX7jHfV2CNkCer7uHwxs0yMXFBTwX8DznI=
  endpoint: 8.8.8.7:51820               <-- it should be 9.9.9.7; please see the screenshot below
  allowed ips: 192.168.100.0/24, 192.168.1.0/24
  latest handshake: 49 seconds ago
  transfer: 6.18 KiB received, 1.71 KiB sent


root@GL-MV1000:~# ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
^C

root@GL-MV1000:~# ping -I 192.168.8.1 192.168.1.1
PING 192.168.1.1 (192.168.1.1) from 192.168.8.1: 56 data bytes
^C


root@GL-MV1000:~# ping 8.8.8.7
PING 8.8.8.7 (8.8.8.7): 56 data bytes
64 bytes from 8.8.8.7: seq=0 ttl=63 time=0.745 ms
64 bytes from 8.8.8.7: seq=1 ttl=63 time=0.902 ms
^C
root@GL-MV1000:~# ping 9.9.9.7
PING 9.9.9.7 (9.9.9.7): 56 data bytes
64 bytes from 9.9.9.7: seq=0 ttl=63 time=0.514 ms
64 bytes from 9.9.9.7: seq=1 ttl=63 time=1.001 ms
^C

root@GL-MV1000:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         7.7.7.1         0.0.0.0         UG    10     0        0 wan
7.7.7.0         0.0.0.0         255.255.255.0   U     10     0        0 wan
9.9.9.7         7.7.7.1         255.255.255.255 UGH   10     0        0 wan
192.168.8.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan

root@GL-MV1000:~# cat /etc/config/network
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdd3:1356:9fcc::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'lan0 lan1 usb0'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option hostname 'GL-MV1000-298'
        option ipaddr '192.168.8.1'

config interface 'wan'
        option ifname 'wan'
        option ipv6 '0'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '7.7.7.8'
        option gateway '7.7.7.1'
        option metric '10'

config interface 'lan0'
        option ifname 'lan0'
        option macaddr '94:83:c4:0a:42:99'

config interface 'lan1'
        option ifname 'lan1'
        option macaddr '94:83:c4:0a:42:99'

config interface 'wg0'
        option proto 'wireguard'
        option private_key '6G+8SN2C4v0yWd2O4C5jCa5LPK8D7S3PuVrMQK3VbWg='
        option listen_port '51820'
        list addresses '192.168.100.2'

config wireguard_wg0
        option public_key 'sJou1WwZNsX7jHfV2CNkCer7uHwxs0yMXFBTwX8DznI='
        list allowed_ips '192.168.100.1/24'
        list allowed_ips '192.168.1.0/24'
        option endpoint_host '9.9.9.7'




Hello

In your case (apologies if I missed this): can you ping the remote WireGuard end only from the router, or also from the LAN behind the router? What this means, from your side:

Can you ping 192.168.100.3 from a device connected to the LAN, or only from the OpenWrt device itself?

Also check the routing on your OpenWrt to make sure both ends have routes for the remote LAN via the WireGuard tunnel address.

Create static routes on OpenWrt:
on your side, route 192.168.8.0/24 via gateway 192.168.100.3,
and on the remote side, route back to 192.168.1.0/24 via 192.168.100.2,

so that each router knows how to route the traffic between the two endpoints.