Wireguard ping on IP address

I apologize if this question is not related to OpenWrt.
Explanation of the situation

WireGuard between OpenWrt and LXC Debian works great. When I try to ping from PC 192.168.130.209 to 192.168.1.2, the ping works correctly.
I run tcpdump on PC 192.168.1.2 and there I see that the ping is coming from IP 192.168.1.111, which is the IP address of the WireGuard server (see the picture).
How do I achieve the state where the ping comes from IP 10.10.0.3?

Disable masquerade/snat on the LXC.


Yes disable NAT. Since the ping replies will then be coming from the actual IP of the PC beyond LXC, you'll also need to install 192.168.1.0/24 as an allowed_ip on the OpenWrt end of the wireguard tunnel.


In LXC I have this

[Interface]
PrivateKey = ********************************************
Address = 10.10.0.1/32
ListenPort = 51820
PreUp = iptables -I FORWARD -i wg0 -d 0.0.0.0/0 -j REJECT
PostDown = iptables -D FORWARD -i wg0 -d 0.0.0.0/0 -j REJECT
PreUp = iptables -I FORWARD -i wg0 -d 192.168.1.0/24 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -d 192.168.1.0/24 -j ACCEPT

I don't have SNAT/masquerade there.

iptables-save -c

# Generated by iptables-save v1.8.7 on Fri Jan 27 18:53:08 2023
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
[0:0] -A FORWARD -d 192.168.1.0/24 -i wg0 -j ACCEPT
[0:0] -A FORWARD -i wg0 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Fri Jan 27 18:53:08 2023
# Generated by iptables-save v1.8.7 on Fri Jan 27 18:53:08 2023
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
[5316:336437] -A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Jan 27 18:53:08 2023

I use multiple wireguard networks for servers. I deleted those unimportant networks from the list.

How about that?

But I don't have masquerade in the WireGuard config (wg0.conf).

Masquerade wouldn't be in a WG config. Do you have your WG interface assigned to a firewall Zone with masquerade enabled?

If eth0 is the lan interface of the LXC with the 192.168.1.111, you have your answer.

I do not know that :slightly_smiling_face:

I use several WG interfaces in one LXC (wg0, wg1 ...). I use masquerade for the wg0 interface and not for wg1. When I stop the wg0 interface and masquerade is not used, it works.
Ping from PC 192.168.130.209 to 192.168.1.2
tcpdump running on PC 192.168.1.2

08:40:36.242152 IP 192.168.130.209 > 192.168.1.2: ICMP echo request, id 2378, seq 37, length 64
08:40:36.242166 IP 192.168.1.2 > 192.168.130.209: ICMP echo reply, id 2378, seq 37, length 64
08:40:37.245839 IP 192.168.130.209 > 192.168.1.2: ICMP echo request, id 2378, seq 38, length 64
08:40:37.245848 IP 192.168.1.2 > 192.168.130.209: ICMP echo reply, id 2378, seq 38, length 64
08:40:38.245558 IP 192.168.130.209 > 192.168.1.2: ICMP echo request, id 2378, seq 39, length 64
08:40:38.245566 IP 192.168.1.2 > 192.168.130.209: ICMP echo reply, id 2378, seq 39, length 64

Look at my first post, last sentence:
How do I achieve the state where the ping comes from IP 10.10.0.3?
Is it even possible?

Find where is masquerade applied on the path of the packet flow and disable it.
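The advice above amounts to auditing the nat table hop by hop. As an added example (not code from the thread or from OpenWrt), the POSIX shell script below takes `iptables-save -c` output and lists the POSTROUTING MASQUERADE/SNAT rules that would rewrite the source of packets leaving a given interface, including rules with no `-o` at all, which hit every outgoing interface. The dump embedded in `SAMPLE_DUMP` is constructed for the example, modelled on the rules posted earlier plus a hypothetical SNAT rule on `wg1`; on a real host pipe `iptables-save -c` into `nat_rules_for_iface` instead.

```shell
#!/bin/sh
# Added example: find which nat POSTROUTING rules masquerade/SNAT traffic that
# egresses a given interface. Reads iptables-save text on stdin.

# Constructed sample of `iptables-save -c` output (not a real host's dump).
# The eth0 MASQUERADE line mirrors the thread; the wg1 SNAT line is hypothetical.
SAMPLE_DUMP='# Generated by iptables-save v1.8.7
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
[0:0] -A FORWARD -d 192.168.1.0/24 -i wg0 -j ACCEPT
[0:0] -A FORWARD -i wg0 -j REJECT --reject-with icmp-port-unreachable
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
[5316:336437] -A POSTROUTING -o eth0 -j MASQUERADE
[12:1008] -A POSTROUTING -s 10.10.0.0/24 -o wg1 -j SNAT --to-source 10.10.1.1
COMMIT'

# nat_rules_for_iface IFACE
# Prints every nat-table POSTROUTING rule whose target is MASQUERADE or SNAT
# and whose outgoing-interface match applies to IFACE:
#   - no "-o" at all        -> applies to every interface
#   - "-o IFACE"            -> applies
#   - "! -o OTHER"          -> applies unless OTHER is IFACE
# Rules in other tables (filter, mangle, ...) are ignored.
nat_rules_for_iface() {
    awk -v iface="$1" '
        /^\*/       { table = substr($0, 2); next }   # *filter, *nat, ...
        /^COMMIT/   { table = ""; next }
        table != "nat" { next }
        /-A POSTROUTING/ && /-j (MASQUERADE|SNAT)/ {
            out = ""; neg = 0
            for (i = 2; i <= NF; i++)
                if ($i == "-o") { out = $(i + 1); neg = ($(i - 1) == "!") }
            if (out == "")          hit = 1
            else if (neg)           hit = (out != iface)
            else                    hit = (out == iface)
            if (hit) print $0
        }'
}

# nat_rule_count IFACE: number of matching rules, as a plain integer.
nat_rule_count() {
    nat_rules_for_iface "$1" | awk 'END { print NR }'
}

# Stand-alone run: report on the interfaces from the thread.
for ifc in eth0 wg0 wg1; do
    n=$(printf '%s\n' "$SAMPLE_DUMP" | nat_rule_count "$ifc")
    if [ "$n" -eq 0 ]; then
        echo "$ifc: no MASQUERADE/SNAT; packets keep their original source IP"
    else
        echo "$ifc: source rewritten by $n rule(s):"
        printf '%s\n' "$SAMPLE_DUMP" | nat_rules_for_iface "$ifc" | sed 's/^/    /'
    fi
done
```

In the thread's situation the rule of interest is the one on `eth0`: a ping from the tunnel that is forwarded out of the LAN interface matches it and leaves with the LXC's LAN address as source, which is exactly what the tcpdump on 192.168.1.2 showed. Run the same check on the OpenWrt side (where the rule set is generated from the firewall zone's masquerade flag) to see both ends of the path.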

I actually thought the opposite. If I set masquerade on OpenWrt (see image), then the IP address 192.168.130.209 should be masqueraded as the IP address 10.10.0.3, but it doesn't work that way.
If I ping from the openwrt router and carefully check tcpdump on the other one, it's OK.

11:23:14.870503 IP 10.10.1.3 > 192.168.1.2: ICMP echo request, id 3602, seq 0, length 64
11:23:14.870513 IP 192.168.1.2 > 10.10.1.3: ICMP echo reply, id 3602, seq 0, length 64
11:23:15.896486 IP 10.10.1.3 > 192.168.1.2: ICMP echo request, id 3602, seq 1, length 64
11:23:15.896501 IP 192.168.1.2 > 10.10.1.3: ICMP echo reply, id 3602, seq 1, length 64

Nope, everything egressing the lan zone will be NATed to the source IP of the interface, in your case 192.168.130.1.

In tcpdump, I saw that responses always come from 192.168.130.209

Start a ping from 192.168.1.2 to 192.168.130.209 and check on .130.209 the tcpdump.

ping 192.168.130.209
PING 192.168.130.209 (192.168.130.209) 56(84) bytes of data.
64 bytes from 192.168.130.209: icmp_seq=1 ttl=62 time=73.0 ms
64 bytes from 192.168.130.209: icmp_seq=2 ttl=62 time=78.1 ms

I still see the response from the real IP and not from the WG IP 10.10.0.1.

08:26:56.594351 IP 192.168.1.2 > 192.168.130.209: ICMP echo request, id 3, seq 22, length 64
08:26:56.594403 IP 192.168.130.209 > 192.168.1.2: ICMP echo reply, id 3, seq 22, length 64
08:26:57.598425 IP 192.168.1.2 > 192.168.130.209: ICMP echo request, id 3, seq 23, length 64
08:26:57.598455 IP 192.168.130.209 > 192.168.1.2: ICMP echo reply, id 3, seq 23, length 64

And you want it to come from 10.10.0.3? Then enable masquerade on wg0.

When I set the masquerade in LXC to wg0, it works correctly when I ping from 192.168.1.2 to 192.168.130.209. :+1:

If I ping the other way, the answer always comes from 192.168.130.209.

If I set the masquerade (look here), the ping from 192.168.130.209 does not work, but in tcpdump I can see 192.168.1.2:

09:32:13.920644 IP 10.10.0.3 > 192.168.1.2: ICMP echo request, id 4561, seq 21, length 64
09:32:13.920656 IP 192.168.1.2 > 10.10.0.3: ICMP echo reply, id 4561, seq 21, length 64
09:32:14.885739 IP 10.10.0.3 > 192.168.1.2: ICMP echo request, id 4561, seq 22, length 64
09:32:14.885746 IP 192.168.1.2 > 10.10.0.3: ICMP echo reply, id 4561, seq 22, length 64