Wireguard Routing Issue

papasan · September 5, 2022, 1:44pm

hello.

having a strange routing issue with Wireguard, hoping someone can point me in the right direction. in prep for updating everything to 22.03 decided to move DNS, DHCP, Wireguard services to a secondary AP. everything is mostly working but the remote peer is unable to get to LAN hosts.

default gateway (10.0.1.1/24) has a route to the VPN segment (10.0.8.0/24), hosts on the LAN can ping remote peer (10.0.8.13). remote peer can ping WG0 (10.0.8.1) interface, can ping LAN interface (10.0.1.3) on on the Wireguard AP and also ping the main AP's LAN interface (10.0.1.1) so it seems that routing is working somewhat. a host on the LAN (10.0.1.51) can ping the remote peer (10.0.8.13) but the only IPs that the remote peer can ping off of the VPN segment are the LAN AP interfaces, the remote peer is unable to talk with the other hosts. for example, a traceroute to 10.0.1.51 ends at the WG0 interface (10.0.8.1).

currently the remote peer is setup with 0.0.0.0/0 in the allowed IPs so it should be sending everything over the tunnel. the firewall zone is setup to allow forwards in both directions (no masquerading). I've tried enabling proxy_arp on the WG0 interface but it doesn't seem to make a difference.

what else should I try?

psherman · September 5, 2022, 2:26pm

Let’s see config files for both peers.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

And the remote peer config file.

Also, what OS is on 10.0.1.151?

trendy · September 5, 2022, 2:37pm

That seems to me to be the culprit. Most likely windows blocking the non-local traffic.

papasan · September 5, 2022, 2:45pm

thanks for the responses, I appreciate he help.

x.x.1.51 example is a Windows box, but it's not an issue with that specific host on the LAN. the remote peer isn't able to talk to anything on the LAN besides the 2 OpenWRT APs. x.x.1.3 (Wireguard AP) and x.x.1.1 (default gateway AP) are both working as expected. x.x.1.8 and x.x.1.9 which are DNS servers not working, x.x.1.11 which is an IP camera not working, HomeAssistant server not working, Jellyfin server not working, etc. I am able to ping from them to the remote peer but not vice-versa. these were all responding fine before from the same sr/dst IPs when Wireguard was being run off of the default gateway.

I suspect it may be an issue that the request is going peer->WG0->host but the response is host->gateway->WG0->peer but the reverse is working fine.

I will work on anonymizing the config files to share.

trendy · September 5, 2022, 2:46pm

Disable invalid packet detection in gateway firewall.

papasan · September 5, 2022, 2:50pm

turning it off on the default gateway firewall got it, thanks!

system · September 15, 2022, 2:50pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.