Hello,
I have this configuration:
- My OpenWrt firewall acts as a VPN server and is embedded within an existing network (which has its own firewall).
- The OpenWrt device has the IP address 192.168.50.70/24; the gateway (3rd-party firewall) is at 192.168.50.1.
- There are devices attached to the network (e.g. 192.168.50.2), but also a 192.168.1.0/24 network that is reachable through the gateway IP 192.168.50.1.
- I've created an S2S VPN to connect a remote network 172.31.1.0/24.
- The S2S tunnel uses the internal IP net 172.30.55.0/24.
It's all working like a charm: when I enable masquerading in the lan > wireguard/wan interface I can ping clients from each side, and I can reach the 192.168.1.0/24 network from the 172.31.1.0/24 net.
The 3rd-party firewall also has its route to 172.31.1.0/24 via 192.168.50.70.
My problem is that behind the subnet 172.31.1.0/24 there are devices attached that cannot really interact with NAT; there are some UDP packets sent where NAT is a problem, so I want to prevent this and check if it's possible to disable masquerading.
But then I have this behaviour:
- Access from 192.168.1.0/24 to 172.31.1.0/24 -> working
- Access from 172.31.1.0/24 to 192.168.50.70 (OpenWrt firewall) -> working
- Access from 172.31.1.0/24 to 192.168.50.1 -> not working
- Access from 172.31.1.0/24 to 192.168.1.2 -> not working
When I run a traceroute I see that the packets go through 172.30.55.1 and stop there; this is the internal VPN S2S IP of the OpenWrt device.
When I SSH into the OpenWrt I can still ping 192.168.50.1 and 192.168.50.1 (but not if I use wg1 as the source interface).
Is this possible without NAT? What am I missing? Does 192.168.50.1 need to know the route to 172.30.55.0/24?
Here is some of my config from my VPN server:
root@VPNGW:/etc/config# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 532
link/ether 94:83:c4:03:b3:b3 brd ff:ff:ff:ff:ff:ff
3: wan@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br-lan state LOWERLAYERDOWN group default qlen 1000
link/ether 94:83:c4:03:b3:b3 brd ff:ff:ff:ff:ff:ff
4: lan0@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br-lan state LOWERLAYERDOWN group default qlen 1000
link/ether 94:83:c4:03:b3:b4 brd ff:ff:ff:ff:ff:ff
5: lan1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
link/ether 94:83:c4:03:b3:b4 brd ff:ff:ff:ff:ff:ff
11: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 10.0.0.1/24 scope global wg0
valid_lft forever preferred_lft forever
12: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 94:83:c4:03:b3:b4 brd ff:ff:ff:ff:ff:ff
inet 192.168.50.70/24 brd 192.168.50.255 scope global br-lan
valid_lft forever preferred_lft forever
21: wg1: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 172.30.55.1/32 scope global wg1
valid_lft forever preferred_lft forever
root@VPNGW:/etc/config# ip r
default via 192.168.50.1 dev br-lan proto static
10.0.0.0/24 dev wg0 proto kernel scope link src 10.0.0.1
172.30.55.2 dev wg1 scope link metric 80
172.31.1.0/24 dev wg1 scope link metric 80
192.168.50.0/24 dev br-lan proto kernel scope link src 192.168.50.70
root@VPNGW:/etc/config# ip ru
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
root@VPNGW:/etc/config# wg
interface: wg1
public key: ****=
private key: (hidden)
listening port: 51830
peer: ******=
endpoint: ___.____.___.___:49586
allowed ips: 172.31.1.0/24, 172.30.55.2/32
latest handshake: 1 minute, 25 seconds ago
transfer: 7.97 MiB received, 5.34 MiB sent
root@VPNGW:/etc/config#
Firewall is on accept-all for test reasons.
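The failures above are the kind that a return-route check explains: a packet gets forwarded, but some host on the way back has no route to the source address, which is exactly what masquerading hides by rewriting the source to 192.168.50.70. The following is an added example (not from the post or from OpenWrt): a small longest-prefix-match model of the routing tables described above. The gateway's and LAN host's tables, the node names, and the address 192.168.1.1 for the gateway's inner leg are assumptions.

```python
import ipaddress

# Constructed model of the routing tables from the post (next hop None = on-link).
# The "remote" node stands for the whole remote site behind the far WireGuard peer.
ROUTES = {
    "openwrt": [("172.31.1.0/24", None), ("172.30.55.2/32", None),
                ("192.168.50.0/24", None), ("0.0.0.0/0", "192.168.50.1")],
    "gateway": [("192.168.50.0/24", None), ("192.168.1.0/24", None),
                ("172.31.1.0/24", "192.168.50.70")],      # the route the post says exists
    "remote":  [("172.31.1.0/24", None), ("172.30.55.1/32", None),
                ("192.168.50.0/24", "172.30.55.1"), ("192.168.1.0/24", "172.30.55.1")],
    "lanhost": [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1")],  # assumed
}
# Which node owns which address (192.168.1.1 on the gateway is an assumption).
OWNER = {"192.168.50.70": "openwrt", "172.30.55.1": "openwrt",
         "192.168.50.1": "gateway", "192.168.1.1": "gateway",
         "172.31.1.2": "remote", "172.30.55.2": "remote",
         "192.168.1.2": "lanhost"}


def next_node(node, dst):
    """Longest-prefix lookup in node's table; returns the node that receives the packet next, or None."""
    best = None
    for prefix, via in ROUTES[node]:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    if best is None:
        return None                     # no route at all: packet is dropped here
    return OWNER.get(best[1] or dst)    # on-link routes deliver straight to the destination


def path(src, dst, max_hops=8):
    """Forward hop by hop from the owner of src; the list ends with None when a table has no route."""
    node, hops = OWNER[src], [OWNER[src]]
    while node != OWNER[dst] and node is not None and len(hops) < max_hops:
        node = next_node(node, dst)
        hops.append(node)
    return hops


def round_trip(src, dst):
    """Return (forward_path, return_path, ok); ok only when both directions reach their target."""
    fwd, back = path(src, dst), path(dst, src)
    return fwd, back, fwd[-1] == OWNER[dst] and back[-1] == OWNER[src]


if __name__ == "__main__":
    # Ping from br-lan address: fine. Ping from the wg1 address: the gateway has no route back.
    print(round_trip("192.168.50.70", "192.168.50.1"))
    print(round_trip("172.30.55.1", "192.168.50.1"))
    print(round_trip("172.31.1.2", "192.168.1.2"))
```

The second case reproduces the "not if I use wg1 as source" observation: the reply from 192.168.50.1 to 172.30.55.1 has no matching route on the gateway. The third case completes in the model, so if it fails in practice the cause is not a missing route on the hosts modelled here.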