WireGuard site-to-site and subnet routing

Hi, I have set up a WG s2s tunnel on 3 OpenWrt routers between 3 sites. I am able to ping the remote router IP between the sites. In addition to the router in each site, I also have multiple dumb APs on the same subnet as the router. The problem I am having is that I am not able to reach the APs from the remote peers. Any suggestion on the route(s) I need to add on each router in order to allow remote clients access to the remote APs?

Below are network and firewall information for each site:

WireGuard: Subnet 10.0.0.0/24 (fw zone = s2s)

Site A:

  • Router Subnet 10.10.0.1/24 (fw zone = admin)
  • APs: 10.10.0.2/24 and 10.10.0.3/24 (fw zone = admin)
  • WG: 10.0.0.1/24 (fw zone = s2s)
    -- Peer1: A <=> B, AllowIPs: 10.0.0.2/32, 10.11.0.0/24
    -- Peer2: A <=> C, AllowIPs: 10.0.0.3/32, 10.12.0.0/24

Site B:

  • Router Subnet 10.11.0.1/24 (fw zone = admin)
  • APs: 10.11.0.2/24 and 10.11.0.3/24 (fw zone = admin)
  • WG: 10.0.0.2/24 (fw zone = s2s)
    -- Peer1: B <=> A, AllowIPs: 10.0.0.1/32, 10.10.0.0/24
    -- Peer2: B <=> C, AllowIPs: 10.0.0.3/32, 10.12.0.0/24

Site C:

  • Router Subnet 10.12.0.1/24 (fw zone = admin)
  • APs: 10.12.0.2/24 and 10.12.0.3/24 (fw zone = admin)
  • WG: 10.0.0.3/24 (fw zone = s2s)
    -- Peer1: C <=> A, AllowIPs: 10.0.0.1/32, 10.10.0.0/24
    -- Peer2: C <=> B, AllowIPs: 10.0.0.2/32, 10.11.0.0/24

Each of the sites has a WG peer connection to the other 2 remote sites, and their subnets are allowed to route via their respective tunnels.

For example, I can traceroute between site A <=> B router IP, but not to the APs.

# traceroute -i s2s -n -m 3 10.11.0.1
traceroute to 10.11.0.1 (10.11.0.1), 3 hops max, 46 byte packets
 1  10.11.0.1  20.214 ms  28.036 ms  20.985 ms
# traceroute -i s2s -n -m 3 10.11.0.2
traceroute to 10.11.0.2 (10.11.0.2), 3 hops max, 46 byte packets
 1  10.0.0.2  27.619 ms  16.970 ms  24.249 ms
 2  *  *  *
 3  *  *  *

# traceroute -i s2s -n -m 3 10.10.0.1
traceroute to 10.10.0.1 (10.10.0.1), 3 hops max, 46 byte packets
 1  10.10.0.1  22.750 ms  18.325 ms  18.161 ms
# traceroute -i s2s -n -m 3 10.10.0.2
traceroute to 10.10.0.2 (10.10.0.2), 3 hops max, 46 byte packets
 1  10.0.0.1  20.067 ms  26.074 ms  30.318 ms
 2  *  *  *
 3  *  *  *

I am also able to reach the remote routers from my laptop, which is connected on the admin subnet on site A. But I cannot reach the remote APs.

❯ traceroute -n -m 3 10.11.0.1
traceroute to 10.11.0.1 (10.11.0.1), 3 hops max, 52 byte packets
 1  10.10.0.1  8.509 ms  3.722 ms  3.319 ms
 2  10.11.0.1  24.745 ms  23.895 ms  45.486 ms

❯ traceroute -n -m 3 10.11.0.2
traceroute to 10.11.0.2 (10.11.0.2), 3 hops max, 52 byte packets
 1  10.10.0.1  10.572 ms  3.742 ms  3.442 ms
 2  10.0.0.2  24.944 ms  22.956 ms  30.087 ms
 3  * * *

The FW zones are set up as follows on each site:

The default FW is set to drop by default:

The goal is to only allow any devices on the admin zone access to remote peers' devices on the admin zone via the s2s tunnel only.

Any help to achieve the above would be much appreciated.

Shouldn't you allow forwarding from the s2s zone to the admin zone?


It is easier to add the WG interface to the Admin zone.

But if you do not want that then follow @pavelgl's advice.

Furthermore, MASQUERADING on the s2s zone is not necessary.

Note that your local LAN clients can have their own firewall and will not allow traffic from other subnets by default, so if necessary tweak the firewall of the local LAN clients to allow other subnets.
As a test of whether this is the problem, you can enable MASQUERADING on the LAN zone.
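Putting the two replies together as a concrete OpenWrt firewall fragment. This is an added example, not configuration posted in the thread; it assumes the LAN interface is named 'lan' and the WireGuard interface 'wg0' in /etc/config/network, while the zone names admin and s2s are the poster's.

```uci
# /etc/config/firewall fragment (added example, not the poster's config).
# Assumptions: interface names 'lan' and 'wg0' come from /etc/config/network.
# The global defaults are left as the poster has them (drop by default).

# Local LAN: the router and its dumb APs (10.10.0.0/24 at site A, etc.)
config zone
	option name 'admin'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'DROP'

# WireGuard tunnel zone. No masquerading: each site already routes the
# others' subnets via AllowedIPs, so source addresses are kept intact and
# the remote side can reply directly.
config zone
	option name 's2s'
	list network 'wg0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '0'

# Local admin devices may initiate connections into the tunnel.
# Replies come back through conntrack without a second rule.
config forwarding
	option src 'admin'
	option dest 's2s'

# Traffic arriving from the tunnel may be forwarded into the local admin
# subnet. Without this rule the router itself still answers, because
# packets addressed to it go through the zone's INPUT policy (ACCEPT),
# while packets for the APs go through FORWARD and are dropped, which is
# the traceroute pattern in the question (tunnel hop answers, then * * *).
config forwarding
	option src 's2s'
	option dest 'admin'
```

Apply the same fragment on all three routers and reload with `/etc/init.d/firewall restart`. For a laptop at site A reaching an AP at site B, router A needs the admin -> s2s rule and router B needs the s2s -> admin rule; the latter is the one missing in the setup described. If you prefer the simpler option from the second reply, drop both forwarding sections and add `list network 'wg0'` under the admin zone instead, so the tunnel and the LAN share one zone and intra-zone forwarding is allowed by that zone's forward policy.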
