Wireguard site-to-site only one site

Hello,

I have a problem and can't get any further!

I would like to set up a site-to-site Wireguard connection for my travel router
=> This works as far as I have a connection and I can access my home network from my travel router without any problems, but it doesn't work in the other direction, here I can only reach the Wireguard client (IP), but not the network behind!

For my understanding I would have to connect the VPN connection to the LAN connection, I've already tried with the Automatic script, without success!

I've already tried a lot of things, but as soon as I create my own firewall rule (VPN) with port forwarding as shown several times on the Internet, then I can no longer get a connection to the server at all!

=> if someone can help me that would be great!


# OpenWrt firewall configuration (/etc/config/firewall) of the travel router.
# Global policy: anything not allowed by a zone, forwarding or rule below is
# rejected for input and forward; router-originated output is accepted.
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# Local LAN zone: hosts on network 'lan' may reach the router itself (input)
# and be forwarded within the zone.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

# Upstream zone. Besides wan/wan6/wwan it also lists the network 'vpn', so the
# WireGuard interface named 'vpn' gets the same policy as the upstream link:
# input and forward are rejected and outgoing traffic is masqueraded (masq '1').
# Connections initiated from the remote end of that tunnel are therefore
# rejected here.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'
	list network 'vpn'

# LAN clients may open connections towards the wan zone (which includes the
# 'vpn' network, see above). There is no forwarding in the reverse direction.
config forwarding
	option src 'lan'
	option dest 'wan'

# The rules below all have src 'wan'; because network 'vpn' is a member of
# that zone, they apply to traffic arriving through that tunnel as well.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

# MLD messages are accepted only from link-local sources (fe80::/10).
config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 to the router itself, rate-limited to 1000 packets per second.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 forwarded from wan to any zone (dest '*'), same rate limit.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# These two rules forward ESP and UDP/500 from the wan zone into the LAN.
# NOTE(review): nothing else on this page uses IPsec; confirm they are still
# needed, since they are wan-to-lan openings.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Disabled rule (enabled '0'); it has no effect while disabled.
config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

# Includes /etc/firewall.user; its contents are not shown on this page.
config include
	option path '/etc/firewall.user'

# Firewall zone named 'vpn'. It does NOT contain the network interface called
# 'vpn' (that one is listed in the wan zone); it contains 'wg_s2s_b', the
# site-to-site WireGuard interface. Input and forward are rejected for it.
config zone
	option name 'vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wg_s2s_b'

# Accepts UDP 51820 arriving from the wan zone at the router itself (no dest
# zone is given), i.e. the WireGuard listen port of 'wg_s2s_b'.
config rule 'wg_s2s_51820'
	option name 'Allow-WireGuard-51820'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

# LAN clients may open connections into the site-to-site tunnel zone.
config forwarding
	option src 'lan'
	option dest 'vpn'

# Traffic entering from the tunnel zone may be forwarded out to wan.
# There is no forwarding with src 'vpn' and dest 'lan', so new connections
# from the remote site to hosts on this LAN fall through to the REJECT
# forward policy.
config forwarding
	option src 'vpn'
	option dest 'wan'
# OpenWrt network configuration (/etc/config/network) of the travel router.
# Key, endpoint and address values in quotes such as
# 'thisistheplacefortheprivatekey' are the poster's redaction placeholders.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd59:29ce:2039::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

# LAN of the travel router. 1.2.3.0/24 is not one of the RFC 1918 private
# ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '1.2.3.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

# Upstream link, addressed via DHCP.
config interface 'wwan'
	option proto 'dhcp'

# WireGuard interface 'vpn' (a member of the firewall wan zone). It has no
# listen_port option and auto '0', so it is not brought up automatically.
config interface 'vpn'
	option proto 'wireguard'
	option private_key 'thisistheplacefortheprivatekey'
	list addresses '10.252.1.3/32'
	list dns '8.8.8.8'
	option force_link '1'
	option auto '0'

# Peer of 'vpn'. allowed_ips 0.0.0.0/0 together with route_allowed_ips '1'
# routes all IPv4 traffic through this tunnel.
# NOTE(review): a peer section carries a private_key option here; a peer only
# needs the remote public key (plus the optional preshared key) for the
# tunnel to work - confirm what this value is and whether it should be stored.
config wireguard_vpn
	option description 'trAVEller'
	option public_key 'Thepublickeycomesinhere'
	option preshared_key 'thisistheplaceforthepresharedkey'
	list allowed_ips '0.0.0.0/0'
	option persistent_keepalive '15'
	option endpoint_host 'YourIPcouldbehere'
	option endpoint_port '51820'
	option private_key 'thisistheplacefortheprivatekey'
	option route_allowed_ips '1'

# Second WireGuard interface for the site-to-site attempt (firewall zone
# 'vpn'). It listens on UDP 51820 and uses the same tunnel address
# 10.252.1.3/32 as the 'vpn' interface above; auto '0' as well.
config interface 'wg_s2s_b'
	option proto 'wireguard'
	option private_key 'thisistheplacefortheprivatekey'
	option listen_port '51820'
	list addresses '10.252.1.3/32'
	option auto '0'

# Peer of 'wg_s2s_b' (described as 'H-O-M-E'). Only 192.168.0.0/24 is in
# allowed_ips, so only that subnet is routed into and accepted from this
# tunnel; with route_allowed_ips '1' no default route is created through it.
# NOTE(review): the home side's own tunnel address is not listed here -
# confirm whether it should be. The same private_key remark as for the
# peer above applies.
config wireguard_wg_s2s_b 's2s_vpn_site_a'
	option public_key 'Thepublickeycomesinhere'
	option preshared_key 'thisistheplaceforthepresharedkey'
	option description 'H-O-M-E'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	option endpoint_host 'YourIPcouldbehere'
	option endpoint_port '51820'
	list allowed_ips '192.168.0.0/24'
	option private_key 'thisistheplacefortheprivatekey'

Now I have the VPN interface active, everything works except that I can't get from the server side to the traveler side!

If I deactivate the VPN and activate the interface wg_s2s_b, I no longer have a connection, not even to the Internet, but Wireguard looks connected!

For a site-to-site setup, both sides have to be set up like a server.

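So start by placing the WG interface in the LAN firewall zone instead of the WAN zone or its own zone. The WAN zone rejects input and forwarding, so connections started from the other site are blocked while the interface sits there, whereas the LAN zone accepts them.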

Reboot and test again.

Note: both routers have to be set up on different subnets.


OK, the VPN interface placed in the LAN environment restarted

  • after the restart internet worked!
    --> then I activated the Wireguard interface (not at boot)
    -> then I had no internet and I no longer had a connection to the home network, but the Wireguard seemed to connect!

and yes both are different

traveler 1.2.3.0
Home 192.168.0.0

First, your config is a bit of a mess; remove everything you have disabled so that you have only one WG interface and one peer.

Please connect to your OpenWRT device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
ip route show
wg show

Please share the output from both sides. You do not need to redact local addresses, e.g. 192.168.X.X and 10.X.X.X.

The output from the travel router when the Wireguard interface is located at WAN

The remote station is not an openWRT device

BusyBox v1.36.1 (2023-10-09 21:45:35 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 23.05.0, r23497-6637af95aa
 -----------------------------------------------------
root@trAVEller:~# ubus call system board
{
        "kernel": "5.15.134",
        "hostname": "trAVEller",
        "system": "ARMv8 Processor rev 3",
        "model": "Raspberry Pi 4 Model B Rev 1.4",
        "board_name": "raspberrypi,4-model-b",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.0",
                "revision": "r23497-6637af95aa",
                "target": "bcm27xx/bcm2711",
                "description": "OpenWrt 23.05.0 r23497-6637af95aa"
        }
}
root@trAVEller:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd59:29ce:2039::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '1.2.3.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wwan'
        option proto 'dhcp'

config interface 'vpn'
        option proto 'wireguard'
        option private_key 'privatkey'
        list addresses '10.252.1.3/32'
        list dns '8.8.8.8'
        option force_link '1'

config wireguard_vpn
        option description 'trAVEller.conf'
        option public_key 'publickey'
        option preshared_key 'presharedkey'
        list allowed_ips '0.0.0.0/0'
        option persistent_keepalive '15'
        option endpoint_host 'HOMEIP'
        option endpoint_port '51820'
        option private_key 'privatkey'
        option route_allowed_ips '1'

root@trAVEller:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'wwan'
        list network 'vpn'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config rule 'wg_s2s_51820'
        option name 'Allow-WireGuard-51820'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

root@trAVEller:~# ip route show
default dev vpn scope link
1.2.3.0/24 dev br-lan scope link  src 1.2.3.1
172.31.179.0/24 dev phy0-sta0 scope link  src 172.31.179.7
---IP--- via 172.31.179.1 dev phy0-sta0
root@trAVEller:~# wg show
interface: vpn
  public key: publicKEY
  private key: (hidden)
  listening port: 32781

peer: keyBlaBla
  preshared key: (hidden)
  endpoint: ---IP---:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 12 seconds ago
  transfer: 352.40 KiB received, 186.61 KiB sent
  persistent keepalive: every 15 seconds
root@trAVEller:~#

and here is the output if the Wireguard interface is located under the LAN

=> As I said, I can't get a connection to home or the internet here

BusyBox v1.36.1 (2023-10-09 21:45:35 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 23.05.0, r23497-6637af95aa
 -----------------------------------------------------
root@trAVEller:~# ubus call system board
{
        "kernel": "5.15.134",
        "hostname": "trAVEller",
        "system": "ARMv8 Processor rev 3",
        "model": "Raspberry Pi 4 Model B Rev 1.4",
        "board_name": "raspberrypi,4-model-b",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.0",
                "revision": "r23497-6637af95aa",
                "target": "bcm27xx/bcm2711",
                "description": "OpenWrt 23.05.0 r23497-6637af95aa"
        }
}
root@trAVEller:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd59:29ce:2039::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '1.2.3.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wwan'
        option proto 'dhcp'

config interface 'vpn'
        option proto 'wireguard'
        option private_key '-----'
        list addresses '10.252.1.3/32'
        list dns '8.8.8.8'
        option force_link '1'

config wireguard_vpn
        option description 'trAVEller.conf'
        option public_key '------'
        option preshared_key '----'
        list allowed_ips '0.0.0.0/0'
        option persistent_keepalive '15'
        option endpoint_host '----'
        option endpoint_port '51820'
        option private_key '-----'
        option route_allowed_ips '1'

root@trAVEller:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'vpn'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'wwan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config rule 'wg_s2s_51820'
        option name 'Allow-WireGuard-51820'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

root@trAVEller:~# ip route show
default dev vpn scope link
1.2.3.0/24 dev br-lan scope link  src 1.2.3.1
172.31.179.0/24 dev phy1-sta0 scope link  src 172.31.179.7
--IP-- via 172.31.179.1 dev phy1-sta0
root@trAVEller:~# wg show
interface: vpn
  public key: ----
  private key: (hidden)
  listening port: 37393

peer: ---------
  preshared key: (hidden)
  endpoint: --IP--:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 1 minute, 51 seconds ago
  transfer: 24.50 KiB received, 330.69 KiB sent
  persistent keepalive: every 15 seconds
root@trAVEller:~#

First of all, you cannot use a random address for the LAN subnet; you have to use a private IP address range according to RFC 1918.
So you can use e.g. 192.168.4.1 as the IP address for the router.
Make sure it is different from the subnet on the other side.

To make sure you can connect from the other side you have to open up the firewall so place the vpn interface in the firewall LAN zone.

Minor detail, change the WG address from 10.252.1.3/32 to 10.252.1.3/24

On the other side you have to add the router's subnet (now changed to 192.168.4.0/24) to the allowed IPs, in addition to the existing 10.252.1.3/32.


OK, I changed to 192.168.99.1

adapted in Home and Traveler

If I place the VPN in the LAN environment, I can't get a connection from either side, only I can ping the 10.252.1.3 from home!

I don't have an internet connection from the trAVEller, but Wireguard is connected as usual!

I just tested it again! I just have no connection from the laptop from the traveler side!
I can ping the other side (Home) and also the internet directly on the Raspberry (trAVEller)!
From Home I can only ping the Wireguard IP from the other side!

You have to add 192.168.99.0/24 to the allowed IPs of the other side. Otherwise the other side will not allow traffic from your travel router: WireGuard drops packets from a peer whose source address is outside that peer's allowed IPs.

Please share the setup (or screenshots of the setup) of the other side, because that looks like where the problem is.


I entered it in my home
Allowed IPs
10.252.1.0/24 192.168.99.0/24

Reboot both routers, and check in your home if WG is setup correctly with:
wg show and ip route show


wg show
interface: wg0
  public key: ------
  private key: (hidden)
  listening port: 51820

peer: ------
  preshared key: (hidden)
  endpoint: ---IP----:38772
  allowed ips: 10.252.1.0/24
  latest handshake: 22 seconds ago
  transfer: 3.69 KiB received, 4.14 KiB sent

peer: ------
  preshared key: (hidden)
  allowed ips: 10.252.1.1/32

peer: -----
  preshared key: (hidden)
  allowed ips: 10.252.1.2/32

It's strange that the trAVEller doesn't appear here with the IP 10.252.1.3

All others who are not currently connected will be displayed!

peer: ---------
  preshared key: (hidden)
  allowed ips: 10.252.1.3/32

Now this is also displayed but I had to change it back to /32 instead of /24!

peer: ------------
  preshared key: (hidden)
  endpoint: ---IP---:38772
  allowed ips: 10.252.1.3/32
  latest handshake: 2 seconds ago
  transfer: 372 B received, 284 B sent

This is also wrong.

You cannot have peers with overlapping allowed IPs,
so no 10.252.1.X/24.

For the travel peer I do not see 192.168.99.0/24 as an allowed IP; please check.


OK the problem with the 10.252.1.0/24 seems to have been solved by changing /24 to /32 (possibly) that was just an incorrect output instead of .0 it is now .3!

192.168.99.0/24 is entered for the trAVEller in the home server

and does it show if you do wg show and is it visible if you do ip route show ?


From the trAVEller I can currently ping everything in the home network and also have internet there, all devices that connect to the trAVEller via WiFi have no connection to the home or the internet!

From the Home Wireguard server I can only ping the Wireguard IP 10.252.1.3 but no other devices from the trAVEller LAN

"route show" => shows me nothing but the help

wg show
trAVEller: looks good => allowed ips 0.0.0.0/0
HOME: is connected but allowed ips only 10.252.1.3/32

without adding 192.168.99.0/24 as allowed IPs it is not going to work.
So the Home router has to have two allowed IPs:
10.252.1.3/32 and 192.168.99.0/24

If it is not possible you can try with only 192.168.99.0/24

Your travel clients have e.g. 192.168.99.X as ip address and without allowing that on your Home server you cannot connect from these travel clients


OK

peer: peerzeug
  preshared key: (hidden)
  endpoint: ---IP---:38772
  allowed ips: 192.168.99.0/32, 10.252.1.3/32
  latest handshake: 22 seconds ago
  transfer: 3.10 KiB received, 2.89 KiB sent

When I ping 192.168.99.1 from the Home Wireguard server:

ping 192.168.99.1
PING 192.168.99.1 (192.168.99.1) 56(84) bytes of data.
From 192.168.0.1: icmp_seq=2 Redirect Host(New nexthop: 192.168.0.198)
From 192.168.0.1: icmp_seq=3 Redirect Host(New nexthop: 192.168.0.198)
From 192.168.0.1: icmp_seq=4 Redirect Host(New nexthop: 192.168.0.198)
From 192.168.0.1: icmp_seq=5 Redirect Host(New nexthop: 192.168.0.198)
From 192.168.0.1: icmp_seq=6 Redirect Host(New nexthop: 192.168.0.198)
From 192.168.0.1: icmp_seq=8 Redirect Host(New nexthop: 192.168.0.198)

ping Wireguard IP

ping 10.252.1.3
PING 10.252.1.3 (10.252.1.3) 56(84) bytes of data.
64 bytes from 10.252.1.3: icmp_seq=1 ttl=64 time=5.55 ms
64 bytes from 10.252.1.3: icmp_seq=2 ttl=64 time=2.20 ms
64 bytes from 10.252.1.3: icmp_seq=3 ttl=64 time=2.13 ms
64 bytes from 10.252.1.3: icmp_seq=4 ttl=64 time=2.98 ms