Wireguard Site to Site - OpenWrt Firewall / Masquerading or Firewall misconfiguration?

I would like to ask for assistance to troubleshoot my Wireguard Site-to-Site configuration between 2 sites (Home and Work), both sites:

  • have a public static IP address
  • have Wireguard configured on OpenWrt routers, which act as access points behind the ISP routers (no double NAT)

The configuration works partially, in fact the Wireguard tunnel is working, since

  • there is a handshake between the 2 sites
  • when SSHing into Work OpenWrt router, I can then ssh, curl and ping devices behind the Home OpenWrt router successfully
  • but when connecting to the WiFi network set up on Work OpenWrt router with my laptop, I cannot reach devices behind the Home OpenWrt router (not even ping works)

So I have the feeling that this may be related to wrong firewall or masquerading settings on the Work OpenWrt router, but I have tried so many different configurations and finally ran out of ideas on what else to try, so I am here asking for suggestions.

A few additional details for Home:

  • Home Public Static IP Address (redacted): 80.0.0.1
  • Home Local Network: 192.168.5.0/24
  • Home OpenWrt Wireguard Interface configured on an OpenWrt router at 192.168.5.2
  • Home OpenWrt Wireguard IP is 10.14.0.1 and listening port is 1234
  • Port Forwarding is configured on the ISP router so that UDP requests on port 1234 are forwarded to the OpenWrt router at 192.168.5.2

Then a few details for Work:

  • Work Public Static IP Address (redacted): 90.0.0.1
  • Work Local Network: 192.168.1.0/24
  • Work OpenWrt Wireguard Interface configured on an OpenWrt router at 192.168.1.253
  • Work OpenWrt Wireguard IP is 10.14.0.7 and listening port is 33350
  • Port Forwarding is configured on the ISP router so that UDP requests on port 33350 are forwarded to the OpenWrt router at 192.168.1.253

The Wireguard Home configuration for Work Peer is:

  • Allowed IPs are 10.14.0.7/32 and 192.168.1.0/24
  • Routing for Allowed IPs is active
  • Endpoint Host is 90.0.0.1 @ port 33350

Work Wireguard configuration for Home Peer is:

  • Allowed IPs are 10.14.0.1/32 and 192.168.5.0/24
  • Routing for Allowed IPs is active
  • Endpoint Host is 80.0.0.1 @ port 1234

On both routers I've added the Wireguard interface to the LAN firewall zone without many other customizations.

As I said, I can reach devices behind Home OpenWrt router while SSHing into Work OpenWrt router, but not the other way around. Also, I cannot reach Home OpenWrt devices while connected to the WiFi network of Work OpenWrt router.

Following the advice in other posts (and also some suggestions from ChatGPT...), I've tried setting a SNAT rule on Work OpenWrt router so that traffic from any source to any destination gets rewritten to Work OpenWrt router IP (192.168.1.253), but that didn't work.

I've run tcpdump on the Work OpenWrt router Wireguard interface: tcpdump -i wg. I noticed that only traffic originating from within the Work OpenWrt router (that is, pinging a device behind the Home OpenWrt router in the 192.168.0.5/24 range while SSHing into the Work router) gets captured by tcpdump. Other pings to "Home" from devices connected to the WiFi network set up on the Work router (in the 192.168.1.0/24 range) do not show up in tcpdump.

Again, I would say that the issue is in the configuration of Masquerading or Firewall of the Work OpenWrt router. It seems that requests to devices in the 192.168.0.5/24 range are not "forwarded" to the Wireguard interface in the Work router. I am out of ideas now.

Thanks for any suggestions that you may provide!

As this is set up on a dumb/bridged AP, you need to SNAT the wg traffic (10.14.0.0/24) coming out of the lan zone, or set a static route on the main router.


My two cents:

  • You do not need NAT/masquerading.
  • The ISP routers must have routes that point to the remote network and use the link OpenWrt router as a gateway.
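To show why the WiFi clients never appear in tcpdump on the wg interface while the router itself can ping across, here is an added model of the Work site's routing tables (example code written for this thread, not OpenWrt or WireGuard code). The client address 192.168.1.50 and the ISP router address 192.168.1.1 are assumed; the other addresses come from the question.

```python
from ipaddress import ip_address, ip_network

# Addresses from the thread; the client and ISP-router IPs are assumed for illustration.
ISP_ROUTER, OPENWRT, CLIENT = "192.168.1.1", "192.168.1.253", "192.168.1.50"

def work_site(static_route):
    """Routing tables of the Work site as (prefix, next_hop, iface); next_hop None = on-link."""
    isp = [("0.0.0.0/0", "WAN", "wan"), ("192.168.1.0/24", None, "lan")]
    if static_route:  # the fix proposed in the replies: 192.168.5.0/24 via the OpenWrt AP
        isp.append(("192.168.5.0/24", OPENWRT, "lan"))
    return {
        # WiFi client on a bridged AP: its default gateway is the ISP router, not OpenWrt
        CLIENT: [("0.0.0.0/0", ISP_ROUTER, "wlan"), ("192.168.1.0/24", None, "wlan")],
        ISP_ROUTER: isp,
        # OpenWrt AP: the two wg routes come from the Home peer's AllowedIPs
        OPENWRT: [("0.0.0.0/0", ISP_ROUTER, "lan"), ("192.168.1.0/24", None, "lan"),
                  ("10.14.0.1/32", None, "wg"), ("192.168.5.0/24", None, "wg")],
    }

def lookup(table, dst):
    """Longest-prefix match; returns (next_hop, iface) or None when nothing matches."""
    dst, best = ip_address(dst), None
    for prefix, next_hop, iface in table:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return None if best is None else best[1:]

def trace(nodes, src, dst):
    """Follow one packet hop by hop; the last entry says where it ended up."""
    path, node = [], src
    while True:
        hit = lookup(nodes[node], dst)
        if hit is None:
            return path + [f"{node}: no route, dropped"]
        next_hop, iface = hit
        if iface == "wg":
            return path + [f"{node}: enters WireGuard tunnel"]
        if next_hop == "WAN":
            return path + [f"{node}: handed to ISP uplink, private destination is lost"]
        if next_hop is None:
            return path + [f"{node}: delivered on-link via {iface}"]
        path.append(f"{node} -> {next_hop} via {iface}")
        node = next_hop

def reaches_tunnel(static_route, src=CLIENT, dst="192.168.5.10"):
    """True when a packet from src to a Home LAN host reaches the wg interface."""
    return trace(work_site(static_route), src, dst)[-1].endswith("tunnel")

if __name__ == "__main__":
    for flag in (False, True):
        print(f"static route on ISP router = {flag}:", *trace(work_site(flag), CLIENT, "192.168.5.10"), sep="\n  ")
```

Without the static route the client's packet goes to the ISP router and leaves via its default route, so it never touches the OpenWrt AP, which is exactly what the empty tcpdump on wg shows; pings started on the router itself match the wg route directly.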