Wireguard site-to-site routing issue

Hello,

I know there are a lot of similar threads, but they didn't help me with my specific problem:
I can reach the router interfaces via the wireguard-IPs (192.168.1.1 and 192.168.1.5; ping/SSH/luci work without problems), but I cannot access the network behind the routers (192.168.22.0/24 and 192.168.21.0/24) or the router-IPs (192.168.22.1 and 192.168.21.1).
Do I need additional firewall-rules? I would guess not, because wg0 is part of each lan-zone.

I have set up the following:

  1. Router A: WAN-connection via fibre (semi-permanent IPv6, /56-prefix)
    1.1 etc/config/network
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.21.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wg0'
	option proto 'wireguard'
	option private_key '<private_key Router_A>'
	option listen_port '27'
	list addresses '192.168.1.1/24'
	option ip6assign '64'

config wireguard_wg0
	option description '<Router_B>'
	option public_key '<public_key Router_B>'
	option preshared_key '<preshared_key>'
	list allowed_ips '192.168.22.0/24'
	list allowed_ips '192.168.1.5/32'
	option route_allowed_ips '1'
	option endpoint_host '<wg0.router_b.mydomain.tld>'
	option endpoint_port '27'
	option persistent_keepalive '25'

1.2 etc/config/firewall

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wg0'

config rule
	option name 'wireguard input wg0'
	option src '*'
	option dest_port '27'
	option proto 'udp'
	option target 'ACCEPT'

1.3 IPv4-routes:

root@Router_A:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         100.84.0.1      0.0.0.0         UG    0      0        0 wan
100.84.0.0      *               255.255.0.0     U     0      0        0 wan
192.168.1.0     *               255.255.255.0   U     0      0        0 wg0
[...]
192.168.1.5     *               255.255.255.255 UH    0      0        0 wg0
[...]
192.168.21.0    *               255.255.255.0   U     0      0        0 br-lan
192.168.22.0    *               255.255.255.0   U     0      0        0 wg0
[...]

1.4 wg show

root@Garti_Router:~# wg show
interface: wg0
  public key: <public_key Router_A>
  private key: (hidden)
  listening port: 27

peer: <public_key Router_B>
  preshared key: (hidden)
  endpoint: [<IPv6 Router_B>]:27
  allowed ips: 192.168.22.0/24, 192.168.1.5/32
  latest handshake: 1 minute, 22 seconds ago
  transfer: 43.01 MiB received, 4.11 MiB sent
  persistent keepalive: every 25 seconds

  2. Router B: WAN-connection via 4G/5G (dynamic IPv6, /64-prefix)
    2.1 etc/config/network
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.22.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	list ip6class 'local'

config interface 'wg0'
	option proto 'wireguard'
	option private_key '<private_key Router_B>'
	option listen_port '27'
	list addresses '192.168.1.5/24'
	option ip6assign '64'
	option ip6class 'local'

config wireguard_wg0
	option description 'Router_A'
	option public_key '<public_key Router_A>'
	option preshared_key '<preshared_key>'
	list allowed_ips '192.168.21.0/24'
	list allowed_ips '192.168.1.1/32'
	option route_allowed_ips '1'
	option endpoint_host '<wg0.router_a.mydomain.tld>'
	option endpoint_port '27'
	option persistent_keepalive '25'

2.2 etc/config/firewall

config zone
	option name 'lan'
	list network 'lan'
	list network 'wg0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config rule
	option name 'wireguard wg0 input'
	option src '*'
	option dest_port '27'
	option proto 'udp'
	option target 'ACCEPT'

2.3 IPv4-routes:

root@Router_B:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.123.182.181  0.0.0.0         UG    0      0        0 wwan0
10.123.182.176  *               255.255.255.248 U     0      0        0 wwan0
192.168.1.0     *               255.255.255.0   U     0      0        0 wg0
192.168.1.1     *               255.255.255.255 UH    0      0        0 wg0
[...]
192.168.21.0    *               255.255.255.0   U     0      0        0 wg0
192.168.22.0    *               255.255.255.0   U     0      0        0 br-lan
[...]

2.4 wg show

root@Garti_Router:~# wg show
interface: wg0
  public key: <public_key Router_B>
  private key: (hidden)
  listening port: 27

peer: <public_key Router_A>
  preshared key: (hidden)
  endpoint: [<IPv6 router A>]:27
  allowed ips: 192.168.21.0/24, 192.168.1.1/32
  latest handshake: 1 minute, 46 seconds ago
  transfer: 3.56 MiB received, 37.97 MiB sent
  persistent keepalive: every 25 seconds

Thanks - at least for reading,
ssdnvv

Both routers might not have a public ip address
Site A looks like cgnat and site B is behind another router

Does wg show show a connection?

See the WireGuard Server Setup guide

They both do have a public IP and as I wrote above I can reach each router when being connected to the other router. So the connection is established.

Please give ip route show.

At first glance it looks like your allowed ips and add allowed address route are off

Try to specify only the wireguard address and the whole local subnet. You have 192.168.1.0/24 on both sides or just a single address overlap?

Best practice is, also to avoid headaches:

  • No address overlap on each side
  • The tunnel uses a dedicated network
  • Allowed ips contain the tunnel address and the remote network

Ps: route is deprecated in Linux since 2012 iirc. And should not be used since Kernel 4.x which was around 2016 or something....

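The three best-practice points above (no address overlap, allowed ips covering the tunnel address plus the remote network, and the kernel routes that route_allowed_ips is supposed to install) can be checked mechanically. The following script is an added example and not part of the thread or of OpenWrt: it parses a UCI network fragment and an ip route show listing and reports anything that is off. The embedded config and route text is constructed from what was posted for Router_A (trimmed to the relevant lines), and the function names are my own.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed samples (not live data): Router_A's /etc/config/network and its
# 'ip route show' output, reduced to the lines that matter for the checks below.
NETWORK_A = """\
config interface 'lan'
	option ipaddr '192.168.21.1'
	option netmask '255.255.255.0'
config interface 'wg0'
	option proto 'wireguard'
	list addresses '192.168.1.1/24'
config wireguard_wg0
	list allowed_ips '192.168.22.0/24'
	list allowed_ips '192.168.1.5/32'
	option route_allowed_ips '1'
"""
ROUTES_A = """\
default via 100.84.0.1 dev wan proto static src 100.84.91.236
192.168.1.0/24 dev wg0 proto kernel scope link src 192.168.1.1
192.168.1.5 dev wg0 proto static scope link
192.168.21.0/24 dev br-lan proto kernel scope link src 192.168.21.1
192.168.22.0/24 dev wg0 proto static scope link
"""


def parse_uci(text):
    """Parse UCI text into a list of (section type, section name, {key: [values]})."""
    sections = []
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"config\s+(\S+)(?:\s+'([^']*)')?$", line):
            sections.append((m.group(1), m.group(2), defaultdict(list)))
        elif (m := re.match(r"(?:option|list)\s+(\S+)\s+'([^']*)'$", line)) and sections:
            sections[-1][2][m.group(1)].append(m.group(2))
    return sections


def site_summary(network_text):
    """LAN subnet, own tunnel subnet and the peer's allowed_ips from /etc/config/network."""
    s = {'lan': None, 'tunnel': None, 'allowed_ips': []}
    for stype, name, o in parse_uci(network_text):
        if stype == 'interface' and name == 'lan':
            s['lan'] = ipaddress.ip_interface(f"{o['ipaddr'][0]}/{o['netmask'][0]}").network
        elif stype == 'interface' and o['proto'] == ['wireguard']:
            s['tunnel'] = ipaddress.ip_interface(o['addresses'][0]).network
        elif stype.startswith('wireguard_'):
            s['allowed_ips'] += [ipaddress.ip_network(a) for a in o['allowed_ips']]
    return s


def overlaps(*prefixes):
    """Pairs of prefixes that overlap; best practice is that this list is empty."""
    n = [ipaddress.ip_network(str(p), strict=False) for p in prefixes]
    return [(str(a), str(b)) for i, a in enumerate(n) for b in n[i + 1:] if a.overlaps(b)]


def missing_allowed_ips(summary, peer_tunnel_ip, remote_lan):
    """allowed_ips must cover the peer's tunnel address and the whole remote LAN."""
    need = [ipaddress.ip_network(peer_tunnel_ip), ipaddress.ip_network(remote_lan)]
    return [str(r) for r in need if not any(r.subnet_of(a) for a in summary['allowed_ips'])]


def unrouted_allowed_ips(summary, ip_route_text, dev='wg0'):
    """With route_allowed_ips=1 every allowed prefix should have a kernel route via the tunnel."""
    routed = {ipaddress.ip_network(p[0], strict=False)
              for p in (line.split() for line in ip_route_text.splitlines())
              if len(p) >= 3 and p[0] != 'default' and p[1] == 'dev' and p[2] == dev}
    return [str(a) for a in summary['allowed_ips'] if not any(a.subnet_of(r) for r in routed)]


if __name__ == '__main__':
    a = site_summary(NETWORK_A)
    # Router_B's tunnel address and LAN, taken from the first post.
    print('overlapping prefixes:', overlaps(a['lan'], a['tunnel'], '192.168.22.0/24'))
    print('missing allowed_ips:', missing_allowed_ips(a, '192.168.1.5', '192.168.22.0/24'))
    print('allowed_ips without a wg0 route:', unrouted_allowed_ips(a, ROUTES_A))
```

Run the same script against the other router's config with the arguments swapped (192.168.1.1 and 192.168.21.0/24). For the configs posted in this thread all three lists come back empty, which is consistent with the observation that the addressing and routing are not the problem.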
root@Router_A:~# ip route show
default via 100.84.0.1 dev wan proto static src 100.84.91.236
100.84.0.0/16 dev wan proto kernel scope link src 100.84.91.236
192.168.1.0/24 dev wg0 proto kernel scope link src 192.168.1.1
[...]
192.168.1.5 dev wg0 proto static scope link
[...]
192.168.21.0/24 dev br-lan proto kernel scope link src 192.168.21.1
192.168.22.0/24 dev wg0 proto static scope link
[...]
root@Router_B:~# ip route show
default via 10.123.182.181 dev wwan0 proto static
10.123.182.176/29 dev wwan0 proto kernel scope link src 10.123.182.180
192.168.1.0/24 dev wg0 proto kernel scope link src 192.168.1.5
[...]
192.168.21.0/24 dev wg0 proto static scope link
192.168.22.0/24 dev br-lan proto kernel scope link src 192.168.22.1
[...]

There is no overlapping as can be seen in my first post:
IP-range wireguard: 192.168.1.0/24
IP wireguard Router_A: 192.168.1.1
IP wireguard Router_B: 192.168.1.5
IP-range lan Router_A: 192.168.21.0/24
IP lan Router_A: 192.168.21.1
IP-range lan Router_B: 192.168.22.0/24
IP lan Router_A: 192.168.22.1

This is the case as can be seen in my first post.

Yes I see. 182.168.1.0/24 is only on wg.

How did you add the wireguard interface to the lan zone? Please show etc config firewall.

Edit. I see it in your first post... Lgtm.

In your first post we see transmitted data on the wireguard interface...

Could you elaborate on how you test, and what exactly?

Like I said in my previous post, the network and firewall config looks good so far.

Before you do another test could you please do a reboot so we can also see the traffic counter easily when you try to reach the network behind the tunnel.


Note that your local lan clients by default only allow traffic from their own subnet and not from other subnets so not from the other side.
So either tweak the firewall of your local Lan clients to allow traffic from the other side or if that is not feasible then set the WG interface on its own firewall zone and enable Masquerade on the LAN zone for the subnet of the other side.


How I do the testing:

  • when connected to Router_A (192.168.21.0/24-network), I can ping 192.168.1.5 and reach luci via Firefox/Chrome on 192.168.1.5 as well as ssh into the Router_B
  • vice versa the same when being connected to Router_B, I can reach 192.168.1.1 with the above mentioned methods
  • I cannot reach the routers via their lan-IPs (ssh: connection refused, luci just times out, ping packets lost)

I will try the rest you wrote this evening, thanks!

This was my first thinking as well - but shouldn't that be solved with

config zone
	option name 'lan'
	list network 'lan'
	list network 'wg0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

?

No, traffic is allowed this way but your local LAN clients e.g. on router with subnet 192.168.21.0/24 will not allow traffic coming from the other router which has subnet 192.168.22.0/24.

Ok.
So how do I allow traffic between 192.168.22.0/24 and 192.168.21.0/24 in both directions?
Shouldn't this be done by "allowed_ips" in wireguard config (see first post)?

To state the question a little bit differently: have you excluded that a firewall on your client system is not open for connections from outside the local lan?


Traffic in both directions is allowed but your local lan client might not allow traffic from other subnets.
To solve this either tweak the firewall of your local lan clients or set the WG interface on its own firewall zone and enable Masquerading on the LAN zone

To set the WireGuard interface for a server on its own zone and allow the necessary forwardings see: WireGuard Server Setup guide


I didn't do that actively - but I must confess my set of firewall rules has grown during the last 10 years of using OpenWrt.
I will post my complete etc/config/firewall this evening.

Thanks, I will try to set up masquerading for lan.

Please no. Please no nat between local networks. It is just pain in the long run.
If you have no address conflicts it should be plain and simple routing.

Check and fix the firewall but gluing nat on it is not for the greater good. Please :pleading_face:

The config looks like it should work. Run tcpdump to see if forwarded packets are leaving the lan interface but not being answered by the LAN machine. That would mean the LAN machine is firewalling them itself.

You need a special firewall rule to allow ping from the WG interface to the LAN, right? The default firewall rule for allowing inbound ping only applies for WAN->router.

And as soon as you start using LAN IPs, you're going WG->LAN.

EDIT: Huh, nevermind, it seems like having both interfaces in the same zone with forward=accept should theoretically work...

The openwrt firewall is primarily concerned about the ZONE where an interface is assigned to.
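The zone logic the last few posts circle around (same zone with forward=ACCEPT works; a dedicated WG zone needs explicit forwardings in both directions) written out as a small model, added here as an example and not taken from the thread or from OpenWrt's own firewall code. The model deliberately ignores individual config rule entries and masquerading, so it answers only the question "would zone policy forward this", which is the question raised above. The zone layouts are constructed: the first mirrors the posted firewall, the second follows the advice to put the tunnel in its own zone (zone name 'wg' is an assumption), and the third is that layout with the return forwarding forgotten.

```python
# Constructed zone layouts (not copied from a live router). Each zone maps to its
# 'forward' policy and the networks it contains; forwardings are (src, dest) pairs
# as in 'config forwarding' sections.
SAME_ZONE = {
    'zones': {'lan': ('ACCEPT', ['lan', 'wg0']), 'wan': ('REJECT', ['wan'])},
    'forwardings': [('lan', 'wan')],
}
# The thread's alternative: the tunnel in its own zone (name 'wg' is an assumption)
# with explicit forwardings in both directions between it and the LAN.
SPLIT_ZONE = {
    'zones': {'lan': ('ACCEPT', ['lan']), 'wg': ('REJECT', ['wg0']), 'wan': ('REJECT', ['wan'])},
    'forwardings': [('lan', 'wan'), ('wg', 'lan'), ('lan', 'wg')],
}
# Same layout with the return forwarding missing: wg0 -> lan still works,
# connections started from the LAN towards the other site do not.
SPLIT_ZONE_ONE_WAY = {
    'zones': SPLIT_ZONE['zones'],
    'forwardings': [('lan', 'wan'), ('wg', 'lan')],
}


def zone_of(layout, network):
    """Zone a network (as listed under 'list network') is assigned to, or None."""
    return next((z for z, (_, nets) in layout['zones'].items() if network in nets), None)


def forwarding_allowed(layout, src_network, dst_network):
    """Simplified model of OpenWrt zone forwarding (assumption: explicit 'config rule'
    entries and masquerading are ignored). Traffic entering on src_network and leaving
    on dst_network is forwarded when both networks sit in one zone whose 'forward'
    policy is ACCEPT, or when a forwarding from the source zone to the destination
    zone exists. Returns (allowed, reason)."""
    src, dst = zone_of(layout, src_network), zone_of(layout, dst_network)
    if src is None or dst is None:
        return False, 'network not assigned to any zone'
    if src == dst:
        policy = layout['zones'][src][0]
        return policy == 'ACCEPT', f"same zone '{src}', forward policy {policy}"
    if (src, dst) in layout['forwardings']:
        return True, f"forwarding {src} -> {dst}"
    return False, f"no forwarding {src} -> {dst}"


def site_to_site_ok(layout):
    """Both directions between the tunnel and the LAN must be forwardable."""
    return forwarding_allowed(layout, 'wg0', 'lan')[0] and forwarding_allowed(layout, 'lan', 'wg0')[0]


if __name__ == '__main__':
    for name, layout in (('same zone', SAME_ZONE), ('split', SPLIT_ZONE),
                         ('split one-way', SPLIT_ZONE_ONE_WAY)):
        print(name, 'wg0->lan:', forwarding_allowed(layout, 'wg0', 'lan'),
              'lan->wg0:', forwarding_allowed(layout, 'lan', 'wg0'))
        print('  site-to-site ok:', site_to_site_ok(layout))
```

The first layout, which is what was posted, passes in both directions, so the model agrees with the posts above that the router's zone configuration is not what blocks the traffic; the remaining suspect is the host firewall on the LAN clients, which tcpdump on br-lan would confirm.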