Hello everybody,
I'm playing with OpenWrt in a home lab and trying to establish a site-to-site VPN between two devices using the https://openwrt.org/docs/guide-user/services/vpn/wireguard/site-to-site script.
The VPN seems to be up and running (I can see the received/sent byte counters increasing on both sides), but I can't ping clients in the other LAN.
What I have already done: allowed forwarding between the vpn and LAN zones. I studied the [Solved] Wireguarde site2site script - firewall zone problem - #13 by mopsza and
[Solved] Routing Riddle driving me crazy topics, but without much success.
Could somebody point me to where to dig further? Thanks!
Here are my setup description and config files:
- Client1 with IP 10.0.10.100/24, GW 10.0.10.1, connected to the OpenWRT1 router's LAN port.
- OpenWRT1 router: LAN 10.0.10.1/24, WAN 192.168.0.185/24, connected to a switch.
- Plain switch, connected to another LAN and onward to the Internet.
- OpenWRT2 router: LAN 192.168.222.1/24, WAN 192.168.0.177/24, connected to the same switch.
- Client2 with IP 192.168.222.60/24, GW 192.168.222.1, connected to the OpenWRT2 router's LAN port.
So both routers' WAN ports are connected to the same switch (not over the Internet).
On both routers the opposite router's name is defined in /etc/hosts:
192.168.0.177 site.router2.com on OpenWRT1 and
192.168.0.185 site.router1.com on OpenWRT2
They can ping each other.
First router info:
root@SWITCH1:~# ubus call system board
{
"kernel": "5.15.162",
"hostname": "SWITCH1",
"system": "ARMv7 Processor rev 2 (v7l)",
"model": "Linksys WRT1900AC v1",
"board_name": "linksys,wrt1900ac-v1",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.4",
"revision": "r24012-d8dd03c46f",
"target": "mvebu/cortexa9",
"description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
}
}
root@SWITCH1:~# cat /etc/config/network
# /etc/config/network on OpenWRT1 (SWITCH1): LAN 10.0.10.1/24, WAN via DHCP,
# plus the WireGuard site-to-site interface towards site 2.
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
# IPv6 ULA prefix (redacted by the author). The remote site lists this /48
# as one of the allowed_ips of its peer, so it is routed through the tunnel.
config globals 'globals'
option ula_prefix 'xxxx:xxxx:9b6d::/48'
# LAN bridge over the four switch ports; all ports share one MAC address.
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config device
option name 'lan1'
option macaddr 'c0:56:27:60:6e:87'
config device
option name 'lan2'
option macaddr 'c0:56:27:60:6e:87'
config device
option name 'lan3'
option macaddr 'c0:56:27:60:6e:87'
config device
option name 'lan4'
option macaddr 'c0:56:27:60:6e:87'
# LAN side: 10.0.10.1/24 (Client1's default gateway).
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '10.0.10.1'
option netmask '255.255.255.0'
option ip6assign '60'
config device
option name 'wan'
option macaddr 'c0:56:27:60:6e:87'
# WAN side: address obtained by DHCP (192.168.0.185 according to the post).
config interface 'wan'
option device 'wan'
option proto 'dhcp'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
# WireGuard interface. listen_port is the UDP port the peer connects to
# (WireGuard is UDP-only), so the firewall needs a matching accept rule on
# the zone the peer's packets arrive from. private_key is redacted here.
config interface 'wg_2switch2'
option proto 'wireguard'
option private_key 'xxx='
option listen_port '51820'
# Peer = site 2 (OpenWRT2). allowed_ips acts as the cryptokey routing table:
# only packets whose source (inbound) or destination (outbound) falls in
# 192.168.222.0/24 or the site-2 ULA /48 are accepted from / sent to this
# peer. route_allowed_ips '1' additionally installs kernel routes for those
# prefixes via the tunnel. preshared_key adds a symmetric key on top of the
# public-key handshake. persistent_keepalive keeps the UDP flow alive
# through the masquerading wan. endpoint_host resolves via the /etc/hosts
# entry described in the post.
config wireguard_wg_2switch2 's2s_vpn_site_a'
option public_key 'xxxx='
option preshared_key 'xxx='
option description 'Site 2, site.router2.com'
list allowed_ips '192.168.222.0/24'
list allowed_ips 'xxxx:xxxx:0133::/48'
option route_allowed_ips '1'
option persistent_keepalive '25'
option endpoint_host 'site.router2.com'
option endpoint_port '51820'
root@SWITCH1:~# cat /etc/config/firewall
# /etc/config/firewall on OpenWRT1 (SWITCH1). Default policy: inbound and
# forwarded traffic is rejected unless a zone, rule or forwarding below
# allows it; outbound from the router is allowed.
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
# 'lan' zone: fully open towards the router and for forwarding.
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
# 'wan' zone: inbound and forwarded traffic rejected, outbound NAT (masq)
# with TCP MSS clamping (mtu_fix). The WireGuard peer's packets arrive here,
# because both routers' WAN ports sit on the same switch in this lab.
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
# lan -> wan: Internet access for the LAN.
config forwarding
option src 'lan'
option dest 'wan'
# The following wan accept rules are the stock OpenWrt defaults (DHCP renew,
# ping, IGMP, DHCPv6, MLD, ICMPv6). They do not affect the tunnel.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Allow-IPSec-ESP and Allow-ISAKMP are also stock defaults. WireGuard uses
# neither ESP nor IKE (UDP 500), so these two rules only matter if an IPsec
# peer is expected on this WAN; otherwise they widen the wan -> lan surface
# for no benefit here.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# 'vpn' zone holds the WireGuard interface. input ACCEPT means the remote
# site can reach services running on this router itself, not only the LAN
# behind it -- fine for a trusted site-to-site peer; NOTE(review): restrict
# input to the needed ports if the peer site is less trusted.
config zone
option name 'vpn'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'wg_2switch2'
# Accept WireGuard handshake and data on UDP 51820 arriving on wan.
config rule 'wg_s2s_51820'
option name 'Allow-WireGuard-51820'
option src 'wan'
option dest_port '51820'
option proto 'udp'
option target 'ACCEPT'
# The two forwardings the post mentions: vpn <-> lan in both directions.
# NOTE(review): with these and forward ACCEPT on both zones, nothing in this
# file blocks vpn <-> lan traffic; if pings still fail, the clients' own host
# firewalls (which may reject ICMP from a non-local subnet) are a candidate
# to check -- confirm on the clients.
config forwarding
option src 'vpn'
option dest 'lan'
config forwarding
option src 'lan'
option dest 'vpn'
Second router info:
root@SWITCH2:~# ubus call system board
{
"kernel": "5.15.162",
"hostname": "SWITCH2",
"system": "ARMv7 Processor rev 2 (v7l)",
"model": "Linksys WRT1900AC v1",
"board_name": "linksys,wrt1900ac-v1",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.4",
"revision": "r24012-d8dd03c46f",
"target": "mvebu/cortexa9",
"description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
}
}
root@SWITCH2:~# cat /etc/config/network
# /etc/config/network on OpenWRT2 (SWITCH2): LAN 192.168.222.1/24, WAN via
# DHCP, plus the WireGuard site-to-site interface towards site 1.
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
# IPv6 ULA prefix (redacted by the author). Site 1 lists this /48 as one of
# the allowed_ips of its peer, so it is routed through the tunnel.
config globals 'globals'
option ula_prefix 'xxxx:xxxx:0133::/48'
# LAN bridge over the four switch ports; all ports share one MAC address.
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config device
option name 'lan1'
option macaddr '94:10:3e:94:10:69'
config device
option name 'lan2'
option macaddr '94:10:3e:94:10:69'
config device
option name 'lan3'
option macaddr '94:10:3e:94:10:69'
config device
option name 'lan4'
option macaddr '94:10:3e:94:10:69'
# LAN side: 192.168.222.1/24 (Client2's default gateway).
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.222.1'
option netmask '255.255.255.0'
option ip6assign '60'
config device
option name 'wan'
option macaddr '94:10:3e:94:10:69'
# WAN side: address obtained by DHCP (192.168.0.177 according to the post).
config interface 'wan'
option device 'wan'
option proto 'dhcp'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
# WireGuard interface. listen_port is the UDP port the peer connects to
# (WireGuard is UDP-only), so the firewall needs a matching accept rule on
# the zone the peer's packets arrive from. private_key is redacted here.
config interface 'wg_2switch1'
option proto 'wireguard'
option private_key 'xxxxx='
option listen_port '51820'
# Peer = site 1 (OpenWRT1). allowed_ips acts as the cryptokey routing table:
# only packets whose source (inbound) or destination (outbound) falls in
# 10.0.10.0/24 or the site-1 ULA /48 are accepted from / sent to this peer.
# route_allowed_ips '1' additionally installs kernel routes for those
# prefixes via the tunnel. The allowed_ips mirror site 1's LAN and ULA
# prefix, which is the symmetric setup a site-to-site tunnel needs.
# persistent_keepalive keeps the UDP flow alive through the masquerading
# wan. endpoint_host resolves via the /etc/hosts entry described in the post.
config wireguard_wg_2switch1 's2s_vpn_site_b'
option public_key 'xxxx='
option preshared_key 'xxxx='
option description 'Site 1, site.router1.com'
list allowed_ips '10.0.10.0/24'
list allowed_ips 'xxxx:xxxx:9b6d::/48'
option route_allowed_ips '1'
option persistent_keepalive '25'
option endpoint_host 'site.router1.com'
option endpoint_port '51820'
root@SWITCH2:~# cat /etc/config/firewall
# /etc/config/firewall on OpenWRT2 (SWITCH2). Same structure as on OpenWRT1:
# inbound and forwarded traffic is rejected unless a zone, rule or
# forwarding below allows it; outbound from the router is allowed.
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
# 'lan' zone: fully open towards the router and for forwarding.
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
# 'wan' zone: inbound and forwarded traffic rejected, outbound NAT (masq)
# with TCP MSS clamping (mtu_fix). The WireGuard peer's packets arrive here,
# because both routers' WAN ports sit on the same switch in this lab.
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
# lan -> wan: Internet access for the LAN.
config forwarding
option src 'lan'
option dest 'wan'
# The following wan accept rules are the stock OpenWrt defaults (DHCP renew,
# ping, IGMP, DHCPv6, MLD, ICMPv6). They do not affect the tunnel.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Allow-IPSec-ESP and Allow-ISAKMP are also stock defaults. WireGuard uses
# neither ESP nor IKE (UDP 500), so these two rules only matter if an IPsec
# peer is expected on this WAN; otherwise they widen the wan -> lan surface
# for no benefit here.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# 'vpn' zone holds the WireGuard interface. input ACCEPT means the remote
# site can reach services running on this router itself, not only the LAN
# behind it -- fine for a trusted site-to-site peer; NOTE(review): restrict
# input to the needed ports if the peer site is less trusted.
config zone
option name 'vpn'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'wg_2switch1'
# Accept WireGuard handshake and data on UDP 51820 arriving on wan.
config rule 'wg_s2s_51820'
option name 'Allow-WireGuard-51820'
option src 'wan'
option dest_port '51820'
option proto 'udp'
option target 'ACCEPT'
# The two forwardings the post mentions: lan <-> vpn in both directions
# (listed in the opposite order from OpenWRT1, which makes no difference).
# NOTE(review): with these and forward ACCEPT on both zones, nothing in this
# file blocks vpn <-> lan traffic; if pings still fail, the clients' own host
# firewalls (which may reject ICMP from a non-local subnet) are a candidate
# to check -- confirm on the clients.
config forwarding
option src 'lan'
option dest 'vpn'
config forwarding
option src 'vpn'
option dest 'lan'
Thanks for reading,
Nikolai!