WireGuard site2site is up, but clients can't ping

Hello everybody,

I'm playing with OpenWRT in a home lab and trying to establish a site-to-site VPN between two devices using the https://openwrt.org/docs/guide-user/services/vpn/wireguard/site-to-site script.
The VPN seems to be up and running (I see that the number of bytes received/sent is increasing on both sides), but I can't ping clients in the other LAN.

What I already did: allowed forwarding between the vpn and LAN zones. Studied the [Solved] Wireguarde site2site script - firewall zone problem - #13 by mopsza and
[Solved] Routing Riddle driving me crazy topics, but without much success.

Could somebody point me to where to dig further? Thanks!

Here is my setup description and config files:

  • Client1 with IP 10.0.10.100/24 GW 10.0.10.1 connected to OpenWRT1 router LAN port.
  • OpenWRT1 router LAN 10.0.10.1/24, WAN 192.168.0.185/24 connected to a switch.
  • Plain switch, connected to other LAN and further to Internet.
  • OpenWRT2 router LAN 192.168.222.1/24, WAN 192.168.0.177/24 connected to the switch.
  • Client2 with IP 192.168.222.60/24 GW 192.168.222.1 connected to the OpenWRT2 router LAN port.

So, both WAN ports of the routers are connected to a switch (and not over the Internet).

On both routers, the opposite router's name is defined in /etc/hosts:
192.168.0.177 site.router2.com on OpenWRT1 and
192.168.0.185 site.router1.com on OpenWRT2.
They can ping each other.

First router info:

root@SWITCH1:~# ubus call system board
{
        "kernel": "5.15.162",
        "hostname": "SWITCH1",
        "system": "ARMv7 Processor rev 2 (v7l)",
        "model": "Linksys WRT1900AC v1",
        "board_name": "linksys,wrt1900ac-v1",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.4",
                "revision": "r24012-d8dd03c46f",
                "target": "mvebu/cortexa9",
                "description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
        }
}
root@SWITCH1:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxxx:xxxx:9b6d::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config device
        option name 'lan1'
        option macaddr 'c0:56:27:60:6e:87'

config device
        option name 'lan2'
        option macaddr 'c0:56:27:60:6e:87'

config device
        option name 'lan3'
        option macaddr 'c0:56:27:60:6e:87'

config device
        option name 'lan4'
        option macaddr 'c0:56:27:60:6e:87'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '10.0.10.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'wan'
        option macaddr 'c0:56:27:60:6e:87'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'wg_2switch2'
        option proto 'wireguard'
        option private_key 'xxx='
        option listen_port '51820'

config wireguard_wg_2switch2 's2s_vpn_site_a'
        option public_key 'xxxx='
        option preshared_key 'xxx='
        option description 'Site 2, site.router2.com'
        list allowed_ips '192.168.222.0/24'
        list allowed_ips 'xxxx:xxxx:0133::/48'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        option endpoint_host 'site.router2.com'
        option endpoint_port '51820'
root@SWITCH1:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'wg_2switch2'

config rule 'wg_s2s_51820'
        option name 'Allow-WireGuard-51820'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

config forwarding
        option src 'vpn'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'vpn'

Second router info:

root@SWITCH2:~# ubus call system board
{
        "kernel": "5.15.162",
        "hostname": "SWITCH2",
        "system": "ARMv7 Processor rev 2 (v7l)",
        "model": "Linksys WRT1900AC v1",
        "board_name": "linksys,wrt1900ac-v1",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.4",
                "revision": "r24012-d8dd03c46f",
                "target": "mvebu/cortexa9",
                "description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
        }
}
root@SWITCH2:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxxx:xxxx:0133::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config device
        option name 'lan1'
        option macaddr '94:10:3e:94:10:69'

config device
        option name 'lan2'
        option macaddr '94:10:3e:94:10:69'

config device
        option name 'lan3'
        option macaddr '94:10:3e:94:10:69'

config device
        option name 'lan4'
        option macaddr '94:10:3e:94:10:69'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.222.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'wan'
        option macaddr '94:10:3e:94:10:69'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'wg_2switch1'
        option proto 'wireguard'
        option private_key 'xxxxx='
        option listen_port '51820'

config wireguard_wg_2switch1 's2s_vpn_site_b'
        option public_key 'xxxx='
        option preshared_key 'xxxx='
        option description 'Site 1, site.router1.com'
        list allowed_ips '10.0.10.0/24'
        list allowed_ips 'xxxx:xxxx:9b6d::/48'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        option endpoint_host 'site.router1.com'
        option endpoint_port '51820'
root@SWITCH2:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'wg_2switch1'

config rule 'wg_s2s_51820'
        option name 'Allow-WireGuard-51820'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'vpn'

config forwarding
        option src 'vpn'
        option dest 'lan'

Thanks for reading,
Nikolai!

Is the WG interface really working?

wg show

(from both devices, please)

I don't have time to go through the entire config at the moment, but the thing that stands out is that you don't have an address on the WG interface on either device:

There should be 3 distinct subnets:

  1. subnet of site 1
  2. subnet of site 2
  3. tunnel subnet

Add addresses to the interfaces like this, as well as the allowed IPs for the other side of the tunnel:

config interface 'wg_2switch2'
        option proto 'wireguard'
        option private_key 'xxx='
        option listen_port '51820'
        list addresses '10.0.200.1/24'

config wireguard_wg_2switch2 's2s_vpn_site_a'
        option public_key 'xxxx='
        option preshared_key 'xxx='
        option description 'Site 2, site.router2.com'
        list allowed_ips '192.168.222.0/24'
        list allowed_ips '10.0.200.2/32'
        list allowed_ips 'xxxx:xxxx:0133::/48'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        option endpoint_host 'site.router2.com'
        option endpoint_port '51820'

For site 2:

config interface 'wg_2switch1'
        option proto 'wireguard'
        option private_key 'xxxxx='
        option listen_port '51820'
        list addresses '10.0.200.2/24'

config wireguard_wg_2switch1 's2s_vpn_site_b'
        option public_key 'xxxx='
        option preshared_key 'xxxx='
        option description 'Site 1, site.router1.com'
        list allowed_ips '10.0.10.0/24'
        list allowed_ips '10.0.200.1/32'
        list allowed_ips 'xxxx:xxxx:9b6d::/48'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        option endpoint_host 'site.router1.com'
        option endpoint_port '51820'

Restart both routers and then test again.
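The three-subnet rule above (site 1 LAN, site 2 LAN, tunnel subnet) and the zone question that follows in this thread can both be checked mechanically from the exported UCI text. The checker below is an added example, not code from the thread or from OpenWrt: it parses /etc/config/network and /etc/config/firewall text, flags a WireGuard interface without an IPv4 address, a tunnel subnet that overlaps the local LAN, a peer whose allowed_ips lacks a /32 for the far end's tunnel address (WireGuard's cryptokey routing drops incoming packets whose source is outside the peer's allowed_ips, so the far router's own tunnel address must be listed), and a missing 'config forwarding' between the WireGuard zone and the LAN zone in either direction. The sample configs are constructed from the SWITCH1 config posted above with keys redacted and IPv6 left out; the 10.0.200.0/24 tunnel subnet is the one suggested in the reply.

```python
"""Sanity-check a WireGuard site-to-site setup from OpenWrt UCI config text (added example)."""
import ipaddress
import shlex
from typing import Dict, List


def parse_uci(text: str) -> List[Dict]:
    """Parse 'config/option/list' lines into section dicts (shlex strips the single quotes)."""
    sections: List[Dict] = []
    cur = None
    for raw in text.splitlines():
        parts = shlex.split(raw)
        if not parts:
            continue
        kw, args = parts[0], parts[1:] + ["", ""]  # pad so args[0]/args[1] always exist
        if kw == "config":
            cur = {"type": args[0], "name": args[1] or None, "options": {}, "lists": {}}
            sections.append(cur)
        elif kw == "option" and cur:
            cur["options"][args[0]] = args[1]
        elif kw == "list" and cur:
            cur["lists"].setdefault(args[0], []).append(args[1])
    return sections


def check_site(network_cfg: str, firewall_cfg: str) -> List[str]:
    """Return findings for one router; an empty list means every check passed."""
    out: List[str] = []
    net, fw = parse_uci(network_cfg), parse_uci(firewall_cfg)
    lan = next(s["options"] for s in net if s["type"] == "interface" and s["name"] == "lan")
    lan_net = ipaddress.ip_network(f"{lan['ipaddr']}/{lan['netmask']}", strict=False)
    zones = {z["options"]["name"]: z["lists"].get("network", []) for z in fw if z["type"] == "zone"}
    fwd = {(s["options"]["src"], s["options"]["dest"]) for s in fw if s["type"] == "forwarding"}
    lan_zone = next(z for z, nets in zones.items() if "lan" in nets)

    for wg in (s for s in net if s["type"] == "interface" and s["options"].get("proto") == "wireguard"):
        name = wg["name"]
        tunnels = [i for i in map(ipaddress.ip_interface, wg["lists"].get("addresses", [])) if i.version == 4]
        if not tunnels:
            out.append(f"{name}: no IPv4 address on the tunnel interface")
        for tun in tunnels:
            if tun.network.overlaps(lan_net):
                out.append(f"{name}: tunnel subnet {tun.network} overlaps LAN {lan_net}")
        # Peer sections are typed 'wireguard_<interface name>'.
        for peer in (s for s in net if s["type"] == f"wireguard_{name}"):
            if peer["options"].get("route_allowed_ips") != "1":
                out.append(f"{peer['name']}: route_allowed_ips != '1', remote LAN is not routed into the tunnel")
            allowed = [ipaddress.ip_network(a, strict=False) for a in peer["lists"].get("allowed_ips", [])]
            out += [f"{peer['name']}: allowed_ips {a} overlaps local LAN {lan_net}"
                    for a in allowed if a.version == 4 and a.overlaps(lan_net)]
            for tun in tunnels:
                # allowed_ips is also the source filter for packets arriving from this peer.
                if not any(a.version == 4 and a.prefixlen == 32 and a.subnet_of(tun.network) for a in allowed):
                    out.append(f"{peer['name']}: no /32 peer address inside {tun.network} in allowed_ips")
        zone = next((z for z, nets in zones.items() if name in nets), None)
        if zone is None:
            out.append(f"{name}: not assigned to any firewall zone")
            continue
        # A zone's 'forward' option only covers traffic between networks inside that zone;
        # traffic crossing zones needs an explicit 'config forwarding' for each direction.
        for src, dest in ((zone, lan_zone), (lan_zone, zone)):
            if src != dest and (src, dest) not in fwd:
                out.append(f"firewall: missing 'config forwarding' {src} -> {dest}")
    return out


# Constructed sample derived from the thread's SWITCH1 config (keys redacted, IPv6 omitted).
def site1_network(with_tunnel_addr: bool) -> str:
    addr = "        list addresses '10.0.200.1/24'\n" if with_tunnel_addr else ""
    peer = "        list allowed_ips '10.0.200.2/32'\n" if with_tunnel_addr else ""
    return f"""
config interface 'lan'
        option ipaddr '10.0.10.1'
        option netmask '255.255.255.0'

config interface 'wg_2switch2'
        option proto 'wireguard'
        option private_key 'REDACTED='
        option listen_port '51820'
{addr}
config wireguard_wg_2switch2 's2s_vpn_site_a'
        option public_key 'REDACTED='
        list allowed_ips '192.168.222.0/24'
{peer}        option route_allowed_ips '1'
        option endpoint_host 'site.router2.com'
"""


SITE1_FIREWALL = """
config zone
        option name 'lan'
        list network 'lan'

config zone
        option name 'vpn'
        list network 'wg_2switch2'

config forwarding
        option src 'vpn'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'vpn'
"""


if __name__ == "__main__":
    for label, cfg in (("as posted", site1_network(False)), ("with tunnel address", site1_network(True))):
        print(f"{label}: {check_site(cfg, SITE1_FIREWALL) or 'OK'}")
```

Run it against `cat /etc/config/network` and `cat /etc/config/firewall` output copied from each router; the config as posted yields only the missing-tunnel-address finding, and the same config with the addresses from the reply passes cleanly.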


Please also show from both routers: wg show

Note that the LAN clients will usually not allow traffic from other subnets.
So you have to tweak the local firewall of the LAN clients to allow traffic coming from the other subnet.


Thanks for the help! I'll try to check it today.

Small question: the VPN and LAN are different FW zones. I don't want to place the WG interface in the LAN zone, as I want to filter/limit traffic in vpn. So, do I need to add specific FW rule(s) to pass traffic between the LAN and VPN zones, or are option input 'ACCEPT', option output 'ACCEPT', and option forward 'ACCEPT' enough?

Nikolai

Hi,

Sounds a bit strange to me. I have the same configuration with ISA2006 as a firewall and the client works fine with the default Windows FW rules. I'll double check that, but I guess it's not the case. Thanks for the info!

You need to add these rules just like you did:

Windows by default will only allow traffic from its own subnet, so it will not allow traffic coming from the other router's subnet.
You can work around this by SNATing the traffic, but you will lose logging and access control.

Looks like that. The first command is from when one router is off (no received packets) and the second one from after both routers are up (packets both sent and received):

root@SWITCH2:~# wg show
interface: wg_2switch1
  public key: xxx=
  private key: (hidden)
  listening port: 51820

peer: xxx=
  preshared key: (hidden)
  endpoint: 192.168.0.185:51820
  allowed ips: 10.0.10.0/24, xxxx:xxxx:9b6d::/48
  transfer: 0 B received, 1.01 KiB sent
  persistent keepalive: every 25 seconds

root@SWITCH2:~# wg show
interface: wg_2switch1
  public key: xxx=
  private key: (hidden)
  listening port: 51820

peer: xxx=
  preshared key: (hidden)
  endpoint: 192.168.0.185:51820
  allowed ips: 10.0.10.0/24, xxxx:xxxx:9b6d::/48
  latest handshake: 3 seconds ago
  transfer: 180 B received, 1.42 KiB sent
  persistent keepalive: every 25 seconds

I'll add IPs to the wg interface and display all info again.
Nikolai

The results are quite funny :slight_smile:

  • When I disabled the Windows firewall on both clients, the ping started to work.
  • When I enabled the Windows firewall again on both clients, ping doesn't reply, but iperf3 successfully tested throughput (BTW, 134Mbps for the given hardware).
  • When I removed the IP addresses from the WG interfaces (and rebooted the OpenWRTs), iperf3 still works and even reached 171Mbps :slight_smile:

Conclusion:

  1. Seems that the original instruction is correct (except for the manually added
     config forwarding
             option src 'vpn'
             option dest 'lan'
     config forwarding
             option src 'lan'
             option dest 'vpn'
     ).
  2. The IP for the WG interface seems not to be necessary and maybe even harmful.
  3. MS ISA2006 handles site-to-site VPN somehow differently, so there the ping replies from the other site without changes in the Windows Firewall. Maybe it's related to the 'Domain' profile, hard to say.

Sorry that I disturbed you guys on the weekend, and many many thanks to @egc and @psherman!

I'll check more whether an own IP on WG really slows down the throughput and what changes are necessary on the Windows FW to reply to the ping command.
Cheers!

In theory an IP address for the WG interface is not necessary, but this can lead to strange situations, so using an IP address for the WG interface is something I would always do.

@egc
I repeated the iperf3 tests (with a longer time interval) and can say that the IP address on the WG interface doesn't harm the throughput.
So, it reached 180-185Mbps.
