First, I would like to describe why I am looking for a solution.
I have two family locations (site100 and site200) that are connected to the internet via the same and only possible provider (Deutsche Glasfaser = DG). Normally, DG assigns each site a public IPv6 and a private IPv4 address. For some reason, assigning the IPv6 address to site100 doesn't work reliably, but DG is not interested in finding a solution.
As a consequence, site100 cannot be reached directly from the Internet.
Since both locations can be reached via their private IPv4 addresses, because they are both in the DG network, I set up a WireGuard tunnel between the locations over IPv4 instead of IPv6.
It works so far. Any device in site100 can reach any device in site200 and vice versa. Accessing devices in remote VLANs (with different subnets) works too.
In addition, a roadwarrior (smartphone, LTE, IPv6) that connects to site200 via the public IPv6 address through WireGuard can also access all devices in site200.
However, the roadwarrior cannot access devices in site100.
Why is that? And how do I find out which of the three instances involved is causing the problem?
Here is the roadwarrior.conf:
As I have understood it so far, it is only necessary to specify all subnets that are to be accessed under AllowedIPs.
[Interface]
Address = 172.16.0.201/32
DNS = 192.168.200.1
PrivateKey = ***
[Peer]
AllowedIPs = 192.168.200.0/24, 192.168.203.0/24, 192.168.100.0/24, 192.168.103.0/24, 192.168.106.0/24
Endpoint = site200.dynv6.net:22222
PublicKey = ***
When running tcpdump on the OpenWrt router at site200 (DNS name R2S.dry.lan, IP 192.168.200.1), I can see that a ping from the roadwarrior to 192.168.200.1 works as expected.
A ping to the OpenWrt router at site100 (DNS name R2S.faro.xa, IP 192.168.100.1) is also visible on interface wg0, and DNS resolution works well.
But in the end the request does not get an answer.
root@R2S:~# tcpdump -i wg0 host 172.16.0.201
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wg0, link-type RAW (Raw IP), capture size 262144 bytes
20:18:13.501481 IP 172.16.0.201 > R2S.dry.lan: ICMP echo request, id 59, seq 1, length 64
20:18:13.501803 IP R2S.dry.lan > 172.16.0.201: ICMP echo reply, id 59, seq 1, length 64
20:18:16.383566 IP 172.16.0.201.42376 > R2S.dry.lan.53: 18487+ AAAA? ssl.google-analytics.com. (42)
20:18:16.404331 IP R2S.dry.lan.53 > 172.16.0.201.42376: 18487 NXDomain 0/0/0 (42)
...
20:18:19.974469 IP 172.16.0.201 > R2S.faro.xa: ICMP echo request, id 60, seq 1, length 64
20:18:19.974723 IP 172.16.0.201 > R2S.faro.xa: ICMP echo request, id 60, seq 1, length 64
That leads me to assume that the configuration of the roadwarrior is correct and that the error is at site100 or site200.
root@R2S:~# cat /etc/config/network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fcc0:a8:c8::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'

config device
	option name 'eth1'
	option macaddr '***'

config interface 'lan'
	option proto 'static'
	option ip6assign '60'
	option device 'br-lan.1'
	list ipaddr '192.168.200.1/24'

config device
	option name 'eth0'
	option macaddr '***'

config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0'
	option proto 'dhcpv6'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'eth1:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'eth1:t'

config interface 'Jail'
	option proto 'static'
	option device 'br-lan.3'
	option ipaddr '192.168.203.1'
	option netmask '255.255.255.0'
	option delegate '0'

config interface 'wg0'
	option proto 'wireguard'
	option listen_port '22222'
	list addresses '172.16.0.200/32'
	option private_key '***'
	option public_key '***'
	option peerdns '0'
	option mtu '1412'

config wireguard_wg0
	option description 'site100'
	option public_key '***'
	option private_key '***'
	option route_allowed_ips '1'
	option endpoint_port '22122'
	option persistent_keepalive '25'
	option endpoint_host 'rr21-ipv4.dynv6.net'
	list allowed_ips '172.16.0.100/32'
	list allowed_ips '192.168.100.0/24'
	list allowed_ips '192.168.103.0/24'
	list allowed_ips '192.168.106.0/24'

config wireguard_wg0
	option description 'roadwarrior'
	list allowed_ips '172.16.0.201/32'
	option route_allowed_ips '1'
	option private_key '***'
	option public_key '***'

config wireguard_wg0
	option description 'roadwarrior2'
	list allowed_ips '172.16.0.101/32'
	option route_allowed_ips '1'
	option private_key '***'
	option public_key '***'
root@R2S:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         100.113.0.1     0.0.0.0         UG    0      0        0 eth0
100.73.73.102   100.113.0.1     255.255.255.255 UGH   0      0        0 eth0
100.113.0.0     *               255.255.0.0     U     0      0        0 eth0
100.114.141.10  100.113.0.1     255.255.255.255 UGH   0      0        0 eth0
172.16.0.100    *               255.255.255.255 UH    0      0        0 wg0
172.16.0.101    *               255.255.255.255 UH    0      0        0 wg0
172.16.0.201    *               255.255.255.255 UH    0      0        0 wg0
192.168.100.0   *               255.255.255.0   U     0      0        0 wg0
192.168.103.0   *               255.255.255.0   U     0      0        0 wg0
192.168.106.0   *               255.255.255.0   U     0      0        0 wg0
192.168.200.0   *               255.255.255.0   U     0      0        0 br-lan.1
192.168.203.0   *               255.255.255.0   U     0      0        0 br-lan.3
How do I go on to find the config error?
Henning
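As an added example (not part of Henning's post, and not OpenWrt or WireGuard code), the following POSIX shell script models the two checks that a packet from the roadwarrior has to pass once site200 has forwarded it into the site200-site100 tunnel: WireGuard's cryptokey routing on the receiving side, where the packet's source address must fall inside the AllowedIPs that the receiver configured for the peer it came from, and the return route, where the receiver needs a route for the roadwarrior's address that points back into wg0. The site200 lists are copied from the post; the site100 configuration is not in the post, so the site100 AllowedIPs list and routing table used below are assumptions, as are the function names.

```shell
#!/bin/sh
# Added example, not from the original post. Models the two checks a packet from
# the roadwarrior (172.16.0.201) has to pass after site200 forwards it to site100:
#   1. WireGuard cryptokey routing on the receiving side: after decryption the
#      packet's SOURCE address must be inside the AllowedIPs of the peer it came
#      from, otherwise the kernel drops it silently.
#   2. The return path: the receiving site needs a route for the roadwarrior's
#      address that points back into wg0, otherwise replies leave via the default
#      route.
# IPv4 only; needs 64-bit shell arithmetic (dash, bash and busybox ash have it).

# ip4_to_int 192.168.200.1 -> 3232286721 (dotted quad to unsigned 32-bit integer)
ip4_to_int() {
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR CIDR -> exit 0 if ADDR lies inside CIDR; a bare address counts as /32
in_cidr() {
    addr=$(ip4_to_int "$1")
    net=$(ip4_to_int "${2%/*}")
    bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32
    [ "$bits" -eq 0 ] && return 0
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# wg_source_allowed SRC CIDR... -> exit 0 if a peer's AllowedIPs cover SRC, i.e.
# WireGuard would hand a decrypted packet with that source address to the kernel
wg_source_allowed() {
    src=$1; shift
    for cidr in "$@"; do
        in_cidr "$src" "$cidr" && return 0
    done
    return 1
}

# route_for ADDR "DST/PREFIX IFACE"... -> prints the interface of the most specific
# matching route (longest-prefix match, as the kernel does), or "none"
route_for() {
    raddr=$1; shift
    best_len=-1; best_if=none
    for entry in "$@"; do
        dst=${entry%% *}; dev=${entry##* }; len=${dst#*/}
        if in_cidr "$raddr" "$dst" && [ "$len" -gt "$best_len" ]; then
            best_len=$len; best_if=$dev
        fi
    done
    echo "$best_if"
}

RW=172.16.0.201

# site200's AllowedIPs for the site100 peer, copied from the post
SITE200_TO_SITE100="172.16.0.100/32 192.168.100.0/24 192.168.103.0/24 192.168.106.0/24"

# ASSUMED site100 AllowedIPs for the site200 peer (not in the post): the mirror
# image of site200's list, i.e. only site200's own tunnel address and subnets
SITE100_TO_SITE200="172.16.0.200/32 192.168.200.0/24 192.168.203.0/24"

if wg_source_allowed "$RW" $SITE100_TO_SITE200; then
    echo "site100 accepts packets from $RW arriving from the site200 peer"
else
    echo "site100 drops packets from $RW: not in its AllowedIPs for the site200 peer"
fi

if wg_source_allowed 192.168.100.1 $SITE200_TO_SITE100; then
    echo "site200 accepts replies from 192.168.100.1 arriving from the site100 peer"
fi

# ASSUMED site100 routing table (not in the post) in "DST/PREFIX IFACE" form
echo "a reply from site100 to $RW would leave via: $(route_for "$RW" \
    "0.0.0.0/0 eth0" "172.16.0.200/32 wg0" "192.168.200.0/24 wg0" \
    "192.168.203.0/24 wg0" "192.168.100.0/24 br-lan.1")"
```

To apply this to the real routers, feed `wg_source_allowed` the `list allowed_ips` entries of the relevant peer from /etc/config/network (or the output of `wg show wg0 allowed-ips`) and `route_for` the lines of `route`; `ip route get 172.16.0.201` on site100 gives the kernel's own answer for the return path. Both checks have to pass on site100 for the ping to be answered, and the drop in check 1 happens inside WireGuard, so `tcpdump -i wg0` on site100 would not show the request at all.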