Yeah she's still connected, see above message I posted just a moment before you.
Yeah samba/nfs are dead, different subnet, not reachable now.
ok... so this is probably an issue with routes.
What is the address you are using to connect to her computer (via ssh)? What is the WG address that this system holds?
her machine gets the address 10.0.0.5 and I'm connecting from openwrt with 10.0.0.1. Her machine still can't load the sites and she's cut off from the file server.
It is almost certainly a routing issue on her computer.... it doesn't understand what is on the other side.
Since you can ssh into her computer, let's see the WG config that is setup on that system.
[Interface]
Address = 10.0.0.5/32
ListenPort = 42523
PrivateKey =
[Peer]
PublicKey =
PresharedKey =
AllowedIPs = 10.0.0.0/8
Endpoint = [no]:51820
PersistentKeepalive = 25
For the record I have also tried AllowedIPs = 10.0.0.0/8, 192.168.0.0/24 no dice.
What is the lan address of the computer at issue?
Why /8?
How about trying two different options here:
AllowedIPs = 10.0.0.0/24, 192.168.0.0/24
Or if that doesn't work, try:
AllowedIPs = 0.0.0.0/0
^ this will send all traffic via the tunnel, which may not be desired, but will guarantee that it sends everything via the tunnel.
You mean her LAN IP on her side?
What is wrong with /8? (I have tried others, /24 and /0, for when I was trying to forward everything, no changes.)
I can try...
I've done that, full traffic forward, doesn't help. Wireguard clients get the 10 subnet and are locked out of any / all local anything without all the firewall zone forwarding. This also means ssh and then they still can't access the websites.
Yes.
You have your OpenWrt WG interface defined as a /24. There is no reason to have a larger allowed IPs on the remote peer than is actually used.
Her address class on her side is the same as here: 192.168.0.x
Again just trying everything and the kitchen sink. I read docs, I followed guides, nothing worked so I started flinging ____ at the wall to see what stuck. Unfortunately what you see is the mess left behind from weeks of trying stupid crap read on the internet because what the docs said would work didn't work. Hell I even asked some moronic AI when the searches turned up nothing and that just resulted in a "fountain of youth" i.e. it felt like I was 15 and needed to put my fist through a wall. LLM: Set X to Y. ME: did that, no change. LLM: Here is a bullet proof one liner to fix this, set X to Y. ME: WHERE IS THE NEAREST RAGE ROOM!?
Still trying to see if I can get the changes to stick over ssh via trickery. Same same, looks like the wg changes are good on her end but without the zone forwarding nothing works, with the zone forwarding sites still don't work.
This is your problem. 100%
You need to have 3 unique and non-overlapping subnets.
Her computer cannot reach resources on your network (including replying to a host that is trying to connect via ssh) because that system sees its local subnet and tries to access the resources locally (it doesn't go through the tunnel).
You need to change either her lan or yours... yours will be much easier to do.
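Worked example (added here, not something any poster in the thread ran): a small Python simulation of the routing decision the reply above describes. It models her computer's table as a connected route for her LAN, the WireGuard interface address, and one route per AllowedIPs entry, then does a longest-prefix match. Interface names eth0/wg0, the address 192.168.0.10 for a host on the far side, and the "fixed" remote LAN 192.168.50.0/24 are assumptions made for the example; the rule that a tunnel route duplicating an already-present prefix is not installed is a simplification of what the kernel does.

```python
import ipaddress

# Constructed example for the thread's overlapping-subnet problem.
# eth0/wg0, 192.168.0.10 and 192.168.50.0/24 are assumed values.


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def overlapping_pairs(subnets):
    """Return every pair of named subnets that overlap.
    subnets: dict name -> CIDR string (e.g. her LAN, your LAN, the wg net)."""
    nets = {name: _net(cidr) for name, cidr in subnets.items()}
    names = list(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def build_routes(local_lan, wg_addr, allowed_ips):
    """Simplified routing table for the peer's computer:
    a connected route for its own LAN on eth0, the WireGuard interface
    address, and one route per AllowedIPs entry on wg0 (wg-quick/netifd
    install those automatically)."""
    routes = [(_net(local_lan), "eth0"), (_net(wg_addr), "wg0")]
    for cidr in allowed_ips:
        net = _net(cidr)
        # Simplification: an AllowedIPs route that duplicates a prefix already
        # in the table (the connected LAN route) is refused, so the connected
        # route keeps winning for that prefix.
        if any(net == existing for existing, _ in routes):
            continue
        routes.append((net, "wg0"))
    return routes


def lookup(routes, dest):
    """Longest-prefix match: the most specific route wins, as in the kernel."""
    addr = ipaddress.ip_address(dest)
    best = None
    for net, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def where_does_it_go(local_lan, wg_addr, allowed_ips, dest):
    """Which interface her computer would use for `dest`."""
    return lookup(build_routes(local_lan, wg_addr, allowed_ips), dest)


if __name__ == "__main__":
    thread = {"her_lan": "192.168.0.0/24",
              "your_lan": "192.168.0.0/24",
              "wg": "10.0.0.0/24"}
    print("overlapping:", overlapping_pairs(thread))
    # A file server at 192.168.0.10 on YOUR side, as seen from HER computer:
    # the connected /24 on eth0 wins, so the packet never enters the tunnel.
    print(where_does_it_go("192.168.0.0/24", "10.0.0.5/32",
                           ["10.0.0.0/24", "192.168.0.0/24"], "192.168.0.10"))
    # Even AllowedIPs = 0.0.0.0/0 does not help: /24 beats /0.
    print(where_does_it_go("192.168.0.0/24", "10.0.0.5/32",
                           ["0.0.0.0/0"], "192.168.0.10"))
    # With her LAN moved to 192.168.50.0/24 the same destination goes via wg0.
    print(where_does_it_go("192.168.50.0/24", "10.0.0.5/32",
                           ["10.0.0.0/24", "192.168.0.0/24"], "192.168.0.10"))
```

The third call is the point of the reply: once the two LANs no longer share a prefix, nothing in her local table competes with the tunnel route, and the file server (and the ssh replies back to your router) take wg0.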
This is why her wg0.conf didn't have 192.168.0.0/24 in it. This is why I had a forward to push 10.0.0.0 to the file server but you said to delete it. Again wg clients are 10 lan on both side are 192, they can't "see" each other without the zone forwards I had set. But now I don't have that and the websites are still not usable. So I'm less than back at square one.
My subnet will be much MUCH worse to do. Either way neither is getting changed. I will re-add all the stupidity that at least made what I had working and give up on the rest, this is clearly not a workable solution. The solutions I had in place were/are jank but they worked, the remaining problem is the fact connected clients refuse to load web resources despite the fact they should be transacting the same as if there was no wireguard tunnel.
Right... but until this comment (in post 29):
... I didn't know that her lan overlapped yours.
With the information I had available, this looked entirely wrong.
You still had some errors in the original config (including that you had the wg network in 2 zones), but the reason things were kind of working was the separate wireguard zone with the masquerading enabled. I had suggested that you delete the wg network from the lan zone and then you could have kept the wg zone (and I also suggested that you disable masquerading because the relevant information only came much later).
This will make it hard to achieve your goals and produces a very sub-optimal solution. It may be possible with masquerading by putting the wg network (exclusively) in a new zone with masquerading enabled. Then the port forwards might work...
Well to back things up, things worked, it might have been stupid, ugly and jank but it worked, the ONLY issue I had was the fact she can't resolve my websites. This thread has turned away from that and more into cleaning up what was already working (despite the jank and problems) heh.
The only reason I posted here for help was figuring out how/why from her machine tracepath, dig shows the right stuff, I can ping the domain and it returns the correct public IP but she can't load the sites with wireguard enabled. This is the ONLY thing I had hoped to get help with.
I'm guessing that is still not resolved, though...
I understand why you would say this, but it was all in service of resolving your original issue. If you are able to change one of the subnets and then use the 'clean up' that I suggested, things will very likely work properly.
No, none of this addressed it. It just tore down what I had duct taped together hehe.
The subnets will not change. Her end is dictated by her ISP and can not be changed. Her "modem/router" has no user facing controls. My end has WAY too much that would require adapting and I'm already fed up. I'm kinda at the pour lighter fluid on it, toss a match and go live in a cave stage of life heh.
Dude I KNOW you know what you're talking about and I tried what you mentioned for two reasons. #1 it might clear a conflict I wasn't catching and #2 I know it was messy. The result though is it just tore things down and I have to rejankify to get most of it working again heh. I just can't figure out from either side why she can say load fark but not my sites. Every damned tool I could think of to see WHERE this was failing says it should be working. I've read so many stupid sites, tried so many things, and again asked several Ai (I'm not a violent guy but Ai makes me wish I still had a heavy bag)...
I just had another "wtf" in trying to think this through about the address classes. I mean if someone is working from a hotel and the local hotel uses the same subnet this kinda makes wireguard trash if various network conditions can randomly screw over your access. Expecting a client to ALWAYS have a unique subnet is really some wishful thinking...
Fair enough. There is actually a simple solution... insert a router between the ISP modem/router and her devices. If you do that, you can easily change her subnet to something non-overlapping without the restrictions of the ISP router. Of course, depending on how many devices she has, this might be annoying (most probably use DHCP, but you'd need to associate them with a new SSID) unless you can actually simply disable the ISP's wifi and use the same SSID/passphrase on the new router.
We all know that AI very rarely solves issues like this...
it's failing because of the overlapping subnet issue. I don't think AI could have given you that answer, and even in the discussion here, it wasn't obvious until quite a bit later in the conversation what the issue was. Now we know, but it seems that your solution is just going to be janky.
What you can try...
Then on her side, have her try to access the sites by the wg address on your router (i.e. 10.0.0.1).
Yes I would like this for other reasons but this requires money and technical know how...something she does not have hence why I need ssh to help her with various things. That said see my above statement about expecting each side to always have a unique subnet is not very sensible.
Yes but thanks to it search sucks more and more, forcing you to deal with its stupidity. How do I change a lightbulb? By sticking a banana in the fence of course.
Why would this be the case? At no point does the site resolve to a local (to either subnet) IP! Her machine can not see the address class her physical interface has; everything was forwarded from 10.0.0.x for what IS sent over wireguard, web IS NOT sent over.
This isn't unique to wireguard.... this would be true for all VPN protocols.
The primary way to address this is to set up your local subnet(s) to use uncommon ones... that is: avoid 192.168.0.0/24, 192.168.1.0/24, and 192.168.2.0/24, as well as 10.0.0.0/24 and 10.0.1.0/24. If you use something like 10.42.213.0/24 (i.e. a seemingly random /24 from within the RFC1918 range), it's relatively unlikely that it will conflict with any given location, but you cannot be certain that it will always be clear.
Another approach is to bring a travel router with you. If you do that, even if the upstream does collide, you can mitigate that by running a non-overlapping subnet on the lan of your own travel router, thus making it possible to connect back using the VPN client on your phone/computer/tablet. (You can run your VPN directly on the travel router which is really useful, but it will have issues if the subnets collide, but your devices behind your router will still be able to connect).
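Worked example (added here, not from any poster in the thread): a Python helper that picks a random /24 out of the RFC1918 space while rejecting the well-known defaults listed above and any subnet you already use (your wg net, the remote LAN). The list of "common" ranges is exactly the one the reply names; the random draw, the 1000-attempt limit and the equal weighting of the three RFC1918 blocks are choices made for the example.

```python
import ipaddress
import random

# Constructed example. COMMON is the list of ranges the reply singles out;
# everything else here (seed, attempt limit, block weighting) is an assumption.

RFC1918 = [ipaddress.ip_network("10.0.0.0/8"),
           ipaddress.ip_network("172.16.0.0/12"),
           ipaddress.ip_network("192.168.0.0/16")]

COMMON = ["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24",
          "10.0.0.0/24", "10.0.1.0/24"]


def _net(x):
    return x if isinstance(x, ipaddress.IPv4Network) else ipaddress.ip_network(x, strict=False)


def is_private(cidr):
    """True if the network lies entirely inside one of the RFC1918 blocks."""
    net = _net(cidr)
    return any(net.subnet_of(block) for block in RFC1918)


def conflicts(candidate, others):
    """Return (as strings) every network in `others` that overlaps `candidate`."""
    cand = _net(candidate)
    return [str(_net(o)) for o in others if cand.overlaps(_net(o))]


def pick_uncommon_subnet(avoid=(), seed=None, prefixlen=24, attempts=1000):
    """Draw a random /prefixlen from the RFC1918 space that overlaps neither
    COMMON nor anything in `avoid`. Deterministic for a given seed so the
    result can be written down and reused."""
    rng = random.Random(seed)
    blocked = list(COMMON) + [str(_net(a)) for a in avoid]
    for _ in range(attempts):
        block = rng.choice(RFC1918)  # equal weight per block, not per address
        slots = 1 << (prefixlen - block.prefixlen)
        base = int(block.network_address) + rng.randrange(slots) * (1 << (32 - prefixlen))
        candidate = ipaddress.ip_network((base, prefixlen))
        if not conflicts(candidate, blocked):
            return str(candidate)
    raise RuntimeError("no non-conflicting subnet found")


if __name__ == "__main__":
    # The thread's situation: both LANs on 192.168.0.0/24, wg on 10.0.0.0/24.
    print("192.168.0.0/24 conflicts with:", conflicts("192.168.0.0/24", COMMON))
    print("10.42.213.0/24 conflicts with:", conflicts("10.42.213.0/24", COMMON))
    # Candidate for YOUR side that stays clear of her LAN and the wg net:
    print("suggested:", pick_uncommon_subnet(avoid=["192.168.0.0/24", "10.0.0.0/24"], seed=7))
```

As the reply says, this only lowers the odds of a collision with a hotel or ISP default; `conflicts()` is also the check to run against a travel router's LAN before trusting that the tunnel will route past it.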
How was she accessing your site? Was she using an IP address or a domain name? If IP, was it the public IP on your wan? or was it the IP of the device on your lan? Or the IP of your wg interface on your router?