need a hand with WG setup

Dimitar Vassilev dimitar.vassilev at gmail.com
Sun Sep 1 13:03:18 CEST 2019


On Wed, 28.08.2019 at 13:56, Dimitar Vassilev <dimitar.vassilev at gmail.com>
wrote:

> Hi Kalin,
>
> 1. Disable the FW and test.
>>
> Tried - disabling one fw shows wg traffic flowing.
>
>
>> 2. Try ping from one router to the other using the configured public IP
>> address
>>
>> That works as well with the default fw config on OpenWRT/LEDE/LibreCMC
>
>
>> 3. Ping the other using the WG IP address
>>
>> my problem is that ping between the WG IP addresses is not working. I see
> some PostUp and Postdown examples in the regular configurations like the
> ones below
> PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A
> POSTROUTING -o enp5s0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT;
> ip6tables -t nat -A POSTROUTING -o enp5s0 -j MASQUERADE
> PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D
> POSTROUTING -o enp5s0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT;
> ip6tables -t nat -D POSTROUTING -o enp5s0 -j MASQUERADE
> In the LEDE/OpenWRT derivatives those are marked in the GUI with
> MASQUERADE and route allowed ips options, but still I'm getting stuck.  I
> moved my VPN network from /25 to another /24 and still was stuck.
>
>> If all runs, then it is a routing problem left to solve...
>>
>> Agree. I'm a bit at a loss which routing - the kernel one or the forwarding
> of packets. Will tear down and start from scratch with another test.
>
>> Kalin.
>>
>
Hello all,

Problem solved via a trivial solution - add my origin VPN endpoint IP into
the list of AllowedIPs for the peer. Used
https://forum.openwrt.org/t/solved-setup-wireguard-connecting-two-networks/4215
to achieve this.
At least in this setup I see the packets flowing in both directions - RX
and TX.
My next questions are:

   - is this normal since I'm behind NAT, or are there some OpenWRT/Wireguard
   specifics I'm missing? In the docs and examples I see examples with just
   peer IPs added
   - what should I do to make the flow to a private subnet in DMZ on site B
   from site A?

Thanks,
Dimitar
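The behaviour behind both of the questions above is WireGuard's cryptokey routing: AllowedIPs on a peer entry is not only a filter, it is the table that decides which peer an outgoing packet is encrypted for, and whether a decrypted packet from that peer is delivered at all (its source must route back to the same peer). The following Python is an added example, not code from this thread or from the linked OpenWrt post; it parses a wg-quick style config and runs that lookup. All addresses (10.100.0.0/24 tunnel, 192.168.2.0/24 as site B's LAN, 203.0.113.20 as site B's public address) and the key strings are constructed placeholders.

```python
"""Cryptokey-routing check for a site-to-site WireGuard pair.

Added example, not code from the mailing-list thread or the linked OpenWrt
post. Addresses, subnets and key strings are constructed placeholders.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple, Union

IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Stand-in for site B's real base64 public key (constructed, not a real key).
PEER_B_KEY = "SITE_B_PUBKEY_PLACEHOLDER"

# Site A's peer entry for site B: covers B's tunnel address AND the LAN
# behind B's router, so traffic for that LAN is routed into the tunnel.
SITE_A_FULL = f"""
[Interface]
Address = 10.100.0.1/24
ListenPort = 51820
PrivateKey = SITE_A_PRIVKEY_PLACEHOLDER
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT

[Peer]
PublicKey = {PEER_B_KEY}
# site B's public (NAT) address, constructed
Endpoint = 203.0.113.20:51820
AllowedIPs = 10.100.0.2/32, 192.168.2.0/24
PersistentKeepalive = 25
"""

# The same entry with only the peer's tunnel address, as in many
# single-host examples; site B's LAN is then unreachable through wg0.
SITE_A_MINIMAL = SITE_A_FULL.replace(
    "AllowedIPs = 10.100.0.2/32, 192.168.2.0/24", "AllowedIPs = 10.100.0.2/32")


def parse_peers(conf_text: str) -> Dict[str, List[IPNet]]:
    """Map each [Peer] PublicKey to its AllowedIPs networks.

    Reads only what the cryptokey routing table needs; private keys,
    endpoints and PostUp hooks are skipped. Lines starting with '#' are
    comments.
    """
    peers: Dict[str, List[IPNet]] = {}
    in_peer = False
    key = ""
    allowed: List[IPNet] = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            if in_peer and key:          # flush the previous peer
                peers[key] = allowed
            in_peer = line[1:-1].lower() == "peer"
            key, allowed = "", []
            continue
        if not in_peer:
            continue
        name, _, value = line.partition("=")
        name, value = name.strip().lower(), value.strip()
        if name == "publickey":
            key = value
        elif name == "allowedips":
            # AllowedIPs may be repeated and may hold a comma-separated list.
            allowed.extend(ipaddress.ip_network(n.strip(), strict=False)
                           for n in value.split(",") if n.strip())
    if in_peer and key:
        peers[key] = allowed
    return peers


def route_to_peer(peers: Dict[str, List[IPNet]], dst: str) -> Optional[str]:
    """Longest-prefix match of a destination against all peers' AllowedIPs.

    Returns the peer the packet would be encrypted for, or None when no
    AllowedIPs entry covers dst; in that case WireGuard drops the packet
    rather than sending it to any peer.
    """
    addr = ipaddress.ip_address(dst)
    best: Optional[Tuple[int, str]] = None  # (prefixlen, peer key)
    for peer, nets in peers.items():
        for net in nets:
            if net.version == addr.version and addr in net:
                if best is None or net.prefixlen > best[0]:
                    best = (net.prefixlen, peer)
    return None if best is None else best[1]


def accept_inbound(peers: Dict[str, List[IPNet]], src: str, from_peer: str) -> bool:
    """Receive side of the same table: a decrypted packet from `from_peer`
    is delivered only if its source address routes back to that peer."""
    return route_to_peer(peers, src) == from_peer


if __name__ == "__main__":
    for label, table in (("full", parse_peers(SITE_A_FULL)),
                         ("minimal", parse_peers(SITE_A_MINIMAL))):
        print(f"{label}: 192.168.2.10 -> {route_to_peer(table, '192.168.2.10')}")
        print(f"{label}: reply from 192.168.2.10 accepted: "
              f"{accept_inbound(table, '192.168.2.10', PEER_B_KEY)}")
```

The lookup is symmetric, which is what makes the second question a two-sided change: site B's [Peer] entry for A must list site A's LAN in its AllowedIPs in the same way, or B will refuse A's packets on receive and have nowhere to send the replies. On top of that, both routers need IP forwarding and a FORWARD accept rule like the PostUp line quoted earlier in the thread, and a kernel route for the remote LAN via wg0, which wg-quick and OpenWrt's "route allowed IPs" option derive from AllowedIPs automatically.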