Hi Adrián,

Sounds like you're doing something similar to what I've been playing with. I chatted with Jason about it a bit, and he sorted me out with a better solution - perhaps it'll work for you too:

Instead of spinning up a Masquerade rule in iptables, have you tried just making sure that ProxyARP is enabled on the B side Ubuntu server?

Try removing the masquerade from iptables, and run this instead:

    echo 1 > /proc/sys/net/ipv4/conf/all/proxy_arp

You may also need to enable IP forwarding:

    echo 1 > /proc/sys/net/ipv4/ip_forward

If you want to make it permanent, add this to your /etc/sysctl.conf (again on the B side Ubuntu):

    net.ipv4.conf.all.proxy_arp = 1
    net.ipv4.conf.all.forwarding = 1

You might be able to use net.ipv4.conf.*wg0* instead, I've just used .all as an example

Let me know if that helps :)

E

--------------------------------------------
Q: Why is this email five sentences or less?
A: http://five.sentenc.es

On Mon, 26 Mar 2018, at 10:33, Adrián Mihálko wrote:
> Ah. The solution was trivial.
>
> On B side, Ubuntu server:
>
> post-up iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
> On my server eth0 doesn't exist it has another name: ens160.
>
> Now it's working.
>
>
>> On 25 Mar 2018, at 11:19, Adrián Mihálko wrote:
>>
>> A side (192.168.2.0/24):
>>
>> LEDE router 192.168.2.1 (static route to access remote side 192.168.1.0/24 pointing to 192.168.2.100)
>>
>> Pi Zero with Wireguard (192.168.2.100, WG: 192.168.5.2)
>>
>> Config:
>>
>> auto wg0
>> iface wg0 inet static
>>     pre-up ip link add dev wg0 type wireguard
>>     post-up wg setconf wg0 /etc/wireguard/wireguard.conf
>>     post-up ip link set dev wg0 up
>>     post-up ip route add 192.168.1.0/24 via 192.168.5.1 dev wg0
>>     post-up iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>>     address 192.168.5.2
>>     netmask 255.255.255.0
>>
>>
>> B side (192.168.1.0/24):
>>
>> Unifi router 192.168.1.1 (static route to access remote side 192.168.2.0/24 pointing to 192.168.1.54)
>>
>> Ubuntu server with Wireguard (192.168.1.54, WG: 192.168.5.1)
>>
>> Config:
>>
>> iface wg0 inet static
>>     pre-up /sbin/ip link add dev wg0 type wireguard
>>     post-up /usr/bin/wg setconf wg0 /etc/wireguard/wg0.conf
>>     post-up /sbin/ip route add 192.168.2.0/24 via 192.168.5.2 dev wg0
>>     post-up iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>>     post-down /sbin/ip link del wg0
>>     address 192.168.5.1
>>     netmask 255.255.255.0
>>
>> ---
>>
>> Everything is working great, except that on the "Pi Zero with Wireguard" I can't access/ping remote devices in the 192.168.1.0/24 range, only the remote server 192.168.1.54. From any other machine in the same "A side" I am able to access devices in the 192.168.1.0/24 range, just from the Pi Zero itself not.
>>
>> What am I missing here?
>>
>>
>> pi@raspberrypizero:~ $ ping 192.168.1.54
>> PING 192.168.1.54 (192.168.1.54) 56(84) bytes of data.
>> 64 bytes from 192.168.1.54: icmp_seq=1 ttl=64 time=48.6 ms
>> 64 bytes from 192.168.1.54: icmp_seq=2 ttl=64 time=134 ms^C
>> --- 192.168.1.54 ping statistics ---
>> 2 packets transmitted, 2 received, 0% packet loss, time 1002ms
>> rtt min/avg/max/mdev = 48.671/91.554/134.437/42.883 ms
>> pi@raspberrypizero:~ $ ping 192.168.1.100
>> PING 192.168.1.100 (192.168.1.100) 56(84) bytes of data.
>> ^C
>> --- 192.168.1.100 ping statistics ---
>> 6 packets transmitted, 0 received, 100% packet loss, time 5188ms
>>
>> pi@raspberrypizero:~ $ traceroute 192.168.1.100
>> traceroute to 192.168.1.100 (192.168.1.100), 30 hops max, 60 byte packets
>> 1 192.168.5.1 (192.168.5.1) 42.279 ms 43.834 ms 44.678 ms
>> 2 * * *
>> 3 * * *
>> 4 * * *
>>
>>
>> ---
>>
>> B side is working great, I am able to ping everything, even from the Ubuntu server.
>>
>>
>> Regards,
>> Adrian
> _________________________________________________
> WireGuard mailing list
> WireGuard@lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/wireguard
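
The failure reported in this thread (a MASQUERADE rule bound to `-o eth0` on a host whose uplink is actually `ens160`) can be checked for mechanically before bringing the tunnel up. The script below is an added example, not code from the thread or from WireGuard; the names `list_ifaces`, `missing_rule_ifaces` and `IFACE_LIST` are hypothetical, and the sample stanza is the B-side config quoted above.

```shell
#!/usr/bin/env bash
# Added example: flag iptables rules in an ifupdown stanza that name an
# interface (-o / -i) which does not exist on the host.

# Interfaces present on this host, one per line. IFACE_LIST (space-separated,
# hypothetical override) lets the check run against a constructed list.
list_ifaces() {
    if [ -n "${IFACE_LIST:-}" ]; then
        printf '%s\n' $IFACE_LIST
    else
        ls /sys/class/net
    fi
}

# Read stanza text on stdin; print each interface an iptables rule refers to
# with -o or -i that is missing from the host.
missing_rule_ifaces() {
    local present ifc
    present=$(list_ifaces)
    grep -E '(^|[ /])iptables ' |
        grep -oE -- ' -[io] +[^ ]+' |
        awk '{print $2}' | sort -u |
        while read -r ifc; do
            case $ifc in *+) continue ;; esac   # iptables prefix wildcard, skip
            printf '%s\n' "$present" | grep -qxF -- "$ifc" || printf '%s\n' "$ifc"
        done
}

# Sample input: the B-side stanza as quoted in the thread.
SAMPLE_STANZA='iface wg0 inet static
    pre-up /sbin/ip link add dev wg0 type wireguard
    post-up /usr/bin/wg setconf wg0 /etc/wireguard/wg0.conf
    post-up /sbin/ip route add 192.168.2.0/24 via 192.168.5.2 dev wg0
    post-up iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    post-down /sbin/ip link del wg0
    address 192.168.5.1
    netmask 255.255.255.0'

# Constructed interface list matching the host described in the thread:
# the uplink is ens160 and there is no eth0, so the rule never matches.
printf '%s\n' "$SAMPLE_STANZA" | IFACE_LIST="lo ens160 wg0" missing_rule_ifaces
```

On a real host, leave `IFACE_LIST` unset and feed the function the relevant stanza from `/etc/network/interfaces`; any name it prints is a rule that will silently never apply.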