Development discussion of WireGuard
* Openwrt wg0 behaves not alike that on Fedora: why?
From: Sergey Ivanov @ 2020-06-14 18:19 UTC (permalink / raw)
  To: wireguard

Hi,
I have a question about wg0 on OpenWRT not forwarding packets from one
client to another. I have a laptop at home in my home LAN, and a
computer at work in a very restricted LAN. They can not see one
another. I spent a lot of time trying to get them connected by adding
their wg0's IP addresses to the AllowedIPs on my home router running
OpenWRT. I saw pings from each of them successfully decrypted (I've
used ping with patterns) on the OpenWRT wg0, but they never got routed
further.

When I decided to try to move the same AllowedIPs from OpenWRT's wg0
to my desktop Fedora, it immediately worked. It looks like some sort
of setting like isolation of the clients, or hairpin mode which is
different on OpenWRT than on Fedora.

Can someone help and suggest what I should look at? I'd like to have
it working on the router which is all time on.

-- 
  Regards,
  Sergey Ivanov


* Re: Openwrt wg0 behaves not alike that on Fedora: why?
From: mikma.wg @ 2020-06-15 11:01 UTC (permalink / raw)
  To: Sergey Ivanov, wireguard

On 2020-06-14 20:19, Sergey Ivanov wrote:
> Hi,
> I have a question about wg0 on OpenWRT not forwarding packets from one
> client to another. I have a laptop at home in my home LAN, and a
> computer at work in a very restricted LAN. They can not see one
> another. I spent a lot of time trying to get them connected by adding
> their wg0's IP addresses to the AllowedIPs on my home router running
> OpenWRT. I saw pings from each of them successfully decrypted (I've
> used ping with patterns) on the OpenWRT wg0, but they never got routed
> further.
> 
> When I decided to try to move the same AllowedIPs from OpenWRT's wg0
> to my desktop Fedora, it immediately worked. It looks like some sort
> of setting like isolation of the clients, or hairpin mode which is
> different on OpenWRT than on Fedora.
> 
> Can someone help and suggest what I should look at? I'd like to have
> it working on the router which is all time on.

You should look at the firewall in OpenWrt. It's probably dropping or 
rejecting the packets. In particular look at the forward option of the 
firewall zone assigned to wg0. From the OpenWrt Firewall - Zone Settings 
GUI:

     the forward option describes the policy for forwarded traffic
     between different networks within the zone.

Since WireGuard is a routed (and not bridged) VPN the above setting can 
also control forwarding between hosts on the same network.


* Re: Openwrt wg0 behaves not alike that on Fedora: why?
From: Sergey Ivanov @ 2020-06-15 20:02 UTC (permalink / raw)
  To: mikma.wg; +Cc: wireguard

Thanks!
You are right, it was a rule:

    -A zone_wireguard_forward -m comment --comment "!fw3" -j zone_wireguard_dest_REJECT

Corresponding setting in the luci web interface was "Forward" from the
zone "Wireguard" to "Wireguard". Although I also need a separate ip
route table for this VPN to get access to subnet routing.
-- 
  Sergey.

On Mon, Jun 15, 2020 at 7:02 AM <mikma.wg@lists.m7n.se> wrote:
>
> On 2020-06-14 20:19, Sergey Ivanov wrote:
> > Hi,
> > I have a question about wg0 on OpenWRT not forwarding packets from one
> > client to another. I have a laptop at home in my home LAN, and a
> > computer at work in a very restricted LAN. They can not see one
> > another. I spent a lot of time trying to get them connected by adding
> > their wg0's IP addresses to the AllowedIPs on my home router running
> > OpenWRT. I saw pings from each of them successfully decrypted (I've
> > used ping with patterns) on the OpenWRT wg0, but they never got routed
> > further.
> >
> > When I decided to try to move the same AllowedIPs from OpenWRT's wg0
> > to my desktop Fedora, it immediately worked. It looks like some sort
> > of setting like isolation of the clients, or hairpin mode which is
> > different on OpenWRT than on Fedora.
> >
> > Can someone help and suggest what I should look at? I'd like to have
> > it working on the router which is all time on.
>
> You should look at the firewall in OpenWrt. It's probably dropping or
> rejecting the packets. In particular look at the forward option of the
> firewall zone assigned to wg0. From the OpenWrt Firewall - Zone Settings
> GUI:
>
>      the forward option describes the policy for forwarded traffic
> between different networks within the zone.
>
> Since WireGuard is a routed (and not bridged) VPN the above setting can
> also control forwarding between hosts on the same network.
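
The zone setting discussed in this thread, as an added example that is not part of any message in it: a shell helper that reads fw3 zone definitions in the /etc/config/firewall format and reports the forward policy of the zone containing a given network. The sample config is constructed; the zone name 'wireguard' comes from the chain name quoted in the thread, while the network name 'wg0' and the function names are assumptions.

```sh
#!/bin/sh
# Added example: report the intra-zone "forward" policy of the fw3 zone
# that contains a given network, from /etc/config/firewall-style text.

# Constructed sample. Zone name 'wireguard' matches the chain name quoted
# in the thread; the network name 'wg0' is an assumption.
SAMPLE_CONFIG="
config defaults
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option forward 'ACCEPT'

config zone
	option name 'wireguard'
	list network 'wg0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
"

# zone_forward_policy NETWORK < config
# Prints "<zone> <policy>" for every zone that lists NETWORK
# ("unset" when the zone has no forward option of its own).
zone_forward_policy() {
	awk -v net="$1" -v q="'" '
		function emit() { if (inzone && hit) print name, (fwd == "" ? "unset" : fwd) }
		function unq(s) { gsub("[" q "\"]", "", s); return s }
		$1 == "config" { emit(); inzone = ($2 == "zone"); name = ""; fwd = ""; hit = 0; next }
		!inzone        { next }
		$2 == "name"    { name = unq($3) }
		$2 == "forward" { fwd = unq($3) }
		# "list network" has one value per line, "option network" may hold several
		$2 == "network" { for (i = 3; i <= NF; i++) if (unq($i) == net) hit = 1 }
		END { emit() }
	'
}

# peer_relay_allowed NETWORK < config
# Succeeds only if the zone forwards traffic that enters and leaves it.
peer_relay_allowed() {
	[ "$(zone_forward_policy "$1" | awk '{ print $2 }')" = "ACCEPT" ]
}

# On the router: zone_forward_policy wg0 < /etc/config/firewall
printf '%s\n' "$SAMPLE_CONFIG" | zone_forward_policy wg0
```

With the zone's forward policy set to ACCEPT, every peer in that zone can reach every other peer through the router, so that setting is also the control for keeping peers isolated from one another.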
