Development discussion of WireGuard
From: Sergey Ivanov <seriv@cs.umd.edu>
To: mikma.wg@lists.m7n.se
Cc: wireguard@lists.zx2c4.com
Subject: Re: Openwrt wg0 behaves not alike that on Fedora: why?
Date: Mon, 15 Jun 2020 16:02:41 -0400
Message-ID: <CAM+N7vnykeL=0oF4zq_2zO2JVGLAiMwe7PLGkHptR8S238baUA@mail.gmail.com>
In-Reply-To: <433a642e-4bde-cd7b-021c-2dd8663d3d47@lists.m7n.se>

Thanks!
You are right, it was a rule: '-A zone_wireguard_forward -m comment
--comment "!fw3" -j zone_wireguard_dest_REJECT'. Corresponding setting
in the luci web interface was "Forward" from the zone "Wireguard" to
"Wireguard". Although I also need a separate ip route table for this
VPN to get access to subnet routing.
-- 
  Sergey.

On Mon, Jun 15, 2020 at 7:02 AM <mikma.wg@lists.m7n.se> wrote:
>
> On 2020-06-14 20:19, Sergey Ivanov wrote:
> > Hi,
> > I have a question about wg0 on OpenWRT not forwarding packets from one
> > client to another. I have a laptop at home in my home LAN, and a
> > computer at work in a very restricted LAN. They can not see one
> > another. I spent a lot of time trying to get them connected by adding
> > their wg0's IP addresses to the AllowedIPs on my home router running
> > OpenWRT. I saw pings from each of them successfully decrypted (I've
> > used ping with patterns) on the OpenWRT wg0, but they never got routed
> > further.
> >
> > When I decided to try to move the same AllowedIPs from OpenWRT's wg0
> > to my desktop Fedora, it immediately worked. It looks like some sort
> > of setting like isolation of the clients, or hairpin mode which is
> > different on OpenWRT than on Fedora.
> >
> > Can someone help and suggest what I should look at? I'd like to have
> > it working on the router which is all time on.
>
> You should look at the firewall in OpenWrt. It's probably dropping or
> rejecting the packets. In particular look at the forward option of the
> firewall zone assigned to wg0. From the OpenWrt Firewall - Zone Settings
> GUI:
>
>      the forward option describes the policy for forwarded traffic
> between different networks within the zone.
>
> Since WireGuard is a routed (and not bridged) VPN the above setting can
> also control forwarding between hosts on the same network.
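
As an added illustration (not code from either poster), here is the OpenWrt `/etc/config/firewall` zone stanza that fw3 renders into the `-A zone_wireguard_forward ... -j zone_wireguard_dest_REJECT` rule quoted above, beside the corrected stanza. The zone name `wireguard` and the interface `wg0` are assumed to match the thread; the `lan` forwarding section is an assumption showing how inter-zone forwarding is configured separately.

```uci
# /etc/config/firewall (excerpt, assumed names)

# Before: the zone's own forward policy is REJECT (OpenWrt's default for a
# new zone). Because WireGuard is routed, peer-to-peer traffic enters on wg0
# and leaves on wg0, so it is "forwarded within the zone" and hits
# zone_wireguard_forward -> zone_wireguard_dest_REJECT. Decrypted pings are
# visible on wg0 but never leave it.
config zone
	option name 'wireguard'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wg0'

# After: allow traffic forwarded between networks (and hosts) inside the zone.
# This lets every peer reach every other peer whose prefix is in AllowedIPs;
# if only specific peers should talk, keep REJECT here and add a narrower
# 'config rule' with src/dest 'wireguard' and explicit src_ip/dest_ip instead.
config zone
	option name 'wireguard'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'wg0'

# Inter-zone forwarding (e.g. peers reaching the LAN) is a separate setting
# and is NOT affected by the zone's forward option above.
config forwarding
	option src 'wireguard'
	option dest 'lan'
```

After `/etc/init.d/firewall reload`, `iptables -S zone_wireguard_forward` should show the final jump going to `zone_wireguard_dest_ACCEPT` rather than `zone_wireguard_dest_REJECT`, which is the quickest way to confirm the change took effect.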
