From: Sergey Ivanov <seriv@cs.umd.edu>
To: mikma.wg@lists.m7n.se
Cc: wireguard@lists.zx2c4.com
Subject: Re: Openwrt wg0 behaves not alike that on Fedora: why?
Date: Mon, 15 Jun 2020 16:02:41 -0400
Message-ID: <CAM+N7vnykeL=0oF4zq_2zO2JVGLAiMwe7PLGkHptR8S238baUA@mail.gmail.com>
In-Reply-To: <433a642e-4bde-cd7b-021c-2dd8663d3d47@lists.m7n.se>

Thanks!

You are right, it was a rule: '-A zone_wireguard_forward -m comment
--comment "!fw3" -j zone_wireguard_dest_REJECT'. The corresponding setting
in the LuCI web interface was "Forward" from the zone "Wireguard" to
"Wireguard". Although I also need a separate ip route table for this
VPN to get access to subnet routing.

--
Sergey.

On Mon, Jun 15, 2020 at 7:02 AM <mikma.wg@lists.m7n.se> wrote:
>
> On 2020-06-14 20:19, Sergey Ivanov wrote:
> > Hi,
> > I have a question about wg0 on OpenWRT not forwarding packets from one
> > client to another. I have a laptop at home in my home LAN, and a
> > computer at work in a very restricted LAN. They cannot see one
> > another. I spent a lot of time trying to get them connected by adding
> > their wg0's IP addresses to the AllowedIPs on my home router running
> > OpenWRT. I saw pings from each of them successfully decrypted (I've
> > used ping with patterns) on the OpenWRT wg0, but they never got routed
> > further.
> >
> > When I decided to try to move the same AllowedIPs from OpenWRT's wg0
> > to my desktop Fedora, it immediately worked. It looks like some sort
> > of setting like isolation of the clients, or hairpin mode which is
> > different on OpenWRT than on Fedora.
> >
> > Can someone help and suggest what I should look at? I'd like to have
> > it working on the router, which is on all the time.
>
> You should look at the firewall in OpenWrt. It's probably dropping or
> rejecting the packets. In particular look at the forward option of the
> firewall zone assigned to wg0. From the OpenWrt Firewall - Zone Settings
> GUI:
>
> the forward option describes the policy for forwarded traffic
> between different networks within the zone.
>
> Since WireGuard is a routed (and not bridged) VPN the above setting can
> also control forwarding between hosts on the same network.
Thread overview (3 messages):
2020-06-14 18:19 Sergey Ivanov
2020-06-15 11:01 ` mikma.wg
2020-06-15 20:02 ` Sergey Ivanov [this message]