
I'm a quite happy OpenVPN user who, for security and performance reasons, decided to switch everything to Wireguard.

The main target is to be able to access the office private LAN from outside. Both the office router and the outside peers are behind firewalls, so I decided to adopt a Hub and Spoke configuration. The hub is on a Linux cloud VPS with a public IP. The configuration is the same I currently adopt with OpenVPN: there is a server accessible from the internet and several clients that can communicate with each other when connected to the VPN. One of these is a router that exposes its private LAN to the other clients.

I use the office router as a WG client with VPN Fusion (it's an ASUS RT-AX92U) and I'm able to see all the other computers, both in the VPN and in the private LAN.

VPN address range   = 10.10.10.0/24
LAN address range   = 192.168.51.0/24
router address LAN  = 192.168.51.1
router address VPN  = 10.10.10.3
wireguard hub       = 10.10.10.1
peer A              = 10.10.10.4
peer B              = 10.10.10.5

The main issue is that I cannot connect directly to the router from the VPN. Neither 10.10.10.3 nor 192.168.51.1 responds. Ping doesn't work either. I don't understand if it is due to the firewall or to the WG configuration. With OpenVPN everything works fine. Of course the router is accessible from the private LAN.

I found similar questions but I already tried the suggested solutions without success. There is something I'm just not getting...

Please find here below the configuration file for the hub:

[Interface]
Address = 10.10.10.1/32
ListenPort = 51820
PrivateKey = ************
PreUp = iptables -t mangle -A PREROUTING -i wg0 -j MARK --set-mark 0x30
PreUp = iptables -t nat -A POSTROUTING ! -o wg0 -m mark --mark 0x30 -j MASQUERADE
PostDown = iptables -t mangle -D PREROUTING -i wg0 -j MARK --set-mark 0x30
PostDown = iptables -t nat -D POSTROUTING ! -o wg0 -m mark --mark 0x30 -j MASQUERADE

[Peer]
PublicKey = ************
PresharedKey = ************
AllowedIPs = 10.10.10.3/32, 192.168.51.0/24

[Peer]
PublicKey = ************
PresharedKey = ************
AllowedIPs = 10.10.10.4/32

[Peer]
PublicKey = ************
PresharedKey = ************
AllowedIPs = 10.10.10.5/32

The configuration file for the router:

[Interface]
Address = 10.10.10.3/32
PrivateKey = ********

[Peer]
PublicKey = ********
PresharedKey = ********
AllowedIPs = 10.10.10.0/24
Endpoint = cloudIP:51820

and the configuration file for Peer B (Peer A is the same):

[Interface]
Address = 10.10.10.5/32
PrivateKey = ********

[Peer]
PublicKey = ********
PresharedKey = ********
AllowedIPs = 10.10.10.0/24, 192.168.51.0/24
Endpoint = cloudIP:51820

Do you have any idea? Thanks.

  • Maybe this is a stupid question but I can see where you're adding your masquerade rules, but is ip forwarding enabled on your hub? 17 hours ago

1 Answer

First things first, this is my understanding of your setup.

I used network namespaces to build a toy model of your network and deploy your config (unfortunately I didn't have time to build it to scale or to paint it)

#!/bin/bash

# cache sudo credentials once so the rest of the script does not prompt
sudo true

# two L2 segments: the public "wan" and the office "lan"
sudo ./newHub.sh wan
sudo ./newHub.sh lan

# the office router and two hosts behind it on the lan segment
sudo ./newHost.sh router
sudo ./newHost.sh lanA
sudo ./newHost.sh lanB

sudo ./hostToHub.sh router eth0 192.168.51.1/24 lan
sudo ./hostToHub.sh lanA   eth0 192.168.51.101/24 lan
sudo ./hostToHub.sh lanB   eth0 192.168.51.102/24 lan

# the router forwards between its lan side and the tunnel
sudo ip netns exec router sysctl net.ipv4.ip_forward=1

sudo ip -n lanA route add default via 192.168.51.1
sudo ip -n lanB route add default via 192.168.51.1

# the cloud hub and the two outside peers, all reachable over the wan segment
sudo ./newHost.sh hub
sudo ./newHost.sh peerA
sudo ./newHost.sh peerB

sudo ./hostToHub.sh router wan0 172.16.0.1/24 wan
sudo ./hostToHub.sh hub    wan0 172.16.0.2/24 wan
sudo ./hostToHub.sh peerA  wan0 172.16.0.3/24 wan
sudo ./hostToHub.sh peerB  wan0 172.16.0.4/24 wan

# bring up WireGuard inside each namespace with its own wg0.conf
sudo ip netns exec router wg-quick up ./wg/router/wg0.conf # 10.10.10.3
sudo ip netns exec hub    wg-quick up ./wg/hub/wg0.conf    # 10.10.10.1
sudo ip netns exec peerA  wg-quick up ./wg/peerA/wg0.conf  # 10.10.10.4
sudo ip netns exec peerB  wg-quick up ./wg/peerB/wg0.conf  # 10.10.10.5

Each respective wg0.conf matches your examples. At this stage, every WireGuard peer could ping the center hub, but not each other. I didn't actually think your masquerade rules were actually doing anything, so I deleted those, and I added sysctl net.ipv4.ip_forward=1 to the wg0.conf for the hub.

Excerpt from wg/hub/wg0.conf:

PreUp = sysctl net.ipv4.ip_forward=1
PostDown = sysctl net.ipv4.ip_forward=0

And then everything worked perfectly.

[root@orobas virtopology]# traceroute 192.168.51.101 # ping to a device on the router's lan, from peerA
traceroute to 192.168.51.101 (192.168.51.101), 30 hops max, 60 byte packets
 1  10.10.10.1 (10.10.10.1)  0.541 ms  0.531 ms  0.523 ms
 2  10.10.10.3 (10.10.10.3)  0.969 ms  0.966 ms  1.039 ms
 3  192.168.51.101 (192.168.51.101)  1.041 ms  1.044 ms  1.037 ms
[root@orobas virtopology]#

Hope this helps
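As an added illustration (not code from the question or the answer), the script below parses the hub's wg-quick config as posted (keys replaced by placeholders), resolves which peer WireGuard's cryptokey routing hands a destination to, and checks whether any PreUp/PostUp hook turns on net.ipv4.ip_forward, the setting the answer identifies as missing. The config parser and the `peer_for` / `forwarding_enabled` helpers are this example's own, not part of wg-quick.

```python
import ipaddress

# Hub config from the question, with keys replaced by placeholders (constructed sample).
HUB_CONF = """\
[Interface]
Address = 10.10.10.1/32
PreUp = iptables -t mangle -A PREROUTING -i wg0 -j MARK --set-mark 0x30
[Peer]
PublicKey = ROUTER_KEY
AllowedIPs = 10.10.10.3/32, 192.168.51.0/24
[Peer]
PublicKey = PEER_A_KEY
AllowedIPs = 10.10.10.4/32
[Peer]
PublicKey = PEER_B_KEY
AllowedIPs = 10.10.10.5/32
"""


def parse_wg(text):
    """Parse a wg-quick config into (interface dict, list of peer dicts); repeated keys become lists."""
    iface, peers, cur = {}, [], None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "[Interface]":
            cur = iface
        elif line == "[Peer]":
            cur = {}
            peers.append(cur)
        else:
            key, _, val = line.partition("=")  # split at the first '=' only
            cur.setdefault(key.strip(), []).append(val.strip())
    return iface, peers


def peer_for(peers, dst):
    """Cryptokey routing: the peer whose AllowedIPs contains dst with the longest prefix."""
    dst = ipaddress.ip_address(dst)
    best = None
    for p in peers:
        for cidr in ",".join(p.get("AllowedIPs", [])).split(","):
            net = ipaddress.ip_network(cidr.strip(), strict=False)
            if dst in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, p["PublicKey"][0])
    return best[1] if best else None


def forwarding_enabled(iface):
    """True if a PreUp/PostUp hook sets net.ipv4.ip_forward=1, as the answer's fix does."""
    hooks = iface.get("PreUp", []) + iface.get("PostUp", [])
    return any("ip_forward=1" in h.replace(" ", "") for h in hooks)
```

Run against the posted hub config, `forwarding_enabled` is false, so traffic that cryptokey routing correctly maps to the router peer (10.10.10.3 and 192.168.51.0/24) is never forwarded by the hub kernel.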
