
TL;DR

I'm trying to route between a local network (192.168.0.0/24) on my router and a Wireguard interface (192.168.2.0/24) on the router. The router can use the Wireguard interface just fine but other hosts on 192.168.0.0/24 cannot. How do I resolve this?

Hopefully someone can help shed some light on what is going on here as I have already invested a number of hours into trying to figure it out!

Full Explanation

Network

First I'd like to lay out my network so that the structure is clear. The following hosts are in play:

  • synapse - The DD-WRT router causing problems.
    • oet1 (192.168.2.2) - The Wireguard interface which is successfully connected to axon.
    • vlan2 (55.55.55.55) - The WAN interface of the router.
    • vlan1 (192.168.0.1) - The LAN interface of the router.
  • axon
    • eth0 (55.55.55.66) - The WAN interface of the host.
    • wg0 (192.168.2.1) - The Wireguard interface connected with synapse.
  • neon - A host on the synapse 192.168.0.0/24 network.
    • eth0 (192.168.0.100)

Here's a diagram of this setup (with WAN interfaces excluded):

+--------------------+        +---------------------------------+        +--------------------+
|        Neon        |        |             Synapse             |        |        Axon        |
|                    +------->+                                 +-------->                    |
|        eth0        |        |     vlan1             oet1      |        |        wg0         |
|  192.168.0.100/24  +<-------+ 192.168.0.1/24   192.168.2.2/24 +<-------+   192.168.2.1/24   |
|                    |        |                                 |        |                    |
+--------------------+        +---------------------------------+        +--------------------+

Problem

On synapse, pings to axon get through just fine. Same on axon; pings from axon to synapse are successful.

However, if neon attempts to ping synapse at 192.168.2.2, nothing gets through. Same with 192.168.2.1 naturally.

Note: One interesting observation in this whole mess is that, while pinging 192.168.2.2 from neon, while applying settings in DD-WRT, roughly 1 or 2 packets make it through until the pings stop responding again. This drives me to believe that this is a firewall issue.

Configurations

Here are some relevant configurations

Routes

default 0.0.0.0 55.55.55.1  UG  0   WAN
192.168.2.0 255.255.255.0   *   U   0   oet1
192.168.0.0 255.255.255.0   *   U   0   LAN & WLAN
55.55.55.0  255.255.252.0   *   U   0   WAN

Wireguard Configuration in DD-WRT

[Screenshot: Wireguard configuration in the DD-WRT web interface]

decaby7e
  • Your issue might be caused by the CVE-2019-14899 Mitigation that is known to break communication between VPN peers and the local network. Try disabling it and see if it works. You can alternatively add `iptables -t nat -I POSTROUTING -o br0 -s $(nvram get oet1_ipaddr)/$(nvram get oet1_netmask) -j MASQUERADE` to your firewall commands. – TCB13 Aug 27 '20 at 22:53
  • Also make sure you're using a recent build such as v3.0-r44236. Older builds have bugs and don't do the proper setup. – TCB13 Aug 27 '20 at 22:56
  • Thank you for the advice, but I ended up moving to OpenWRT. Fixed the issue and the interface was much more intuitive and powerful. – decaby7e Aug 29 '20 at 06:13
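The asker's observation that one or two pings get through while settings are being applied, together with the MASQUERADE rule suggested in the comments, both point at the router's FORWARD and nat chains rather than at routing. The following is an added example, not code from the question, the commenters or DD-WRT: an offline checker that reads captured `iptables -S FORWARD` and `iptables -t nat -S POSTROUTING` output and reports whether the LAN-to-WireGuard path is actually permitted. It assumes the DD-WRT LAN bridge is `br0` (the interface named in the comment) and the WireGuard interface is `oet1`; the rule sets it walks are constructed samples, one resembling a chain that only allows LAN-to-WAN and one with the accepts and the masquerade added.

```shell
#!/bin/sh
# Added example, not from the question or from DD-WRT: an offline checker that reads
# captured `iptables -S FORWARD` and `iptables -t nat -S POSTROUTING` output and reports
# whether the LAN<->WireGuard path is permitted. Interface names follow the thread
# (br0 = LAN bridge, oet1 = WireGuard); the rule sets below are constructed samples.

# Constructed: a FORWARD chain that only allows LAN->WAN, so LAN->oet1 hits the DROP policy.
FWD_BROKEN='-P FORWARD DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o vlan2 -j ACCEPT'

# Constructed: the same chain after inserting explicit LAN<->oet1 accepts at the top.
FWD_FIXED='-P FORWARD DROP
-A FORWARD -i br0 -o oet1 -j ACCEPT
-A FORWARD -i oet1 -o br0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o vlan2 -j ACCEPT'

# Constructed nat POSTROUTING chains: WAN masquerade only, then with the rule from the comment.
NAT_BROKEN='-P POSTROUTING ACCEPT
-A POSTROUTING -o vlan2 -j MASQUERADE'
NAT_FIXED='-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.2.0/24 -o br0 -j MASQUERADE
-A POSTROUTING -o vlan2 -j MASQUERADE'

# forward_verdict RULES IN_IF OUT_IF
# First-match walk of the FORWARD chain for a *new* flow entering IN_IF and leaving OUT_IF.
# Prints ACCEPT, DROP or REJECT. RELATED,ESTABLISHED state rules are skipped because the
# first ping packet is NEW; jumps to user-defined chains are not followed (heuristic).
forward_verdict() {
  printf '%s\n' "$1" | awk -v in_if="$2" -v out_if="$3" '
    /^-P FORWARD / { policy = $3; next }
    /^-A FORWARD / {
      if ($0 ~ /RELATED,ESTABLISHED/) next
      rin = ""; rout = ""; target = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "-i") rin = $(i + 1)
        if ($i == "-o") rout = $(i + 1)
        if ($i == "-j") target = $(i + 1)
      }
      if ((rin == "" || rin == in_if) && (rout == "" || rout == out_if) &&
          (target == "ACCEPT" || target == "DROP" || target == "REJECT")) {
        print target; found = 1; exit
      }
    }
    END { if (!found) print (policy == "" ? "ACCEPT" : policy) }'
}

# masquerade_present RULES OUT_IF SRC_NET
# Returns 0 if nat POSTROUTING holds a MASQUERADE rule for SRC_NET leaving OUT_IF.
# Tokens are matched individually because `iptables -S` may print -s/-o in a different
# order from the one the rule was typed in.
masquerade_present() {
  printf '%s\n' "$1" | awk -v out_if="$2" -v src="$3" '
    /^-A POSTROUTING / {
      rout = ""; rsrc = ""; target = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "-o") rout = $(i + 1)
        if ($i == "-s") rsrc = $(i + 1)
        if ($i == "-j") target = $(i + 1)
      }
      if (rout == out_if && rsrc == src && target == "MASQUERADE") { found = 1; exit }
    }
    END { if (found) exit 0; exit 1 }'
}

# diagnose FWD_RULES NAT_RULES
# Checks both forwarding directions between br0 and oet1 plus the masquerade from the
# comment; prints what is missing and returns 0 only when every check passes.
diagnose() {
  fwd=$1; nat=$2; missing=0
  for pair in "br0 oet1" "oet1 br0"; do
    set -- $pair
    verdict=$(forward_verdict "$fwd" "$1" "$2")
    if [ "$verdict" != ACCEPT ]; then
      echo "FORWARD $1 -> $2: $verdict (needs: iptables -I FORWARD -i $1 -o $2 -j ACCEPT)"
      missing=1
    fi
  done
  if ! masquerade_present "$nat" br0 192.168.2.0/24; then
    echo "nat POSTROUTING: no MASQUERADE for 192.168.2.0/24 -o br0 (the rule suggested in the comments)"
    missing=1
  fi
  return $missing
}

# Stand-alone demo against the constructed rule sets.
echo "--- before ---"; diagnose "$FWD_BROKEN" "$NAT_BROKEN" || true
echo "--- after ---";  diagnose "$FWD_FIXED" "$NAT_FIXED" && echo "LAN<->WireGuard path looks complete"
```

On a real router the two inputs come from `iptables -S FORWARD` and `iptables -t nat -S POSTROUTING` run on the device; feeding captured output into `diagnose` gives a quick answer to "is the firewall the reason neon cannot reach 192.168.2.x" before touching any settings. The walk is deliberately conservative: it ignores jumps into DD-WRT's user-defined chains, so a verdict of ACCEPT from this script means an explicit top-level accept exists, while DROP means you should look at the full chain (including those sub-chains) before concluding the rule is missing.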
