Site-to-site over wireguard [SOLVED]

Message

Korhul · Post by **Korhul** » Wed Apr 14, 2021 10:59 am

EDIT - SOLVED, it was misconfigured wireguard on mikrotik router, forgot to add 192.168.10.0/24 to allowed address in peers configuration.

Hi!
I have tried to setup connection between two physical sites using wireguard and I want to allow communication between computers in these LANs to communicate between each other. This works only partialy.
This is diagram of my network

Code: Select all


		LOCAL SITE 1						 			INTERNET
																 |
		192.168.10.1 ---									|
							|						-----------------------
							|						|   PUBLIC IP (wan)   | Gentoo Router
		192.168.10.2 --- 192.168.10.0/24 -| 192.168.10.253 (lan)| providing DHCP/DNS
							|						| 10.88.128.1 (wg0)   | via DNSMASQ
							|						----------------------- 
		192.168.10.3 ---									|
																 |
		LOCAL SITE 2									WIREGUARD VPN (network 10.88.128.0/24)
																 |
		192.168.0.1 ---									 |
							|						---------------------------
							|						| 10.88.128.4 (wg0)	    | MIKROTIK ROUTER
		192.168.0.2 --- 192.168.0.0/24 -- | 192.168.0.253 (bridge)  | 
							|						| EXTERNAL IP (ether1)    |
							|						--------------------------
		192.168.0.3 ---							 	   |
															    |
														    INTERNET

The problem is I can ping from 192.168.10.0/24 to 192.168.0.0/24 but not from 192.168.0.0/24 to 192.168.10.0/24.

Code: Select all

192.168.0.1 ~ $ ping 192.168.10.33
PING 192.168.10.33 (192.168.10.33) 56(84) bytes of data.
From 192.168.0.253 icmp_seq=1 Destination Host Unreachable
From 192.168.0.253 icmp_seq=2 Destination Host Unreachable

192.168.0.1 ~ $ traceroute 192.168.10.33
traceroute to 192.168.10.33 (192.168.10.33), 30 hops max, 60 byte packets
 1  192.168.0.253 (192.168.0.253)  0.430 ms  0.407 ms  0.491 ms
 2  192.168.0.253 (192.168.0.253)  0.410 ms !H  0.525 ms !H  0.409 ms !H

To verify host 192.168.10.33 is up:

Code: Select all

192.168.10.253 # ping 192.168.10.33
PING 192.168.10.33 (192.168.10.33) 56(84) bytes of data.
64 bytes from 192.168.10.33: icmp_seq=1 ttl=64 time=0.873 ms
64 bytes from 192.168.10.33: icmp_seq=2 ttl=64 time=0.796 ms

Vice versa works

Code: Select all

192.168.10.33 > ping 192.168.0.1
  SEQ HOST                                     SIZE TTL TIME  STATUS                                                                                                                                                                                                                                                                                                    
    0 192.168.0.1                                56  62 8ms  
    1 192.168.0.1                                56  62 7ms  
    sent=2 received=2 packet-loss=0% min-rtt=7ms avg-rtt=7ms max-rtt=8ms

I am not sure, if this is problem with routing or firewall issue. But I suspect that Destination Host Unreachable is probably some issue with routing.

Code: Select all

192.168.10.253 # ip route
default via PUBLICIP dev wan metric 4 
10.88.128.0/24 dev wg0 proto kernel scope link src 10.88.128.1 
10.88.128.4 dev wg0 scope link 
PUBLICNETWORK/26 dev wan proto kernel scope link src PUBLICIP 
127.0.0.0/8 via 127.0.0.1 dev lo 
192.168.0.0/24 via 10.88.128.4 dev wg0 
192.168.10.0/24 dev lan proto kernel scope link src 192.168.10.253

Code: Select all

192.168.0.253 > /ip/route print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, s - STATIC, y - COPY
Columns: DST-ADDRESS, GATEWAY, DISTANCE
  #       DST-ADDRESS      GATEWAY      D
  0   As  0.0.0.0/0        ISP_INTERNAL_IP  1
     DAc  10.88.128.0/24   wg0      0
  1   As  10.88.128.1      wg0      1
     DAc  192.168.0.0/24   bridge       0
  2   As  192.168.10.0/24  wg0      1
     DAc  ISP_NETWORK/22   ether1       0

Sidenote: mikrotik si configured to bridge ether2 (lan) and wireless (lan) interface together. Interface ether1 is WAN with ISP_INTERNAL_IP.

Thanks in advance for your help.