WireGuard server can't access YunoHost local network

My YunoHost server

Hardware: raspberry pi 4b+
YunoHost version: 11.2.10.3
I have access to my server: through SSH | through the webadmin | direct access via keyboard / screen | …
Are you in a special context or did you perform some particular tweaking on your YunoHost instance?: no

Description of my issue

I’m trying to access my local network (192.168.2.X) through a WireGuard server I installed on YunoHost.

What works:

  • connecting to the wg server from different clients
  • ping to other clients connected to the wg network (10.10.10.0/24)

What doesn’t work:

  • ping to devices on the local YunoHost network (192.168.2.0/24)

sudo cat /etc/wireguard/wg0.conf
[sudo] password for retiolus: 
# This file was generated using wireguard-ui (https://github.com/ngoduykhanh/wireguard-ui)
# Please don't modify it manually, otherwise your change might get replaced.

# Address updated at:     2024-03-29 16:23:16.82275524 +0000 UTC
# Private Key updated at: 2024-03-29 12:07:14.737136779 +0000 UTC
[Interface]
Address = 10.10.10.0/24,fd42::/112
ListenPort = 8095
PrivateKey = [private]
MTU = 1450
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -A FORWARD -o %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip link set multicast on dev %i; iptables -A FORWARD -i eth0 -o wg0 -j ACCEPT; iptables -A FORWARD -i wg0 -o eth0 -j ACCEPT
PreDown = 
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -D FORWARD -o %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; iptables -D FORWARD -i eth0 -o wg0 -j ACCEPT; iptables -D FORWARD -i wg0 -o eth0 -j ACCEPT
Table = auto

# ID:           [private]
# Name:         popos
# Email:        
# Telegram:     
# Created at:   2024-03-29 17:18:19.013732638 +0000 UTC
# Update at:    2024-03-29 17:37:11.683059476 +0000 UTC
[Peer]
PublicKey = [private]
PresharedKey = [private]
AllowedIPs = 10.10.10.3/32,fd42::3/128
PersistentKeepalive = 15

sudo cat /etc/wireguard/popos.conf
[Interface]
Address = 10.10.10.3/32,fd42::3/128
PrivateKey = [private]
MTU = 1450

[Peer]
PublicKey = [private]
PresharedKey = [private]
AllowedIPs = 10.10.10.0/24,192.168.2.0/24
Endpoint = [private]:8095
PersistentKeepalive = 15

Sending a ping from 10.10.10.1 to 192.168.2.202

On wg server:

sudo tcpdump -i wg0 host 10.10.10.1 and dst net 192.168.2.0/24
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wg0, link-type RAW (Raw IP), snapshot length 262144 bytes
19:38:14.027885 IP 10.10.10.1 > 192.168.2.202: ICMP echo request, id 3478, seq 1, length 64
19:38:15.046370 IP 10.10.10.1 > 192.168.2.202: ICMP echo request, id 3478, seq 2, length 64
19:38:16.116493 IP 10.10.10.1 > 192.168.2.202: ICMP echo request, id 3478, seq 3, length 64
19:38:17.138882 IP 10.10.10.1 > 192.168.2.202: ICMP echo request, id 3478, seq 4, length 64
19:38:18.111899 IP 10.10.10.1 > 192.168.2.202: ICMP echo request, id 3478, seq 5, length 64

On 192.168.2.202:

sudo tcpdump -i enp2s0 icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on enp2s0, link-type EN10MB (Ethernet), snapshot length 262144 bytes

(nothing)

And yes, ping from wg server to 192.168.2.202 works.
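The captures above show the echo requests arriving on wg0 but never reaching the LAN host, so the packets are lost somewhere between the tunnel interface and eth0 on the server. The script below is an added diagnostic, not from this thread and not part of wireguard-ui, that checks the three conditions a forwarded packet must pass on the WireGuard host: kernel forwarding (net.ipv4.ip_forward), the first matching FORWARD rule for wg0 -> eth0 (the PostUp rules use -A, so any REJECT/DROP a distribution firewall inserted earlier in the chain wins), and the MASQUERADE rule on eth0. Whether any of these is actually the cause here is an assumption; the thread does not show the sysctl value or the full chain. Interface names wg0/eth0 and the LAN host 192.168.2.202 are taken from the thread; the parsing helpers take text as arguments so they can be exercised with constructed rule listings, and run_live_checks (root required) feeds them the real data and finishes with a capture on eth0, which tells apart "never forwarded" from "forwarded but not delivered".

```shell
#!/bin/sh
# Added diagnostic: why does a packet that tcpdump shows on wg0 not leave via eth0?
# Helper functions parse text passed in as arguments (offline-checkable);
# run_live_checks gathers the real state on the WireGuard host (needs root).

# 1. Kernel forwarding. With net.ipv4.ip_forward=0 the kernel silently drops
#    every packet not addressed to the host itself, whatever FORWARD says.
#    $1 = contents of /proc/sys/net/ipv4/ip_forward ("0" or "1").
forwarding_enabled() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# 2. FORWARD chain. $1 = output of `iptables -S FORWARD`, $2 = inbound
#    interface (default wg0), $3 = outbound interface (default eth0).
#    Prints the verdict of the first interface-only rule that matches
#    $2 -> $3, otherwise the chain policy. Rules carrying other matches
#    (-m conntrack, -s, -p, "!") apply only to some packets and are skipped.
forward_verdict() {
    printf '%s\n' "$1" | awk -v ifin="${2:-wg0}" -v ifout="${3:-eth0}" '
        /^-P FORWARD/ { policy = $3 }
        /^-A FORWARD/ {
            rin = ""; rout = ""; target = ""; other = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-i")      { rin = $(i + 1); i++ }
                else if ($i == "-o") { rout = $(i + 1); i++ }
                else if ($i == "-j") { target = $(i + 1); break }  # target opts follow -j
                else                 { other = 1 }
            }
            if (other) next
            if ((rin == "" || rin == ifin) && (rout == "" || rout == ifout) &&
                (target == "ACCEPT" || target == "DROP" || target == "REJECT")) {
                print target; found = 1; exit
            }
        }
        END { if (!found) print policy }'
}

# 3. Source NAT. Without MASQUERADE on eth0 the LAN host would answer a
#    10.10.10.x source via its default gateway, not via the Pi.
#    $1 = output of `iptables -t nat -S POSTROUTING`, $2 = outbound interface.
masquerade_present() {
    printf '%s\n' "$1" | grep -q -- "^-A POSTROUTING -o ${2:-eth0} -j MASQUERADE\$"
}

# Run all three checks on the given inputs; prints one line per finding and
# returns the number of problems (0 = the forwarding path looks complete).
diagnose() {
    problems=0
    if ! forwarding_enabled "$1"; then
        echo "PROBLEM: net.ipv4.ip_forward is not 1 (sysctl -w net.ipv4.ip_forward=1; persist it under /etc/sysctl.d/)"
        problems=$((problems + 1))
    fi
    verdict=$(forward_verdict "$2" wg0 eth0)
    if [ "$verdict" != "ACCEPT" ]; then
        echo "PROBLEM: first FORWARD rule matching wg0->eth0 gives $verdict (an ACCEPT appended with -A sits behind it; insert it with -I instead)"
        problems=$((problems + 1))
    fi
    if ! masquerade_present "$3" eth0; then
        echo "PROBLEM: no 'POSTROUTING -o eth0 -j MASQUERADE' rule; replies from the LAN will not come back through the tunnel"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Live mode: read the real state, then capture on eth0 while a peer pings
# 192.168.2.202. Echo requests on eth0 mean forwarding works and the fault is
# on the LAN side; none at all means the kernel or the FORWARD chain dropped them.
run_live_checks() {
    diagnose "$(cat /proc/sys/net/ipv4/ip_forward)" \
             "$(iptables -S FORWARD)" \
             "$(iptables -t nat -S POSTROUTING)"
    echo "Now ping 192.168.2.202 from a WireGuard peer; watching eth0 for 5 packets:"
    tcpdump -n -i eth0 -c 5 icmp and host 192.168.2.202
}

if [ "${1:-}" = "--live" ]; then
    run_live_checks
fi
```

Run it as `sudo sh wg-forward-check.sh --live` on the Pi; with no argument it only defines the functions. If the kernel check passes, the eth0 capture is the decisive step: packets seen there but not on the LAN host point at the LAN side, while no packets on eth0 means the server itself is discarding them.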

In my wg.conf I only have the 10.10.10.x/32 address as AllowedIPs, not the /24 wg network nor the local network that I want to access. Did you try that? Don’t forget to restart the service between configuration changes!

Having 10.10.10.0/24 or 10.10.10.0/32 would be the same… What I really would like is for devices on 10.10.10.0/24 to be able to access devices on 192.168.2.0/24.