I'm not sure if this is a general routing question or more to do with WireGuard or EasyTether, but I think it's general routing.
I have a Raspberry Pi 4 to enable an Android phone to act as the WAN port on a NAT router.
The Pi runs EasyTether via USB to the phone. This is working. It provides a tun-easytether interface on 192.168.117.0/31. The phone is 192.168.117.1.
I have defined a gateway resulting in the following:
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         192.168.117.1   0.0.0.0         UG    0      0        0 tun-easytether
    192.168.115.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
    192.168.117.0   0.0.0.0         255.255.255.254 U     0      0        0 tun-easytether
    192.168.118.0   0.0.0.0         255.255.255.0   U     0      0        0 wg0
eth0 is the Ethernet port at 192.168.115.1, which is connected to the router's WAN. The router WAN has a static IP of 192.168.115.2.
That works nicely. I can browse the web from my laptop connected to the LAN side of the router.
Now I'm trying to introduce WireGuard. I have WireGuard installed on a droplet at Digital Ocean and on the Pi. The server is at 192.168.118.1 and the Pi is 192.168.118.2.
I have changed the default route and set up one for the VPN, resulting in the following:
    0.0.0.0         192.168.118.2   0.0.0.0         UG    0      0        0 wg0
    68.x.x.x        192.168.117.1   255.255.255.255 UGH   0      0        0 tun-easytether
    192.168.115.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
    192.168.117.0   0.0.0.0         255.255.255.254 U     0      0        0 tun-easytether
    192.168.118.0   0.0.0.0         255.255.255.0   U     0      0        0 wg0
68.x.x.x is the public address of the server. That pretty much works because I can ping 192.168.118.1 and 8.8.8.8 from the command line on the Pi. A traceroute to 8.8.8.8 shows it going through Digital Ocean. That all looks great except that I can no longer get to the outside world from my laptop on the LAN side of the router. A traceroute stops at 192.168.115.1, i.e., eth0 on the Pi.
The Pi seems to be not forwarding traffic coming into 192.168.115.1. I've reverted to the original non-VPN config several times to make sure that still works. net.ipv4.ip_forward=1 is set in sysctl.conf on the Pi.
I feel like I'm close but just missing something. I could give the WireGuard setup etc., but it doesn't seem relevant because that appears to be working.
Thanks for any help.
Edit: On further digging, I think I might be wrong about this not being a WireGuard issue. It looks like a duplicate of https://serverfault.com/questions/1014577/howto-configure-wireguard-on-linux-router-to-route-all-traffic-from-lan-to-remot