I have a flaw in my WireGuard setup, but I can't see it. Any suggestions to help debug would be appreciated.
Setup: A local Pi (192.168.1.2/24) running WireGuard that sits behind an ISP gateway. A remote Pi (192.168.2.1/24) that is a gateway/Wi-Fi AP, also running WireGuard. The remote Pi's iptables filters are temporarily flushed. iptables is not installed on the local Pi.
Desired State: A LAN to LAN L3 bridge.
Problem: I can't ping machines on the local network from any machine on the remote network. I can ping/ssh to any machine on the remote network from a local machine. I can ping the local Pi running WireGuard (ping 192.168.1.2 works) from a remote machine, but not beyond that to other local machines (ping 192.168.1.180 does not work).
CORRECTION: I could always ping/ssh from a regular client on the remote network to any machine on the local network. It was only a ping/ssh from 192.168.2.1 on the remote network to any machine on the local network other than the WireGuard server 192.168.1.2 where the issue was.
Seems I have a routing issue on the local Pi. Any direction on debugging would be appreciated.
dhcpcd.conf and interfaces on the local Pi have not been touched.
timemachine@pibackup4:/etc/wireguard $ ip route list
default via 192.168.1.1 dev eth0 proto dhcp src 192.168.1.2 metric 202
10.8.0.0/24 dev wglink2 proto kernel scope link src 10.8.0.1
192.168.1.0/24 dev eth0 proto dhcp scope link src 192.168.1.2 metric 202
192.168.2.0/24 via 10.8.0.2 dev wglink2
timemachine@pibackup4:/etc/wireguard $ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether dc:a6:32:03:fe:6f brd ff:ff:ff:ff:ff:ff
inet 192.168.1.2/24 brd 192.168.1.255 scope global dynamic noprefixroute eth0
valid_lft 74276sec preferred_lft 63476sec
inet6 fe80::f2a8:7662:6de:5b4e/64 scope link
valid_lft forever preferred_lft forever
10: wglink2: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 10.8.0.1/24 scope global wglink2
valid_lft forever preferred_lft forever
timemachine@pibackup4:/etc/wireguard $ cat wglink2.conf
[Interface]
# LAN Address: 192.168.1.2/24
# Wireguard Address: 10.8.0.1
PrivateKey = xxxxxx
Address = 10.8.0.1/24
ListenPort = 51820
Table = off
PostUp = ip route add 192.168.2.0/24 via 10.8.0.2 dev wglink2
PreDown = ip route del 192.168.2.0/24 via 10.8.0.2 dev wglink2
[Peer]
# LAN Address: 192.168.2.1/24
# Wireguard Address: 10.8.0.2
PublicKey = xxxxxx
AllowedIPs = 10.8.0.2/32, 192.168.2.0/24
PersistentKeepalive = 25
timemachine@pibackup4:/etc/network $ sudo wg
interface: wglink2
public key: xxxxxx
private key: (hidden)
listening port: 51820
peer: xxxxxx
endpoint: 192.168.1.1:39915
allowed ips: 10.8.0.2/32, 192.168.2.0/24
latest handshake: 8 seconds ago
transfer: 37.14 KiB received, 42.57 KiB sent
persistent keepalive: every 25 seconds
sudo tcpdump -niany icmp on each hop while you attempt a ping from a remote machine, to determine conclusively where the ICMP packet is being dropped.
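Before pulling captures on every hop, the same question can be replayed offline against the routing tables: for each box, which route matches, which next hop it selects, and which source address the originating host would stamp on the packet. The script below is an added example and is not code from the question or from the answer above. The only real table in it is the local Pi's `ip route list` output quoted in the question; the tables for the remote Pi, for a client on each LAN and for the ISP gateway are constructed assumptions (in particular, the gateway is assumed to carry a static route for 192.168.2.0/24 via 192.168.1.2 and no route for 10.8.0.0/24), chosen only to illustrate why a ping sourced from the remote Pi itself, whose source address is picked from its tunnel interface, can have a different return path from a ping sourced by a LAN client behind it, which is the asymmetry the CORRECTION describes. Substitute real `ip route list` output from each box before drawing any conclusion.

```python
"""Added example (not from the question or answer): replay a ping's forward and return
paths through several hosts' routing tables with Linux FIB selection rules."""
import ipaddress
from typing import NamedTuple, Optional

IPv4 = ipaddress.IPv4Address
Host = NamedTuple("Host", [("name", str), ("addrs", dict), ("routes", list)])


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[IPv4]
    src: Optional[IPv4]
    metric: int


def parse_ip_route(text: str) -> list:
    """Parse `ip route list` output (iproute2 syntax) into Route tuples."""
    routes = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok:
            continue
        kv, i = {}, 1
        while i < len(tok):
            if tok[i] in ("via", "dev", "src", "metric", "proto", "scope"):
                kv[tok[i]] = tok[i + 1]
                i += 2
            else:  # bare flags such as "onlink" or "linkdown"
                i += 1
        routes.append(Route(
            ipaddress.ip_network("0.0.0.0/0" if tok[0] == "default" else tok[0], strict=False),
            kv["dev"], IPv4(kv["via"]) if "via" in kv else None,
            IPv4(kv["src"]) if "src" in kv else None, int(kv.get("metric", 0))))
    return routes


def lookup(routes, dst: IPv4) -> Optional[Route]:
    """Longest prefix wins; among equal prefixes the lowest metric wins."""
    hits = [r for r in routes if dst in r.prefix]
    return max(hits, key=lambda r: (r.prefix.prefixlen, -r.metric)) if hits else None


def trace(hosts, start: str, dst: str, max_hops: int = 8):
    """Walk hop by hop; returns (hops, delivered). delivered is False when the packet
    leaves the modelled hosts (e.g. towards an unmodelled gateway) or has no route."""
    dst = IPv4(dst)
    by_addr = {a: h for h in hosts.values() for a in h.addrs.values()}
    here, hops = hosts[start], []
    for _ in range(max_hops):
        if dst in here.addrs.values():
            return hops, True
        r = lookup(here.routes, dst)
        if r is None:
            return hops + [f"{here.name}: no route to {dst}"], False
        nh = r.via or dst
        hops.append(f"{here.name} -> {nh} via {r.dev}")
        if nh not in by_addr:
            return hops + [f"{nh} is not a modelled host; packet leaves here"], False
        here = by_addr[nh]
    return hops, False


def ping_round_trip(hosts, src_host: str, dst: str):
    """Forward path, then the reply path back to the source address the origin would
    pick (the route's src hint, else the address of the outgoing interface)."""
    origin = hosts[src_host]
    r = lookup(origin.routes, IPv4(dst))
    src = r.src if r.src else origin.addrs[r.dev]
    if not trace(hosts, src_host, dst)[1]:
        return str(src), False, False
    dst_host = next(h.name for h in hosts.values() if IPv4(dst) in h.addrs.values())
    return str(src), True, trace(hosts, dst_host, str(src))[1]


# Table quoted in the question (local Pi, 192.168.1.2).
LOCAL_PI = """default via 192.168.1.1 dev eth0 proto dhcp src 192.168.1.2 metric 202
10.8.0.0/24 dev wglink2 proto kernel scope link src 10.8.0.1
192.168.1.0/24 dev eth0 proto dhcp scope link src 192.168.1.2 metric 202
192.168.2.0/24 via 10.8.0.2 dev wglink2"""
# Everything below is CONSTRUCTED for this example; the question does not show these
# tables. The ISP gateway is assumed to hold a static route for 192.168.2.0/24 via the
# local Pi and nothing for 10.8.0.0/24. Substitute real `ip route list` output.
REMOTE_PI = """10.8.0.0/24 dev wg0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 via 10.8.0.1 dev wg0
192.168.2.0/24 dev wlan0 proto kernel scope link src 192.168.2.1"""
REMOTE_CLIENT = "default via 192.168.2.1 dev wlan0\n192.168.2.0/24 dev wlan0 src 192.168.2.50"
LOCAL_CLIENT = "default via 192.168.1.1 dev eth0\n192.168.1.0/24 dev eth0 src 192.168.1.180"
ISP_GATEWAY = ("default via 203.0.113.1 dev wan\n192.168.1.0/24 dev lan src 192.168.1.1\n"
               "192.168.2.0/24 via 192.168.1.2 dev lan")

HOSTS = {h.name: h for h in (
    Host("local_pi", {"eth0": IPv4("192.168.1.2"), "wglink2": IPv4("10.8.0.1")}, parse_ip_route(LOCAL_PI)),
    Host("remote_pi", {"wlan0": IPv4("192.168.2.1"), "wg0": IPv4("10.8.0.2")}, parse_ip_route(REMOTE_PI)),
    Host("remote_client", {"wlan0": IPv4("192.168.2.50")}, parse_ip_route(REMOTE_CLIENT)),
    Host("local_client", {"eth0": IPv4("192.168.1.180")}, parse_ip_route(LOCAL_CLIENT)),
    Host("isp_gateway", {"lan": IPv4("192.168.1.1"), "wan": IPv4("203.0.113.2")}, parse_ip_route(ISP_GATEWAY)),
)}

if __name__ == "__main__":
    for o, t in (("remote_client", "192.168.1.180"), ("remote_pi", "192.168.1.180")):
        print(o, "->", t, ping_round_trip(HOSTS, o, t), trace(HOSTS, o, t)[0])
```

Under these assumed tables the forward path is identical in both cases (remote Pi, tunnel, local Pi, 192.168.1.180), and the difference is entirely on the reply: 192.168.1.180 sends every reply to its default gateway, which knows how to reach 192.168.2.x but hands a reply for 10.8.0.2 to its own default route. That is exactly the hop where the tcpdump suggested above would show the echo request arriving and the echo reply going the wrong way. The model deliberately ignores WireGuard's own cryptokey routing: a packet arriving from a peer whose source address is not inside that peer's AllowedIPs on the receiving side is silently dropped, so the remote Pi's AllowedIPs for the local Pi also needs to cover 192.168.1.0/24, which the question does not show.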