I'm using a GL.inet router with OpenWrt 19.07.8 r11364-ef56c85848.
I have set up a WireGuard server on a remote machine. With the VPN not connected I can reach that server from my LAN using its public IP. With the VPN connected, I can reach it with the internal IP, but can no longer reach it via the external IP from a computer on my LAN.
Traceroute shows the packets failing at the router with no route to host:
~ % ping 35.190.161.xxx
PING 35.190.161.169 (35.190.161.xxx): 56 data bytes
92 bytes from router.local.wan (192.168.1.254): Destination Host Unreachable
However if I ssh into the router it not only shows the expected routing, but pings and traceroute succeed:
~# netstat -r
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
default 100.64.0.1 0.0.0.0 UG 0 0 0 wan
10.66.66.0 * 255.255.255.0 U 0 0 0 wg0
34.120.255.244 * 255.255.255.255 UH 0 0 0 wan
35.190.161.xxx 100.64.0.1 255.255.255.255 UGH 0 0 0 wan
100.64.0.0 * 255.192.0.0 U 0 0 0 wan
192.168.0.0 * 255.255.252.0 U 0 0 0 br-lan
~# ping 35.190.161.xxx
PING 35.190.161.xxx (35.190.161.xxx): 56 data bytes
64 bytes from 35.190.161.xxx: seq=0 ttl=59 time=243.335 ms
My WireGuard config for this client is:
[Interface]
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxlMxuhwtB9vV2Gpks=
Address = 10.66.66.3/32,fd42:42:42::3/128
DNS = 8.8.8.8,8.8.4.4
[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxkIIPFsO2/EuXDNbeR3g=
PresharedKey = xxxxxxxxxxxxxxxxxxxxxxxxYnnXy4CZUMUzGBAieqU=
Endpoint = 35.190.161.xxx:60242
AllowedIPs = 10.66.66.0/24,::/0
While I can get to the remote server (e.g. via ssh) using the internal IP, it's inconvenient to have to choose the right address depending on whether or not the VPN is established.
Is there something missing in my WireGuard config or is there some other issue?
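A small diagnostic, added here as an example and not part of the original question, that reproduces the two checks a reader would do by hand with the data above: a longest-prefix-match lookup over the router's `netstat -r` table (to see which interface and gateway the main table picks for a given destination), and a check of whether the peer's Endpoint address falls inside its own AllowedIPs (a WireGuard peer whose endpoint is covered by AllowedIPs would have its own handshake traffic routed back into the tunnel). The redacted `xxx` octet is replaced with the constructed placeholder `10`; the routing table is copied from the question as sample input.

```python
import ipaddress

# Sample input: the router's "netstat -r" output from the question,
# with the redacted last octet of the endpoint replaced by a placeholder (10).
NETSTAT_OUTPUT = """\
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
default 100.64.0.1 0.0.0.0 UG 0 0 0 wan
10.66.66.0 * 255.255.255.0 U 0 0 0 wg0
34.120.255.244 * 255.255.255.255 UH 0 0 0 wan
35.190.161.10 100.64.0.1 255.255.255.255 UGH 0 0 0 wan
100.64.0.0 * 255.192.0.0 U 0 0 0 wan
192.168.0.0 * 255.255.252.0 U 0 0 0 br-lan
"""

# Values taken from the [Peer] section of the question (endpoint octet is a placeholder).
PEER_ENDPOINT_HOST = "35.190.161.10"
PEER_ALLOWED_IPS = "10.66.66.0/24,::/0"


def parse_netstat_routes(text):
    """Turn the 'netstat -r' listing into a list of route dicts.

    Each entry carries the destination network (built from Destination + Genmask),
    the gateway (None when netstat prints '*'), the flags and the egress interface.
    """
    routes = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the two header lines and anything that is not a full route row.
        if len(fields) < 8 or fields[0] in ("Kernel", "Destination"):
            continue
        dest, gateway, mask, flags, iface = fields[0], fields[1], fields[2], fields[3], fields[7]
        if dest == "default":
            dest = "0.0.0.0"
        # ip_network accepts a dotted netmask after the slash; strict=False tolerates host bits.
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append({
            "net": net,
            "gateway": None if gateway == "*" else ipaddress.ip_address(gateway),
            "flags": flags,
            "iface": iface,
        })
    return routes


def lookup(routes, destination):
    """Longest-prefix match: the most specific route containing the destination wins."""
    dst = ipaddress.ip_address(destination)
    best = None
    for route in routes:
        if dst in route["net"] and (best is None or route["net"].prefixlen > best["net"].prefixlen):
            best = route
    return best


def parse_allowed_ips(value):
    """Split a WireGuard AllowedIPs value into ip_network objects (v4 and v6 mixed)."""
    return [ipaddress.ip_network(item.strip()) for item in value.split(",")]


def endpoint_inside_allowed_ips(endpoint_host, allowed_networks):
    """Return the AllowedIPs networks that cover the peer's own endpoint address.

    A non-empty result means traffic to the endpoint would itself be sent into the
    tunnel, which is the classic WireGuard routing-loop misconfiguration.
    """
    endpoint = ipaddress.ip_address(endpoint_host)
    return [net for net in allowed_networks
            if net.version == endpoint.version and endpoint in net]


if __name__ == "__main__":
    routes = parse_netstat_routes(NETSTAT_OUTPUT)
    for target in (PEER_ENDPOINT_HOST, "10.66.66.1", "192.168.1.20", "1.1.1.1"):
        r = lookup(routes, target)
        print(f"{target:16} -> {r['net']} via {r['gateway'] or 'link'} dev {r['iface']}")
    overlap = endpoint_inside_allowed_ips(PEER_ENDPOINT_HOST, parse_allowed_ips(PEER_ALLOWED_IPS))
    print("endpoint covered by AllowedIPs:", overlap or "no")
```

With the table from the question, the endpoint resolves to the /32 host route via 100.64.0.1 on `wan`, and the IPv4 part of AllowedIPs (10.66.66.0/24) does not cover it, so the main table and the peer's IPv4 AllowedIPs are consistent with the successful ping from the router itself; what the script cannot see is policy-routing rules (`ip -4 rule`) or firewall zone forwarding, which is why those are the next things to inspect when the router forwards and the LAN host does not.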
ip -4 rule
give more than the usual 3 rules (with pref 0, 32766, 32767) when the VPN is up?