
Wireguard network peers access to lan


I hope you can help me with my problem. I am building a network for personal use and I have found some issues; I don't have experience with networks. I will explain using the attached image:

[Image: Network Infrastructure Diagram]

Problem: I cannot reach devices on a local network using Wireguard and a Raspberry Pi-based VPN router; this includes services within the local network (cameras, personal web server, databases).

Goal:

Reach the devices and their services from the remote server and clients. I've been searching and changing configurations, but none of them works. Sometimes from 10.6.0.1 I can reach IP 172.16.0.1, and that's all.

Description of the infrastructure:

  1. The Wireguard server (a) is located on an Oracle instance, as shown in the image, and it has the following features:

    • Public IP 158.43.56.3 (IP example)

    • Internal IP 10.0.0.183 over the ens3 interface

    • Wireguard server IP 10.6.0.1 over wg0 interface

    • Wireguard port 51820

    • Wireguard installed via pivpn

  2. In the local network, the modem supplies the 192.168.100.XX network (Wi-Fi or Ethernet)

  3. In the network provided by the modem there is a Raspberry Pi 4 (b) with Ubuntu 20.04 working as a wired router with the following features:

    • Local IP 192.168.100.182 over eth0 interface
    • Wireguard IP as a peer: 10.6.0.5 over the wg0 interface
    • Local subnet IP 172.16.0.1 over interface eth1 (usb-ethernet adapter)
    • DHCP server on interface eth1
  4. A switch is connected to the eth1 interface

  5. Different devices (server, IP cameras, DVR) connect to the switch and DHCP gives them IPs of the form 172.16.0.XX, in the range 172.16.0.10 to 172.16.0.200 (b.a, b.b, b.c, for example)

  6. Devices on other networks connected to the VPN (10.6.0.3, for example)

My current setup is as follows (as you can see, I've been trying):

Wireguard Server:

[Interface]
PrivateKey = yL743NyU0M1z7guWxA9kekW7DAOXzO8EDfkAaG+jSGQ=
Address = 10.6.0.1/24
MTU = 1420
ListenPort = 51820

PostUp = iptables -A FORWARD -i wg0 -j ACCEPT;
PostUp = iptables -A FORWARD -o wg0 -j ACCEPT;
PostUp = iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostUp = sysctl -q -w net.ipv4.ip_forward=1

#PostUp = route del -net 172.16.0.0/24 dev wg0
#iptables -t nat -A PREROUTING -d 172.16.0.0/24 -j DNAT --to-destination 10.6.0.1
#PostUp = iptables -t nat -A PREROUTING -d 172.16.0.0/24 -j DNAT --to-destination 10.6.0.1 
#PostUp = iptables -t filter -A FORWARD -s 10.6.0.0/24 -d 172.16.0.0/24 -j ACCEPT              
#PostUp = iptables -t nat -A POSTROUTING -s 10.6.0.0/24 -d 172.16.0.0/24 -j MASQUERADE         

PostDown = sysctl -q -w net.ipv4.ip_forward=0
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT;
PostDown = iptables -D FORWARD -o wg0 -j ACCEPT;
PostDown = iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE

##PostUp = iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o ens3 -j TCPMSS --clamp-mss-to-pmtu
##PostUp = iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
##PostUp = iptables -A FORWARD -i ens3 -j ACCEPT
##PostUp = sysctl -q -w net.ipv4.ip_forward=1

##PostDown = sysctl -q -w net.ipv4.ip_forward=0
##PostDown = iptables -D FORWARD -i ens3 -j ACCEPT
##PostDown = iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
##PostDown = iptables -t mangle -D POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o ens3 -j TCPMSS --clamp-mss-to-pmtu

### begin huawei-device ###
[Peer]
PublicKey = WaP0UPdQWKE0uy3F750cOEeLmLkikdtw0XAw/eGcrFI=
PresharedKey = fMqhe7jxsC9ukEhymPOXCogWMWo82TzIx6Veg+8lslc=
AllowedIPs = 10.6.0.2/24
### end huawei-device ###
### begin mac ###
[Peer]
PublicKey = ZCAV6xDLswBuqYWs38JYwvx2fwvmR1uEFRIAD760pxI=
PresharedKey = JdtJFaWUG2ECAfLX05WCyz/rrcs6VWFkVgnvEqnqhHo=
AllowedIPs = 10.6.0.3/32
AllowedIPs = 172.16.0.10/32
PersistentKeepalive = 15
### end mac ###
### begin rasprouter ###
[Peer]
PublicKey = r56sl4HNKHFkz8/r+aGqOHClMuXUt9lGE34gpktP5Q4=
PresharedKey = ukAcmfZUaMuVq53ruIYWmADwDYq0W+0KNjgAQ/ojqH4=
AllowedIPs = 10.6.0.5/32
AllowedIPs = 172.16.0.10/32
PersistentKeepalive = 15
### end rasprouter ###

Raspberry Wired Router:

[Interface]
PrivateKey = SJXlysVGPfvodzG98EbwrZNvuPqo4sATLKaTB3Kqe20=
Address = 10.6.0.5/24
DNS = 1.1.1.1

###PostUp = sysctl -w net.ipv4.ip_forward=1
###PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
###PostUp = iptables -A FORWARD -o wg0 -j ACCEPT
###PostUp = iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
###PostUp = iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

###PostDown = sysctl -w net.ipv4.ip_forward=0
###PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
###PostDown = iptables -D FORWARD -o wg0 -j ACCEPT
###PostDown = iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
###PostDown = iptables -t nat -D POSTROUTING -o eth1 -j MASQUERADE

PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE; iptables -A FORWARD -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth1 -j MASQUERADE; iptables -D FORWARD -o wg0 -j ACCEPT



[Peer]
PublicKey = mCK/FAHGtXFBNLS5WpHhSPEBvZRwY09HohD1YkNCNSI=
PresharedKey = ukAcmfZUaMuVq53ruIYWmADwDYq0W+0KNjgAQ/ojqH4=
Endpoint = 158.43.56.3:51820
#AllowedIPs = 0.0.0.0/0, ::/1
AllowedIPs = 172.16.0.10/32 
AllowedIPs = 10.6.0.0/24
PersistentKeepalive = 25

Additional client (Mac in the image) on another LAN, far away:

[Interface]
PrivateKey = YH+51/x6MoErmogdOs0UUzIF6W6Oz56t7BhhW9dFvXM=
Address = 10.6.0.3/24
DNS = 1.1.1.1

[Peer]
PublicKey = mCK/FAHGtXFBNLS5WpHhSPEBvZRwY09HohD1YkNCNSI=
PresharedKey = JdtJFaWUG2ECAfLX05WCyz/rrcs6VWFkVgnvEqnqhHo=
Endpoint = 158.43.56.3:51820
### AllowedIPs = 0.0.0.0/0, ::0/0
AllowedIPs = 172.16.0.10/32
AllowedIPs = 10.6.0.0/24
PersistentKeepalive = 25

Next, I share the state of the infrastructure:

From the server: Pastebin link "Server status"

From the Raspberry wired router: Pastebin link "Raspberry status"

Tests

From a to b works

ubuntu@instance-20210915-wireguard:~$ ping 10.6.0.5
PING 10.6.0.5 (10.6.0.5) 56(84) bytes of data.
64 bytes from 10.6.0.5: icmp_seq=1 ttl=64 time=75.1 ms
64 bytes from 10.6.0.5: icmp_seq=2 ttl=64 time=74.8 ms
^C
--- 10.6.0.5 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 74.772/74.920/75.069/0.148 ms

From a to b.a doesn't work

ubuntu@instance-20210915-wireguard:~$ ping 172.16.0.1
PING 172.16.0.1 (172.16.0.1) 56(84) bytes of data.
^C
--- 172.16.0.1 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3075ms

From a to c works

ubuntu@instance-20210915-wireguard:~$ ping 10.6.0.3
PING 10.6.0.3 (10.6.0.3) 56(84) bytes of data.
64 bytes from 10.6.0.3: icmp_seq=1 ttl=64 time=78.5 ms
64 bytes from 10.6.0.3: icmp_seq=2 ttl=64 time=119 ms
64 bytes from 10.6.0.3: icmp_seq=3 ttl=64 time=77.9 ms
^C
--- 10.6.0.3 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 77.888/91.816/119.047/19.256 ms

From b to a works

ubuntu@ubuntu:~$ ping 10.6.0.1
PING 10.6.0.1 (10.6.0.1) 56(84) bytes of data.
64 bytes from 10.6.0.1: icmp_seq=1 ttl=64 time=74.3 ms
64 bytes from 10.6.0.1: icmp_seq=2 ttl=64 time=74.5 ms
^C
--- 10.6.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 74.334/74.396/74.459/0.062 ms

From c to a works

user@MacBook-Pro-user Downloads % ping 10.6.0.1
PING 10.6.0.1 (10.6.0.1): 56 data bytes
64 bytes from 10.6.0.1: icmp_seq=0 ttl=64 time=80.921 ms
64 bytes from 10.6.0.1: icmp_seq=1 ttl=64 time=78.086 ms
64 bytes from 10.6.0.1: icmp_seq=2 ttl=64 time=91.625 ms
^C
--- 10.6.0.1 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 78.086/83.544/91.625/5.830 ms

From b to c doesn't work

ubuntu@ubuntu:~$ ping 10.6.0.3
PING 10.6.0.3 (10.6.0.3) 56(84) bytes of data.
From 10.6.0.1 icmp_seq=1 Destination Host Prohibited
From 10.6.0.1 icmp_seq=2 Destination Host Prohibited
^C
--- 10.6.0.3 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1002ms

From c to b doesn't work

user@MacBook-Pro-user Downloads % ping 10.6.0.5
PING 10.6.0.5 (10.6.0.5): 56 data bytes
92 bytes from 10.6.0.1: Dest Unreachable, Bad Code: 10
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 25f3   0 0000  3f  01 41a3 10.6.0.3  10.6.0.5

Request timeout for icmp_seq 0
92 bytes from 10.6.0.1: Dest Unreachable, Bad Code: 10
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 a5cc   0 0000  3f  01 c1c9 10.6.0.3  10.6.0.5

Request timeout for icmp_seq 1
^C
--- 10.6.0.5 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss

From b to b.a works!!

ubuntu@ubuntu:~$ ping 172.16.0.10
PING 172.16.0.10 (172.16.0.10) 56(84) bytes of data.
64 bytes from 172.16.0.10: icmp_seq=1 ttl=64 time=74.6 ms
64 bytes from 172.16.0.10: icmp_seq=2 ttl=64 time=74.5 ms
^C
--- 172.16.0.10 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 74.455/74.541/74.627/0.086 ms

Well, the goal is to be able to reach at least from IP 10.6.0.1 to 172.16.0.XX.

Using OpenVPN I can define the infrastructure without problems, but the bandwidth is terrible.

I'm so bad at working with network infrastructures, sorry.

What's Next?

Use Nginx to consume services and deploy Apache Airflow in order to process the information that I generate in my LAN.

Thanks in advance

Edit: I posted it before on the wrong site.
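Added example, not part of the question or of any answer on this page, and not pivpn's or WireGuard's code: a small static checker for the one part of this setup that can be verified offline, the server's AllowedIPs table. WireGuard's cryptokey routing maps each prefix to exactly one peer (longest prefix wins; when the same prefix is given to two peers, the one loaded last takes it from the other), so a LAN prefix has to appear under exactly one peer, the router, before any iptables or ip_forward setting on the router can matter. The embedded config is constructed with placeholder keys and follows the shape of the server config in the question; the peer names and the `lan_covered_by` helper are assumptions of this example.

```python
import ipaddress

# Constructed sample server config following the pattern of the one in the
# question: placeholder keys, same kind of pivpn "### begin NAME ###" markers.
SAMPLE_CONFIG = """\
[Interface]
Address = 10.6.0.1/24
ListenPort = 51820

### begin phone ###
[Peer]
PublicKey = PHONE_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.6.0.2/24
### end phone ###
### begin laptop ###
[Peer]
PublicKey = LAPTOP_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.6.0.3/32
AllowedIPs = 172.16.0.10/32
### end laptop ###
### begin lanrouter ###
[Peer]
PublicKey = ROUTER_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.6.0.5/32
AllowedIPs = 172.16.0.10/32
### end lanrouter ###
"""


def parse_peers(text):
    """Return a list of {"name": str, "allowed": [ip_network, ...]}, one per [Peer].

    Names come from pivpn's '### begin NAME ###' comment; peers without one are
    called peer-N. Host bits in AllowedIPs are masked off, as `wg` does
    (10.6.0.2/24 really means 10.6.0.0/24, i.e. the whole tunnel subnet).
    """
    peers = []
    current = None
    pending_name = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("### begin "):
            pending_name = line[len("### begin "):].rstrip("# ").strip()
            continue
        if not line or line.startswith("#"):
            continue
        if line.lower() == "[peer]":
            current = {"name": pending_name or f"peer-{len(peers) + 1}", "allowed": []}
            peers.append(current)
            pending_name = None
            continue
        if line.lower() == "[interface]":
            current = None
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() == "allowedips":
            for cidr in value.split(","):
                current["allowed"].append(ipaddress.ip_network(cidr.strip(), strict=False))
    return peers


def find_overlaps(peers):
    """(peer_a, prefix_a, peer_b, prefix_b) for every pair of peers whose
    AllowedIPs overlap. Each prefix belongs to exactly one peer in WireGuard's
    cryptokey routing table, so an overlap is a misconfiguration, not a tie."""
    issues = []
    for i, a in enumerate(peers):
        for b in peers[i + 1:]:
            for net_a in a["allowed"]:
                for net_b in b["allowed"]:
                    if net_a.version == net_b.version and net_a.overlaps(net_b):
                        issues.append((a["name"], str(net_a), b["name"], str(net_b)))
    return issues


def route_for(peers, address):
    """Name of the peer that would receive packets for `address` through the
    tunnel: longest prefix wins; for equal prefixes the peer loaded later wins.
    None means no AllowedIPs entry matches, so the tunnel cannot carry it."""
    addr = ipaddress.ip_address(address)
    best = None
    for idx, peer in enumerate(peers):
        for net in peer["allowed"]:
            if net.version == addr.version and addr in net:
                key = (net.prefixlen, idx)
                if best is None or key > best[0]:
                    best = (key, peer["name"])
    return best[1] if best else None


def lan_covered_by(peers, lan):
    """Peers whose AllowedIPs contain the whole LAN prefix (hypothetical helper)."""
    lan_net = ipaddress.ip_network(lan, strict=False)
    return [
        p["name"] for p in peers
        if any(n.version == lan_net.version and lan_net.subnet_of(n) for n in p["allowed"])
    ]


if __name__ == "__main__":
    peers = parse_peers(SAMPLE_CONFIG)
    for issue in find_overlaps(peers):
        print("overlap: %s %s <-> %s %s" % issue)
    for target in ("10.6.0.3", "172.16.0.10", "172.16.0.1"):
        print(target, "->", route_for(peers, target))
    print("peers covering 172.16.0.0/24:", lan_covered_by(peers, "172.16.0.0/24"))
```

Run it against a copy of the real server config (never against a file that is also being edited by pivpn) and read the three outputs together: overlaps show prefixes that two peers are fighting over, `route_for` shows where a given LAN address would actually go, and an empty `lan_covered_by` result means no peer is allowed to send or receive the LAN prefix at all. The check is deliberately static: it says nothing about the firewall. The "Bad Code: 10" replies in the c-to-b test are ICMP type 3 code 10, host administratively prohibited, which Linux emits for an iptables REJECT with icmp-host-prohibited, so that particular failure is a filter rule on 10.6.0.1 rather than a missing AllowedIPs entry.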
