Is anyone actually running S2S without the Gl Cloud?

I am getting very frustrated with the inability to get S2S VPN going using WireGuard. Clients can reach hosts on the LAN side of the server, but cannot ping each other or client LAN hosts.

Server is 10.0.0.1 and LAN is 192.168.8.0/24
Client A is an iPhone, 10.0.0.2
Client B is Windows 10.0.0.3 and LAN is 192.168.0.0/24

Both client A and B can ping 192.168.8.102. However, 10.0.0.3 cannot ping 10.0.0.2 and vice versa. Furthermore, neither the server nor client A can ping any hosts on 192.168.0.0/24.

The server config file has list subnet 192.168.0.0/24 for peer B.

What am I doing wrong? No, I am not interested in using the Cloud solution and trusting my network to a third party.

Unfortunately the reference thread does not apply. First, in that case the clients are other GL routers. More importantly, I have tried countless times to follow the OpenWrt community instructions for LuCI and have been unable to get WireGuard going.

From my perspective, I purchased a router and am following the manufacturer’s instructions which unfortunately do not work. At this point I am fed up and ready to ship the router back to Amazon.

Here’s the server configuration file:

config servers
        option local_ip '10.0.0.1'
        option local_ipv6 'fd00:db8:0:abc::1'
        option private_key 'iiSm1IgC0+kc2Nt6iiiYX+BHmCK7QXzkM='
        option public_key 'DPPEBN01sVt6Rh61rtytn/s70Vy/bsV4='
        option access 'ACCEPT'
        option local_port '5003'
        option enable '1'

config peers 'wg_peer_3044'
        option name 'Client_A'
        option client_key 'ekL4tuGGV2gqJYlk0xJJuhNVmrOdsDjFA='
        option private_key 'yYnJhiQuwT01HaTFu6Cd+/EEsEekgwS2A='
        option client_ip '10.0.0.2/32'

config peers 'wg_peer_8682'
        option name 'Client_B'
        option client_key 'etX/sxzdf/f2tBI/0WMRq06kPcEsB0DAg='
        option private_key 'sG81B5B/W1CX5k722Y0h4B6+F+lhglNjZjWfoqpQJ3E='
        option client_ip '10.0.0.6/32'
        list subnet '192.168.0.0/24'

AllowedIPs of your devices? You have to put the tunnel address and/or the subnet of the client you want to reach.
Is the Windows firewall allowing ping?
WG is the same in a router or in a client…

This is what I have for allowed IPs:

root@GL-MV1000:/etc/config# wg
interface: wg0
  public key: lDPPEBN01sVt6Rh61rtytn/s70Vy/bsV4=
  private key: (hidden)
  listening port: 5001

peer: ekL4tuGGV2gqJYlk0xJJuhNVmrOdsDjFA=
  endpoint: 67.80.214.177:52372
  allowed ips: 10.0.0.2/32
  latest handshake: 1 minute, 19 seconds ago
  transfer: 19.40 MiB received, 79.71 MiB sent
  persistent keepalive: every 25 seconds

peer: etX/sxzdf/f2tBI/0WMRq06kPcEsB0DAg=
  endpoint: 173.72.5.241:40376
  allowed ips: 10.0.0.6/32, 192.168.0.0/24
  latest handshake: 1 hour, 42 minutes, 42 seconds ago
  transfer: 841.57 KiB received, 3.51 MiB sent
  persistent keepalive: every 25 seconds

root@GL-MV1000:/etc/config#

In the AllowedIPs of client A put 192.168.0.0/24 and 10.0.0.0/24.
In the AllowedIPs of client B put 10.0.0.0/24.
Be sure that the Windows firewall is allowing ping and file and folder sharing, or whatever you want to reach.
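The reason the AllowedIPs on the clients matter is WireGuard's cryptokey routing: a peer only sends a destination into the tunnel if it falls inside that peer's AllowedIPs, and it silently drops an incoming decrypted packet whose source address is not inside the AllowedIPs of the peer it arrived from. In a hub-and-spoke S2S setup that gives four conditions per direction of traffic. The following is an added example (not from the thread or from GL.iNet's firmware) that models those conditions and reports which entry is missing. The hub-side AllowedIPs are taken from the `wg` output above; the client-side "before" AllowedIPs are a constructed assumption (0.0.0.0/0 on the phone as the poster describes, a narrow set on the Windows side) and the "after" sets follow the advice in this reply. Only cryptokey routing is modelled; host firewalls and IP forwarding on the Windows machine are outside it.

```python
"""Check WireGuard cryptokey routing for a hub-and-spoke (S2S) tunnel.

Constructed example: one hub (the GL router) and two spokes.  For every
direction of traffic it reports which AllowedIPs entry, if any, blocks
the packet.  Host firewalls and IP forwarding are not modelled.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


def nets(*cidrs: str) -> List[ipaddress.IPv4Network]:
    return [ipaddress.ip_network(c) for c in cidrs]


@dataclass
class Spoke:
    name: str
    tunnel_ip: str
    allowed_ips: List[ipaddress.IPv4Network]  # AllowedIPs the spoke has for its hub peer
    lan: Optional[str] = None                 # LAN behind the spoke, if it routes one


@dataclass
class Hub:
    tunnel_ip: str
    lan: str
    peer_allowed: Dict[str, List[ipaddress.IPv4Network]]  # spoke name -> hub's AllowedIPs for it


def covers(addr, allowed) -> bool:
    return any(addr in n for n in allowed)


def hub_peer_for(hub: Hub, addr) -> Optional[str]:
    """Longest-prefix match over the hub's peer AllowedIPs, as wg does when it sends."""
    best = None
    for name, allowed in hub.peer_allowed.items():
        for n in allowed:
            if addr in n and (best is None or n.prefixlen > best[1].prefixlen):
                best = (name, n)
    return best[0] if best else None


def where(addr, hub: Hub, spokes: List[Spoke]) -> Optional[str]:
    """Return the site an address lives on: 'hub' or a spoke name."""
    if addr == ipaddress.ip_address(hub.tunnel_ip) or addr in ipaddress.ip_network(hub.lan):
        return "hub"
    for s in spokes:
        if addr == ipaddress.ip_address(s.tunnel_ip) or (s.lan and addr in ipaddress.ip_network(s.lan)):
            return s.name
    return None


def check_path(src: str, dst: str, hub: Hub, spokes: List[Spoke]) -> Optional[str]:
    """Return None if src->dst can traverse the tunnel, else the blocking condition."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    by_name = {s.name: s for s in spokes}
    s_site, d_site = where(src, hub, spokes), where(dst, hub, spokes)
    if s_site is None or d_site is None:
        return "address is not on any site"
    if s_site != "hub":  # packet leaves a spoke towards the hub
        s = by_name[s_site]
        if not covers(dst, s.allowed_ips):
            return f"{s.name}: {dst} not in its AllowedIPs (never enters the tunnel)"
        if not covers(src, hub.peer_allowed[s.name]):
            return f"hub: source {src} not in AllowedIPs for peer {s.name} (dropped)"
    if d_site != "hub":  # hub forwards the packet to the destination spoke
        d = by_name[d_site]
        if hub_peer_for(hub, dst) != d.name:
            return f"hub: {dst} is not routed to peer {d.name}"
        if not covers(src, d.allowed_ips):
            return f"{d.name}: source {src} not in its AllowedIPs (dropped on receipt)"
    return None


def ping_ok(a: str, b: str, hub: Hub, spokes: List[Spoke]) -> bool:
    """Ping needs both directions to pass cryptokey routing."""
    return check_path(a, b, hub, spokes) is None and check_path(b, a, hub, spokes) is None


# Hub-side AllowedIPs as shown by `wg` in the thread.
HUB = Hub("10.0.0.1", "192.168.8.0/24",
          {"Client_A": nets("10.0.0.2/32"),
           "Client_B": nets("10.0.0.6/32", "192.168.0.0/24")})

# Client-side AllowedIPs: constructed assumption for the "before" state.
BEFORE = [Spoke("Client_A", "10.0.0.2", nets("0.0.0.0/0")),
          Spoke("Client_B", "10.0.0.6", nets("192.168.8.0/24", "10.0.0.1/32"), lan="192.168.0.0/24")]
# After applying the advice above (tunnel subnet plus the remote LANs).
AFTER = [Spoke("Client_A", "10.0.0.2", nets("10.0.0.0/24", "192.168.8.0/24", "192.168.0.0/24")),
         Spoke("Client_B", "10.0.0.6", nets("10.0.0.0/24", "192.168.8.0/24"), lan="192.168.0.0/24")]

if __name__ == "__main__":
    for label, spokes in (("before", BEFORE), ("after", AFTER)):
        for src, dst in (("10.0.0.2", "10.0.0.6"), ("10.0.0.2", "192.168.0.50"),
                         ("192.168.8.102", "192.168.0.50")):
            why = check_path(src, dst, HUB, spokes) or check_path(dst, src, HUB, spokes)
            print(f"[{label}] {src} <-> {dst}: {'ok' if why is None else 'BLOCKED: ' + why}")
```

In the "before" state the report shows the Windows client dropping packets from 10.0.0.2 on receipt, which is why the phone's 0.0.0.0/0 alone is not enough: the narrow side of the pair decides. The same script can be fed any other AllowedIPs sets to confirm a planned change before editing the configs.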

Thank you! Two questions:

  1. Which configuration files do I edit to add the allowed IPs?
  2. On my phone, the WG client shows 0.0.0.0/0 for the peer (the peer is the server running on the Brume); should this allow for all traffic, including the ping from the Windows client to my iPhone?

In the WG app on the iPhone you have to set the AllowedIPs tab. On Windows, what WG client do you use? Usually there is a dedicated section for AllowedIPs, or you can edit the file in the directory of the WG client.
0.0.0.0/0 routes all traffic, but for an S2S it is better to make explicit what routes you want to use.