WireGuard / wireguard-vyatta-ubnt

WireGuard for Ubiquiti Devices
https://www.wireguard.com/
GNU General Public License v3.0

Can ping IP on USG but can't reach it inside USG's network. #34

Closed anthr76 closed 4 years ago

anthr76 commented 4 years ago

Hey all. I'm giving WireGuard on USG another chance, and I'm 90% successful!

I'm stuck at one snag.

{
  "firewall": {
    "group": {
      "network-group": {
        "remote_user_vpn_network": {
          "description": "Remote User VPN subnets",
          "network": [
            "10.200.200.0/24"
          ]
        }
      }
    }
  },
  "interfaces": {
    "wireguard": {
      "wg0": {
        "address": [
          "10.200.200.7/32"
        ],
        "firewall": {
          "in": {
            "name": "LAN_IN"
          },
          "local": {
            "name": "LAN_LOCAL"
          },
          "out": {
            "name": "LAN_OUT"
          }
        },
        "listen-port": "443",
        "peer": [{
          "omit": {
            "allowed-ips": [
              "10.200.200.6/32",
              "172.180.10.1/24",
              "172.180.100.1/24"
            ],
            "endpoint": "omit"
          }
        },
        { 
          "omit": {
            "allowed-ips": [
              "10.136.136.11/32",
              "10.200.200.1/24",
              "10.136.153.234/32",
              "10.136.42.191/32",
              "10.136.14.244/32"
            ],
            "endpoint": "omit:443"
          }
        },
        { 
          "omit": {
            "allowed-ips": [
              "10.200.200.11/32",
              "172.170.10.1/24",
              "172.170.100.1/24"
            ],
            "endpoint": "omit:51820"
          }
        }],
        "private-key": "/config/auth/wireguard/wg_private.key",
        "route-allowed-ips": "true"
      }
    }
  }
}

Attempting to ping 10.200.200.12 on the USG is successful. I can reach 10.200.200.12 on the USG.

Though on the LAN, on a client computer, packets just drop trying to reach 10.200.200.12.

Ping on client:

ping 10.200.200.12
PING 10.200.200.12 (10.200.200.12) 56(84) bytes of data.
^C
--- 10.200.200.12 ping statistics ---
303 packets transmitted, 0 received, 100% packet loss, time 306027ms

Ping on USG:

ping 10.200.200.12
PING 10.200.200.12 (10.200.200.12) 56(84) bytes of data.
64 bytes from 10.200.200.12: icmp_req=1 ttl=63 time=21.2 ms
^C
--- 10.200.200.12 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 21.210/21.210/21.210/0.000 ms

Traceroute:

traceroute 10.200.200.12
traceroute to 10.200.200.12 (10.200.200.12), 30 hops max, 38 byte packets
 1  10.200.200.1 (10.200.200.1)  11.363 ms  12.445 ms  11.897 ms
 2  10.200.200.12 (10.200.200.12)  27.661 ms  21.118 ms  19.601 ms

I have tried setting

configure
set protocols static route 10.200.200.0/24 next-hop <gateway-address> description wg
set protocols static route 10.200.200.0/24 next-hop <gateway-address> distance 1
commit ; save

Though this was no good. Any ideas if I'm doing something wrong in my setup, or if this is a bug?

anthr76 commented 4 years ago

Adding LAN USG subnet to allowed IPs on peer allowed me to ping. My network badly needs to be re-ip'd. This is no longer an issue.
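The fix in the final comment works because of WireGuard's cryptokey routing rule: an outbound packet is sent to the peer whose allowed-ips contain its destination (longest prefix wins), and a decrypted inbound packet is dropped unless its source address lies within the allowed-ips of the peer it arrived from. The added example below (not code from wireguard-vyatta-ubnt or from this issue) simulates that rule with the allowed-ips transcribed from the config above; the hub's view of the USG and the 192.168.1.0/24 LAN subnet are constructed assumptions.

```python
import ipaddress

def select_peer(peers, addr):
    """Longest-prefix match of addr against each peer's allowed-ips.
    Returns the peer name, or None if no peer claims the address."""
    addr = ipaddress.ip_address(addr)
    best_name, best_len = None, -1
    for name, nets in peers.items():
        for cidr in nets:
            # strict=False: like wg(8), mask off host bits such as 10.200.200.1/24
            net = ipaddress.ip_network(cidr, strict=False)
            if addr in net and net.prefixlen > best_len:
                best_name, best_len = name, net.prefixlen
    return best_name

def reachable(local_peers, remote_peers, remote_name, src, dst):
    """Can src (behind the local endpoint) exchange packets with dst?
    Cryptokey routing imposes two lookups per direction:
      1. local must route dst to some peer (else it never enters wg0)
      2. remote accepts the packet only if src is in the allowed-ips it
         holds for the local endpoint; the reply to src uses the same lookup
      3. local accepts the reply only if dst maps to the same peer (same as 1)
    So one lookup on each side decides the outcome."""
    outbound_peer = select_peer(local_peers, dst)
    return outbound_peer is not None and select_peer(remote_peers, src) == remote_name

# Peers on the USG's wg0, transcribed from the issue's config; endpoints and
# public keys are omitted there, so the peers are simply named here.
USG_PEERS = {
    "peer1": ["10.200.200.6/32", "172.180.10.1/24", "172.180.100.1/24"],
    "hub":   ["10.136.136.11/32", "10.200.200.1/24", "10.136.153.234/32",
              "10.136.42.191/32", "10.136.14.244/32"],
    "peer3": ["10.200.200.11/32", "172.170.10.1/24", "172.170.100.1/24"],
}
# The hub's own entry for the USG is not in the issue: constructed assumption.
# 192.168.1.0/24 is a placeholder for the USG's LAN subnet.
HUB_BEFORE = {"usg": ["10.200.200.7/32"]}
HUB_AFTER  = {"usg": ["10.200.200.7/32", "192.168.1.0/24"]}

# Ping sourced from the USG itself (10.200.200.7) works in both cases;
# ping from a LAN client is dropped by the hub until the LAN subnet is added.
if __name__ == "__main__":
    for label, hub in (("before", HUB_BEFORE), ("after", HUB_AFTER)):
        print(label, "usg:", reachable(USG_PEERS, hub, "usg", "10.200.200.7", "10.200.200.12"),
              "lan client:", reachable(USG_PEERS, hub, "usg", "192.168.1.50", "10.200.200.12"))
```

Note that 10.200.200.12 is reached via the hub peer's 10.200.200.1/24 entry, matching the traceroute's first hop of 10.200.200.1.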