Destination Host Unreachable via wireguard

The issue I’m having is that I can’t access hosts on my LAN from my laptop via wireguard

Any thoughts on how to fix this?

I’ve tried different incantations of next-hop, but it doesn’t work

This is the error I’m getting:

ping hermes
PING hermes (192.168.23.25): 56 data bytes
92 bytes from 192.168.10.1: Destination Host Unreachable
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 5400 8ab1 0 0000 3f 01 4e8b 192.168.10.3 192.168.23.25

Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2

And this is my config:

firewall {
    all-ping enable
    broadcast-ping disable
    config-trap disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name FROM-EXTERNAL {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
    }
    name LAN-TO-LAN {
        default-action accept
    }
    name TO-ROUTER {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            icmp {
                type-name echo-request
            }
            protocol icmp
            state {
                new enable
            }
        }
        rule 30 {
            action accept
            destination {
                port 2294
            }
            protocol udp
        }
        rule 40 {
            action accept
            destination {
                port 2284
            }
            protocol udp
        }
    }
    receive-redirects disable
    send-redirects disable
    source-validation disable
    syn-cookies enable
    twa-hazards-protection disable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description WAN
        duplex auto
        firewall {
            in {
                name FROM-EXTERNAL
            }
            local {
                name TO-ROUTER
            }
        }
        hw-id **************
        smp-affinity auto
        speed auto
    }
    ethernet eth1 {
        address 192.168.23.1/24
        description LAN
        duplex auto
        firewall {
            in {
                name LAN-TO-LAN
            }
        }
        hw-id *************
        smp-affinity auto
        speed auto
        traffic-policy {
            out EGRESS_QOS
        }
    }
    loopback lo {
    }
    openvpn vtun0 {
        local-port 2294
        mode server
        openvpn-option comp-lzo
        server {
            domain-name *******************
            name-server 192.168.23.1
            push-route 192.168.23.0/24
            subnet 192.168.70.0/24
        }
        tls {
        }
    }
    wireguard wg0 {
        address 192.168.10.1/24
        description wg-roadwarrior
        peer macbook {
            allowed-ips 192.168.10.3/32
            pubkey ****************
        }
        peer mobile {
            allowed-ips 192.168.10.2/32
            pubkey ****************
        }
        port 2284
    }
}
nat {
    destination {
    }
    source {
        rule 100 {
            outbound-interface eth0
            source {
                address 192.168.23.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 200 {
            outbound-interface eth0
            source {
                address 192.168.10.0/24
            }
            translation {
                address masquerade
            }
        }
    }
}
protocols {
    static {
        interface-route 192.168.10.0/24 {
            next-hop-interface wg0 {
            }
        }
    }
}
service {
    dhcp-server {
        shared-network-name LAN_POOL {
            authoritative
            subnet 192.168.23.0/24 {
                default-router 192.168.23.1
                dns-server 192.168.23.1
                domain-name *********
                lease 604800
                range 0 {
                    start 192.168.23.200
                    stop 192.168.23.245
                }
            }
        }
    }
    dns {
        forwarding {
            allow-from 0.0.0.0/0
            allow-from ::/0
            cache-size 2048
            listen-on eth1
            listen-on vtun0
            listen-on wg0
            system
        }
    }
    ssh {
        disable-password-authentication
        port 22
    }
}

It’s difficult to say without a configuration/network diagram.
It seems 192.168.10.1 doesn’t know about that network

Try to check routes
show ip route 192.168.23.25

Thanks a lot

This is the reply:

show ip route 192.168.23.25
Routing entry for 192.168.23.0/24
Known via "connected", distance 0, metric 0, best
Last update 01w3d01h ago
directly connected, eth1

A quick and dirty diagram would be

[ mobile wg ] 192.168.10.3
|
[ vyos firewall ]
wg 192.168.10.1
lan 192.168.23.x
|
[ hermes ]
lan 192.168.23.5

hope this helps

You don’t need this:
interface-route 192.168.10.0/24 {
    next-hop-interface wg0 {
    }
}

You already have 10.168.10.0/24 assigned to wg0, adding a static route to yourself doesn’t make much sense.

Otherwise, I can’t see anything wrong with that setup. Can an openvpn connected client ping 192.168.23.25?

Thank you!

I can’t test through OpenVPN as I made some changes to my dynamic dns settings and didn’t change the openvpn side, only wireguard’s

I’m away from my LAN, I’ll do some testing when I get back home :man_shrugging:

Cool cool - please let us know, I’d like to know what the problem/fix is.

The only other issue I can think of is that you’ve got an interface directly on your test box that’s part of your LAN network, so it’s not routing via WireGuard, it’s routing to that (and erroring as there’s no ARP for it).

Can you share configuration from the client site?
Which networks do you allow?

Yes, nothing unusual I think

I can access the vyos firewall, it looks like I can’t see anything beyond that

[Interface]
PrivateKey = ***
Address = 192.168.10.3/32
DNS = 192.168.23.1

[Peer]
PublicKey = ***
AllowedIPs = 0.0.0.0/0
Endpoint = $WIREGUARD_SERVER_ADDRESS:$PORT
PersistentKeepalive = 15
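The two diagnostic questions raised above (does the laptop have a local interface on the same subnet as the LAN behind the tunnel, and which networks does the client's AllowedIPs cover) both come down to longest-prefix matching in the client's routing table. The following Python script is an added example, not code from this thread, from VyOS or from the WireGuard project. It parses AllowedIPs out of a client config shaped like the one posted, models the laptop's routing table as (prefix, interface) pairs, and reports which interface a packet to hermes would leave on, plus any local prefix that collides with the remote LAN. The routing tables, the interface name en0, the 10.0.0.0/24 guest network and the endpoint hostname are constructed for the example; representing a 0.0.0.0/0 AllowedIPs as the two /1 routes is an assumption about how wg-quick installs it and does not change the result, since a connected /24 beats a /1 either way.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple

# A route is (prefix, outgoing interface); metrics are ignored in this model.
Route = Tuple[ipaddress.IPv4Network, str]

# Constructed client config in the same shape as the one posted in the thread.
# Keys and endpoint are placeholders, as they were in the original post.
CLIENT_CONF = """
[Interface]
PrivateKey = <redacted>
Address = 192.168.10.3/32
DNS = 192.168.23.1

[Peer]
PublicKey = <redacted>
AllowedIPs = 0.0.0.0/0
Endpoint = vpn.example.invalid:2284
PersistentKeepalive = 15
"""


def allowed_ips(conf_text: str):
    """Collect every AllowedIPs prefix found in a wg client config."""
    nets = []
    for line in conf_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "allowedips":
            for item in value.split(","):
                item = item.strip()
                if item:
                    nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def tunnel_routes(nets, ifname: str = "wg0") -> List[Route]:
    """Routes the tunnel contributes to the table. Assumption: a 0.0.0.0/0
    entry is installed as 0.0.0.0/1 + 128.0.0.0/1 (the wg-quick approach on
    platforms without policy routing); other IPv4 prefixes go in as-is."""
    routes: List[Route] = []
    for net in nets:
        if net.version != 4:
            continue
        if net.prefixlen == 0:
            routes.append((ipaddress.ip_network("0.0.0.0/1"), ifname))
            routes.append((ipaddress.ip_network("128.0.0.0/1"), ifname))
        else:
            routes.append((net, ifname))
    return routes


def best_route(dst: str, routes: Iterable[Route]) -> Optional[Route]:
    """Longest-prefix match, the rule the kernel applies when picking a route."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def egress_interface(dst: str, local_routes: Iterable[Route],
                     conf_text: str = CLIENT_CONF, tunnel: str = "wg0") -> Optional[str]:
    """Interface a packet to dst leaves on, given local routes plus the tunnel's."""
    table = list(local_routes) + tunnel_routes(allowed_ips(conf_text), tunnel)
    chosen = best_route(dst, table)
    return chosen[1] if chosen else None


def lan_collisions(remote_lan: str, local_routes: Iterable[Route]) -> List[str]:
    """Local connected prefixes that overlap the LAN behind the tunnel.
    Any hit means traffic for that LAN is delivered locally, never via the tunnel."""
    remote = ipaddress.ip_network(remote_lan)
    return [str(net) for net, _ in local_routes if net.overlaps(remote)]


def connected(prefix: str, ifname: str) -> Route:
    return (ipaddress.ip_network(prefix), ifname)


# Constructed: the laptop at home, on a Wi-Fi that also uses 192.168.23.0/24.
AT_HOME = [connected("192.168.23.0/24", "en0")]
# Constructed: the laptop away from home, on a 10.0.0.0/24 guest network.
AWAY = [connected("10.0.0.0/24", "en0")]

if __name__ == "__main__":
    for label, table in (("at home", AT_HOME), ("away", AWAY)):
        print(f"{label}: hermes (192.168.23.25) leaves via "
              f"{egress_interface('192.168.23.25', table)}; "
              f"collisions with 192.168.23.0/24: {lan_collisions('192.168.23.0/24', table)}")
```

Running it shows the failure mode described in the thread: with a local 192.168.23.0/24 present, hermes is routed to en0 and the laptop ARPs for it locally, while away from home the same packet goes into wg0. When the remote LAN and the local LAN share a prefix, the practical fixes are renumbering one side or narrowing AllowedIPs to the prefixes that should really traverse the tunnel.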