Thanks! You are right, it was a rule: '-A zone_wireguard_forward -m comment --comment "!fw3" -j zone_wireguard_dest_REJECT'. Corresponding setting in the luci web interface was "Forward" from the zone "Wireguard" to "Wireguard". Although I also need a separate ip route table for this VPN to get access to subnet routing.

-- Sergey.
On Mon, Jun 15, 2020 at 7:02 AM <[email protected]> wrote:
>
> On 2020-06-14 20:19, Sergey Ivanov wrote:
> > Hi,
> > I have a question about wg0 on OpenWRT not forwarding packets from one
> > client to another. I have a laptop at home in my home LAN, and a
> > computer at work in a very restricted LAN. They cannot see one
> > another. I spent a lot of time trying to get them connected by adding
> > their wg0's IP addresses to the AllowedIPs on my home router running
> > OpenWRT. I saw pings from each of them successfully decrypted (I've
> > used ping with patterns) on the OpenWRT wg0, but they never got routed
> > further.
> >
> > When I decided to try to move the same AllowedIPs from OpenWRT's wg0
> > to my desktop Fedora, it immediately worked. It looks like some sort
> > of setting like isolation of the clients, or hairpin mode which is
> > different on OpenWRT than on Fedora.
> >
> > Can someone help and suggest what I should look at? I'd like to have
> > it working on the router which is on all the time.
>
> You should look at the firewall in OpenWrt. It's probably dropping or
> rejecting the packets. In particular look at the forward option of the
> firewall zone assigned to wg0. From the OpenWrt Firewall - Zone Settings
> GUI:
>
>     the forward option describes the policy for forwarded traffic
>     between different networks within the zone.
>
> Since WireGuard is a routed (and not bridged) VPN the above setting can
> also control forwarding between hosts on the same network.
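As an added illustration (not from either message above): the OpenWrt /etc/config/firewall zone stanza that fw3 renders as the zone_wireguard_dest_REJECT rule Sergey found, with the zone-wide fix the LuCI "Forward" setting applies, and a narrower alternative that only lets the two peers that need each other forward through wg0. The zone name, the network name and the peer addresses 10.0.0.2 and 10.0.0.3 are assumptions.

```uci
# /etc/config/firewall (OpenWrt fw3) -- added example; zone/network names
# and peer addresses are assumed, not taken from the thread.

# The zone as it was. 'forward REJECT' is what fw3 turns into
#   -A zone_wireguard_forward -m comment --comment "!fw3" -j zone_wireguard_dest_REJECT
# so a packet decrypted on wg0 and routed straight back out wg0 is rejected.
config zone
	option name 'wireguard'
	list network 'wg0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Option A (what the LuCI "Forward" setting does): change the line above to
#	option forward 'ACCEPT'
# Every wg0 peer can then reach every other peer the router routes for.

# Option B (least privilege): keep the zone at REJECT and add explicit
# rules. A rule with both src and dest set is a forwarding rule and is
# evaluated before the zone's final REJECT. 'proto all' is needed so that
# ICMP (ping) is covered, not just the default tcp/udp.
config rule
	option name 'laptop-to-work'
	option src 'wireguard'
	option src_ip '10.0.0.2'
	option dest 'wireguard'
	option dest_ip '10.0.0.3'
	option proto 'all'
	option target 'ACCEPT'

config rule
	option name 'work-to-laptop'
	option src 'wireguard'
	option src_ip '10.0.0.3'
	option dest 'wireguard'
	option dest_ip '10.0.0.2'
	option proto 'all'
	option target 'ACCEPT'
```

The src_ip/dest_ip matches are meaningful only because each peer's address is already pinned to its key by AllowedIPs on wg0 (WireGuard's cryptokey routing), so a peer cannot forward as another peer's address. Reload with /etc/init.d/firewall reload and confirm with iptables-save that the ACCEPT rules precede the zone_wireguard_dest_REJECT jump.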
