On Wed, 28.08.2019 at 13:56, Dimitar Vassilev wrote:
> Hi Kalin,
>
>> 1. Disable the FW and test.
>>
> Tried - disabling one fw shows wg traffic flowing.
>
>> 2. Try ping from one router to the other using the configured public IP
>> address
>>
> That works as well with the default fw config on OpenWRT/LEDE/LibreCMC.
>
>> 3. Ping the other using the WG IP address
>>
> My problem is that ping between the WG IP addresses is not working. I see
> some PostUp and PostDown examples in the regular configurations like the
> ones below:
>
> PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o enp5s0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o enp5s0 -j MASQUERADE
> PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o enp5s0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o enp5s0 -j MASQUERADE
>
> In the LEDE/OpenWRT derivatives those are marked in the GUI with the
> MASQUERADE and "route allowed IPs" options, but still I'm getting stuck. I
> moved my VPN network from /25 to another /24 and still was stuck.
>
>> If all runs, then it is a routing problem left to solve...
>>
> Agree. I'm a bit at a loss which routing - the kernel one or the forwarding
> of packets. Will tear down and start from scratch with another test.
>
>> Kalin.
>>

Hello all,

Problem solved via a trivial solution - add my origin VPN endpoint IP into the list of AllowedIPs for the peer. Used https://forum.openwrt.org/t/solved-setup-wireguard-connecting-two-networks/4215 to achieve this.

At least in this setup I see the packets flowing in both directions - RX and TX.

My next questions are:

- Is this normal since I'm behind NAT, or are there some OpenWRT/WireGuard specifics I'm missing? In the docs and examples I see examples with just peer IPs added.
- What should I do to make the flow to a private subnet in DMZ on site B from site A?

Thanks,
Dimitar
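The fix in the message above (adding the originating tunnel address to the peer's AllowedIPs) and the follow-up question about reaching a private subnet on the other side both come down to WireGuard's cryptokey routing: a peer's AllowedIPs list selects the peer for outbound packets by destination and, on the receiving side, filters decrypted packets by source. The script below is an added example, not code from this thread or from the WireGuard or OpenWrt projects; it models that rule over two constructed site-to-site configurations. The addresses, subnets and key strings are placeholders, and the site-A "before"/"after" configs are constructed to mirror the symptom described in the thread. The model uses longest-prefix match and, for a tie between peers, the later [Peer] section, which is a simplification of the real kernel behaviour (wg allows each prefix in only one peer).

```python
"""Model of WireGuard cryptokey routing.  Each [Peer]'s AllowedIPs is used
twice: outbound, the destination address selects the peer the packet is
encrypted to; inbound, a decrypted packet is delivered only if its source
address lies inside the AllowedIPs of the peer it arrived from.
Added example (not from the thread); configs and keys are constructed."""
import ipaddress
import re

# Constructed site A config before the fix: only the remote tunnel address
# is listed, so there is no peer for site B's private subnet.
SITE_A_BEFORE = """
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = PLACEHOLDER_A_PRIVATE_KEY

[Peer]
PublicKey = PLACEHOLDER_B_PUBLIC_KEY
Endpoint = 203.0.113.2:51820
AllowedIPs = 10.0.0.2/32
"""

# Same config with site B's LAN added.  wg-quick (and OpenWrt's
# "route allowed IPs" switch) also installs a kernel route per entry.
SITE_A_AFTER = SITE_A_BEFORE.replace(
    "AllowedIPs = 10.0.0.2/32",
    "AllowedIPs = 10.0.0.2/32, 192.168.2.0/24")

# Constructed site B peer entry for A: without A's tunnel address and LAN
# here, B decrypts A's packets and silently drops them (no reply seen).
SITE_B = """
[Interface]
Address = 10.0.0.2/24
ListenPort = 51820
PrivateKey = PLACEHOLDER_B_PRIVATE_KEY

[Peer]
PublicKey = PLACEHOLDER_A_PUBLIC_KEY
Endpoint = 198.51.100.1:51820
AllowedIPs = 10.0.0.1/32, 192.168.1.0/24
"""


def parse_peers(config_text):
    """Return {public_key: [ip_network, ...]} for every [Peer] section.
    Strips '#' comments; repeated AllowedIPs lines are additive."""
    peers, key, nets = {}, None, []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower() in ("[peer]", "[interface]"):
            if key is not None:
                peers[key] = nets
            key, nets = None, []
            continue
        m = re.match(r"(\w+)\s*=\s*(.*)", line)
        if not m:
            continue
        k, v = m.group(1).lower(), m.group(2)
        if k == "publickey":
            key = v.strip()
        elif k == "allowedips":
            nets.extend(ipaddress.ip_network(x.strip(), strict=False)
                        for x in v.split(",") if x.strip())
    if key is not None:
        peers[key] = nets
    return peers


def outbound_peer(config_text, dst_ip):
    """Peer whose AllowedIPs entry is the longest prefix match for dst_ip,
    or None: the packet is dropped and the sender just sees no reply."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for key, nets in parse_peers(config_text).items():
        for net in nets:
            if dst in net and (best is None or net.prefixlen >= best[1].prefixlen):
                best = (key, net)
    return best[0] if best else None


def inbound_accepted(config_text, peer_key, src_ip):
    """A decrypted packet from peer_key is delivered only if src_ip is
    inside that peer's AllowedIPs (the check the thread's fix satisfied)."""
    src = ipaddress.ip_address(src_ip)
    return any(src in net for net in parse_peers(config_text).get(peer_key, []))


def site_to_site_ok(config_a, key_b, config_b, key_a, src_ip, dst_ip):
    """One packet from A's side to B's side: A must pick peer B for dst_ip
    and B must accept src_ip from peer A.  Replies need the mirror image."""
    return (outbound_peer(config_a, dst_ip) == key_b
            and inbound_accepted(config_b, key_a, src_ip))


if __name__ == "__main__":
    A, B = "PLACEHOLDER_A_PUBLIC_KEY", "PLACEHOLDER_B_PUBLIC_KEY"
    for name, cfg in (("before", SITE_A_BEFORE), ("after", SITE_A_AFTER)):
        ok = site_to_site_ok(cfg, B, SITE_B, A, "192.168.1.10", "192.168.2.10")
        print(f"site A {name}: LAN host reaches site B DMZ host: {ok}")
```

Because AllowedIPs doubles as the inbound source filter, a site-to-site peer should list only the remote tunnel address and the remote subnets it is meant to carry; a catch-all such as 0.0.0.0/0 on such a peer would accept any source the other side chooses to emit.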