wireguard config - can connect but cannot ping LAN hosts from phone

mushinsky · Sep 3, 2023, 3:13 PM

I was able to connect my phone but it cannot see hosts inside LAN.

LAN has addresses 192.168.1.0/24, router is 192.168.1.1
Tunnel address is 192.168.2.0
WAN uses Dynamic DNS

Symptoms:

Handshake is completed, phone connects
I can ping 192.168.2.0 from hosts on LAN. But not my router or anything from the phone.

Q1. What to do?
Q2. Also, if I change the interface address to 192.168.2.0/24, on the pfsense side it complains that it is a "network address and cannot be used". It is fine with one client, but what if I have more in future? Why is there the mask field at all in the configuration then?

Here is my config (only keys edited away)

On the server (which is a pfsense router)

Description: external

[Interface]
PrivateKey = [...]
ListenPort = 51820

Peer: pixel7

[Peer]
PublicKey = [Z46...]
AllowedIPs = 192.168.2.0/24
PersistentKeepalive = 0

On the phone

[Interface]
Name=tun
PublicKey= [Z46...]
Addresses=192.168.2.0/32, 192.168.1.0/24
DNS servers 8.8.8.8 (for now, I would really like 192.168.1.1 later to get names within LAN)
ListenPort=51820

#Peer
PublicKey=[...]
AllowedIPs=192.168.1.0/24,192.168.2.0/24
Endpoint=gateway.xxx.com:51820

Firewall

WAN allows everything on IPv4/IPv6 UDP on port 51820
WireGuard group contains wg tunnel interface and allows everything. For good measure, the wg interface also has a (likely useless) rule to allow anything.
Outbound below

Any ideas?

Bob.Dig · Sep 3, 2023, 4:11 PM

@mushinsky said in wireguard config - can connect but cannot ping LAN hosts from phone:

but it cannot see hosts inside LAN.

What hosts?

mushinsky · Sep 3, 2023, 5:31 PM

@Bob-Dig e.g. 192.168.1.3 (NAS)
Or the router itself, 192.168.1.1

mushinsky · Sep 5, 2023, 6:48 PM

Still no luck with this. Any suggestions?

Bob.Dig · Sep 6, 2023, 6:43 AM

@mushinsky You can't have two addresses for the interface and you also have other problems. Maybe take a closer look here.