I had a CentOS 8 Stream wireguard server, which allowed me to play LAN games with friends.
Since i updated to Rocky Linux 9, i cant communicate with other clients any more.
To clarify:
- client to server works
- server to all clients works
- client to client does not work.
For all wireguard stuff, i used the CGN network range (100.64.0.0/24
)
My local LAN has a 192.168.2.0/24
range.
The wireguard server has 2 interfaces:
192.168.2.254/24
(which has a port forwarding on the router to the internet)100.64.0.1/24
(for wireguard stuff)
When a client connects, it can use any service on my LAN (192.168.2.0/24
) network, which is fine, since i host services like DNS, TeamSpeak, etc.
The problem is, clients cant talk/ping to each other in the wireguard range (100.64.0.0/24
). For example: 100.64.0.103
cant ping 100.64.0.104
, which are both external clients connected to the wireguard server.
The server can ping both clients, so i think, this is a routing/firewall problem on the wireguard server.
/etc/wireguard/wg0.conf
:
[Interface]
PrivateKey = ...
Address = 100.64.0.1/24
PostUp = firewall-cmd --zone=public --add-masquerade
PostUp = firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i wg0 -o ens3 -j ACCEPT
PostUp = firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o ens3 -j MASQUERADE
PostDown = firewall-cmd --zone=public --remove-masquerade
PostDown = firewall-cmd --direct --remove-rule ipv4 filter FORWARD 0 -i wg0 -o ens3 -j ACCEPT
PostDown = firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -o ens3 -j MASQUERADE
ListenPort = 51820
# Client #1
[Peer]
PublicKey = ...
AllowedIPs = 100.64.0.101/32
# Client #2
[Peer]
PublicKey = ...
AllowedIPs = 100.64.0.102/32
# Client #3
[Peer]
PublicKey = ...
AllowedIPs = 100.64.0.103/32
# Client #4
[Peer]
PublicKey = ...
AllowedIPs = 100.64.0.104/32
ip a
:
[root@wireguard ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 52:54:00:b7:7f:f7 brd ff:ff:ff:ff:ff:ff
altname enp0s3
inet 192.168.2.254/24 brd 192.168.2.255 scope global dynamic noprefixroute ens3
valid_lft 84243sec preferred_lft 84243sec
inet6 fe80::5054:ff:feb7:7ff7/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 100.64.0.1/24 scope global wg0
valid_lft forever preferred_lft forever
ip route
:
[root@wireguard ~]# ip route
default via 192.168.2.1 dev ens3 proto dhcp src 192.168.2.254 metric 100
100.64.0.0/24 dev wg0 proto kernel scope link src 100.64.0.1
192.168.2.0/24 dev ens3 proto kernel scope link src 192.168.2.254 metric 100
iptables -L -n
[root@wireguard ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Wireguard client config:
[Interface]
PrivateKey = ...
Address = 100.64.0.104/32
DNS = 192.168.2.250
[Peer]
PublicKey = ...
AllowedIPs = 0.0.0.0/0
Endpoint = vpn.example.com:51820
Can anyone tell what i need to change that a client to client communication is possible?