
WireGuard client-to-client communication does not work

I had a CentOS 8 Stream WireGuard server, which allowed me to play LAN games with friends.
Since I updated to Rocky Linux 9, I can't communicate with other clients any more.

To clarify:

  • client to server works
  • server to all clients works
  • client to client does not work.

For all WireGuard stuff, I used the CGN network range (100.64.0.0/24).
My local LAN has a 192.168.2.0/24 range.

The wireguard server has 2 interfaces:

  • 192.168.2.254/24 (which has a port forwarding on the router to the internet)
  • 100.64.0.1/24 (for WireGuard stuff)

When a client connects, it can use any service on my LAN (192.168.2.0/24), which is fine, since I host services like DNS, TeamSpeak, etc.

The problem is, clients can't talk to/ping each other in the WireGuard range (100.64.0.0/24). For example: 100.64.0.103 can't ping 100.64.0.104, which are both external clients connected to the WireGuard server.

The server can ping both clients, so I think this is a routing/firewall problem on the WireGuard server.

/etc/wireguard/wg0.conf:

[Interface]
PrivateKey = ...
Address = 100.64.0.1/24

PostUp = firewall-cmd --zone=public --add-masquerade
PostUp = firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i wg0 -o ens3 -j ACCEPT
PostUp = firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o ens3 -j MASQUERADE

PostDown = firewall-cmd --zone=public --remove-masquerade
PostDown = firewall-cmd --direct --remove-rule ipv4 filter FORWARD 0 -i wg0 -o ens3 -j ACCEPT
PostDown = firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -o ens3 -j MASQUERADE

ListenPort = 51820


# Client #1
[Peer]
PublicKey = ...
AllowedIPs = 100.64.0.101/32


# Client #2
[Peer]
PublicKey = ...
AllowedIPs = 100.64.0.102/32


# Client #3
[Peer]
PublicKey = ...
AllowedIPs = 100.64.0.103/32


# Client #4
[Peer]
PublicKey = ...
AllowedIPs = 100.64.0.104/32

ip a:

[root@wireguard ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 52:54:00:b7:7f:f7 brd ff:ff:ff:ff:ff:ff
    altname enp0s3
    inet 192.168.2.254/24 brd 192.168.2.255 scope global dynamic noprefixroute ens3
       valid_lft 84243sec preferred_lft 84243sec
    inet6 fe80::5054:ff:feb7:7ff7/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 100.64.0.1/24 scope global wg0
       valid_lft forever preferred_lft forever

ip route:

[root@wireguard ~]# ip route
default via 192.168.2.1 dev ens3 proto dhcp src 192.168.2.254 metric 100 
100.64.0.0/24 dev wg0 proto kernel scope link src 100.64.0.1 
192.168.2.0/24 dev ens3 proto kernel scope link src 192.168.2.254 metric 100 

iptables -L -n:

[root@wireguard ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination  

WireGuard client config:

[Interface]
PrivateKey = ...
Address = 100.64.0.104/32
DNS = 192.168.2.250

[Peer]
PublicKey = ...
AllowedIPs = 0.0.0.0/0
Endpoint = vpn.example.com:51820

Can anyone tell me what I need to change so that client-to-client communication is possible?
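As an added illustration (not from the post, and not an answer to it): a trace of what the server does with a packet one client sends to another, using the cryptokey-routing table (the peers' AllowedIPs) and the routing table quoted above. It assumes the "# Client #N" comments name the peers and models only the direct FORWARD rule from the PostUp line, not firewalld's own zone rules, so `direct_rule: False` means only that no explicit direct rule matches the wg0-to-wg0 hairpin.

```python
import ipaddress
# Constructed, trimmed copy of the server-side wg0.conf shown in the post (keys elided, as there).
WG0_CONF = """[Interface]
Address = 100.64.0.1/24
PostUp = firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i wg0 -o ens3 -j ACCEPT
# Client #3
[Peer]
AllowedIPs = 100.64.0.103/32
# Client #4
[Peer]
AllowedIPs = 100.64.0.104/32
"""
ROUTES = [("0.0.0.0/0", "ens3"), ("100.64.0.0/24", "wg0"), ("192.168.2.0/24", "ens3")]  # from "ip route"

def parse_conf(text):
    """Return (server address, [(peer label, AllowedIPs networks)], [(in, out)] direct FORWARD accepts)."""
    server, peers, rules, label = None, [], [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("#"):
            label = line.lstrip("# ")  # the comment names the [Peer] that follows it
        elif line.startswith("Address"):
            server = ipaddress.ip_interface(line.split("=", 1)[1].strip())
        elif line.startswith("AllowedIPs"):
            peers.append((label, [ipaddress.ip_network(n.strip()) for n in line.split("=", 1)[1].split(",")]))
        elif "--add-rule" in line and "filter FORWARD" in line and line.endswith("-j ACCEPT"):
            words = line.split()
            rules.append((words[words.index("-i") + 1], words[words.index("-o") + 1]))
    return server, peers, rules

def peer_for(peers, addr):  # cryptokey routing: longest matching AllowedIPs prefix wins, else None
    hits = [(n.prefixlen, label) for label, nets in peers for n in nets if addr in n]
    return max(hits, key=lambda h: h[0])[1] if hits else None

def egress_iface(dst):  # ordinary longest-prefix route lookup
    hits = [(ipaddress.ip_network(p).prefixlen, dev) for p, dev in ROUTES if dst in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0])[1]

def trace(conf, src, dst):
    """Classify a packet that arrived on wg0 from src addressed to dst: where does the server send it?"""
    server, peers, rules = parse_conf(conf)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if peer_for(peers, src) is None:  # source outside every peer's AllowedIPs: WireGuard drops it on receipt
        return {"hook": "DROP"}
    if dst == server.ip:  # addressed to the server itself: INPUT path, never forwarded
        return {"hook": "INPUT"}
    out = egress_iface(dst)
    result = {"hook": "FORWARD", "in": "wg0", "out": out, "direct_rule": ("wg0", out) in rules}
    if out == "wg0":  # hairpin back into the tunnel: which peer receives the re-encrypted packet?
        result["peer"] = peer_for(peers, dst)
    return result
```

Running `trace(WG0_CONF, "100.64.0.103", "100.64.0.104")` shows the client-to-client packet leaves on wg0 again, destined for "Client #4", and passes the kernel FORWARD hook with wg0 as both input and output interface.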