Wireguard Server and 2 clients

I have a wg server on my dietpi with the following configuration (wg0.conf)

[Interface]
Address = 10.168.188.1/24
PrivateKey =
ListenPort = 51820

Client 1 - Mikrotik sxt lte6 @ 192.168.188.1

[Peer]
PublicKey =
AllowedIPs = 10.168.188.2/32, 192.168.188.0/24

Client 2 - FritzBox! 4040 @ 192.168.178.1

[Peer]
PublicKey =
AllowedIPs = 10.168.188.3/32, 192.168.178.0/24

Connections are up and running but I think the fritzbox is misconfigured, because the ping answer is different from the one from Mikrotik. I am using standard AVM firmware.

Pinging from WG server…

Mikrotik
PING 192.168.188.1 (192.168.188.1) 56(84) bytes of data.
64 bytes from 192.168.188.1: icmp_seq=1 ttl=64 time=50.4 ms

Fritzbox
PING 192.168.178.1 (192.168.178.1) 56(84) bytes of data.
64 bytes from 10.168.188.3: icmp_seq=1 ttl=64 time=2.61 ms (DIFFERENT ADDRESS!)

Can you help me? I need to reach the entire network 192.168.178.0/24 from the wg server.

Thank You
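To make the AllowedIPs part of the configuration above concrete, here is an added example (not code from the original post, DietPi or the WireGuard project) that models WireGuard's cryptokey routing for this wg0.conf. It parses a copy of the server configuration with placeholder keys, answers which peer a destination address is sent to (longest prefix match over every peer's AllowedIPs, which is exactly what the kernel does), and checks for overlapping AllowedIPs between peers, since an allowed prefix can belong to only one peer and configuring it on a second peer silently moves it there.

```python
"""Minimal model of WireGuard cryptokey routing for the wg0.conf in the thread.

Added example, not from the original post, DietPi or the WireGuard project.
The configuration below is a constructed copy of the one in the post with
placeholder keys; only the addresses are the ones quoted there.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample: the server configuration from the thread, keys replaced
# by placeholders.
WG0_CONF = """
[Interface]
Address = 10.168.188.1/24
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER
ListenPort = 51820

# Client 1 - Mikrotik sxt lte6 @ 192.168.188.1
[Peer]
PublicKey = MIKROTIK_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.168.188.2/32, 192.168.188.0/24

# Client 2 - FritzBox! 4040 @ 192.168.178.1
[Peer]
PublicKey = FRITZBOX_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.168.188.3/32, 192.168.178.0/24
"""


def parse_peers(conf: str) -> Dict[str, List[ipaddress.IPv4Network]]:
    """Return {PublicKey: [AllowedIPs networks]} for every [Peer] section."""
    peers: Dict[str, List[ipaddress.IPv4Network]] = {}
    section = None
    current_key = None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
            current_key = None
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if section != "peer":
            continue
        if key.lower() == "publickey":
            current_key = value
            peers.setdefault(current_key, [])
        elif key.lower() == "allowedips" and current_key:
            peers[current_key].extend(
                ipaddress.ip_network(net.strip(), strict=False)
                for net in value.split(","))
    return peers


def route_for(peers: Dict[str, List[ipaddress.IPv4Network]], dst: str) -> Optional[str]:
    """Longest-prefix match over AllowedIPs, as the kernel's cryptokey routing does.

    Returns the public key of the peer that receives packets to dst, or None
    when no AllowedIPs entry covers dst (WireGuard drops such packets)."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Tuple[str, int]] = None
    for key, nets in peers.items():
        for net in nets:
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (key, net.prefixlen)
    return best[0] if best else None


def overlapping_allowed_ips(peers: Dict[str, List[ipaddress.IPv4Network]]) -> List[Tuple[str, str, str]]:
    """Pairs of peers whose AllowedIPs overlap.

    A prefix can be an allowed IP of only one peer; setting it on a second
    peer moves it there without any warning from wg-quick, so a LAN that
    is also covered by a broader prefix on another peer stops being reachable."""
    found = []
    keys = list(peers)
    for i, a in enumerate(keys):
        for b in keys[i + 1:]:
            for net_a in peers[a]:
                for net_b in peers[b]:
                    if net_a.overlaps(net_b):
                        found.append((a, b, f"{net_a} overlaps {net_b}"))
    return found


if __name__ == "__main__":
    peers = parse_peers(WG0_CONF)
    for dst in ("192.168.178.50", "192.168.188.1", "192.168.3.10"):
        print(dst, "->", route_for(peers, dst))
    print("overlaps:", overlapping_allowed_ips(peers))
```

With this configuration 192.168.178.50 routes to the FritzBox peer and 192.168.3.10 (the server's own LAN) to no peer at all, which is correct: only the two remote LANs and the tunnel addresses belong in AllowedIPs.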

It seems to me that the Fritz is masquerading the wireguard interface egress packets.
I don’t know if it can be fixed, but it’s not so terrible.

If I set up an IPSec VPN, I don't have this problem and I can easily reach my FritzBox LAN, but the IPSec connection is unstable with local LTE operators.
So why is Fritz masquerading only the WG interface and not the IPSec one?
Does the internal firewall act differently?
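The masquerade hypothesis above can be checked mechanically from the ping output already quoted in the thread. The following is an added example (not from the original post and not AVM or WireGuard tooling): an echo request to a LAN address behind a peer should be answered from that same address, so a reply whose source is the peer's tunnel address instead means the peer rewrote the packet's source on the way out of its WireGuard interface. The two sample outputs are constructed from the pings quoted earlier in the thread; the `ping_through_tunnel` helper and its iputils flags are my assumption of how it would be run on the DietPi host.

```python
"""Spot source NAT on the far side of a WireGuard tunnel from ping output.

Added example, not from the original thread or any AVM/WireGuard software.
"""
import re
import subprocess
from typing import NamedTuple, Optional

# "PING 192.168.178.1 (192.168.178.1) 56(84) bytes of data."
TARGET_RE = re.compile(r"^PING (\S+) \((\S+)\)")
# "64 bytes from 10.168.188.3: icmp_seq=1 ttl=64 time=2.61 ms"
# or "64 bytes from host (10.168.188.3): icmp_seq=1 ..."
REPLY_RE = re.compile(r"^\d+ bytes from (?:\S+ \()?([\d.]+)\)?:? icmp_seq=(\d+) ttl=(\d+) time=([\d.]+) ms")

# Constructed samples, copied from the two pings quoted in the thread.
SAMPLE_MIKROTIK = """PING 192.168.188.1 (192.168.188.1) 56(84) bytes of data.
64 bytes from 192.168.188.1: icmp_seq=1 ttl=64 time=50.4 ms
"""
SAMPLE_FRITZBOX = """PING 192.168.178.1 (192.168.178.1) 56(84) bytes of data.
64 bytes from 10.168.188.3: icmp_seq=1 ttl=64 time=2.61 ms
"""


class PingResult(NamedTuple):
    target: str       # address the request was sent to
    reply_from: str   # source address of the last reply seen
    replies: int
    masqueraded: bool  # reply source differs from target: SNAT on the far side


def analyse_ping(output: str) -> Optional[PingResult]:
    """Parse iputils ping output and flag replies that come from a different address.

    Returns None when there is no target line or no reply at all (host down,
    AllowedIPs missing, or the peer's firewall dropping the request), which is
    a different failure from a masqueraded reply and must not be confused with it."""
    target = None
    reply_from = None
    replies = 0
    for line in output.splitlines():
        m = TARGET_RE.match(line)
        if m:
            target = m.group(2)
            continue
        m = REPLY_RE.match(line)
        if m:
            replies += 1
            reply_from = m.group(1)
    if target is None or reply_from is None:
        return None
    return PingResult(target, reply_from, replies, reply_from != target)


def ping_through_tunnel(target: str, count: int = 3) -> Optional[PingResult]:
    """Run the system ping (Linux iputils syntax assumed) and analyse it."""
    proc = subprocess.run(["ping", "-c", str(count), "-W", "2", target],
                          capture_output=True, text=True, check=False)
    return analyse_ping(proc.stdout)


def describe(result: Optional[PingResult]) -> str:
    if result is None:
        return "no reply: host down, prefix missing from AllowedIPs, or request filtered"
    if result.masqueraded:
        return (f"{result.target} answered from {result.reply_from}: "
                "far side rewrites the source of tunnel egress (masquerade)")
    return f"{result.target} answered from itself: no NAT on the tunnel path"


if __name__ == "__main__":
    for name, sample in (("Mikrotik", SAMPLE_MIKROTIK), ("FritzBox", SAMPLE_FRITZBOX)):
        print(name + ":", describe(analyse_ping(sample)))
```

Run against the quoted output the Mikrotik sample reports no NAT and the FritzBox sample reports a masqueraded reply from 10.168.188.3, which is the observation the thread is built on; an empty result is reported separately so an unreachable host is not mistaken for NAT.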

First of all, I am just speculating here from the behaviour that you describe. Second, I don't own a Fritz to verify.
WG and IPSec work differently, but at the end of the day it all depends on how Fritz behaves in both cases, if masquerade is indeed the culprit.

Yes, I verified. On FritzOS the WireGuard configuration is very minimal and the firewall cannot be disabled. We have a bit more parameters to set in an IPsec configuration. Anyway, we need a custom firmware (e.g. Freetz-NG) to be able to fine-tune both VPNs. Thank you for your time.

Well, you are passing the local FritzBox network through the tunnel.

I guess you need to share way more information.

What is the local network address range of the wg server?
What is the local network address range of both clients?
Are both clients located on different locations?
What is the purpose of both clients?
What network should they reach?
Which traffic should be passed through the tunnel?

What is the local network address range of the wg server?
192.168.3.0/24 - Tunnel 10.168.188.0/24
What is the local network address range of both clients?
Mikrotik 192.168.188.0/24
Fritzbox 192.168.178.0/24
Are both clients located on different locations?
YES
What is the purpose of both clients? - What network should they reach?
Webcams (from non public IP) - I have to see them from server
Which traffic should be passed through the tunnel?
Webcam streams (TCP ports 80/554)

I think FritzOS is the problem :wink:

Before we examine this further, let’s think about whether this scenario is the right one.

Currently, the external clients (such as the FritzBox) connect to your local WG server hosted on DietPi. I assume that the connection should be permanently active. Right? Because WireGuard has an unpleasant behaviour here with permanent connections.

Unfortunately, the WG clients are not aware of any changes to the external server IP address. This means that even when using a DDNS service, the WG client will always address the same old original IP. WireGuard resolves the DDNS only once when the connection is initially established. After that, there are no further attempts to resolve the DDNS again. Not even when changing the external server IP. Unfortunately, this is a general weakness of WireGuard and not a limitation of DietPi.

Here is a similar problem from OpenWrt Forum

As far as I know, there are some tools that work around the problem. But I have never used them myself. It certainly won’t work on a FritzBox either. I have no idea whether AVM has built something themselves.

It might be better to reverse the scenario and install your own WG server in the respective target networks. This way you can always access the network as a client when you need it and the connection is not permanently active.

Just a thought.

Translated with DeepL.com (free version)
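The "tools that work around the problem" mentioned above do one simple thing: re-resolve the endpoint hostname from time to time and repoint the peer with `wg set` when the address has moved (wireguard-tools ships a `reresolve-dns.sh` contrib script in that spirit). Here is an added example of that workaround in Python, not code from the thread, DietPi, WireGuard or AVM; it is meant for a client you control (the DietPi or Mikrotik side, not the FritzBox, which the thread says cannot run such a thing). The interface name, hostname and public key in `__main__` are placeholders, and the `wg show <iface> endpoints` output format (public key, tab, endpoint or `(none)`) is the one wireguard-tools prints.

```python
"""Re-resolve a DDNS endpoint and repoint a WireGuard peer when it changes.

Added example, not from the original thread and not part of DietPi,
WireGuard or AVM software. The kernel only ever sees the IP address that
`wg-quick`/`wg setconf` resolved at startup; this does the lookup again and
calls `wg set <iface> peer <pubkey> endpoint <ip>:<port>` on change.
"""
import socket
import subprocess
import time
from typing import Dict, Optional


def parse_endpoints(wg_show_output: str) -> Dict[str, str]:
    """Parse `wg show <iface> endpoints`: one "pubkey<TAB>host:port" line per peer,
    with "(none)" for a peer that has never handshaked."""
    endpoints: Dict[str, str] = {}
    for line in wg_show_output.splitlines():
        if not line.strip():
            continue
        pubkey, _, endpoint = line.partition("\t")
        endpoints[pubkey.strip()] = endpoint.strip()
    return endpoints


def endpoint_update(current: Optional[str], resolved_ip: str, port: int) -> Optional[str]:
    """Return the "ip:port" that should be set, or None when the kernel already has it.

    `current` is what `wg show` reports now; None or "(none)" means the peer
    has no endpoint yet, so the resolved address is always applied."""
    wanted = f"{resolved_ip}:{port}"
    if current is None or current == "(none)":
        return wanted
    host, _, cur_port = current.rpartition(":")  # rpartition keeps "[v6]:port" intact
    if host == resolved_ip and cur_port == str(port):
        return None
    return wanted


def refresh_peer(iface: str, pubkey: str, hostname: str, port: int) -> Optional[str]:
    """Resolve `hostname` and repoint `pubkey` on `iface` if the address moved.

    Returns the endpoint that was set, or None if nothing changed.
    Assumes IPv4 DDNS (gethostbyname) and root rights for `wg set`."""
    resolved = socket.gethostbyname(hostname)
    show = subprocess.run(["wg", "show", iface, "endpoints"],
                          capture_output=True, text=True, check=True).stdout
    current = parse_endpoints(show).get(pubkey)
    new = endpoint_update(current, resolved, port)
    if new:
        subprocess.run(["wg", "set", iface, "peer", pubkey, "endpoint", new], check=True)
    return new


if __name__ == "__main__":
    # Placeholder values; replace with the real interface, peer key and DDNS name.
    IFACE, PUBKEY, HOST, PORT = "wg0", "SERVER_PUBLIC_KEY_PLACEHOLDER", "server.example.net", 51820
    while True:
        try:
            changed = refresh_peer(IFACE, PUBKEY, HOST, PORT)
            print("endpoint updated to", changed if changed else "(unchanged)")
        except (socket.gaierror, subprocess.CalledProcessError) as err:
            print("refresh failed:", err)  # keep the old endpoint, retry later
        time.sleep(60)
```

Two caveats worth keeping in mind. The server never needs this: WireGuard's roaming means it learns a client's new source address from the next authenticated packet, so only the side that initiates with a hostname (the client) has to re-resolve. And re-resolving only helps together with PersistentKeepalive or real traffic; a peer that is idle has no reason to handshake again, with or without the new address.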
