RUT241 Wireguard: WebUI/SSH but no LAN Access

Hi folks,

Device: RUT241
Firmware: RUT2M_R_00.07.18.3
VPN: Wireguard

I am running a VPS-hosted Wireguard server, attempting to connect to the RUT241 and access devices on the LAN network. I have tried any number of fixes found on this forum and others and am out of ideas. The router is configured factory default with the exception of the Wireguard and Zones configurations pictured below. Thank you in advance for taking the time.

The Good:

  • Have remote connectivity to the RUT241 WebUI and SSH via Wireguard connection at address 10.7.0.3

The Bad:

  • Cannot connect to RUT241 LAN devices or router’s LAN address from Wireguard VPN.
  • LAN range 192.168.1.0/24, target test device at 192.168.1.101.

VPS Wireguard Configuration

Server Config

[Interface]
PrivateKey = <serverPrivateKey>
Address = 10.7.0.1/24
ListenPort = 443

[Peer]
PublicKey = <pcPublicKey>
AllowedIPs = 10.7.0.2/32
Endpoint = 

[Peer]
PublicKey = <rut241PublicKey>
AllowedIPs = 10.7.0.3/32, 192.168.1.0/24, 192.168.1.101/32
Endpoint = 

RUT241 Peer Config

[Interface]
PrivateKey = <rut241PrivateKey>
Address = 10.7.0.3/32, 192.168.1.0/24, 192.168.1.101/32
MTU = 1280
DNS = 9.9.9.9

[Peer]
PublicKey = <serverPublicKey>
AllowedIPs = 0.0.0.0/0
Endpoint = my.vpn.endpoint:443
PersistentKeepalive = 25

PC Peer Config

[Interface]
PrivateKey = <pcPrivateKey>
Address = 10.7.0.2/32
MTU = 1280
DNS = 9.9.9.9

[Peer]
PublicKey = <serverPublicKey>
AllowedIPs = 0.0.0.0/0
Endpoint = my.vpn.endpoint:443
PersistentKeepalive = 25

RUT241 Peer Ping Results

RUT241 Configuration

Wireguard Config

Peer Config

SSH wg results

root@RUT241:~# wg
interface: WG_AIO
  public key: <rut241PublicKey
  private key: (hidden)
  listening port: 51820

peer: <serverPublicKey>
  endpoint: my.vpn.endpoint:443
  allowed ips: 0.0.0.0/1, 128.0.0.0/1, ::/1, 8000::/1
  latest handshake: 30 seconds ago
  transfer: 53.79 KiB received, 37.95 KiB sent
  persistent keepalive: every 25 seconds

Firewall Zones

Hello,

Your configuration has a few issues:

  • in server config AllowedIPs=10.7.0.3/32, 192.168.1.0/24, 192.168.1.101/32. Here 192.168.1.101/32 is redundant, remove it from the list.
  • RUT241 Peer Config: set Address=10.7.0.3/24 only and AllowedIPs to 0.0.0.0/1 + 128.0.0.0/1 (+ ::/1 + 8000::1 if you need IPv6)
  • PC Peer Config: set Address = 10.7.0.2/24, same as above for AllowedIPs

And make sure that the default route of the devices behind the RUT points to it.

Regards,
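
Added example (not part of the original posts, and not Teltonika or WireGuard project code): a small checker for the points raised in the reply above, run over the server and RUT241 configs from the first post. The function names and the `lan_subnets` parameter are assumptions made for this illustration; `peer_for` goes one step further and shows which peer the server's AllowedIPs select for a destination by longest-prefix match.

```python
import ipaddress

# Constructed input: the server and RUT241 configs as first posted in this
# thread, keeping the poster's key placeholders and omitting empty Endpoint lines.
SERVER_CONF = """\
[Interface]
PrivateKey = <serverPrivateKey>
Address = 10.7.0.1/24
ListenPort = 443

[Peer]
PublicKey = <pcPublicKey>
AllowedIPs = 10.7.0.2/32

[Peer]
PublicKey = <rut241PublicKey>
AllowedIPs = 10.7.0.3/32, 192.168.1.0/24, 192.168.1.101/32
"""

RUT_CONF = """\
[Interface]
PrivateKey = <rut241PrivateKey>
Address = 10.7.0.3/32, 192.168.1.0/24, 192.168.1.101/32

[Peer]
PublicKey = <serverPublicKey>
AllowedIPs = 0.0.0.0/0
Endpoint = my.vpn.endpoint:443
"""


def parse_conf(text):
    """Parse wg-quick style text into a list of (section, {key: [values]})."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments such as "#Name = VPS"
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].lower(), {}))
        elif "=" in line and sections:
            key, value = (part.strip() for part in line.split("=", 1))
            items = [v.strip() for v in value.split(",") if v.strip()]
            sections[-1][1].setdefault(key.lower(), []).extend(items)
    return sections


def lint(text, lan_subnets=()):
    """Return findings for one config. lan_subnets (an assumption of this
    example) lists the subnets that are meant to be routed behind a peer."""
    lans = [ipaddress.ip_network(s) for s in lan_subnets]
    findings = []
    for name, opts in parse_conf(text):
        if name == "interface":
            # The tunnel interface should carry only its tunnel address; an
            # address from the routed LAN collides with the real LAN interface.
            for addr in opts.get("address", []):
                net = ipaddress.ip_interface(addr).network
                if any(net.version == lan.version and net.overlaps(lan) for lan in lans):
                    findings.append(f"interface-address-in-lan {addr}")
        elif name == "peer":
            nets = [ipaddress.ip_network(a, strict=False)
                    for a in opts.get("allowedips", [])]
            for a in nets:
                for b in nets:
                    if a.version == b.version and a != b and a.subnet_of(b):
                        findings.append(f"redundant-allowed-ip {a} is inside {b}")
    return findings


def peer_for(text, dest):
    """PublicKey of the peer whose AllowedIPs match dest with the longest prefix."""
    ip = ipaddress.ip_address(dest)
    best = None
    for name, opts in parse_conf(text):
        if name != "peer":
            continue
        for entry in opts.get("allowedips", []):
            net = ipaddress.ip_network(entry, strict=False)
            if net.version == ip.version and ip in net:
                if best is None or net.prefixlen > best[0]:
                    best = (net.prefixlen, opts.get("publickey", ["?"])[0])
    return best[1] if best else None


if __name__ == "__main__":
    for label, conf in (("server", SERVER_CONF), ("RUT241", RUT_CONF)):
        for finding in lint(conf, lan_subnets=["192.168.1.0/24"]):
            print(label, finding)
    print("192.168.1.101 ->", peer_for(SERVER_CONF, "192.168.1.101"))
```
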

Thanks, vogon.

Per your advice, I updated the Server config and each of the peer’s configs. I am still unable to access the LAN on the RUT241, and attempting to navigate to the LAN via browser will knock the RUT241 offline temporarily.

Additional thoughts?

Server Config

[Interface]
#Name = VPS
Address = 10.7.0.1/24
ListenPort = 443
PrivateKey = <serverPrivateKey>

[Peer]
#Name = RUT241
PublicKey = <rut241PublicKey>
AllowedIPs = 10.7.0.3/32, 192.168.1.0/24
Endpoint =

[Peer]
#Name = PC
PublicKey = <pcPublicKey>
AllowedIPs = 10.7.0.2/32
Endpoint = 

RUT241 Config

config interface 'WG_AIO'
        option proto 'wireguard'
        option disabled '0'
        list dns '9.9.9.9'
        option private_key '<rut241PrivateKey>'
        option public_key '<rut241PublicKey'
        option mtu '1280'
        option listen_port '51820'
        list addresses '10.7.0.3/24'

config wireguard_WG_AIO 'Server'
        option endpoint_port '443'
        option description 'WG Server'
        option public_key '<serverPublicKey>'
        option force_tunlink '0'
        option endpoint_host 'my.vpn.endpoint'
        option route_allowed_ips '1'
        option tunlink 'any'
        option persistent_keepalive '25'
        list allowed_ips '0.0.0.0/1'
        list allowed_ips '128.0.0.0/1'

PC Config

[Interface]
PrivateKey = <pcPrivateKey>
Address = 10.7.0.2/24
DNS = 9.9.9.9
MTU = 1280

[Peer]
PublicKey = <serverPublicKey>
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1
Endpoint = my.vpn.endpoint:443
PersistentKeepalive = 25

What happens if you turn off Masquerading on the RUT241 Wireguard zone?

From the server can you ping 10.7.0.3 ? 192.168.1.1 ? another 192.168.1.x device ?

I didn’t spot it the first time but the MTU = 1280 specification is missing in the server’s config. Might this be the cause ?

What happens if you turn off Masquerading on the RUT241 Wireguard zone?

It does not appear to have had any effect.

From the server can you ping 10.7.0.3 ? 192.168.1.1 ? another 192.168.1.x device ?

Can access the 10. address, but none of the 192. addresses. Adding MTU = 1280 to server config had no noticeable effect.

Try with traceroute instead of ping. What is the output ?

Second step: tcpdump on the RUT.

tcpdump -i any -n -v icmp

What is the output of tcpdump ?

Try with traceroute instead of ping. What is the output ?

[image: traceroute output, not preserved]

What is the output of tcpdump ?

This is tcpdump while running traceroute to 192.168.1.101.

root@RUT241:~# tcpdump -i any -n -v icmp
tcpdump: WARNING: any: That device doesn't support promiscuous mode
(Promiscuous mode not supported on the "any" device)
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
11:54:51.894783 qmimux0 Out IP (tos 0xc0, ttl 64, id 37581, offset 0, flags [none], proto ICMP (1), length 88)
    100.95.249.37 > my.vpn.endpoint: ICMP time exceeded in-transit, length 68
        IP (tos 0x0, ttl 1, id 29293, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.54308 > 192.168.1.101.33434: UDP, length 32
11:54:51.910015 qmimux0 Out IP (tos 0xc0, ttl 64, id 37583, offset 0, flags [none], proto ICMP (1), length 88)
    100.95.249.37 > my.vpn.endpoint: ICMP time exceeded in-transit, length 68
        IP (tos 0x0, ttl 1, id 5336, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.46258 > 192.168.1.101.33435: UDP, length 32
11:54:51.910127 qmimux0 Out IP (tos 0xc0, ttl 64, id 37584, offset 0, flags [none], proto ICMP (1), length 88)
    100.95.249.37 > my.vpn.endpoint: ICMP time exceeded in-transit, length 68
        IP (tos 0x0, ttl 1, id 33720, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.54704 > 192.168.1.101.33436: UDP, length 32
11:54:51.911849 eth0  In  IP (tos 0x6,ECT(0), ttl 64, id 20815, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.101 > my.vpn.endpoint: ICMP 192.168.1.101 udp port 33437 unreachable, length 68
        IP (tos 0x0, ttl 1, id 20874, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.57472 > 192.168.1.101.33437: UDP, length 32
11:54:51.911858 eth0.1 In  IP (tos 0x6,ECT(0), ttl 64, id 20815, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.101 > my.vpn.endpoint: ICMP 192.168.1.101 udp port 33437 unreachable, length 68
        IP (tos 0x0, ttl 1, id 20874, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.57472 > 192.168.1.101.33437: UDP, length 32
11:54:51.911880 br-lan In  IP (tos 0x6,ECT(0), ttl 64, id 20815, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.101 > my.vpn.endpoint: ICMP 192.168.1.101 udp port 33437 unreachable, length 68
        IP (tos 0x0, ttl 1, id 20874, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.57472 > 192.168.1.101.33437: UDP, length 32
11:54:51.912113 qmimux0 Out IP (tos 0x6,ECT(0), ttl 63, id 20815, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.101 > my.vpn.endpoint: ICMP 192.168.1.101 udp port 33437 unreachable, length 68
        IP (tos 0x0, ttl 1, id 20874, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.57472 > 192.168.1.101.33437: UDP, length 32
11:54:51.912152 eth0  In  IP (tos 0x6,ECT(0), ttl 64, id 21071, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.101 > my.vpn.endpoint: ICMP 192.168.1.101 udp port 33438 unreachable, length 68
        IP (tos 0x0, ttl 1, id 29746, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.37743 > 192.168.1.101.33438: UDP, length 32
11:54:51.912156 eth0.1 In  IP (tos 0x6,ECT(0), ttl 64, id 21071, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.101 > my.vpn.endpoint: ICMP 192.168.1.101 udp port 33438 unreachable, length 68
        IP (tos 0x0, ttl 1, id 29746, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.37743 > 192.168.1.101.33438: UDP, length 32
11:54:51.912171 br-lan In  IP (tos 0x6,ECT(0), ttl 64, id 21071, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.101 > my.vpn.endpoint: ICMP 192.168.1.101 udp port 33438 unreachable, length 68
        IP (tos 0x0, ttl 1, id 29746, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.37743 > 192.168.1.101.33438: UDP, length 32
11:54:51.912275 qmimux0 Out IP (tos 0x6,ECT(0), ttl 63, id 21071, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.101 > my.vpn.endpoint: ICMP 192.168.1.101 udp port 33438 unreachable, length 68
        IP (tos 0x0, ttl 1, id 29746, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.37743 > 192.168.1.101.33438: UDP, length 32
11:54:51.912294 eth0  In  IP (tos 0x6,ECT(0), ttl 64, id 21327, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.101 > my.vpn.endpoint: ICMP 192.168.1.101 udp port 33439 unreachable, length 68
        IP (tos 0x0, ttl 1, id 9959, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.47243 > 192.168.1.101.33439: UDP, length 32
11:54:51.912299 eth0.1 In  IP (tos 0x6,ECT(0), ttl 64, id 21327, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.101 > my.vpn.endpoint: ICMP 192.168.1.101 udp port 33439 unreachable, length 68
        IP (tos 0x0, ttl 1, id 9959, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.47243 > 192.168.1.101.33439: UDP, length 32
11:54:51.912311 br-lan In  IP (tos 0x6,ECT(0), ttl 64, id 21327, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.101 > my.vpn.endpoint: ICMP 192.168.1.101 udp port 33439 unreachable, length 68
        IP (tos 0x0, ttl 1, id 9959, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.47243 > 192.168.1.101.33439: UDP, length 32
11:54:51.912407 qmimux0 Out IP (tos 0x6,ECT(0), ttl 63, id 21327, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.101 > my.vpn.endpoint: ICMP 192.168.1.101 udp port 33439 unreachable, length 68
        IP (tos 0x0, ttl 1, id 9959, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.47243 > 192.168.1.101.33439: UDP, length 32
11:54:51.912427 eth0  In  IP (tos 0x6,ECT(0), ttl 64, id 21583, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.101 > my.vpn.endpoint: ICMP 192.168.1.101 udp port 33440 unreachable, length 68
        IP (tos 0x0, ttl 2, id 17995, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.47013 > 192.168.1.101.33440: UDP, length 32
11:54:51.912432 eth0.1 In  IP (tos 0x6,ECT(0), ttl 64, id 21583, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.101 > my.vpn.endpoint: ICMP 192.168.1.101 udp port 33440 unreachable, length 68
        IP (tos 0x0, ttl 2, id 17995, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.47013 > 192.168.1.101.33440: UDP, length 32
11:54:51.912444 br-lan In  IP (tos 0x6,ECT(0), ttl 64, id 21583, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.101 > my.vpn.endpoint: ICMP 192.168.1.101 udp port 33440 unreachable, length 68
        IP (tos 0x0, ttl 2, id 17995, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.47013 > 192.168.1.101.33440: UDP, length 32
11:54:51.912538 qmimux0 Out IP (tos 0x6,ECT(0), ttl 63, id 21583, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.101 > my.vpn.endpoint: ICMP 192.168.1.101 udp port 33440 unreachable, length 68
        IP (tos 0x0, ttl 2, id 17995, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.47013 > 192.168.1.101.33440: UDP, length 32
11:54:51.912559 eth0  In  IP (tos 0x6,ECT(0), ttl 64, id 21839, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.101 > my.vpn.endpoint: ICMP 192.168.1.101 udp port 33441 unreachable, length 68
        IP (tos 0x0, ttl 2, id 12369, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.53925 > 192.168.1.101.33441: UDP, length 32
11:54:51.912563 eth0.1 In  IP (tos 0x6,ECT(0), ttl 64, id 21839, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.101 > my.vpn.endpoint: ICMP 192.168.1.101 udp port 33441 unreachable, length 68
        IP (tos 0x0, ttl 2, id 12369, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.53925 > 192.168.1.101.33441: UDP, length 32
11:54:51.912575 br-lan In  IP (tos 0x6,ECT(0), ttl 64, id 21839, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.101 > my.vpn.endpoint: ICMP 192.168.1.101 udp port 33441 unreachable, length 68
        IP (tos 0x0, ttl 2, id 12369, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.53925 > 192.168.1.101.33441: UDP, length 32
11:54:51.912667 qmimux0 Out IP (tos 0x6,ECT(0), ttl 63, id 21839, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.101 > my.vpn.endpoint: ICMP 192.168.1.101 udp port 33441 unreachable, length 68
        IP (tos 0x0, ttl 2, id 12369, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.53925 > 192.168.1.101.33441: UDP, length 32
11:54:51.912687 eth0  In  IP (tos 0x6,ECT(0), ttl 64, id 22095, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.101 > my.vpn.endpoint: ICMP 192.168.1.101 udp port 33442 unreachable, length 68
        IP (tos 0x0, ttl 2, id 57387, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.47126 > 192.168.1.101.33442: UDP, length 32
11:54:51.912691 eth0.1 In  IP (tos 0x6,ECT(0), ttl 64, id 22095, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.101 > my.vpn.endpoint: ICMP 192.168.1.101 udp port 33442 unreachable, length 68
        IP (tos 0x0, ttl 2, id 57387, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.47126 > 192.168.1.101.33442: UDP, length 32
11:54:51.912703 br-lan In  IP (tos 0x6,ECT(0), ttl 64, id 22095, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.101 > my.vpn.endpoint: ICMP 192.168.1.101 udp port 33442 unreachable, length 68
        IP (tos 0x0, ttl 2, id 57387, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.47126 > 192.168.1.101.33442: UDP, length 32
11:54:51.912794 qmimux0 Out IP (tos 0x6,ECT(0), ttl 63, id 22095, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.101 > my.vpn.endpoint: ICMP 192.168.1.101 udp port 33442 unreachable, length 68
        IP (tos 0x0, ttl 2, id 57387, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.47126 > 192.168.1.101.33442: UDP, length 32
11:54:51.912814 eth0  In  IP (tos 0x6,ECT(0), ttl 64, id 22351, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.101 > my.vpn.endpoint: ICMP 192.168.1.101 udp port 33443 unreachable, length 68
        IP (tos 0x0, ttl 3, id 28450, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.57917 > 192.168.1.101.33443: UDP, length 32
11:54:51.912818 eth0.1 In  IP (tos 0x6,ECT(0), ttl 64, id 22351, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.101 > my.vpn.endpoint: ICMP 192.168.1.101 udp port 33443 unreachable, length 68
        IP (tos 0x0, ttl 3, id 28450, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.57917 > 192.168.1.101.33443: UDP, length 32
11:54:51.912830 br-lan In  IP (tos 0x6,ECT(0), ttl 64, id 22351, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.101 > my.vpn.endpoint: ICMP 192.168.1.101 udp port 33443 unreachable, length 68
        IP (tos 0x0, ttl 3, id 28450, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.57917 > 192.168.1.101.33443: UDP, length 32
11:54:51.912924 qmimux0 Out IP (tos 0x6,ECT(0), ttl 63, id 22351, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.101 > my.vpn.endpoint: ICMP 192.168.1.101 udp port 33443 unreachable, length 68
        IP (tos 0x0, ttl 3, id 28450, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.57917 > 192.168.1.101.33443: UDP, length 32
11:54:51.912943 eth0  In  IP (tos 0x6,ECT(0), ttl 64, id 22607, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.101 > my.vpn.endpoint: ICMP 192.168.1.101 udp port 33444 unreachable, length 68
        IP (tos 0x0, ttl 3, id 37442, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.32872 > 192.168.1.101.33444: UDP, length 32
11:54:51.912947 eth0.1 In  IP (tos 0x6,ECT(0), ttl 64, id 22607, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.101 > my.vpn.endpoint: ICMP 192.168.1.101 udp port 33444 unreachable, length 68
        IP (tos 0x0, ttl 3, id 37442, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.32872 > 192.168.1.101.33444: UDP, length 32
11:54:51.912960 br-lan In  IP (tos 0x6,ECT(0), ttl 64, id 22607, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.101 > my.vpn.endpoint: ICMP 192.168.1.101 udp port 33444 unreachable, length 68
        IP (tos 0x0, ttl 3, id 37442, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.32872 > 192.168.1.101.33444: UDP, length 32
11:54:51.913057 qmimux0 Out IP (tos 0x6,ECT(0), ttl 63, id 22607, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.101 > my.vpn.endpoint: ICMP 192.168.1.101 udp port 33444 unreachable, length 68
        IP (tos 0x0, ttl 3, id 37442, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.32872 > 192.168.1.101.33444: UDP, length 32
11:54:51.913670 eth0  In  IP (tos 0x6,ECT(0), ttl 64, id 22863, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.101 > my.vpn.endpoint: ICMP 192.168.1.101 udp port 33445 unreachable, length 68
        IP (tos 0x0, ttl 3, id 25987, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.45362 > 192.168.1.101.33445: UDP, length 32
11:54:51.913682 eth0.1 In  IP (tos 0x6,ECT(0), ttl 64, id 22863, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.101 > my.vpn.endpoint: ICMP 192.168.1.101 udp port 33445 unreachable, length 68
        IP (tos 0x0, ttl 3, id 25987, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.45362 > 192.168.1.101.33445: UDP, length 32
11:54:51.913706 br-lan In  IP (tos 0x6,ECT(0), ttl 64, id 22863, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.101 > my.vpn.endpoint: ICMP 192.168.1.101 udp port 33445 unreachable, length 68
        IP (tos 0x0, ttl 3, id 25987, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.45362 > 192.168.1.101.33445: UDP, length 32
11:54:51.913923 qmimux0 Out IP (tos 0x6,ECT(0), ttl 63, id 22863, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.101 > my.vpn.endpoint: ICMP 192.168.1.101 udp port 33445 unreachable, length 68
        IP (tos 0x0, ttl 3, id 25987, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.45362 > 192.168.1.101.33445: UDP, length 32
11:54:51.913959 eth0  In  IP (tos 0x6,ECT(0), ttl 64, id 23119, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.101 > my.vpn.endpoint: ICMP 192.168.1.101 udp port 33446 unreachable, length 68
        IP (tos 0x0, ttl 4, id 47042, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.52875 > 192.168.1.101.33446: UDP, length 32
11:54:51.913964 eth0.1 In  IP (tos 0x6,ECT(0), ttl 64, id 23119, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.101 > my.vpn.endpoint: ICMP 192.168.1.101 udp port 33446 unreachable, length 68
        IP (tos 0x0, ttl 4, id 47042, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.52875 > 192.168.1.101.33446: UDP, length 32
11:54:51.913977 br-lan In  IP (tos 0x6,ECT(0), ttl 64, id 23119, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.101 > my.vpn.endpoint: ICMP 192.168.1.101 udp port 33446 unreachable, length 68
        IP (tos 0x0, ttl 4, id 47042, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.52875 > 192.168.1.101.33446: UDP, length 32
11:54:51.914075 qmimux0 Out IP (tos 0x6,ECT(0), ttl 63, id 23119, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.101 > my.vpn.endpoint: ICMP 192.168.1.101 udp port 33446 unreachable, length 68
        IP (tos 0x0, ttl 4, id 47042, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.52875 > 192.168.1.101.33446: UDP, length 32
11:54:51.914097 eth0  In  IP (tos 0x6,ECT(0), ttl 64, id 23375, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.101 > my.vpn.endpoint: ICMP 192.168.1.101 udp port 33447 unreachable, length 68
        IP (tos 0x0, ttl 4, id 59601, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.42707 > 192.168.1.101.33447: UDP, length 32
11:54:51.914102 eth0.1 In  IP (tos 0x6,ECT(0), ttl 64, id 23375, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.101 > my.vpn.endpoint: ICMP 192.168.1.101 udp port 33447 unreachable, length 68
        IP (tos 0x0, ttl 4, id 59601, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.42707 > 192.168.1.101.33447: UDP, length 32
11:54:51.914115 br-lan In  IP (tos 0x6,ECT(0), ttl 64, id 23375, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.101 > my.vpn.endpoint: ICMP 192.168.1.101 udp port 33447 unreachable, length 68
        IP (tos 0x0, ttl 4, id 59601, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.42707 > 192.168.1.101.33447: UDP, length 32
11:54:51.914210 qmimux0 Out IP (tos 0x6,ECT(0), ttl 63, id 23375, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.101 > my.vpn.endpoint: ICMP 192.168.1.101 udp port 33447 unreachable, length 68
        IP (tos 0x0, ttl 4, id 59601, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.42707 > 192.168.1.101.33447: UDP, length 32
11:54:51.914238 eth0  In  IP (tos 0x6,ECT(0), ttl 64, id 23631, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.101 > my.vpn.endpoint: ICMP 192.168.1.101 udp port 33448 unreachable, length 68
        IP (tos 0x0, ttl 4, id 55600, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.37436 > 192.168.1.101.33448: UDP, length 32
11:54:51.914242 eth0.1 In  IP (tos 0x6,ECT(0), ttl 64, id 23631, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.101 > my.vpn.endpoint: ICMP 192.168.1.101 udp port 33448 unreachable, length 68
        IP (tos 0x0, ttl 4, id 55600, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.37436 > 192.168.1.101.33448: UDP, length 32
11:54:51.914255 br-lan In  IP (tos 0x6,ECT(0), ttl 64, id 23631, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.101 > my.vpn.endpoint: ICMP 192.168.1.101 udp port 33448 unreachable, length 68
        IP (tos 0x0, ttl 4, id 55600, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.37436 > 192.168.1.101.33448: UDP, length 32
11:54:51.914353 qmimux0 Out IP (tos 0x6,ECT(0), ttl 63, id 23631, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.101 > my.vpn.endpoint: ICMP 192.168.1.101 udp port 33448 unreachable, length 68
        IP (tos 0x0, ttl 4, id 55600, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.37436 > 192.168.1.101.33448: UDP, length 32
11:54:51.914374 eth0  In  IP (tos 0x6,ECT(0), ttl 64, id 23887, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.101 > my.vpn.endpoint: ICMP 192.168.1.101 udp port 33449 unreachable, length 68
        IP (tos 0x0, ttl 5, id 23349, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.40225 > 192.168.1.101.33449: UDP, length 32
11:54:51.914378 eth0.1 In  IP (tos 0x6,ECT(0), ttl 64, id 23887, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.101 > my.vpn.endpoint: ICMP 192.168.1.101 udp port 33449 unreachable, length 68
        IP (tos 0x0, ttl 5, id 23349, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.40225 > 192.168.1.101.33449: UDP, length 32
11:54:51.914391 br-lan In  IP (tos 0x6,ECT(0), ttl 64, id 23887, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.101 > my.vpn.endpoint: ICMP 192.168.1.101 udp port 33449 unreachable, length 68
        IP (tos 0x0, ttl 5, id 23349, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.40225 > 192.168.1.101.33449: UDP, length 32
11:54:51.914509 qmimux0 Out IP (tos 0x6,ECT(0), ttl 63, id 23887, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.101 > my.vpn.endpoint: ICMP 192.168.1.101 udp port 33449 unreachable, length 68
        IP (tos 0x0, ttl 5, id 23349, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.40225 > 192.168.1.101.33449: UDP, length 32
11:55:24.083366 WG_AIO Out IP (tos 0xc0, ttl 64, id 7684, offset 0, flags [none], proto ICMP (1), length 342)
    10.7.0.3 > 100.83.234.192: ICMP 100.83.234.191 udp port 68 unreachable, length 322
        IP (tos 0x0, ttl 254, id 20, offset 0, flags [none], proto UDP (17), length 314)
    100.83.234.192.67 > 100.83.234.191.68: BOOTP/DHCP, Reply, length 286, xid 0xd543bb59, Flags [none]
          Your-IP 100.83.234.191
          Server-IP 100.83.234.192
          Client-Ethernet-Address 00:00:00:00:00:00
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: Offer
            Subnet-Mask (1), length 4: 255.255.255.128
            Default-Gateway (3), length 4: 100.83.234.192
            Domain-Name-Server (6), length 8: 198.224.167.135,198.224.166.135
            Hostname (12), length 6: "RUT241"
            Lease-Time (51), length 4: 7200
            Server-ID (54), length 4: 100.83.234.192
^C
56 packets captured
73 packets received by filter
0 packets dropped by kernel

tcpdump while traceroute to 192.168.1.1

root@RUT241:~# tcpdump -i any -n -v icmp
tcpdump: WARNING: any: That device doesn't support promiscuous mode
(Promiscuous mode not supported on the "any" device)
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
11:59:40.624793 qmimux0 Out IP (tos 0xc0, ttl 64, id 19430, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.1 > my.vpn.endpoint: ICMP 192.168.1.1 udp port 33434 unreachable, length 68
        IP (tos 0x0, ttl 1, id 62162, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.36397 > 192.168.1.1.33434: UDP, length 32
11:59:40.624988 qmimux0 Out IP (tos 0xc0, ttl 64, id 19431, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.1 > my.vpn.endpoint: ICMP 192.168.1.1 udp port 33435 unreachable, length 68
        IP (tos 0x0, ttl 1, id 22378, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.48348 > 192.168.1.1.33435: UDP, length 32
11:59:40.625172 qmimux0 Out IP (tos 0xc0, ttl 64, id 19432, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.1 > my.vpn.endpoint: ICMP 192.168.1.1 udp port 33436 unreachable, length 68
        IP (tos 0x0, ttl 1, id 56956, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.51727 > 192.168.1.1.33436: UDP, length 32
11:59:40.625356 qmimux0 Out IP (tos 0xc0, ttl 64, id 19433, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.1 > my.vpn.endpoint: ICMP 192.168.1.1 udp port 33437 unreachable, length 68
        IP (tos 0x0, ttl 2, id 57930, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.43864 > 192.168.1.1.33437: UDP, length 32
11:59:40.625630 qmimux0 Out IP (tos 0xc0, ttl 64, id 19434, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.1 > my.vpn.endpoint: ICMP 192.168.1.1 udp port 33438 unreachable, length 68
        IP (tos 0x0, ttl 2, id 19661, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.56687 > 192.168.1.1.33438: UDP, length 32
11:59:40.625851 qmimux0 Out IP (tos 0xc0, ttl 64, id 19435, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.1 > my.vpn.endpoint: ICMP 192.168.1.1 udp port 33439 unreachable, length 68
        IP (tos 0x0, ttl 2, id 33452, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.48161 > 192.168.1.1.33439: UDP, length 32
11:59:45.745408 qmimux0 Out IP (tos 0xc0, ttl 64, id 19760, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.1 > my.vpn.endpoint: ICMP 192.168.1.1 udp port 33450 unreachable, length 68
        IP (tos 0x0, ttl 6, id 50783, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.54606 > 192.168.1.1.33450: UDP, length 32
11:59:45.745709 qmimux0 Out IP (tos 0xc0, ttl 64, id 19761, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.1 > my.vpn.endpoint: ICMP 192.168.1.1 udp port 33451 unreachable, length 68
        IP (tos 0x0, ttl 6, id 42327, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.54210 > 192.168.1.1.33451: UDP, length 32
11:59:45.745907 qmimux0 Out IP (tos 0xc0, ttl 64, id 19762, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.1 > my.vpn.endpoint: ICMP 192.168.1.1 udp port 33452 unreachable, length 68
        IP (tos 0x0, ttl 7, id 11236, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.41916 > 192.168.1.1.33452: UDP, length 32
11:59:45.746091 qmimux0 Out IP (tos 0xc0, ttl 64, id 19763, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.1 > my.vpn.endpoint: ICMP 192.168.1.1 udp port 33453 unreachable, length 68
        IP (tos 0x0, ttl 7, id 15124, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.57422 > 192.168.1.1.33453: UDP, length 32
11:59:45.746277 qmimux0 Out IP (tos 0xc0, ttl 64, id 19764, offset 0, flags [none], proto ICMP (1), length 88)
    192.168.1.1 > my.vpn.endpoint: ICMP 192.168.1.1 udp port 33454 unreachable, length 68
        IP (tos 0x0, ttl 7, id 26873, offset 0, flags [none], proto UDP (17), length 60)
    my.vpn.endpoint.38636 > 192.168.1.1.33454: UDP, length 32
12:00:15.333302 WG_AIO Out IP (tos 0xc0, ttl 64, id 44670, offset 0, flags [none], proto ICMP (1), length 342)
    10.7.0.3 > 100.126.179.190: ICMP 100.126.179.189 udp port 68 unreachable, length 322
        IP (tos 0x0, ttl 254, id 22, offset 0, flags [none], proto UDP (17), length 314)
    100.126.179.190.67 > 100.126.179.189.68: BOOTP/DHCP, Reply, length 286, xid 0x3ca2c81f, Flags [none]
          Your-IP 100.126.179.189
          Server-IP 100.126.179.190
          Client-Ethernet-Address 00:00:00:00:00:00
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: Offer
            Subnet-Mask (1), length 4: 255.255.255.252
            Default-Gateway (3), length 4: 100.126.179.190
            Domain-Name-Server (6), length 8: 198.224.167.135,198.224.166.135
            Hostname (12), length 6: "RUT241"
            Lease-Time (51), length 4: 7200
            Server-ID (54), length 4: 100.126.179.190
12:00:15.336182 WG_AIO Out IP (tos 0xc0, ttl 64, id 44671, offset 0, flags [none], proto ICMP (1), length 342)
    10.7.0.3 > 100.126.179.190: ICMP 100.126.179.189 udp port 68 unreachable, length 322
        IP (tos 0x0, ttl 254, id 23, offset 0, flags [none], proto UDP (17), length 314)
    100.126.179.190.67 > 100.126.179.189.68: BOOTP/DHCP, Reply, length 286, xid 0x3ca2c81f, Flags [none]
          Your-IP 100.126.179.189
          Server-IP 100.126.179.190
          Client-Ethernet-Address 00:00:00:00:00:00
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: ACK
            Server-ID (54), length 4: 100.126.179.190
            Subnet-Mask (1), length 4: 255.255.255.252
            Default-Gateway (3), length 4: 100.126.179.190
            Domain-Name-Server (6), length 8: 198.224.167.135,198.224.166.135
            Hostname (12), length 6: "RUT241"
            Lease-Time (51), length 4: 7200

Time exceeded ICMP errors could indicate a routing error somewhere.

Redo the tcpdump with a ping instead of traceroute. What do you see?

root@RUT241:~# tcpdump -i any -n -v icmp
tcpdump: WARNING: any: That device doesn't support promiscuous mode
(Promiscuous mode not supported on the "any" device)
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
12:16:30.437860 WG_AIO In  IP (tos 0x0, ttl 64, id 28282, offset 0, flags [DF], proto ICMP (1), length 84)
    my.vpn.endpoint > 192.168.1.1: ICMP echo request, id 3121, seq 1, length 64
12:16:30.438172 qmimux0 Out IP (tos 0x0, ttl 64, id 41299, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.1.1 > my.vpn.endpoint: ICMP echo reply, id 3121, seq 1, length 64
12:16:31.381637 WG_AIO In  IP (tos 0x0, ttl 64, id 28674, offset 0, flags [DF], proto ICMP (1), length 84)
    my.vpn.endpoint > 192.168.1.1: ICMP echo request, id 3121, seq 2, length 64
12:16:31.381859 qmimux0 Out IP (tos 0x0, ttl 64, id 41337, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.1.1 > my.vpn.endpoint: ICMP echo reply, id 3121, seq 2, length 64
12:16:32.333268 WG_AIO In  IP (tos 0x0, ttl 64, id 28975, offset 0, flags [DF], proto ICMP (1), length 84)
    my.vpn.endpoint > 192.168.1.1: ICMP echo request, id 3121, seq 3, length 64
12:16:32.333490 qmimux0 Out IP (tos 0x0, ttl 64, id 41398, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.1.1 > my.vpn.endpoint: ICMP echo reply, id 3121, seq 3, length 64
12:16:33.613251 WG_AIO In  IP (tos 0x0, ttl 64, id 29535, offset 0, flags [DF], proto ICMP (1), length 84)
    my.vpn.endpoint > 192.168.1.1: ICMP echo request, id 3121, seq 4, length 64
12:16:33.613475 qmimux0 Out IP (tos 0x0, ttl 64, id 41466, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.1.1 > my.vpn.endpoint: ICMP echo reply, id 3121, seq 4, length 64
12:16:34.513972 WG_AIO In  IP (tos 0x0, ttl 64, id 30085, offset 0, flags [DF], proto ICMP (1), length 84)
    my.vpn.endpoint > 192.168.1.1: ICMP echo request, id 3121, seq 5, length 64
12:16:34.514192 qmimux0 Out IP (tos 0x0, ttl 64, id 41486, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.1.1 > my.vpn.endpoint: ICMP echo reply, id 3121, seq 5, length 64
12:16:35.541740 WG_AIO In  IP (tos 0x0, ttl 64, id 30691, offset 0, flags [DF], proto ICMP (1), length 84)
    my.vpn.endpoint > 192.168.1.1: ICMP echo request, id 3121, seq 6, length 64
12:16:35.541962 qmimux0 Out IP (tos 0x0, ttl 64, id 41522, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.1.1 > my.vpn.endpoint: ICMP echo reply, id 3121, seq 6, length 64
12:16:36.500851 WG_AIO In  IP (tos 0x0, ttl 64, id 30695, offset 0, flags [DF], proto ICMP (1), length 84)
    my.vpn.endpoint > 192.168.1.1: ICMP echo request, id 3121, seq 7, length 64
12:16:36.501071 qmimux0 Out IP (tos 0x0, ttl 64, id 41578, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.1.1 > my.vpn.endpoint: ICMP echo reply, id 3121, seq 7, length 64

So the ping to 192.168.1.1 works fine, or seems to at least, depending on the value of my.vpn.endpoint. Is this a private or public address?

Try a ping to 192.168.1.101 with the same tcpdump. What appears?

Public address.
New tcpdump with ping at 192.168.1.101.

root@RUT241:~# tcpdump -i any -n -v icmp
tcpdump: WARNING: any: That device doesn't support promiscuous mode
(Promiscuous mode not supported on the "any" device)
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
12:39:21.603096 WG_AIO In  IP (tos 0x0, ttl 64, id 43432, offset 0, flags [DF], proto ICMP (1), length 84)
    my.vpn.endpoint > 192.168.1.101: ICMP echo request, id 4165, seq 1, length 64
12:39:21.603347 br-lan Out IP (tos 0x0, ttl 63, id 43432, offset 0, flags [DF], proto ICMP (1), length 84)
    my.vpn.endpoint > 192.168.1.101: ICMP echo request, id 4165, seq 1, length 64
12:39:21.603379 eth0.1 Out IP (tos 0x0, ttl 63, id 43432, offset 0, flags [DF], proto ICMP (1), length 84)
    my.vpn.endpoint > 192.168.1.101: ICMP echo request, id 4165, seq 1, length 64
12:39:21.603984 eth0  In  IP (tos 0x0, ttl 64, id 14022, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.101 > my.vpn.endpoint: ICMP echo reply, id 4165, seq 1, length 64
12:39:21.603993 eth0.1 In  IP (tos 0x0, ttl 64, id 14022, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.101 > my.vpn.endpoint: ICMP echo reply, id 4165, seq 1, length 64
12:39:21.604005 br-lan In  IP (tos 0x0, ttl 64, id 14022, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.101 > my.vpn.endpoint: ICMP echo reply, id 4165, seq 1, length 64
12:39:21.604152 qmimux0 Out IP (tos 0x0, ttl 63, id 14022, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.101 > my.vpn.endpoint: ICMP echo reply, id 4165, seq 1, length 64
12:39:22.905012 WG_AIO In  IP (tos 0x0, ttl 64, id 44301, offset 0, flags [DF], proto ICMP (1), length 84)
    my.vpn.endpoint > 192.168.1.101: ICMP echo request, id 4165, seq 2, length 64
12:39:22.905245 br-lan Out IP (tos 0x0, ttl 63, id 44301, offset 0, flags [DF], proto ICMP (1), length 84)
    my.vpn.endpoint > 192.168.1.101: ICMP echo request, id 4165, seq 2, length 64
12:39:22.905276 eth0.1 Out IP (tos 0x0, ttl 63, id 44301, offset 0, flags [DF], proto ICMP (1), length 84)
    my.vpn.endpoint > 192.168.1.101: ICMP echo request, id 4165, seq 2, length 64
12:39:22.905502 eth0  In  IP (tos 0x0, ttl 64, id 14278, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.101 > my.vpn.endpoint: ICMP echo reply, id 4165, seq 2, length 64
12:39:22.905510 eth0.1 In  IP (tos 0x0, ttl 64, id 14278, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.101 > my.vpn.endpoint: ICMP echo reply, id 4165, seq 2, length 64
12:39:22.905530 br-lan In  IP (tos 0x0, ttl 64, id 14278, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.101 > my.vpn.endpoint: ICMP echo reply, id 4165, seq 2, length 64
12:39:22.905645 qmimux0 Out IP (tos 0x0, ttl 63, id 14278, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.101 > my.vpn.endpoint: ICMP echo reply, id 4165, seq 2, length 64
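
As an added example (not part of any post in this thread), one way to read a `tcpdump -i any -n -v icmp` capture like the one above: the Python below pairs each ICMP echo request with its reply by id and seq and reports replies that leave on a different interface than the request arrived on. The function names are hypothetical; the sample lines are copied from the capture above.

```python
import re

# Copied from the 192.168.1.101 capture posted above (seq 1 only).
CAPTURE = """\
12:39:21.603096 WG_AIO In  IP (tos 0x0, ttl 64, id 43432, offset 0, flags [DF], proto ICMP (1), length 84)
    my.vpn.endpoint > 192.168.1.101: ICMP echo request, id 4165, seq 1, length 64
12:39:21.603347 br-lan Out IP (tos 0x0, ttl 63, id 43432, offset 0, flags [DF], proto ICMP (1), length 84)
    my.vpn.endpoint > 192.168.1.101: ICMP echo request, id 4165, seq 1, length 64
12:39:21.603379 eth0.1 Out IP (tos 0x0, ttl 63, id 43432, offset 0, flags [DF], proto ICMP (1), length 84)
    my.vpn.endpoint > 192.168.1.101: ICMP echo request, id 4165, seq 1, length 64
12:39:21.603984 eth0  In  IP (tos 0x0, ttl 64, id 14022, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.101 > my.vpn.endpoint: ICMP echo reply, id 4165, seq 1, length 64
12:39:21.603993 eth0.1 In  IP (tos 0x0, ttl 64, id 14022, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.101 > my.vpn.endpoint: ICMP echo reply, id 4165, seq 1, length 64
12:39:21.604005 br-lan In  IP (tos 0x0, ttl 64, id 14022, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.101 > my.vpn.endpoint: ICMP echo reply, id 4165, seq 1, length 64
12:39:21.604152 qmimux0 Out IP (tos 0x0, ttl 63, id 14022, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.101 > my.vpn.endpoint: ICMP echo reply, id 4165, seq 1, length 64
"""

HEADER = re.compile(r"^\d\d:\d\d:\d\d\.\d+\s+(\S+)\s+(In|Out)\s+IP\b")
ECHO = re.compile(r"^\s+(\S+) > (\S+): ICMP echo (request|reply), id (\d+), seq (\d+)")

def echo_hops(text):
    """Map (id, seq) -> {"request": [(iface, dir), ...], "reply": [...]} in capture order."""
    flows, pending = {}, None
    for line in text.splitlines():
        header, echo = HEADER.match(line), ECHO.match(line)
        if echo and pending:
            key = (int(echo.group(4)), int(echo.group(5)))
            flows.setdefault(key, {"request": [], "reply": []})[echo.group(3)].append(pending)
        # Only the line right after a header describes that packet, so the
        # quoted inner packets of ICMP error messages are never counted.
        pending = header.groups() if header else None
    return flows

def asymmetric_replies(text):
    """Return (id, seq, ingress, egress) where the reply left on another interface."""
    found = []
    for (ident, seq), flow in sorted(echo_hops(text).items()):
        ingress = next((i for i, d in flow["request"] if d == "In"), None)
        egress = [i for i, d in flow["reply"] if d == "Out"]
        if ingress and egress and egress[-1] != ingress:
            found.append((ident, seq, ingress, egress[-1]))
    return found

if __name__ == "__main__":
    for ident, seq, ingress, egress in asymmetric_replies(CAPTURE):
        print(f"id {ident} seq {seq}: request in on {ingress}, reply out on {egress}")
```

On the sample lines it reports id 4165, seq 1: the request arrives on WG_AIO and the reply leaves on qmimux0.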

The 192.168.1.101 device doesn’t reply to ping. Can you run tcpdump on it?

What is its default route?

Cannot - it is an OEM PLC.

IP: 192.168.1.101/24
Gateway: 192.168.1.1

I connected a Windows PC to the RUT241 LAN and attempted ping (192.168.1.116).
Seems like the packets are arriving but not being returned?

C:\Users\User\Downloads>windump.exe icmp
windump.exe: listening on \Device\NPF_{DF764C8F-1301-4EFF-8920-AD58D6E50EE2}
13:16:48.335458 IP my.vpn.endpoint-host.colocrossing.com > DESKTOP-CR57F34.lan: ICMP echo request, id 5812, seq 1, length 64
13:16:49.335397 IP my.vpn.endpoint-host.colocrossing.com > DESKTOP-CR57F34.lan: ICMP echo request, id 5812, seq 2, length 64
13:16:50.610042 IP my.vpn.endpoint-host.colocrossing.com > DESKTOP-CR57F34.lan: ICMP echo request, id 5812, seq 3, length 64
13:16:51.383253 IP my.vpn.endpoint-host.colocrossing.com > DESKTOP-CR57F34.lan: ICMP echo request, id 5812, seq 4, length 64
13:16:52.416479 IP my.vpn.endpoint-host.colocrossing.com > DESKTOP-CR57F34.lan: ICMP echo request, id 5812, seq 5, length 64
13:16:53.449826 IP my.vpn.endpoint-host.colocrossing.com > DESKTOP-CR57F34.lan: ICMP echo request, id 5812, seq 6, length 64
13:16:54.457406 IP my.vpn.endpoint-host.colocrossing.com > DESKTOP-CR57F34.lan: ICMP echo request, id 5812, seq 7, length 64

7 packets captured
691 packets received by filter
0 packets dropped by kernel

Pinging 10.7.0.1 from the PC on the RUT LAN resolves without issue.

Exactly, you have the echo request frames but no echo reply.

What are the open ports on the .101 device? Check with nmap:

nmap -Pn -A 192.168.1.101

Install nmap on the RUT if you don’t have it.

I am unclear on how to install nmap on the RUT. Everything I see indicates it is not an option.

Of note, I am able to ping from LAN on RUT to Server, but I am unable to ping from LAN on RUT to PC Client. I can see the packets on the Server’s tcpdump, so I suspect it's the same issue.

It appears that the ping can make it from LAN to VPN, but the reply is lost in both directions.

tcpdump: data link type LINUX_SLL2
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
22:29:12.328385 wg0   In  IP (tos 0x0, ttl 127, id 54340, offset 0, flags [none], proto ICMP (1), length 60)
    10.7.0.3 > 10.7.0.2: ICMP echo request, id 1, seq 19, length 40
22:29:12.328424 wg0   Out IP (tos 0x0, ttl 126, id 54340, offset 0, flags [none], proto ICMP (1), length 60)
    10.7.0.3 > 10.7.0.2: ICMP echo request, id 1, seq 19, length 40
22:29:15.887738 eth0  Out IP (tos 0xc8, ttl 64, id 18502, offset 0, flags [none], proto ICMP (1), length 576)
    my.vpn.endpoint > 4.155.89.87: ICMP my.vpn.endpoint unreachable - need to frag (mtu 1280), length 556
        IP (tos 0x28, ttl 49, id 27248, offset 0, flags [DF], proto TCP (6), length 1500)
    4.155.89.87.443 > my.vpn.endpoint.56643: Flags [.], seq 487131547:487133007, ack 3168684149, win 63, length 1460
22:29:16.940688 wg0   In  IP (tos 0x0, ttl 127, id 54341, offset 0, flags [none], proto ICMP (1), length 60)
    10.7.0.3 > 10.7.0.2: ICMP echo request, id 1, seq 20, length 40
22:29:16.940722 wg0   Out IP (tos 0x0, ttl 126, id 54341, offset 0, flags [none], proto ICMP (1), length 60)
    10.7.0.3 > 10.7.0.2: ICMP echo request, id 1, seq 20, length 40
22:29:21.938834 wg0   In  IP (tos 0x0, ttl 127, id 54342, offset 0, flags [none], proto ICMP (1), length 60)
    10.7.0.3 > 10.7.0.2: ICMP echo request, id 1, seq 21, length 40
22:29:21.938880 wg0   Out IP (tos 0x0, ttl 126, id 54342, offset 0, flags [none], proto ICMP (1), length 60)
    10.7.0.3 > 10.7.0.2: ICMP echo request, id 1, seq 21, length 40
22:29:26.908885 wg0   In  IP (tos 0x0, ttl 127, id 54343, offset 0, flags [none], proto ICMP (1), length 60)
    10.7.0.3 > 10.7.0.2: ICMP echo request, id 1, seq 22, length 40
22:29:26.908966 wg0   Out IP (tos 0x0, ttl 126, id 54343, offset 0, flags [none], proto ICMP (1), length 60)
    10.7.0.3 > 10.7.0.2: ICMP echo request, id 1, seq 22, length 40

opkg -e /etc/opkg/openwrt/distfeeds.conf update
opkg -e /etc/opkg/openwrt/distfeeds.conf install nmap

Ping 10.7.0.1 from 10.7.0.2 and 10.7.0.3. Does that work? If yes, check the firewall on 10.7.0.2.

In the process of installing nmap, the device memory filled and the install failed. I wound up restoring the config and picking up where we left off.

I allowed pings in both PC firewalls and then produced the following. It appears as though traffic originating in the LAN has no issue getting mapped to the VPN, but traffic originating from the VPN is not being returned from the LAN. Additionally, pinging devices on the LAN seems to take the RUT241 offline temporarily. It won't show a disconnect from Wireguard, but it will drop SSH sessions, the WebUI will be unavailable, and web access from the LAN will be temporarily inhibited.

This all leads me to believe there is an issue with routing traffic on the RUT between Wireguard and LAN. Thoughts? I am happy to share the RUT241 config backup here if that is of any help.

Ping Results

Peers:
PC Client → Server: ✅
Server → PC Client: ✅

RUT Client → Server: ✅
Server → RUT Client: ✅

PC Client → RUT Client: ✅
RUT Client → PC Client: ✅

RUT LAN:
RUT LAN PC → Server: ✅
Server → RUT LAN PC: ❌

RUT LAN PC → PC Client: ✅
PC Client → RUT LAN PC: ❌

Bonus tcpdump from RUT LAN PC (192.168.1.116) when being pinged by PC Client (10.7.0.2)

C:\Users\User\Downloads\WinDump.exe: listening on \Device\NPF_{DF764C8F-1301-4EFF-8920-AD58D6E50EE2}
15:44:29.561699 IP my-vpn-endpoint-host.colocrossing.com > DESKTOP-CR57F34.lan: ICMP echo request, id 1, seq 95, length 40
15:44:34.294984 IP my-vpn-endpoint-host.colocrossing.com > DESKTOP-CR57F34.lan: ICMP echo request, id 1, seq 96, length 40
15:44:39.244968 IP my-vpn-endpoint-host.colocrossing.com > DESKTOP-CR57F34.lan: ICMP echo request, id 1, seq 97, length 40
15:44:44.256654 IP my-vpn-endpoint-host.colocrossing.com > DESKTOP-CR57F34.lan: ICMP echo request, id 1, seq 98, length 40

What is the OS of the “RUT LAN PC”? Does it allow ping replies?

Windows 11. It does allow ping replies; pinging it from the RUT works great.