Wireguard client can't access only one PC on LAN

[SiliconOxide]

Hello. I recently installed an opnsense server and and still configuring everything. I have wireguard server working using opnsenses' instructions. My mobile device can ping and connect to almost everything machine on the LAN with the exception of one LAN client. 192.168.1.124, which is my Home Assistant machine. It does have a static mapping. Every other machine on the LAN can ping this one machine not visible over wireguard.
Wireguard IP: 10.10.10.1/24
Lan: 192.168.1.0/24

Any help would be appreciated and let me know if anything is needed.

Thanks,
Chris

[Patrick M. Hausen]

Does your Home Assistant machine have the correct default gateway configured?

[SiliconOxide]

It does. It is using DHCP with a reservation. I'll attach the network setting of HA and client config of wireguard here. 192.168.1.1 is the opnsense machine, 192.168.1.124 is HomeAssistant. I have no problem connecting to anything else over wireguard like 192.168.1.120 or 192.168.1.9.

[Patrick M. Hausen]

Firewall rules on the HA machine, blocking everything not from the local network, possibly?

Use a packet trace to investigate.

[SiliconOxide]

No firewall on the HA machine. It is not a virtual install. Previously I was using Asuswrt-Merlin with wireguard and/or openvpn and had no issue. I'll have to figure out how to do a packet trace from android.

[Patrick M. Hausen]

Packet trace on OPNsense

- do you see packets come in through the tunnel with the HA machine as destination?
- do you see the same packets going out the LAN interface with HA machine as destination?
- do you see the reply packets from the HA machine coming in through LAN?
- do you see the reply packets from the HA machine going out through the tunnel?

The first position in that chain where the answer is "no" tells you where to look closer.

[SiliconOxide]

I can see packets from the tunnel to the lan and from the lan to HA

The second hop on traceroute to 10.10.10.2 from HA goes to 10.10.10.37... I have no idea what that is

I just realized that traceroute on OPnsense to 10.10.10.2 times out as does ping. On the wireguard client on android I do see a "IPV4 packet with disallowed source address from peer.." while pinging from opnsense, but nothing when trying traceroute.

I can ping 10.10.10.2 from 192.168.1.9 (other machine on local net).

[Patrick M. Hausen]

The second hop on traceroute to 10.10.10.2 from HA goes to 10.10.10.37... I have no idea what that is

Your job to find out

I just realized that traceroute on OPnsense to 10.10.10.2 times out as does ping. On the wireguard client on android I do see a "IPV4 packet with disallowed source address from peer.." while pinging from opnsense, but nothing when trying traceroute.

What's in "AllowedIPs" in the WG config on that Android client?

I can ping 10.10.10.2 from 192.168.1.9 (other machine on local net).

So the answer packets from HA are possibly going somewhere else. Are they reaching OPNsense at all?

I was not referring to traceroute, btw. A packet trace means display all packets passing a particular interface.

Interfaces > Diagnostics > Packet Capture - sorry, it's "capture" in the UI.

HTH,
Patrick

[SiliconOxide]

Your job to find out

HA can also ping this 10.10.10.37. It is in the Wireguard pool, but the WG server is 10.10.10.1

What's in "AllowedIPs" in the WG config on that Android client?

192.168.1.0/24 I also tried adding 192.168.1.124/32, but it didn't help.

[Patrick M. Hausen]

Your job to find out

HA can also ping this 10.10.10.37. It is in the Wireguard pool, but the WG server is 10.10.10.1

Start a continuous ping from HA to 10.10.10.37. Are these packets passing through OPNsense? If yes are they going out the tunnel interface? Use a packet capture to find out.

What's in "AllowedIPs" in the WG config on that Android client?

192.168.1.0/24 I also tried adding 192.168.1.124/32, but it didn't help.

10.10.10.0/24 is missing, that's why you cannot ping/traceroute the Android client from OPNsense.