We recently changed the VPN on a Mac computer running the latest 10.14.6 macOS Mojave from OpenVPN to WireGuard and now we have to deal with a weird problem. We use a Canon MB5350 multifunction printer with integrated scanner unit in our office that is connected via Ethernet to our local network.

After the switch to WireGuard, we still can print but we cannot scan documents anymore, neither when initiated from the scanner application on the computer nor directly with the scan button on the Canon device. When the scan process is started, the Canon LJ Scan Utility2 on the Mac starts up and searches for a network scanner, but fails to succeed. It then shows an error message after a while saying besides several other options, the reason for the failure might be a blocked network connection. This is kind of confirmed by the console application on the Mac:

[00000494]  Processing: Bonjour Devices:(1) && Local Devices:(1)
[00000597]  (connectConnection) New Connection For Canon MB5300 series
[00001257]  Request Close Session On: Canon MB5300 series
[00000664]  Canon MB5300 series - Scanner Close Session (ICACommand)
[00000431]  Fatal - Command received was never executed
[00000494]  Processing: Bonjour Devices:(1) && Local Devices:(1)
[00000319]  Canon MB5300 series - Scanner Close Session (propertyUpdate)

As soon as we deactivate the VPN connection, the scanner starts working again.

There's no other firewall active nor any other software that could interfere with this connection. It never was an issue with OpenVPN and printing works fine with the active WireGuard VPN connection. The local network access to the printer and other local computers is enabled with the "Exclude private IPs" option set. Here's the client configuration:

[Interface]
PrivateKey = <PrivateKey>
Address = 10.0.0.2/16, fc00::2/96
DNS = 10.0.0.1, fc00::1

[Peer]
PublicKey = <PublicKey>
AllowedIPs = ::/0, 0.0.0.0/5, 8.0.0.0/7, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/3, 160.0.0.0/5, 168.0.0.0/6, 172.0.0.0/12, 172.32.0.0/11, 172.64.0.0/10, 172.128.0.0/9, 173.0.0.0/8, 174.0.0.0/7, 176.0.0.0/4, 192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, 192.169.0.0/16, 192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4, 10.0.0.2/32, fc00::1/128
Endpoint = <Global IP Address>:<Port>

According to wireguard.com, the latest WireGuard version on the App Store is 0.0.20200127-17, but the version we are using on Mojave is 0.0.20191105 (16) with Go backend version 0.0.20191013. The App Store does not offer us an update to the newest version. Is that one for Catalina (10.15) only? The Canon software is up-to-date.

So, in my conclusion, WireGuard somehow blocks the incoming network connection from the Canon device while the VPN connection is active, but not completely as the scanner application on the Mac starts when I hit the scan button and printing over network is always possible.

Has anyone an idea why WireGuard blocks some local network traffic and how to fix this?

Robert Federle
