Generated wireguard conf ip addresses

elorimer

Part of the Furniture
I have WireGuard servers set up on two Asus routers (an AX88 and an AX86pro) running Merlin. They are joined site to site, and on each I've generated client configurations for a stable of laptops and travel routers to connect to one or the other. That all works fine, although there are things I haven't figured out (a client connected to site A can't see site B, and vice versa, while devices on each site's LAN can see everything on the other site).

Because of that, I'm now experimenting with running two WireGuard clients on the travel routers, one connected to each site, and using policy-based routing to direct the traffic. That works fine too. In the course of that I realized that the client configurations generated on each Asus router are in the same subnet. At the moment, accidentally, I guess, they don't overlap. So I've got site A server allowed IPs of 10.6.0.2/32, 10.6.0.3/32, etc. But site B is generating allowed IPs of 10.6.0.4/32, etc. I thought, along the lines of OpenVPN, I should somewhere specify the subnet for the generated configurations for the 10 clients so I could be sure there wouldn't be overlaps (e.g., 10.6.100.0/24 for site A and 10.6.200.0/24 for site B). Did I miss it somewhere? Or should I be manually managing the allowed IPs into separate subnets?
 
there are things I haven't figured out (a client connected to site A can't see site B, and vice versa, while devices on each site's LAN can see everything on the other site).
There is an issue with AllowedIPs on both sides. If both routers share a WireGuard network they also share the WireGuard IP range. In such a case one could divide the WireGuard IP range in 2 ranges, for example:
10.6.0.1/25 = site A + clients
10.6.0.128/25 = site B + clients.

So site A has IP 10.6.0.1 and clients connected to site A should have IPs 10.6.0.2-10.6.0.127.
Site B should have IP 10.6.0.128 and clients connected to site B should have IPs 10.6.0.129-10.6.0.254.

On site A, the peer connecting to site B should have 10.6.0.128/25 in its AllowedIPs (server), along with the site B LAN.
On site B, the peer connecting to site A should have 10.6.0.1/25 in its AllowedIPs (server), along with the site A LAN.


I should somewhere specify the subnet for the generated configurations for the 10 clients so I could be sure there wouldn't be overlaps (e.g., 10.6.100.0/24 for site A and 10.6.200.0/24 for Site B). Did I miss it somewhere? Or should I be manually managing the allowed IPs into separate subnets?
There is no such generalized setting. You would need to set the server peer IP and set each client IP (under advanced site-2-site settings). I thought that Asus would have made this easier, but as far as I know generated clients don't follow the server peer automatically.

When not following the auto-generated convention from Asus and setting the peer IP manually, you will typically need to correct/double-check the allowed IPs under advanced site-2-site settings.

Personally, I would try to stick with your initial setup with 2 server peers and make it work with the clients by fixing their IPs and allowed IPs. But in the end I think both setups would work.
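An added example, not code from this thread or from Asus/Merlin: a small Python check of the /25 split described in the reply above, which flags a client address generated in the wrong half and derives the site-to-site peer AllowedIPs. The client addresses and the LAN subnets (192.168.50.0/24, 192.168.51.0/24) are constructed assumptions.

```python
import ipaddress

def net(cidr):
    """WireGuard writes host-with-prefix (10.6.0.1/25); strict=False gives the network."""
    return ipaddress.ip_network(cidr, strict=False)

def host(cidr):
    return ipaddress.ip_interface(cidr).ip

# Constructed plan following the /25 split; server/client/LAN values are assumptions.
# 10.6.0.4 at site B is deliberately wrong: it falls in site A's half.
PLAN = {
    "A": {"server": "10.6.0.1/25", "lan": "192.168.50.0/24",
          "clients": ["10.6.0.2/32", "10.6.0.3/32"]},
    "B": {"server": "10.6.0.128/25", "lan": "192.168.51.0/24",
          "clients": ["10.6.0.129/32", "10.6.0.4/32"]},
}

def s2s_allowed_ips(plan, local):
    """AllowedIPs for the peer entry on `local` that points at the other site:
    the other site's WireGuard half plus the other site's LAN."""
    other = next(name for name in plan if name != local)
    return [str(net(plan[other]["server"])), plan[other]["lan"]]

def check_plan(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    ranges = {name: net(site["server"]) for name, site in plan.items()}
    names = list(plan)
    # The two halves must not overlap, or AllowedIPs on the servers become ambiguous.
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ranges[a].overlaps(ranges[b]):
                problems.append(f"site {a} and site {b} WireGuard ranges overlap")
    # Every server and client address must sit in its own site's half, and be unique.
    seen = {}
    for name, site in plan.items():
        for cidr in [site["server"]] + site["clients"]:
            ip = host(cidr)
            if ip not in ranges[name]:
                problems.append(f"{ip} is outside site {name} range {ranges[name]}")
            if ip in seen:
                problems.append(f"{ip} used at both site {seen[ip]} and site {name}")
            seen.setdefault(ip, name)
    return problems

if __name__ == "__main__":
    for name in PLAN:
        print(f"site {name} peer AllowedIPs = {', '.join(s2s_allowed_ips(PLAN, name))}")
    print("\n".join(check_plan(PLAN)) or "plan OK")
```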
 
This is so enormously helpful. I'm in the process of adjusting my settings along these lines.

Also, appreciate the precision of how you stated it.
 