more wireguard oddities with ac88u

grottoguy

Occasional Visitor
Hello all.
I've floundered through but managed to get bidirectional site to site wireguard between two identical asus ac88u routers working.
Result: .1 subnet devices are connecting with VPN Fusion on .1 router to the wireguard server on .2 router.

In parallel, I also have clients (phones and laptops) acting as normal wireguard clients to the same wireguard server on the .2 router, and they can successfully see other devices on the .2 subnet as desired.
Result: devices using wireguard to connect to the .2 router can see other devices on the .2 subnet (however, they don't see devices on the .1, so they aren't currently getting across the wireguard between the routers, which I might like to do)

In parallel, I have the same clients (phones and laptops) acting as normal wireguard clients to the wireguard server on the .1 router. Initially, this was working as above, but at some point, this stopped working.
Result: devices using wireguard to connect to the .1 router are not able to connect to other devices on the .1 subnet (i.e., these clients don't seem to be working anymore)

I still have fundamental issues with the labeling and semantics between the VPN fusion 'client' and 'server' (when it's really peer to peer between routers for bidirectional) and the standard wireguard peer to peer (generally used by a phone or laptop to get back to the router).

In looking at the wireguard configs and the existing routing tables, it seems that I should be able to make sense of what's working / not working and why, but I'm clearly missing it.

So if a wireguard / routing person can help clarify what's happening and what's not, that would be great.

Router .1 Wireguard configs for a sample client (like a phone).
I believe this means
-the actual client device gets 10.6.0.2
-not sure why / where a 10.6.2.1 server comes through (is that a rewrite of the router itself? Unclear where the .2 subnet comes from at all).
-AllowedIPs in this case are all outside IPs, I think, meaning this wireguard client config will allow connection from any original IP back to the wireguard server (router).

[image attachment: 1671999957393.png]


Here is the routing table (my actual IP addresses blanked out) for the .2 subnet and then the .1 subnet after
I think they show
-the .1 and .2 subnets are symmetrically the same (i.e., one is wgs, the other a br0 which presumably bridges to the other router)
-the 10.6.0.x clients; I believe these are the clients between the two subnets over the wgs (pc, synology, etc)
-specifically, the .2, .3, and .4 devices are the ones 'seeing each other' across the router wireguard interface
-the .5, I suspect, is my phone, currently only connected to the .1 subnet via wireguard (presumably also the 208.x address)
-it's that device that can't see anything on the .1 subnet, let alone across the wg to the .2 subnet


[image attachment: 1672000159131.png]


[image attachment: 1672000609077.png]


See below for the two standard wireguard client definitions. The one on the .2 subnet works fine (i.e., can connect to other devices on the .2 subnet).
The .1 client config for wireguard connects, but doesn't seem to let it see anything on the .1 subnet.
Ideally, I'd be able to figure out how a wireguard client connected to either router could see the other subnet (i.e., connect to the .2 router but see .1 subnets as well as .2), but that'd be gravy.
My first problem is- why is my wireguard for .1 not letting devices connect / see any of the devices on .1?

Am I perhaps having some conflicts with overlapping wireguard IP configs on the two routers (i.e., they both seem to be using 10.6.0, and I'm not sure if/where I could change those- similar to why/how I changed one router to the .1 subnet, and the other to the .2).

Thanks for any feedback...

Router .2 client config (this one is working to get to .2 devices, although it doesn't let me get from the .2 also to the .1 which would be nice)
[image attachment: 1672000980440.png]


Router .1 client config; this one is not letting me even get to the .1 (where it's connecting to the .1 router), let alone the .2 subnet...

[image attachment: 1672001078566.png]

One more piece of data actually... Across the VPN fusion client connection from .1 to .2, I can actually connect to devices including the .2 router itself.
In the other direction, where I specify the clients, I guess maybe I'd need to add the .1 router as a client to which that wgs VPN fusion config applies in order to do the reverse.

Either that, or the allowedips (client/server/??) are more complete in one direction, perhaps, I dunno...
The AllowedIPs need to be in order for this to work. The AllowedIPs are used for Wireguard routing. At each peer the AllowedIPs should contain the destination IPs on the other side of the tunnel.

For example
site A has wg ip 10.6.0.1 and lan 192.168.1.1/24

Site B has wg ip 10.6.0.2 and lan 192.168.2.1/24

Each site should have the other site's IPs there, nothing else.
So Site A Server shall have AllowedIPs = 10.6.0.2/32, 192.168.2.1/24
Site B, client shall have AllowedIPs = 10.6.0.1/32, 192.168.1.1/24

Now, if you add more clients (road warriors) to site A, say 10.6.0.3 and 10.6.0.4, then site B will have no knowledge of them unless they are added to site B's AllowedIPs, like:
Site B AllowedIPs = 10.6.0.1/32, 10.6.0.3/32, 10.6.0.4/32, 192.168.1.1/24

If you only plan to add more clients to site A, then it may be possible to lump the entire subnet at site B, like:
Site B AllowedIPs = 10.6.0.1/24, 192.168.1.1/24

And I guess the DNS needs to be a proper IP, so change it to something known to the system. I don't know how Asus appends this DNS, so I don't know what impact it has.

//Zeb
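
As an added example that is not part of the thread and not ASUS or WireGuard project code, the following Python models the AllowedIPs rule Zeb describes (WireGuard's cryptokey routing): an outbound packet goes into the tunnel of the peer whose AllowedIPs has the longest-prefix match on the destination, and a packet decrypted from a peer is kept only if the same lookup on its source address points back at that peer. The configs in the block are constructed from the addresses in the reply (10.6.0.x, 192.168.1.x, 192.168.2.x) with keys omitted; they are not the poster's real configs, and the "# name" comment used to label a [Peer] block is a convention assumed here, not wg syntax. It shows why a road warrior at site A (10.6.0.5) is dropped at site B until it appears in site B's AllowedIPs, and what happens when two peers on one interface have overlapping prefixes. The same lookup explains the 0.0.0.0/0 in the phone's config from the first post: on the phone it is the outbound rule (send everything into the tunnel), not a filter on who may connect. The overlap check is per interface; it says nothing about the two routers both using 10.6.0.0/24 for their own servers, which the thread leaves open.

```python
"""Cryptokey-routing model of a WireGuard interface (added example).

Not code from the thread or from ASUS/wg-quick. Reproduces the rule
Zeb describes: outbound packets go to the peer whose AllowedIPs has
the longest-prefix match on the destination; inbound packets decrypted
from a peer are dropped unless their source matches that same peer.
The configs are constructed from the addresses in the reply; keys
are omitted on purpose.
"""
import ipaddress

# Constructed config for the site-B router ("client" side), as Zeb
# wrote it: only site A's tunnel address and LAN are allowed.
SITE_B = """
[Interface]
Address = 10.6.0.2/24

[Peer]
# site-a
AllowedIPs = 10.6.0.1/32, 192.168.1.1/24
"""

# Same config with the whole 10.6.0.0/24 lumped in, so road warriors
# that attach to site A are also accepted at site B.
SITE_B_WIDE = SITE_B.replace("10.6.0.1/32", "10.6.0.0/24")

# Constructed config for the site-A router ("server" side): the
# site-B tunnel plus one road-warrior phone.
SITE_A = """
[Interface]
Address = 10.6.0.1/24

[Peer]
# site-b
AllowedIPs = 10.6.0.2/32, 192.168.2.1/24

[Peer]
# phone
AllowedIPs = 10.6.0.5/32
"""


def parse_peers(config_text):
    """Return [(name, [ip_network, ...]), ...] from wg-quick style text.

    The peer name comes from a '# name' comment inside the [Peer] block
    (an assumed convention for this example, not wg syntax). Host-style
    prefixes like 192.168.1.1/24 are normalised to 192.168.1.0/24, which
    matches how WireGuard treats them: only the prefix bits matter.
    """
    peers, current = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() == "[peer]":
            current = {"name": f"peer{len(peers) + 1}", "allowed": []}
            peers.append(current)
        elif line.lower() == "[interface]":
            current = None
        elif current is None:
            continue
        elif line.startswith("#"):
            current["name"] = line.lstrip("# ").strip()
        else:
            key, _, value = line.partition("=")
            if key.strip().lower() == "allowedips":
                for cidr in value.split(","):
                    if cidr.strip():
                        current["allowed"].append(
                            ipaddress.ip_network(cidr.strip(), strict=False))
    return [(p["name"], p["allowed"]) for p in peers]


def select_peer(peers, dest):
    """Longest-prefix match over all peers' AllowedIPs for one address.

    Returns the name of the peer whose tunnel carries a packet to dest,
    or None when no peer claims it (the packet does not enter WireGuard).
    """
    addr = ipaddress.ip_address(dest)
    best = None
    for name, nets in peers:
        for net in nets:
            if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (name, net)
    return best[0] if best else None


def accepts_inbound(peers, from_peer, src):
    """A packet decrypted from from_peer is kept only if the lookup on
    its *source* address yields from_peer; otherwise WireGuard drops it."""
    return select_peer(peers, src) == from_peer


def overlaps(peers):
    """List AllowedIPs prefixes that overlap between different peers.

    Overlap alone is not an error (longest prefix wins), but the identical
    prefix on two peers is: WireGuard keeps one owner per prefix, so the
    later assignment silently takes it away from the earlier peer.
    """
    found = []
    for i, (n1, nets1) in enumerate(peers):
        for n2, nets2 in peers[i + 1:]:
            for a in nets1:
                for b in nets2:
                    if a.overlaps(b):
                        found.append((n1, str(a), n2, str(b)))
    return found


if __name__ == "__main__":
    b = parse_peers(SITE_B)
    print("site B -> 192.168.1.50 via", select_peer(b, "192.168.1.50"))
    print("site B keeps phone 10.6.0.5 arriving via site-a:",
          accepts_inbound(b, "site-a", "10.6.0.5"))
    print("same after lumping 10.6.0.0/24:",
          accepts_inbound(parse_peers(SITE_B_WIDE), "site-a", "10.6.0.5"))
```

Running it prints that site B reaches 192.168.1.50 via site-a, that the phone's packets arriving through the site-a tunnel are dropped with the narrow AllowedIPs, and that they are kept once 10.6.0.0/24 is lumped in. The parser reads only AllowedIPs, so it can be pointed at a real wg-quick file (with keys present) to check which peer a given destination lands on before touching the router.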
And I would like to link this post: https://www.snbforums.com/threads/asuswrt-merlin-388-1-wireguard-site-to-site-on-2xax88u.82272/ where the user @GPSMapper set up site-to-site using only what is available in the GUI. I thought it could be some inspiration for you, and even though it is on Merlin there would not be much difference.