Wireguard site to multisite

DocUmibozu

Regular Contributor
Hello,
My actual configuration:
AX68U wireguard server 192.168.1.0/24

Office 1 (openwrt client) 192.168.12.0/24
[Interface]
PrivateKey = xxxxx
Address = 10.6.0.2/32
DNS = 10.6.0.1
[Peer]
PublicKey =xxxx
AllowedIPs = 192.168.1.0/24
Endpoint = xxxx:51820
PersistentKeepalive = 25

Allowed IPs (Server) 10.6.0.5/32,192.168.12.0/24
Allowed IPs (Peer) 192.168.1.0/24, 192.168.13.0/24


Office 2 (openwrt client) 192.168.13.0/24
[Interface]
PrivateKey = xxxxx
Address = 10.6.0.5/32
DNS = 10.6.0.1
[Peer]
PublicKey =xxxx
AllowedIPs = 192.168.1.0/24
Endpoint = xxxx:51820
PersistentKeepalive = 25

Allowed IPs (Server) 10.6.0.5/32,192.168.13.0/24
Allowed IPs (Peer) 192.168.1.0/24, 192.168.12.0/24

Well,
Server can see Office 1 and Office 2
Office 1 and Office 2 can see Server
Office 1 and Office 2 can't see each other... How can I make this happen?

Thanks to all
 
I am looking to do something similar, i.e. having WG peers communicate with each other. I had previously a very non-elegant solution with multiple OVPN tunnels and VPN Director rules that worked, but have foregone that for the speed benefits of WG. It would be great to get peer-to-peer working on WG.

@ZebMcKayhan was very helpful with my previous underlying issue. Perhaps s/he has some ideas?
 
Well, I might have something that may work. But for clarity, why don't you state your issue and status again, since last time it sounds like you got it solved by adding a WAN rule. What parts of the system are not working?

Please provide info on how your network looks, what configuration you have, and what part is not working as you wish.
 
I had previously a very non-elegant solution with multiple OVPN tunnels and VPN Director rules that worked

With OpenVPN it is a piece of cake and I already did it. There is a howto somewhere in the forum.
Now I have to use wireguard and I'm stalled...
 
Ehm....
Seen the first message in the thread?
Sorry, I thought we were in a different thread. Have been lurking around here for too long, I guess.

There are some issues and/or typos with your setup/description:
- Your wg network is not included in AllowedIPs (client/peer). It should be, and probably the entire 10.6.0.0/24.
- Your Office 1/2 AllowedIPs do not match your server AllowedIPs (client/peer). How come? Isn't the client config generated by the server? And imported? When did it get stripped of some IPs? Or did you change it on the server after import, since that's not gonna work.
 
To be perfectly clear:

Office 1
Allowed IPs (Server) 10.6.0.5/32,192.168.12.0/24
Allowed IPs (Peer) 192.168.1.0/24, 192.168.13.0/24
Allowed IPs (Server) 10.6.0.2/32,192.168.12.0/24
Allowed IPs (Peer) should be: 10.6.0.0/24, 192.168.1.0/24, 192.168.13.0/24

Office 2:
Allowed IPs (Server) 10.6.0.5/32,192.168.13.0/24
Allowed IPs (Peer) 192.168.1.0/24, 192.168.12.0/24
Allowed IPs (Peer) should be: 10.6.0.0/24, 192.168.1.0/24, 192.168.12.0/24

But the clients after import:
AllowedIPs = 192.168.1.0/24

If you change these on your server, nothing will change until you import the new config (that's their only purpose on the server).

Or you manually change the client config directly on your clients, but it's a good idea to change it on the server as well in case you generate new configs in the future.
 
OK, I’ll try to add 10.6.0.0/32.
I think I stripped it in the process to obtain the split tunnel (in the original config I achieved a full tunnel, which I don’t want).
Thanks for the suggestion, I’ll follow up
 
Well
I modified the server side and everything is OK.
Then this morning I edited Office 2 and when I add 10.6.0.0/24 the tunnel falls apart, no connection.
It's a busy week at work so I think I'll postpone the investigation to the weekend....
 
That would imply one of the following:
1. 10.6.0.0/24 is used on Office2 already and we created an IP conflict.
2. You entered it wrong. Wrong format, wrong delimiter, a missing space or the wrong place. You did leave the LAN IPs /24 in there as well, right?

Perhaps you could post a picture of how it looks when you added it?

To check both of these you could skip this range initially on office2 and only enter
AllowedIPs(office2): 192.168.1.0/24, 192.168.12.0/24
That would mean the router itself will likely not be able to talk to these networks, but LAN clients will.

You could also add the explicit IPs to your clients, but you won't be able to communicate with roaming clients if you ever create any:
AllowedIPs(office2): 192.168.1.0/24, 192.168.12.0/24, 10.6.0.2/32, 10.6.0.1/32

But the final goal must be to get all ranges in there:
AllowedIPs(office2): 192.168.1.0/24, 192.168.12.0/24, 10.6.0.0/24
 
I migrated just yesterday from OpenVPN to WireGuard.
I used a cloud VPS as the server, but the configuration is the same.
Basically, in the server's config:
Address = 10.6.0.1/24

peerA
allowedIPs = 10.6.0.2/32, 192.168.1.0/24 (or whatever network is on this peer)

peerB
allowedIPs = 10.6.0.3/32, 192.168.2.0/24

config on peers

peerA
AllowedIPs = 10.6.0.0/24, 192.168.2.0/24 (peerB local network)

peerB
AllowedIPs = 10.6.0.0/24, 192.168.1.0/24 (peerA local network)

I had OpenVPN on my AX88U and the max I got was 10Mbit/s through the tunnel - the client was connecting to my router directly.

Now I have set up a WireGuard server on AWS and I have both locations connected to this server. Routing works fine. Speed is > 20Mbit/s.
 
Hello,
I confirm that it works, I made a mistake in one client config that partly broke the tunnel.
Main benefit of WireGuard over OpenVPN is that it gives new life to a lot of old/low cost OpenWrt routers. No way you can find a router for 29 euro that gives over 50mb on an OpenVPN tunnel...
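
The AllowedIPs behaviour discussed in this thread, as an added example that is not part of any post: a small Python model of WireGuard's AllowedIPs checks on send and receive, showing at which hop an Office 1 to Office 2 packet is dropped with the first-posted client configs and with the suggested ones. The function names and the host addresses 192.168.12.10, 192.168.13.10 and 192.168.1.5 are constructed for illustration; the model assumes routes are derived from AllowedIPs and that the hub forwards between peers.

```python
from ipaddress import ip_address, ip_network

HUB_LAN = ip_network("192.168.1.0/24")   # LAN behind the WireGuard server (from the thread)

def nets(csv):
    """Parse a comma-separated AllowedIPs value into network objects."""
    return [ip_network(n.strip()) for n in csv.split(",")]

def covers(csv, addr):
    """True if addr falls inside any network of the AllowedIPs value."""
    return any(ip_address(addr) in n for n in nets(csv))

def trace(src_site, src, dst, spoke_cfg, hub_cfg):
    """Follow one packet spoke -> hub -> destination; name the first hop that drops it.

    spoke_cfg[site]: AllowedIPs that site's client config lists for the hub peer
    hub_cfg[site]:   AllowedIPs the hub lists for that site's peer
    Assumption: routes follow AllowedIPs and the hub forwards between peers.
    """
    if not covers(spoke_cfg[src_site], dst):
        return f"{src_site}: no AllowedIPs entry covers {dst}, packet is not sent through the tunnel"
    if not covers(hub_cfg[src_site], src):
        return f"hub: source {src} not in AllowedIPs for {src_site}, dropped on receive"
    if ip_address(dst) in HUB_LAN:
        return "delivered to hub LAN"
    dst_site = next((s for s, csv in hub_cfg.items() if covers(csv, dst)), None)
    if dst_site is None:
        return f"hub: no peer has {dst} in AllowedIPs"
    if not covers(spoke_cfg[dst_site], src):
        return f"{dst_site}: source {src} not in AllowedIPs for hub peer, dropped on receive"
    return f"delivered to {dst_site}"

# Hub-side entries, using the corrected 10.6.0.2/32 for Office 1.
HUB = {"office1": "10.6.0.2/32,192.168.12.0/24",
       "office2": "10.6.0.5/32,192.168.13.0/24"}
# Client configs as first posted: only the hub LAN is allowed.
BEFORE = {"office1": "192.168.1.0/24", "office2": "192.168.1.0/24"}
# Client configs with the ranges suggested in the thread.
AFTER = {"office1": "10.6.0.0/24, 192.168.1.0/24, 192.168.13.0/24",
         "office2": "10.6.0.0/24, 192.168.1.0/24, 192.168.12.0/24"}

if __name__ == "__main__":
    a, b = "192.168.12.10", "192.168.13.10"   # constructed host addresses
    print(trace("office1", a, b, BEFORE, HUB))
    print(trace("office1", a, b, AFTER, HUB))
    # Only Office 1 updated: Office 2 still rejects the unknown source range.
    print(trace("office1", a, b, {**AFTER, "office2": BEFORE["office2"]}, HUB))
```

The third call shows why both client configs have to be updated: with only Office 1 changed, the packet reaches Office 2 and is dropped there because its source is outside Office 2's AllowedIPs.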
 
