Wireguard site2site (Server AC86U Peer AX86U)

[helio58]

Hi,
Preparing to connect a ste2site with wireguard.
Server location I have 2 networks 192.168.10.0/24 and 192.168.20.0/24
The peer location network 192.168.50.0/24
I will like both sites to use own internet but all lan trafik work both ways.
Please could I have same advise how to configure this?
Thanks

 

[ZebMcKayhan]

Hi,
Preparing to connect a ste2site with wireguard.
Server location I have 2 networks 192.168.10.0/24 and 192.168.20.0/24
The peer location network 192.168.50.0/24
I will like both sites to use own internet but all lan trafik work both ways.
Please could I have same advise how to configure this?
Thanks

Using firmware (ax86 only):
https://www.snbforums.com/threads/wireguard-site2site-ax88u-to-ax88u-on-version-388-1.83516/
(Read whole thread)

Using Wireguard Manager (ac86u and ax86u):
https://github.com/ZebMcKayhan/WireguardManager#setup-wireguard-site-2-site

 

[helio58]

Using firmware (ax86 only):
https://www.snbforums.com/threads/wireguard-site2site-ax88u-to-ax88u-on-version-388-1.83516/
(Read whole thread)

Using Wireguard Manager (ac86u and ax86u):
https://github.com/ZebMcKayhan/WireguardManager#setup-wireguard-site-2-site

Thanks I totaly miss it.

 

[helio58]

@ZebMcKayhan​

One question "Using firmware (ax86 only)"
Do you know the location off wgxx.conf of the server? I found the clients at /etc/wg
Thanks

 

[ZebMcKayhan]

@ZebMcKayhan​

One question "Using firmware (ax86 only)"
Do you know the location off wgxx.conf of the server? I found the clients at /etc/wg
Thanks

No, sorry. Im running AC86U which is stuck on 386 firmware.

But according to merlin wireguard source code: https://github.com/RMerl/asuswrt-merlin.ng/blob/master/release/src/router/rc/wireguard.c the directory /etc/wg is used for both server and client configs. But perhaps it only exists there when the server is started?

 

[helio58]

I started the server, this is the content of the directory.

The clients are ok but cant see the server config.
Thanks for the github guide.
I will set the ac86u as server so i can acess the server config.

 

[ZebMcKayhan]

I started the server, this is the content of the directory.

Check if there is anything under /etc/wg/ since that is what the source refers to. But it could be mapped differently.

 

[helio58]

Check if there is anything under /etc/wg/ since that is what the source refers to. But it could be mapped differently.

In the image above I m in /etc/wg/

 

[ZebMcKayhan]

In the image above I m in /etc/wg/

Ooh, sorry, you could try

cd /
find -name wgs1.conf

And see if something turns up.

If all fails you could use Wireguard tools:

wg showconf wgs1

but there might be some missing pieces that Wireguard doesnt use, like DNS = directive.

 

[helio58]

Ooh, sorry, you could try

cd /
find -name wgs1.conf

And see if something turns up.

If all fails you could use Wireguard tools:

wg showconf wgs1

but there might be some missing pieces that Wireguard doesnt use, like DNS = directive.

cd /
find -name wgs1.conf
nothing

but
wg showconf wgs1
shows the server config
Thanks

Do you know the command to edit?

Thanks

 

[ZebMcKayhan]

Do you know the command to edit?

You cant edit an active config (as far as I know). You need to bring the wg interface down. Perhaps even restart the interface with a new config, but honestly, isnt it easier to install Wireguard Manager from amtm and set it up according to your needs?

 

[ZebMcKayhan]

Do you know the command to edit?

Looks like you can change the active configuration using "wg set <command> <parameter>"

Check: https://manpages.ubuntu.com/manpages/focal/man8/wg.8.html

But I have never used it so you will have to try for yourself.

 

[helio58]

You cant edit an active config (as far as I know). You need to bring the wg interface down. Perhaps even restart the interface with a new config, but honestly, isnt it easier to install Wireguard Manager from amtm and set it up according to your needs?

Thanks you are right its easier to install Wireguard Manager.
Thanks for all help.

 

[Martineau]

You cant edit an active config (as far as I know). You need to bring the wg interface down. Perhaps even restart the interface with a new config, but honestly, isnt it easier to install Wireguard Manager from amtm and set it up according to your needs?

The syncconf command would appear to be able to dynamically alter WireGuard parameters for a specific interface without disrupting traffic?

i.e. using wg showconf to pipe the existing active parameters to say a '/tmp/$$PID' file then use sed to modify '/tmp/$$PID' before reapplying.

Obviously parameters such as MTU are not supported, but could be modified by the appropriate ip link commands.

 

[helio58]

View attachment 49148

The syncconf command would appear to be able to dynamically alter WireGuard parameters for a specific interface without disrupting traffic?

i.e. using wg showconf to pipe the existing active parameters to say a '/tmp/$$PID' file then use sed to modify '/tmp/$$PID' before reapplying.

Obviously parameters such as MTU are not supported, but could be modified by the appropriate ip link commands.

Thanks Martineau, Its the MTU i m hopping to change.

 

[Martineau]

Thanks Martineau, Its the MTU i m hopping to change.

Try these commands in a SSH session to see if you can successfully alter the MTU once the interface is UP

ip link show dev $WG_INTERFACE

ip link set dev $WG_INTERFACE mtu nnnn

If it works, then perhaps you can include them in a post-up script.

 

[helio58]

Try these commands in a SSH session to see if you can successfully alter the MTU once the interface is UP

ip link show dev $WG_INTERFACE

ip link set dev $WG_INTERFACE mtu nnnn

If it works, then perhaps you can include them in a post-up script.

Thanks i m using
ip link set dev wgs1 mtu 1400

It seem to keep the value .
When I m att my remote location the tunnel is upp all time.
My internet speed is 250/250 when using wireguard about 130/130 it ok.

 

[ZebMcKayhan]

It seem to keep the value .
When I m att my remote location the tunnel is upp all time.

You may want to keep an eye in it. Obviously the mtu will reset at router reboot but there may be other events were the firmware restarts the interface.
There are script hooks in merlin firmware that executes whenever a wireguard interface is brought up were you could put your mtu changing command.

/jffs/scripts/wgserver-start

the server number will be given as args.

 

[helio58]

You may want to keep an eye in it. Obviously the mtu will reset at router reboot but there may be other events were the firmware restarts the interface.
There are script hooks in merlin firmware that executes whenever a wireguard interface is brought up were you could put your mtu changing command.

/jffs/scripts/wgserver-start

the server number will be given as args.

Thanks will do that.

 

[helio58]

@ZebMcKayhan

AC86U as client AX86U as server
Its working very well.

I tried to exclude one computer from vpn but I can still acess all the computers on the remote.

The rule tht I use is:
peer wg11 rule add wan 192.168.0.87 comment computer to wan
peer wg11 auto=P

I must have missed same rule