What's new

Wireguard site2site (Server AC86U Peer AX86U)

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

I export from ax86u and import on ac86u as a client , the name got change to wg11
 
I export from ax86u and import on ac86u as a client , the name got change to wg11
Ok, normally, thats not the way I would have done it. Non-conflicting routes belong in the main routing table, not policy routes table and access control should be handled by firewall, not by policy routes.

But ok, it should work anyway altough there might be issues down the road.

Please list all your policy rules regarding wg11.
 
I have just setup this one.Thanks
Client Auto IP Endpoint DNS MTU Annotate
wg11 P 10.6.0.2/32 xxx.xxx.xxx.xxx:51811 10.6.0.1 Auto # N/A

Selective Routing RPDB rules
ID Peer Interface Source Destination Description
1 wg11 WAN 192.168.0.87 Any wan macbookairold


Configuration rules for Peer wg11
 
I tried to exclude one computer from vpn but I can still acess all the computers on the remote.
That does not make any sense. You should not be able to access any remote lan ips. Perhaps you need to restart wg11 to have the routes move to policy table?

Then you need to setup rules for anything that should be able to access remote lan (peer wg11 rule add vpn src=0.0.0.0/0 dst=<remote lan>/24)
 
That was just the rules. The config looks like this:

[Interface]
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxx=
Address = 10.6.0.2/32
DNS = 192.168.0.45,10.6.0.1


[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxx=
PresharedKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
AllowedIPs = 10.6.0.1/32,192.168.2.0/24,192.168.1.0/24
Endpoint = xxx.xxx.xxx.xxx:51811
PersistentKeepalive = 25

Running this way Ican acess all my remote lan and keep my ip adress.

I will like to exclude a computer from this route.
I tried to use :
peer wg11 rule add wan 192.168.0.87 comment My Computer To Wan

But that is not working
 
But that is not working
Did some readup in wgm code and it turns out only AllowedIPs = 0.0.0.0/0 gives a policy route table. All others end up in main table. Since your AllowedIPs does not contain this, the rules (and policy mode) have virtually no effect.

There is another issue with your way of doing this. As Client import in WGM implies internet client only one-way communication is allowed.

You will also get nat again and wierd dns handling thats not really appropriate for site-2-site.

But however you wish to play this you will need to make custom firewall rules.

1. Remake your import as client but change AllowedIPs = 0.0.0.0/0 and setup rules for your current AllowedIPs (dst). Make custom firewall rules to allow inbound access and remove nat.

2. Remake your import as it is but do it as type=server. You will need to put _public.key and _private.key files with your conf file. Create custom firewall rules for blocking access to the tunnel from your ip you want to block.

Let me know how you want to make it and I will try to support.
 
@ZebMcKayhan

Thanks for all your help.

The reason I did not follow your guide is I did not find the location of the server on the AX86U.
Just now I m in the remote location and the main features are working.
I will change when I m back home.
I came with a work around when I want to isolate a computer. I connect to a openvpn server locate at my present place and it does work as i intend.

Once more thanks for your help
 

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Top