Wireguard two-way setup

redbird71

Occasional Visitor
I tried to follow the official ASUS FAQ on how to set up a site-to-site WireGuard connection. The connection does get established and is apparently working. The problem I find is how to tell the router which devices on the server site I want to route through the VPN to the client site. VPN Director does not allow creating any rule that uses a server as a gateway, so I don't know what else to do.

FYI, it's an RT-AX86U Pro on the server site and an RT-BE92U on the client site, both on the latest Merlin firmware.
 
You can set up a server on site A and a client on site B, with VPN director controlling what goes over the tunnel from site B; then a server on site B and a client on site A, with VPN director controlling what goes over the tunnel from site A.
 
The problem I find is how to tell the router which devices on the server site I want to route through the VPN to the client site.
You don't/can't. Site-2-site is generally for connecting 2 LANs, and it's typically used for LAN-to-LAN and not internet data.
On the server side you control which destinations should be sent over the tunnel, from the server side's perspective, with AllowedIPs (Server) (under the advanced site-2-site settings).
For example, if the client site has WG IP 10.6.0.2 and the LAN there is 192.168.51.0/24, then the AllowedIPs (Server) in the server for this peer is set to
Code:
10.6.0.2/32, 192.168.51.0/24

It will then be reachable from the whole server-side network.
 
You don't/can't. Site-2-site is generally for connecting 2 LANs, and it's typically used for LAN-to-LAN and not internet data.
On the server side you control which destinations should be sent over the tunnel, from the server side's perspective, with AllowedIPs (Server) (under the advanced site-2-site settings).
For example, if the client site has WG IP 10.6.0.2 and the LAN there is 192.168.51.0/24, then the AllowedIPs (Server) in the server for this peer is set to
Code:
10.6.0.2/32, 192.168.51.0/24

It will then be reachable from the whole server-side network.
This is what I want to do. I don't want to route internet traffic, just access machines on one network from the other and vice versa.

This is what I did:

Step 1) I create the server.
Step 2) I create a client for the server, and within it ..
Step 3) I open "More Settings for Site to Site Usage" and create:
Address
10.6.0.2/32
Allowed IPs (Server)
10.6.0.2/32, 192.168.100.0/24 (the LAN on the server side), 192.168.50.0/24 (the LAN on the client side)
Allowed IPs (Client)
0.0.0.0/0

So it seems that the only thing that's different from what you're proposing is that I added the client's LAN IP range to AllowedIPs (Server).
 
So it seems that the only thing that's different from what you're proposing is that I added the client's LAN IP range to AllowedIPs (Server).
Yea, that could be trouble. By adding the server's own LAN into AllowedIPs (Server) you are creating a routing conflict that could mess things up.

AllowedIPs (Server) should contain destination IPs that are reached over the tunnel, never IPs local to the server side. So it should be 10.6.0.2/32, 192.168.50.0/24

AllowedIPs (Client) is not used by the server at all; it is only used in the config file that is generated by the server, which you import on your client-side router. It could be 0.0.0.0/0 if you ever want to send internet data this way. Or it could be 10.6.0.0/24, 192.168.100.0/24 to only use the tunnel for LAN-to-LAN. On top of this you have to use VPN Director to set up how your client LAN relates to the tunnel. For a typical site2site in your case it would be 2 rules:
Local IP: leave blank
Remote IP: 10.6.0.0/24
Iface: wgcX

And the other rule would be the same, but replace Remote IP with 192.168.100.0/24.

What is it exactly that is not working for you?
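As an added example (not code from the thread or from the Asuswrt-Merlin firmware), a small Python check that applies the rule stated above: AllowedIPs (Server) must only list destinations reached over the tunnel, so any entry overlapping the server's own LAN is a routing conflict. It uses the addresses from the thread (server LAN 192.168.100.0/24, client LAN 192.168.50.0/24, tunnel 10.6.0.0/24, client address 10.6.0.2) and assumes a hypothetical client interface name wgc1 for the VPN Director rules.

```python
import ipaddress

# Constructed values taken from the thread.
SERVER_LAN = ipaddress.ip_network("192.168.100.0/24")
CLIENT_LAN = ipaddress.ip_network("192.168.50.0/24")
TUNNEL_NET = ipaddress.ip_network("10.6.0.0/24")
CLIENT_TUNNEL_ADDR = ipaddress.ip_address("10.6.0.2")


def parse_allowed_ips(text):
    """Parse the comma-separated AllowedIPs field as the router UI writes it."""
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in text.split(",") if p.strip()]


def check_server_allowed_ips(allowed_text, server_lan=SERVER_LAN):
    """Return the AllowedIPs (Server) prefixes that overlap the server's own LAN.

    WireGuard's cryptokey routing sends traffic for every AllowedIPs prefix
    into the tunnel, so a local LAN listed here is the conflict described above.
    """
    return [str(n) for n in parse_allowed_ips(allowed_text)
            if n.overlaps(server_lan)]


def expected_server_allowed_ips(client_addr=CLIENT_TUNNEL_ADDR,
                                client_lan=CLIENT_LAN):
    """Only what lies behind this peer: its tunnel /32 plus its LAN."""
    return f"{client_addr}/32, {client_lan}"


def expected_client_allowed_ips(tunnel=TUNNEL_NET, server_lan=SERVER_LAN,
                                full_tunnel=False):
    """LAN-to-LAN only by default; 0.0.0.0/0 only if internet data should go via the tunnel."""
    return "0.0.0.0/0" if full_tunnel else f"{tunnel}, {server_lan}"


def vpn_director_rules(iface="wgc1", tunnel=TUNNEL_NET, server_lan=SERVER_LAN):
    """The two remote-IP VPN Director rules on the client router (local IP left blank).
    The interface name is an assumption; use the wgcX slot you configured."""
    return [{"local_ip": "", "remote_ip": str(tunnel), "iface": iface},
            {"local_ip": "", "remote_ip": str(server_lan), "iface": iface}]


if __name__ == "__main__":
    posted = "10.6.0.2/32, 192.168.100.0/24, 192.168.50.0/24"  # the config from the thread
    print("conflicting entries:", check_server_allowed_ips(posted))
    print("AllowedIPs (Server) should be:", expected_server_allowed_ips())
    print("AllowedIPs (Client) should be:", expected_client_allowed_ips())
    for rule in vpn_director_rules():
        print("VPN Director rule:", rule)
```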
 