Best way to add a third peer to an existing site-to-site Wireguard configuration?

I used the automated script for setting up site-to-site Wireguard in the wiki. Kudos to the person (or people) who wrote the script; it just works.

Now I want to allow a third device to access services inside the two OpenWrt networks that have site-to-site Wireguard. What is the best approach to this?

What I have tried:
I created a new peer (in the existing Wireguard interface) in site A LuCI interface (Generated key pair and ticked Route Allowed IPs).
Then I copied the generated config to the third peer and brought it up with sudo wg-quick up ./wg0.conf.
This doesn't work as I didn't specify allowed IPs in LuCI. I tried these:

  • 192.168.2.0/24 (i.e. subnet of site A). This doesn't work, and I can't access the site A OpenWrt via 192.168.2.1 after setting this
  • 0.0.0.0/0. This sorta works (third peer can access devices in site A, but not devices in site B). Problem is, devices in site A cannot access the internet after setting this

(Note: I am using GNS3 to get my hands dirty before actually running the script in production, so no important private keys leak below)

GNS3 topology:

Site A OpenWrt /etc/network:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd4d:53dc:93bd::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

config interface 'wg_s2s_a'
        option proto 'wireguard'
        option private_key 'QFPoUoh4AvWKZnvPgNtN58oSNX/k3SLjTzZMGDheSno='
        option listen_port '51820'

config wireguard_wg_s2s_a 's2s_vpn_site_b'
        option public_key 'gyVDy7b+rfg+ixAgzKMKcHT/JuAqJoEAOV7p4k0D0hY='
        option preshared_key 'BAn/3VEJrQ5gbvkg5//ytJ8s22BFOVHwgWt08tHS70o='
        option description 'Site B, 192.168.1.147'
        list allowed_ips '192.168.3.0/24'
        list allowed_ips 'fd45:32c7:299b::/48'
        option route_allowed_ips '1'
        option persistent_keepalive '0'
        option endpoint_host '192.168.1.147'
        option endpoint_port '51820'

Site B OpenWrt /etc/network:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd45:32c7:299b::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

config interface 'wg_s2s_b'
        option proto 'wireguard'
        option private_key 'mCHdRy/rWmdhHZiyZBeUAcEJbIjmLJBRnCbJrHMzj0I='
        option listen_port '51820'

config wireguard_wg_s2s_b 's2s_vpn_site_a'
        option public_key '4dMkDg14UCOPxAqBvRSl6Zsy2hx6zg10RrqYQHLeQSM='
        option preshared_key 'BAn/3VEJrQ5gbvkg5//ytJ8s22BFOVHwgWt08tHS70o='
        option description 'Site A, 192.168.1.175'
        list allowed_ips '192.168.2.0/24'
        list allowed_ips 'fd4d:53dc:93bd::/48'
        option route_allowed_ips '1'
        option persistent_keepalive '0'
        option endpoint_host '192.168.1.175'
        option endpoint_port '51820'

Why do you have a WG site-to-site setup when the routers exist on the same 192.168.1.0/24 network? You can do this much more easily with static routes and firewall rules.

I plan to set up site-to-site Wireguard in production later. The two OpenWrt routers in production are in different locations and have different public IPs (not fixed, so I use DuckDNS).

The GNS3 topology is a bit simplified (it might be incorrect too, I am not sure). I just want to test the script in a sandbox environment before actually running them in production.

Anyway, what I am looking for is the best approach to allow a third device to access devices in an existing site-to-site Wireguard configuration. If my GNS3 setup is wrong, please ignore it.

What are the real configs on the two devices that you will be using? Give us /etc/config/network and /etc/config/firewall from both (redacting any private info such as keys).

I don't have access to the production OpenWrt devices right now. I will post the configs here after I run the site-to-site Wireguard setup scripts on them later.

Typically, one side will be the 'server' -- listening for inbound connections. The other side of a site-to-site typically then initiates the connection (acting as a 'client'). While this is not absolutely required since Wireguard just has peers (rather than server/client), it is usually the easiest method for setup, and then the third peer would just initiate the connection to the one that is listening for inbound connections... fairly simple.

Your current config seems to have a somewhat unusual topology given the description above. Is there a reason you have chosen to implement it this way? And, is it working??

A peer that does not have a LAN behind it needs an extra IP as well as its conventional LAN. This is called the tunnel IP and will be used to originate packets to be routed into the VPN tunnel. The tunnel IP is applied to the Wireguard interface directly.

Such a peer is often called a "road warrior" after the common use case that the peer is a laptop used by an employee working at a location away from the site.

It works best to also configure tunnel IPs at each site as well. These aren't strictly necessary for operation but do help with getting all the necessary routes in place automatically and are useful for testing by pinging tunnel IPs directly.

The Wireguard interfaces should have tunnel IPs defined with a /24 that is not used anywhere else in the system, e.g.
Site A: 192.168.9.2/24
Site B: 192.168.9.3/24
Road warrior 1: 192.168.9.10/24

This numbering scheme matches the LAN IPs to make it easier to remember. That is of course completely optional.

Next decide which site the road warrior will connect to, and add it as a peer at that site. For the rest of this discussion I'm assuming this road warrior and any others that you may add later will be connecting to site A.

The allowed_ips at a router site for each road warrior are only its tunnel IP /32. All traffic in the tunnel from the road warrior will have that IP as its source IP. At the road warrior it is conventional to set allowed_ips to 0.0.0.0 so that all Internet usage will be tunneled back to the site. The all zero allowed IP also of course allows both LANs. You can also allow only the LANs, in which case the road warrior will use its local ISP for Internet usage.

At a site (B) which does not directly accept connections from road warriors but may receive traffic from them indirectly via the other site, the site A allowed_ip needs to include the tunnel IP(s) that are going to come in. Conventionally use the whole /24.

Now let's say that the Ubuntu road warrior (which is connected to site A) wishes to establish a ssh connection via the VPN to a site B PC. A packet [from 192.168.9.10 to 192.168.3.5] will be encrypted then dispatched onto the 192.168.1 LAN (later, the Internet) to be received by site A. Site A decrypts the packet and examines the destination IP, realizes that it is for a machine at site B, so it is encrypted again (with a different key) then sent into the A-B tunnel so the B router can route it to the destination machine.


Hi, I just ran the automated script in the production routers.
With these configs:

  1. Devices in site A can access devices in site B, and vice versa. However,
  2. Devices in site A CANNOT access the OpenWrt router in site B, and vice versa (pinging 10.0.0.2 and 192.168.1.1 with devices in site A, both got Destination Port Unreachable)

Here are my configs:

Site A /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fde4:f62f:d720::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'

config device
        option name 'lan1'
        option macaddr '94:83:c4:a2:f2:30'

config device
        option name 'lan2'
        option macaddr '94:83:c4:a2:f2:30'

config device
        option name 'lan3'
        option macaddr '94:83:c4:a2:f2:30'

config device
        option name 'lan4'
        option macaddr '94:83:c4:a2:f2:30'

config device
        option name 'lan5'
        option macaddr '94:83:c4:a2:f2:30'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.0.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '<REDACTED>'
        list dns '1.1.1.1'

config device
        option name 'eth1'
        option macaddr '94:83:c4:a2:f2:2e'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

config interface 'wg_s2s_site_a'
        option proto 'wireguard'
        option private_key '<REDACTED>'
        option listen_port '51820'
        list addresses '10.0.0.1/24'

config wireguard_wg_s2s_site_a 's2s_vpn_site_b'
        option public_key '<REDACTED>'
        option preshared_key '<REDACTED>'
        option description '<REDACTED>'
        option route_allowed_ips '1'
        option endpoint_host '<REDACTED>'
        option endpoint_port '51820'
        list allowed_ips '192.168.1.0/24'
        list allowed_ips 'fdc9:68ab:67bb::/48'
        list allowed_ips '10.0.0.2/32'

Site A /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'tailscale'
        list proto 'udp'
        option src 'wan'
        option src_dport '41641'
        option dest_ip '<REDACTED>'
        option dest_port '41641'

config zone
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'wg_s2s_site_a'

config rule 'wg_s2s_51820'
        option name 'Allow-WireGuard-51820'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

config forwarding
        option src 'vpn'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'vpn'

Site B /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdb2:49a9:b118::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'wg_s2s_site_b'
        option proto 'wireguard'
        option private_key '<REDACTED>'
        option listen_port '51820'
        list addresses '10.0.0.2/24'

config wireguard_wg_s2s_site_b 's2s_vpn_site_a'
        option public_key '<REDACTED>'
        option preshared_key '<REDACTED>'
        option description '<REDACTED>'
        option route_allowed_ips '1'
        option persistent_keepalive '0'
        option endpoint_host '<REDACTED>'
        option endpoint_port '51820'
        list allowed_ips '192.168.0.0/24'
        list allowed_ips 'fde4:f62f:d720::/48'
        list allowed_ips '10.0.0.1/32'

Site B /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'wg_s2s_site_b'

config rule 'wg_s2s_51820'
        option name 'Allow-WireGuard-51820'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

config forwarding
        option src 'vpn'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'vpn'

Thanks for the explanation. Indeed the 3rd peer Ubuntu device is a road warrior (in production it would be my mobile phone).

Though I have failed to set the 3rd peer correctly and had to reset the router because I messed up.

Here is what I did:

  1. Ran the automated scripts on the production routers (configs in #8)
  2. Created a new peer (my_mobile_phone) in the existing site A OpenWrt Wireguard interface (wg_s2s_site_a):
     • Generated a pair of keys
     • In Allowed IPs, added 192.168.0.1/24 and 192.168.1.1/24
     • Checked Route Allowed IPs
  3. Clicked Save and Apply, then restarted the Wireguard interface
  4. Could not access the OpenWrt device (via 192.168.0.1) and had to reset it

Not sure which step is wrong; any help would be much appreciated.

That's expected when you have:

Change input to ACCEPT


That is because input is set to reject on the vpn zone. You'd need to add an allow ping rule or generally accept input. If you want to use ssh to the router through the tunnel you'd need to add an allow ssh rule, or generally accept input. The input policy is for services within the router. It doesn't affect forwarding to other networks.

I thought that you had site to site already sorted out working and wanted to add a road warrior.


Thanks to both krazeh and mk24, changing the input to accept solved the connectivity problem.

Please see #9, I do want to create a road warrior setup (and failed), and would appreciate any guidance.

Sorry for my bad English if I caused confusion :joy:

There isn't an automated script for your use case, so you're going to have to understand the various settings that need to be made and then enter them manually.

The thing about Wireguard that is the most trouble for beginners is the concept of allowed_ips. Whenever configuring a peer, realize that allowed_ips are not the local IPs, but those of remote machines that are going to be seen coming through that particular tunnel. At the server for a road warrior, the only source IP that is ever going to come from the road warrior is its single tunnel IP. Meanwhile at the road warrior, in its usual use case it uses the tunnel for access to the Internet, so the allowed_ips that may come back to it are from anywhere on the Internet, so the proper setting there is 0.0.0.0/0.

If you enter local IPs as allowed_ips instead of remote ones, the network will break. If you configure multiple peers on one Wireguard interface and their allowed_ip sets overlap, the network will break.

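The two explanations from mk24 above (tunnel IPs and the road-warrior-to-site-B packet walk, and the rule that allowed_ips are always remote prefixes) can be checked against a small model of WireGuard's cryptokey routing table. This is an added example, not code from the thread or from the OpenWrt scripts; it uses the tunnel net 192.168.9.0/24 and the LANs 192.168.2.0/24 (site A) and 192.168.3.0/24 (site B) proposed above, and it models only the per-peer allowed_ips lookup, not the kernel routes that route_allowed_ips installs.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple


class WgInterface:
    """One WireGuard interface with each peer's allowed_ips list (constructed model)."""

    def __init__(self, name: str, peers: Dict[str, List[str]]):
        self.name = name
        self.peers = {p: [ipaddress.ip_network(c) for c in cidrs]
                      for p, cidrs in peers.items()}

    def select_peer(self, dst: str) -> Optional[str]:
        """Outbound: longest-prefix match of dst over every peer's allowed_ips.
        None means the packet does not enter this tunnel at all."""
        addr = ipaddress.ip_address(dst)
        best: Tuple[int, Optional[str]] = (-1, None)
        for peer, nets in self.peers.items():
            for net in nets:
                if addr in net and net.prefixlen > best[0]:
                    best = (net.prefixlen, peer)
        return best[1]

    def accept_inbound(self, peer: str, src: str) -> bool:
        """Inbound: after decryption the inner source IP must lie inside the
        sending peer's allowed_ips, otherwise WireGuard drops it silently."""
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.peers[peer])

    def overlapping_peers(self) -> List[Tuple[str, str]]:
        """Peer pairs whose allowed_ips overlap: a prefix belongs to one peer
        only, so the entry configured later silently takes it from the other."""
        names = list(self.peers)
        return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
                if any(x.overlaps(y) for x in self.peers[a] for y in self.peers[b])]


# Working layout from the discussion: the road warrior (192.168.9.10) attaches
# to site A only; site B accepts it through the whole tunnel /24 on its site A entry.
SITE_A = WgInterface("wg_s2s_a", {
    "site_b": ["192.168.3.0/24", "192.168.9.3/32"],
    "road_warrior": ["192.168.9.10/32"],     # only its tunnel IP, as a /32
})
SITE_B = WgInterface("wg_s2s_b", {
    "site_a": ["192.168.2.0/24", "192.168.9.0/24"],
})
ROAD_WARRIOR = WgInterface("wg0", {"site_a": ["0.0.0.0/0"]})  # everything via site A

# The poster's first attempt: site A's own LAN entered as the road warrior's allowed_ips.
BROKEN_A = WgInterface("wg_s2s_a", {
    "site_b": ["192.168.3.0/24", "192.168.9.3/32"],
    "road_warrior": ["192.168.2.0/24"],      # local prefix, not a remote one
})


def trace_from_road_warrior(dst: str, site_a: WgInterface = SITE_A,
                            site_b: WgInterface = SITE_B) -> List[str]:
    """Walk a packet 192.168.9.10 -> dst hop by hop, as in mk24's ssh example.
    Returns the hops reached, ending in 'dropped' if an allowed_ips check fails."""
    src = "192.168.9.10"
    if ROAD_WARRIOR.select_peer(dst) != "site_a":
        return ["not tunneled"]
    hops = ["site_a"]
    if not site_a.accept_inbound("road_warrior", src):
        return hops + ["dropped"]            # source not in the peer's allowed_ips
    nxt = site_a.select_peer(dst)
    if nxt is None:                          # site A LAN or Internet: routed locally
        return hops + ["delivered locally by site A"]
    if nxt != "site_b":
        return hops + [f"misrouted to {nxt}"]
    hops.append("site_b")                    # re-encrypted with site B's key
    if not site_b.accept_inbound("site_a", src):
        return hops + ["dropped"]            # site B lacks the tunnel /24
    return hops + ["delivered by site B"]
```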

Thanks, I will have to digest this. Will do more experiments in GNS3 later...

I just successfully set up the road warrior peer. Indeed the allowed_ips should be remote IPs (I think this was what I messed up in the beginning). Thanks for all the help!

Note: I added the phone peer to the Wireguard interface on both sites.
