Can a single Wireguard cover an entire local network?

No.

What's the full current config on your phone?

At the moment it is this one:

That doesn't appear to have an endpoint defined for the peer.

Ok, I thought that I had to delete it from both sides, the phone and site B.

Why? How would you expect it to connect if neither side has any details about the address of the other end? There's nothing in @mk24's post which suggests removing the endpoint from the config on the phone. It makes troubleshooting complicated when you just seem to be guessing about what changes to make and then come back to simply say it doesn't work.

But now we have the endpoint back in place, has there been a handshake?

Again, the language... I'm so sorry for that...

Nope, I suppose there would be a handshake for each peer:

I have rebooted both A and B, even the phone, and the result was this:

The wg output on site A seems to show the endpoint for site B has the port '1090'. Is that something you have set somewhere?

No, I didn't change anything:

Hmm, ok then. If the endpoint address for site B is exactly the same in the peer configs at site A and on phone, but only one is handshaking then that'd point to an error with keys. Double check the keys on the phone and the phone peer at site B are correct.

Hmm, yes, I have checked them manually and, just in case, I have generated a new pair and set them up by QR; I don't think a QR code could have errors (I have checked the new key pair too). After that, I am still getting "Destination Net Unreachable".

I don't know, but could it be some firewall issue?

Preshared key needs to be left blank. Preshared keys are an optional extra layer of security and they should not be used during this initial setup.

The firewall on B does not need to be changed to add a phone peer. The phone uses the same Internet port as the connection from A.

As others said, you must make the phone initiate the connection to B by configuring its peer section with B's public IP (or DDNS name) and port. B will not know how to send packets to the phone unless the phone has reached it first.

Although WireGuard nodes are not clients and servers, they can have two different roles in establishing the outer tunnel connection. These aren't official names, but I call them Initiator and Responder.

An Initiator:

  • may be behind NAT
  • makes an outgoing connection, so default firewall rules are sufficient
  • must be configured with endpoint_host and port
  • typically does not specify a listen_port (operating port will be chosen randomly by its OS)

A Responder:

  • must have listen_port set to a known number that the Initiators will use
  • must have a public reachable IP, with NAT disabled or listen_port forwarded.
  • must have incoming UDP connections to the listen_port allowed through its firewall
  • typically does not specify endpoint_host in the peer section

On that last point, in a site to site configuration where both sites meet the conditions to be Responders, they can optionally be configured as a dual role by setting endpoint_host to act as both potential Responders, and also both Initiators to the other site. This is only practical for site to site. Road warriors should always be Initiators.

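The Initiator/Responder rules above boil down to two checks that `wg show` answers directly: does this interface listen on a known port, and has each peer actually handshaked (the thread's "only one is handshaking" symptom). The script below is an added example, not code from the thread or from OpenWrt; it parses the machine-readable `wg show <iface> dump` format from wg(8) and classifies each peer. The sample dump, its keys and the 203.0.113.10 endpoint are constructed to resemble site B after the phone was added but before it could reach B.

```shell
#!/bin/sh
# Added example (not from the thread): classify the peers of a WireGuard
# interface from `wg show <iface> dump` output. On the router, run:
#   wg show wg_s2s_b dump | wg_peer_report "$(date +%s)" 180
# Dump format (wg(8)), tab-separated. First line:
#   private_key public_key listen_port fwmark
# Every following line is one peer:
#   public_key preshared_key endpoint allowed_ips latest_handshake rx tx keepalive
# latest_handshake is UNIX seconds; 0 means the peer has never handshaked.

# Constructed sample standing in for site B: site A has handshaked, the
# phone peer has not and has no endpoint (B is waiting for it to initiate).
# Keys and the 203.0.113.10 endpoint are made up.
wg_dump_sample() {
    printf '%s\t%s\t%s\t%s\n' 'PRIVATE_KEY_REDACTED' 'SITE_B_PUB_KEY' 51820 off
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        'SITE_A_PUB_KEY' '(none)' '203.0.113.10:51820' \
        '192.168.2.0/24,192.168.9.2/32' 1700000100 3051520 1814528 25
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        'PHONE_PUB_KEY' '(none)' '(none)' '192.168.9.3/32' 0 0 0 off
}

# wg_peer_report NOW [MAX_AGE]   (dump on stdin)
# One line for the interface, one per peer. A peer is OK when its last
# handshake is younger than MAX_AGE seconds (default 180: with a 25 s
# keepalive and a 2 min rekey, anything older means no traffic is flowing).
wg_peer_report() {
    awk -F'\t' -v now="$1" -v max_age="${2:-180}" '
    NR == 1 {
        print "interface: listening on udp/" $3 \
              " (if this side is the Responder, wan must ACCEPT udp/" $3 ")"
        next
    }
    {
        if ($5 == 0)                 state = "NEVER handshaked"
        else if (now - $5 > max_age) state = "STALE (" now - $5 "s ago)"
        else                         state = "OK (" now - $5 "s ago)"
        if ($3 == "(none)")
            role = "waits for peer to initiate (peer config must carry OUR endpoint)"
        else
            role = "initiates to " $3
        print "peer " $1 ": " state "; " role
    }'
}

# wg_count_failing NOW [MAX_AGE]   (dump on stdin) -> number of peers not OK
wg_count_failing() {
    wg_peer_report "$1" "$2" | grep -c -E '^peer .*: (NEVER|STALE)' || true
}

# Stand-alone run against the constructed sample.
wg_dump_sample | wg_peer_report 1700000200 180
```

A peer reported as "NEVER handshaked; waits for peer to initiate" is exactly the phone case in this thread: B cannot start the exchange, so the phone's own config must carry B's public address and port, and B's listen port must be reachable from the Internet. A peer that has an endpoint but still never handshakes points at keys (or at the endpoint not really reaching this host), which is the next thing the thread checks.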

The theory is satisfied then. I'm going to repost all the configuration of A and B (firewall and network) and the phone, to see if those of us here see something wrong. I will leave part of the keys visible to show that there is no error and that they are correct in each place:

  • A cat /etc/config/network
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd75:07f1:eeb7::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '8.8.8.8'
        list dns '8.8.4.4'

config interface 'wan'
        option device 'eth1.20'
        option proto 'pppoe'
        option username 'redacted@digi'
        option password 'redacted'
        option ipv6 'auto'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

config device
        option type '8021q'
        option ifname 'eth1'
        option vid '20'
        option name 'eth1.20'
        option mtu '1500'

config interface 'wg_s2s_a'
        option proto 'wireguard'
        option private_key 'CGc********FI='
        option listen_port '51820'
        list addresses '192.168.9.2/24'

config wireguard_wg_s2s_a 's2s_vpn_site_b'
        option public_key 'SlF********xg='
        option preshared_key 'il3********MY='
        option description 'Site B, **********0.ddns.net'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        option endpoint_host '**********0.ddns.net'
        option endpoint_port '51820'
        list allowed_ips '192.168.1.0/24'
        list allowed_ips 'fdee:eeee:eeee::/48'
        list allowed_ips '192.168.9.1/32'
        list allowed_ips '192.168.9.3/32'

root@OpenWrt:~#

  • B cat /etc/config/network
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdcc:295e:3aab::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.7'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.1.1'
        list dns '192.168.1.1'
        list dns '8.8.8.8'
        list dns '8.8.4.4'

config interface 'wg_s2s_b'
        option proto 'wireguard'
        option private_key 'EKq********3s='
        option listen_port '51820'
        list addresses '192.168.9.1/24'

config wireguard_wg_s2s_b 's2s_vpn_site_a'
        option public_key 'sbr********B0='
        option preshared_key 'il3********MY='
        option description 'Site A, ********v.ddns.net'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        option endpoint_host '********v.ddns.net'
        option endpoint_port '51820'
        list allowed_ips '192.168.2.0/24'
        list allowed_ips 'fdff:ffff:ffff::/48'
        list allowed_ips '192.168.9.2/32'

config device
        option name 'wg_s2s_b'
        option ipv6 '0'

# Note: a 'private_key' option in a peer section is not a tunnel setting;
# it appears to be the phone's private key as stored by LuCI for rendering
# the QR code. The router does not need it, and anyone who can read this
# file could impersonate the phone, so remove it once the phone is provisioned.
config wireguard_wg_s2s_b
        option description 'iPhone'
        option public_key 'xBD********X0='
        option private_key '2Az********XA='
        list allowed_ips '192.168.9.3/32'
        option route_allowed_ips '1'

root@OpenWrt:~#

  • A cat /etc/config/firewall
root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wg_s2s_a'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'
        option masq '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule 'wg_s2s_51820'
        option name 'Allow-WireGuard-51820'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

root@OpenWrt:~#

  • B cat /etc/config/firewall
root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wg_s2s_b'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        # The two entries below ('.' and '') are stray network references that
        # match no interface; they should be removed from the wan zone.
        list network '.'
        list network ''
        option masq '1'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule 'wg_s2s_51820'
        option name 'Allow-WireGuard-51820'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'wan'

root@OpenWrt:~#

  • Phone config.

Note: I'm on cellular data with the VPN active.

Are you 100% sure site B has a public IP? And the isp router is forwarding port 51820 to the wireguard host?


That! That was the problem, OMG. The only thing is that the phone can't access the Internet with the VPN on...

root@OpenWrt:~# wg
interface: wg_s2s_b
  public key: redacted=
  private key: (hidden)
  listening port: 51820

peer: redacted=
  preshared key: (hidden)
  endpoint: redacted:51820
  allowed ips: 192.168.2.0/24, fdff:ffff:ffff::/48, 192.168.9.2/32
  latest handshake: 49 seconds ago      <----------
  transfer: 2.91 MiB received, 1.73 MiB sent
  persistent keepalive: every 25 seconds

peer: redacted=
  endpoint: redacted:39563
  allowed ips: 192.168.9.3/32
  latest handshake: 1 minute, 55 seconds ago       <------------
  transfer: 42.52 KiB received, 22.57 KiB sent
root@OpenWrt:~#

Thank you so much for supporting me on this, I have learned so much. And thank you also for putting up with the actions I did without warning that made you go crazy.

Hugs

Can it ping by IP? For example, to 8.8.8.8?

No:


Add another static route to the ISP router. It should be the same as the other WG related static route, except the destination is 192.168.9.1 rather than 192.168.2.1

Leave the existing static route in place.


Perfect, all is working properly now. Thank you.

Well, not properly at all. Doing some tests I have noticed that I can access resources in B from A, but not resources in A from B. I find it strange because ping and traceroute have reached their destination... Any suggestion?

It's probably not a wireguard issue. If it were then it's unlikely pings/traceroutes would work, or you'd be able to access resources in B from site A.

I'd guess it's likely to be an issue with settings on local devices (firewall and/or what networks they'll allow access).
