Can't reach Site B devices via Wireguard VPN

Hello,
I have successfully set up 2 client Wireguard connections following the guide here https://openwrt.org/docs/guide-user/services/vpn/wireguard/server including step 6 for the firewall.
The devices can successfully connect to the network of Site A via the allowed ips 192.168.2.0/24 and I can ping them from devices on the Site A lan.
Now I wanted to establish a site-to-site connection with a fritzbox 7590.
I'm using the same wg0 interface of the two clients and I've added the remote lan address 192.168.188.x as allowed ips. In the config for the fritzbox peer I've set allowed ips to my site A subnet and I've ticked the Route IPs.
Now the connection is established and from Site B I can ping and browse devices on Site A, unfortunately I can't do it the other way around.

To properly understand the setup, we need to see the configs from both sides:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):

Screenshot 2025-10-20 at 8.14.14 PM

Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
root@Flint:~# ubus call system board
{
        "kernel": "6.6.110",
        "hostname": "Flint",
        "system": "ARMv8 Processor rev 4",
        "model": "GL.iNet GL-MT6000",
        "board_name": "glinet,gl-mt6000",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.4",
                "revision": "r28959-29397011cc",
                "target": "mediatek/filogic",
                "description": "OpenWrt 24.10.4 r28959-29397011cc",
                "builddate": "1760891865"
        }
}

root@Flint:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxx::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth1.835'
        option proto 'pppoe'
        option username 'xxx'
        option password 'xxx'
        option ipv6 'auto'
        option peerdns '0'
        list dns '1.1.1.1'
        list dns '1.0.0.1'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option norelease '1'
        option peerdns '0'
        list dns '2606:4700:4700::1111'
        list dns '2606:4700:4700::1001'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'xxx'
        option listen_port '51820'
        list addresses '192.168.2.0/24'
        list addresses '192.168.188.0/24'

config wireguard_wg0
        option public_key 'xxx'
        option private_key 'xxx'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        list allowed_ips '192.168.2.10'

config wireguard_wg0
        option public_key 'xxx'
        option private_key 'xxx'
        list allowed_ips '192.168.2.11'
        option endpoint_port '51820'
        option persistent_keepalive '25'

config wireguard_wg0
        option description 'Site B'
        option public_key 'xxx'
        option private_key 'xxx'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        option route_allowed_ips '1'
        list allowed_ips '192.168.188.1/24'

root@Flint:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config zone
        option name 'WireguardVPN'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list network 'wg0'

config forwarding
        option src 'WireguardVPN'
        option dest 'lan'

config forwarding
        option src 'WireguardVPN'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'WireguardVPN'

config rule
        option src 'wan'
        option name 'WireGuard-incoming'
        list proto 'udp'
        option dest_port '51820'
        option target 'ACCEPT'

I have omitted stock rules from the firewall config.

The addresses here are wrong:

Delete 192.168.188.0/24 and change the other to 192.168.2.1/24

Your peer needs two fixes:

First, you need to add an allowed IP in the 192.168.2.0/24 network... (it needs to be unique and a /32, like below):

        list allowed_ips '192.168.2.2/32'

You also need to edit the other allowed IPs to provide access to the whole remote network. If that network is 192.168.188.0/24, that is what should be there (not 192.168.188.1/24):

        list allowed_ips '192.168.188.0/24'

If you're expecting symmetric routing, turn off masquerading:

What does the other side look like?


Thank you for the feedback, just to clarify:

Why is 192.168.2.0/24 wrong? Is it because the peer shouldn't use 192.168.2.1? I thought this IP subnet was the pool of assignable IPs mainly for the other two clients (that are working fine) and the 192.168.188.0/24 was for the site-to-site.

Does it mean for site-to-site there is no need to specify it? Or does it mean the 192.168.2.0/24 is used as well for the site-to-site?

The /32 wasn't really clear to me, can't I allow a random assignment among the subnet using /24?

Regarding 192.168.188.0/24 or 1/24 in the list of allowed ips, is it to allow the two clients to access the Site B lan devices as well?

This is because it's not a host address -- the 0 address in a /24 network is the subnet/network address (and refers to the entire subnet), but this is not a valid address for a host to use for itself. Thus, putting that address as .1 refers to a specific host address.

You are defining the subnet size by means of the /24, but the address it holds must be a valid host address.

That doesn't belong in the WG interface address.
What is the lan address/subnet on the other side?

We still need information about the other side...

But generally speaking, there are 3 subnets that each need to be unique:

  • LAN at site A
  • WG tunnel (this spans both site A and site B)
  • LAN at site B

The allowed IPs for each peer config relates to the addresses that are accessible via the tunnel.

Each peer will use a /32 on the WG subnet. That's because allowed_ips is defining what is accessible through the tunnel to that peer. With the WG subnet, if you use /24, it may break the routing with the other peers. Therefore, you use just a /32 since it refers to a unique remote peer's address on the tunnel subnet.

If 192.168.188.0/24 is the remote side lan, then you should define it as 192.168.188.0/24 in the allowed IPs.

But we need to see the remote side config.

That doesn't belong in the WG interface address.
What is the lan address/subnet on the other side?

Correct, the fritzbox (Site B) lan has 192.168.188.0/24

But generally speaking, there are 3 subnets that each need to be unique:

  • LAN at site A
  • WG tunnel (this spans both site A and site B)
  • LAN at site B

Does it mean that each Site B device with a local IP in the subnet 192.168.188.0/24 will be assigned a tunnel IP in the subnet 192.168.2.0/24?

Disabling masquerading resolved my issue but I still want to have a proper setup.

No. It means that all hosts on 192.168.188.0/24 will be accessible (unless otherwise firewalled) from 192.168.1.0/24 via the WG tunnel where the remote peer has the address 192.168.2.2.

There is exactly one WG peer address for each site to establish the tunnel, and the rest is routed.


config interface 'wg0'
        option proto 'wireguard'
        option private_key 'xxxxx'
        option listen_port '51820'
        list addresses '192.168.2.1/24'

config wireguard_wg0
        option description 'xxx'
        option public_key 'xxx'
        option private_key 'xxx'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        list allowed_ips '192.168.2.10/32'
        list allowed_ips '192.168.188.0/24'

config wireguard_wg0
        option description 'xxx'
        option public_key 'xxx'
        option private_key 'xxx'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        list allowed_ips '192.168.2.11/32'
        list allowed_ips '192.168.188.0/24'

config wireguard_wg0
        option description 'Site B'
        option public_key 'xxx'
        option private_key 'xxx'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        option route_allowed_ips '1'
        list allowed_ips '192.168.2.12/32'

This is my understanding, but Site B is now completely unreachable. I only get a few bytes


On the Fritz side I simply imported the config that LuCI was giving me, changing the Allowed IPs to the subnet of the LAN of Site A only, so 192.168.1.0/24.
Do I need to add 192.168.2.0/24 as well? That would be needed in case I want Site B to reach the other devices, e.g. 2.10 and 2.11, right?
Not sure what changed it, but with the first config, masquerading off was enough.

What is the address of the Site-B WireGuard interface?

It looks like we've got some mistakes in the peer configs....

Only the peer that is site B should have 192.168.188.0/24 in the allowed IPs. Therefore, remove that from the first two peers, and add it to the 3rd which is labeled site B.

Hopefully that will restore the connection, but we still need site B's config.

You don't actually need /32 tunnel IPs for a site to site to work, but they are useful for pinging the other sites. /32 tunnel IPs (within a /24) are necessary for road warriors since they will originate traffic from their IP.

Each site has the other site's LAN .0/24 as allowed_ip, and with route_allowed_ips, there will be an entry in the site's local routing table to send packets to the remote LAN via the wg tunnel.
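As an added example (not code from the thread, OpenWrt or the FRITZ!Box), here is a small Python check that applies the rules the replies lay out: one host address on wg0 (not the network address), a unique /32 per peer inside the tunnel subnet, and a remote LAN written as its network address and carried by exactly one peer. The sample data mirrors the first config posted in the thread and the local LAN 192.168.1.0/24; the function name and the finding texts are mine.

```python
import ipaddress

# Constructed sample mirroring the first config posted in the thread: wg0
# addresses plus each peer's allowed_ips (keys and other options omitted).
WG0_ADDRESSES = ["192.168.2.0/24", "192.168.188.0/24"]
PEERS = [
    {"description": "client 1", "allowed_ips": ["192.168.2.10"]},
    {"description": "client 2", "allowed_ips": ["192.168.2.11", "192.168.188.0/24"]},
    {"description": "Site B", "allowed_ips": ["192.168.188.1/24"]},
]

def lint_wg(addresses, peers, lan="192.168.1.0/24"):
    """Check a wg0 interface and its peers against the rules given in the
    thread; returns a list of findings (empty when the layout is consistent)."""
    out, lan = [], ipaddress.ip_network(lan)
    ifaces = [ipaddress.ip_interface(a) for a in addresses]
    if len(ifaces) != 1:
        out.append(f"wg0 should carry exactly one tunnel address, found {len(ifaces)}")
    for i in ifaces:
        if i.ip == i.network.network_address:   # e.g. 192.168.2.0/24
            out.append(f"wg0 {i}: network address, use a host such as {i.network[1]}/{i.network.prefixlen}")
    tunnel = ifaces[0].network if ifaces else None
    hosts, routed = {}, {}                       # /32 tunnel IPs and LAN prefixes seen so far
    for n, p in enumerate(peers, 1):
        name, has_host = p.get("description") or f"peer {n}", False
        for a in p["allowed_ips"]:
            i = ipaddress.ip_interface(a)        # bare "192.168.2.10" becomes a /32
            net = i.network
            if i.ip != net.network_address:      # e.g. 192.168.188.1/24
                out.append(f"{name}: {a} has host bits set, write it as {net}")
            if tunnel and net.overlaps(tunnel):
                if net.prefixlen != 32:
                    out.append(f"{name}: {net} would claim the whole tunnel subnet, use a /32")
                    continue
                has_host = True
                if net in hosts:
                    out.append(f"{name}: tunnel address {net} already used by {hosts[net]}")
                hosts[net] = name
            elif net.overlaps(lan):
                out.append(f"{name}: {net} overlaps the local LAN {lan}")
            elif net in routed:
                out.append(f"{name}: {net} is also routed to {routed[net]}; only one peer may carry a remote LAN")
            else:
                routed[net] = name
        if not has_host:
            out.append(f"{name}: no /32 tunnel address inside {tunnel}")
    return out

if __name__ == "__main__":
    for line in lint_wg(WG0_ADDRESSES, PEERS):
        print(line)
```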

I see.
I’ve changed to

config wireguard_wg0
        option description 'xxx'
        option public_key 'xxx'
        option private_key 'xxx'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        list allowed_ips '192.168.2.10/32'

config wireguard_wg0
        option description 'xxx'
        option public_key 'xxx'
        option private_key 'xxx'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        list allowed_ips '192.168.2.11/32'

config wireguard_wg0
        option description 'xxx'
        option public_key 'xxx'
        option private_key 'xxx'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        option route_allowed_ips '1'
        list allowed_ips '192.168.2.12/32'
        list allowed_ips '192.168.188.0/24'

but the Site B simply refuses to connect. I then used

list allowed_ips '192.168.188.1/24'

and it worked. I’m curious on the effect of

list allowed_ips '192.168.2.12/32'

since in the initial config it was not even there, as if it doesn't play a role, although as you said it should be the tunnel IP, which most likely will overlap with the 192.168.188.0/24 subnet and is difficult to catch, especially if there are only a few devices, right?

Here it is simply saying to set the network IPs properly and it uses 1/24

For now, remove this.

I recommend using this, but as @mk24 points out, it's not actually required.

Once you're able to connect to the other side, let's see that config.


config interface 'wg0'
        option proto 'wireguard'
        option private_key 'xxx'
        option listen_port '51820'
        list addresses '192.168.2.1/24'

config wireguard_wg0
        option description 'xxx'
        option public_key 'xxx'
        option private_key 'xxx'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        list allowed_ips '192.168.2.10/32'

config wireguard_wg0
        option description 'xxx'
        option public_key 'xxx'
        option private_key 'xxx'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        list allowed_ips '192.168.2.11/32'

config wireguard_wg0
        option description 'xxx'
        option public_key 'xxx'
        option private_key 'xxx'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        option route_allowed_ips '1'
        list allowed_ips '192.168.188.1/24'

That’s my final working config.
The missing bits would be for Site B to reach the two clients over WireGuard and understanding why from the ssh of the Flint 2 I can’t ping Site B devices, although I can reach them from the devices on its physical LAN.

If you want to figure out the Flint 2 > Site B issue, we need to see the configs from the remote peer, but it generally seems that things are working now.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:

I suspect the config generated by luci had the 192.168.188.1/24 in the [interface] definition.

[Interface]
PrivateKey = xxx
Address = 192.168.188.1/24   ## i will change this to 0/24
ListenPort = 51820
DNS = 192.168.1.1

[Peer]
PublicKey = xxx
# PresharedKey not used
AllowedIPs = 192.168.1.1/24    ## luci ui issue here + other vpn clients ?
Endpoint = xxx:51820
PersistentKeepAlive = 25

I will check it as soon as I can and try to set both the “allowed_ips” and the “Interface Address” value to 192.168.188.0/24.
One thing I’ve noticed is that in the LuCI config generation window the AllowedIPs are always restored (even when saving) to “0.0.0.0/0, ::/0”

Although this is just for the config generation, I was wondering whether it is intended or not.
Should I add 192.168.2.10 and 2.11 to this list as well?

EDIT:

[Interface]
PrivateKey = xxxx
Address = 192.168.188.1/24
ListenPort = 51820
DNS = 192.168.1.1

[Peer]
PublicKey = xxxx
# PresharedKey not used
AllowedIPs = 192.168.1.0/24
Endpoint = xxxx:51820
PersistentKeepAlive = 25

When I add 192.168.188.0/24 to the config, the Fritzbox replies that the remote station (192.168.188.0/24) is in conflict with the local network (192.168.188.1/24).
By default Fritz!OS seems to be using .1/24.

How can I resolve the reachability of the other tunneled devices from Site B?