Connect three networks through a wireguard site2site tunnel

Hi all

I want to connect three networks through a WireGuard site-to-site tunnel.

General

All routers have a static WAN IPv4 address.
Router 1 - 192.168.75.1
LAN1: 192.168.75.0/24 --> with several clients and servers
Router 2 - 192.168.77.1
LAN2: 192.168.77.0/24 --> with several clients and servers
Router 3 - 192.168.47.1
LAN3: 192.168.47.0/24 --> with several clients and servers

All sites should keep using their own local WAN connection for internet access.
Clients/servers at every site should be able to reach the other sites.

VPN0 is for the Wireguard Tunnel as 10.200.100.0/24:
--> Router 1: 10.200.100.1/32
--> Router 2: 10.200.100.2/32
--> Router 3: 10.200.100.3/32

my configuration:
Router 1:

/etc/config/network

# Router 1 is the hub: routers 2 and 3 dial in to it (their endpoint_host is
# 'router1'), so it needs a fixed listen port that is reachable from wan.
# Keys are redacted as '-' in the post; the real private key must exist only
# on this router.
config interface 'vpn0'
        option proto 'wireguard'
        option private_key '-'
        option listen_port '23555'
        # Transfer address of this router inside the tunnel subnet.
        list addresses '10.200.100.1/24'

# Peer = router 2. allowed_ips is WireGuard's cryptokey routing table: a packet
# received from this peer is accepted only if its source address is inside this
# list, and with route_allowed_ips these prefixes are also routed into the
# tunnel. Different peers on one interface must not have overlapping
# allowed_ips.
config wireguard_vpn0
        option description 'Site Office 1'
        option public_key '-'
        # Optional symmetric key mixed into the handshake; use a distinct one per peer.
        option preshared_key '-'
        list allowed_ips '192.168.77.0/24'
        list allowed_ips '10.200.100.2/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

# Peer = router 3, same rules as above: LAN3 and its tunnel address are only
# reachable through this peer.
config wireguard_vpn0
        option description 'Site Office 2'
        option public_key '-'
        option preshared_key '-'
        list allowed_ips '192.168.47.0/24'
        list allowed_ips '10.200.100.3/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

/etc/config/firewall

# Admit WireGuard (UDP) from the internet on the listen port. Required on this
# router because routers 2 and 3 initiate the tunnel towards it.
config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '23555'
	option name 'Allow-Wireguard-Inbound'
	option src 'wan'

# Zone for the tunnel interface. input ACCEPT exposes this router's own
# services (e.g. ssh, LuCI, DNS) to the remote sites, which is only appropriate
# if all sites are trusted. forward ACCEPT permits traffic between interfaces
# of the same zone (vpn0 -> vpn0); on this hub that is what would allow packets
# from one peer to be relayed to the other peer.
config zone
	option name 'vpn0'
	option network 'vpn0'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	list device 'vpn0'
	option output 'ACCEPT'

# Remote sites <-> local LAN, both directions.
config forwarding
	option dest 'lan'
	option src 'vpn0'

config forwarding
	option dest 'vpn0'
	option src 'lan'

Router 2:

/etc/config/network

# Router 2 is a spoke: it initiates the tunnel to router 1 (endpoint_host
# below). Keys are redacted as '-' in the post.
config interface 'vpn0'
        option proto 'wireguard'
        option private_key '-'
        # Only matters if some peer dials in to this router; none does here.
        option listen_port '23555'
	list addresses '10.200.100.2/24'

# Only peer is router 1. allowed_ips covers LAN1 and the two other tunnel
# addresses but NOT LAN3 (192.168.47.0/24): traffic for site 3 is neither
# routed into the tunnel nor accepted from this peer, which matches the
# symptom reported below (site 2 cannot reach site 3).
config wireguard_vpn0
        option description 'Site to Router 1'
        option public_key '-'
	option preshared_key '-'
        list allowed_ips '192.168.75.0/24'
        list allowed_ips '10.200.100.1/32'
        list allowed_ips '10.200.100.3/32'
        option route_allowed_ips '1'
        # Keeps NAT/firewall state open so router 1 can also send first.
        option persistent_keepalive '25'
        # Router 1's public address (name resolved on this router) and port.
        option endpoint_host 'router1'
        option endpoint_port '23555'
/etc/config/firewall

# Opens UDP 23555 from wan. Router 2 dials out to router 1 and no peer dials in
# to it, so this rule appears unnecessary here; dropping it removes an
# internet-exposed listener. Keeping it is low risk, since WireGuard stays
# silent towards unauthenticated senders.
config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '23555'
	option name 'Allow-Wireguard-Inbound'
	option src 'wan'

# Tunnel zone. input ACCEPT lets the remote sites reach services on this
# router itself; forward ACCEPT allows vpn0 -> vpn0 traffic (irrelevant for a
# single-peer spoke).
config zone
	option name 'vpn0'
	option network 'vpn0'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	list device 'vpn0'
	option output 'ACCEPT'

# Remote sites <-> local LAN, both directions.
config forwarding
	option dest 'lan'
	option src 'vpn0'

config forwarding
	option dest 'vpn0'
	option src 'lan'

Router 3:


/etc/config/network

# Router 3 is the second spoke; like router 2 it initiates the tunnel to
# router 1. Keys are redacted as '-' in the post.
config interface 'vpn0'
	option proto 'wireguard'
	option private_key '-'
	# Only matters if some peer dials in to this router; none does here.
	option listen_port '23555'
	list addresses '10.200.100.3/24'

# Only peer is router 1. As on router 2, allowed_ips lists LAN1 and the other
# tunnel addresses but not LAN2 (192.168.77.0/24), so site 2 is unreachable
# from here and packets arriving from it would be dropped.
config wireguard_vpn0
	option description 'Site to Router 1'
	option public_key '-'
	option preshared_key '-'
	list allowed_ips '192.168.75.0/24'
	list allowed_ips '10.200.100.1/32'
	list allowed_ips '10.200.100.2/32'
	option route_allowed_ips '1'
	# Keeps NAT/firewall state open so router 1 can also send first.
	option persistent_keepalive '25'
	# Router 1's public address (name resolved on this router) and port.
	option endpoint_host 'router1'
	option endpoint_port '23555'
/etc/config/firewall

# No 'Allow-Wireguard-Inbound' rule on this router: not needed, because
# router 3 initiates the connection to router 1 and nothing dials in.
# Tunnel zone. input ACCEPT lets the remote sites reach services on this
# router itself; forward ACCEPT allows vpn0 -> vpn0 traffic.
config zone
	option name 'vpn0'
	option network 'vpn0'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	list device 'vpn0'
	option output 'ACCEPT'

# Remote sites <-> local LAN, both directions.
config forwarding
	option dest 'lan'
	option src 'vpn0'

config forwarding
	option dest 'vpn0'
	option src 'lan'

From server network 192.168.75.0 i can reach hosts in 192.168.77.0 and 192.168.47.0 networks.
From the 192.168.77.0 and 192.168.47.0 networks I can reach only 192.168.75.0; I cannot reach 192.168.47.0 from 192.168.77.0.

Thank you for any suggestion

Add the unreachable networks to the peer's allowed_ips on both router 2 and router 3: WireGuard accepts packets from a peer only if their source address lies within that peer's allowed_ips, and route_allowed_ips installs routes only for the listed prefixes, so at the moment neither spoke has a route to the other spoke's LAN.
Also, a separate firewall zone with its forwardings, and the WG transfer subnet, are redundant.
You can simply assign the WG interface to the LAN zone.


On router 1 change your config to:

# Reply's version for router 1 (hub). Compared with the original post, the
# 'list addresses' line and the 10.200.100.x tunnel /32s are dropped (the reply
# treats the WG subnet as redundant); routing of the LAN prefixes should still
# work because route_allowed_ips binds the routes to the device, but the
# router itself then has no tunnel address of its own to ping.
config interface 'vpn0'
        option proto 'wireguard'
        option private_key '-'
        option listen_port '23555'
 
# Peer = router 2: only its own LAN, so the two peers' allowed_ips stay
# disjoint.
config wireguard_vpn0
        option description 'Site Office 1'
        option public_key '-'
        option preshared_key '-'
        list allowed_ips '192.168.77.0/24'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

# Peer = router 3: only its own LAN.
config wireguard_vpn0
        option description 'Site Office 2'
        option public_key '-'
        option preshared_key '-'
        list allowed_ips '192.168.47.0/24'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

On router 2:

# Reply's version for router 2 (spoke); 'list addresses' dropped as on router 1.
config interface 'vpn0'
        option proto 'wireguard'
        option private_key '-'
        option listen_port '23555'

# The fix: LAN3 is added to the router-1 peer. Router 2 now routes site-3
# traffic into the tunnel towards router 1 and accepts packets from this peer
# whose source is in 192.168.47.0/24; router 1 relays them to its router-3
# peer (this needs forward ACCEPT in the zone holding vpn0 on router 1).
config wireguard_vpn0
        option description 'Site to Router 1'
        option public_key '-'
	    option preshared_key '-'
        list allowed_ips '192.168.75.0/24'
        list allowed_ips '192.168.47.0/24'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        option endpoint_host 'router1'
        option endpoint_port '23555'

On router 3:

# Reply's version for router 3 (spoke); 'list addresses' dropped as on router 1.
config interface 'vpn0'
	option proto 'wireguard'
	option private_key '-'
	option listen_port '23555'

# Mirror of the router-2 fix: LAN2 is added to the router-1 peer so that site-2
# traffic is routed into the tunnel and packets sourced from 192.168.77.0/24
# are accepted from this peer.
config wireguard_vpn0
	option description 'Site to Router 1'
	option public_key '-'
	option preshared_key '-'
	list allowed_ips '192.168.75.0/24'
    list allowed_ips '192.168.77.0/24'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	option endpoint_host 'router1'
	option endpoint_port '23555'

I also wouldn't bother putting the VPN in its own zone if you trust all 3 sites. Just add the VPN interface to the existing LAN zone.
