Help setting up Site-To-Site WireGuard VPN

Hi, I have been trying to set up a WireGuard VPN to connect two different sites.

Both sites are using Netgear R7800 routers running the same OpenWRT firmware. Here is a brief overview of the topology:

Site A:
Router = 10.0.0.1
DHCP = 10.0.0.100 -> 10.0.0.254
Site B:
Router = 10.1.0.1
DHCP = 10.1.0.100 -> 10.1.0.254

I have been using this guide (https://www.youtube.com/watch?v=2dH-O0crThk) and have established the handshake. This seems to refresh every couple of minutes.

However, my issue is that I cannot ping the other network or interface from either side, and obviously cannot connect to any devices either side.

Given that the handshake is successful, I believe my issue is an overall lack of understanding of the "Allowed IPs", the routes and port forwards, and where they are derived from. Below is the configuration for both sites:

Site A - /etc/config/network

config interface 'site_a'
        option proto 'wireguard'
        option private_key '###'
        option listen_port '51820'
        list addresses '10.0.1.1/32'
        list dns '10.0.0.2'

config wireguard_site_a
        option description 'site_b'
        option public_key '###'
        option route_allowed_ips '1'
        option endpoint_host 'public ip of site B'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        list allowed_ips '10.0.1.0/24'
        list allowed_ips '10.1.0.0/24'

Site A - /etc/config/firewall

config rule
        option name 'Allow-Wireguard'
        option src 'wan'
        option dest_port '51820'
        option target 'ACCEPT'
        list proto 'udp'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'site_a'

config forwarding
        option src 'lan'
        option dest 'vpn'

config forwarding
        option src 'vpn'
        option dest 'wan'

config redirect
        option dest 'vpn'
        option target 'DNAT'
        option name 'wg'
        list proto 'udp'
        option src 'wan'
        option src_dport '51820'
        option dest_ip '10.0.1.1/32'
        option dest_port '51820'

Site B - /etc/config/network

config interface 'site_b'
        option proto 'wireguard'
        option private_key '###'
        option listen_port '51820'
        list addresses '10.1.1.1/32'

config wireguard_site_b
        option description 'site_a'
        option public_key '###'
        option route_allowed_ips '1'
        option endpoint_host 'public ip of site A'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        list allowed_ips '10.1.1.0/24'
        list allowed_ips '10.0.1.0/32'

Site B - /etc/config/firewall

config rule
        option name 'Allow-Wireguard'
        option src 'wan'
        option dest_port '51820'
        option target 'ACCEPT'
        list proto 'udp'

config zone
        option name 'VPN'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'site_b'

config forwarding
        option src 'lan'
        option dest 'VPN'

config forwarding
        option src 'VPN'
        option dest 'wan'

config redirect
        option dest 'VPN'
        option target 'DNAT'
        list proto 'udp'
        option src 'wan'
        option src_dport '51820'
        option dest_ip '10.1.1.1/32'
        option name 'wg'

Any help would be massively appreciated; hopefully the information above is enough to work out what might be wrong, but I am 100% happy to help or get any more info that might be needed.

Thanks in advance,
Pedro

Well, your setup is not quite right.

See: https://openwrt.org/docs/guide-user/services/vpn/wireguard/site-to-site

Some basics (most of those you already have right):
WireGuard is a routed protocol; there need to be three different subnets:

  1. The WG subnet
  2. The subnet of site A
  3. The subnet of site B

and they all need to be different.

As the WG address, use a /24 subnet to be sure WG itself is always routed via the tunnel.

As allowed IPs in site A, there should be the address of the WG interface (/32) of site B and the subnet (/24) of Site B.
On site B it is the other way around.

Also do not forget to Enable Route Allowed IPs

Forwarding should be from LAN > VPN and from VPN > LAN.

2 Likes
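The rules in the reply above (three disjoint subnets, a shared /24 for the WG interfaces, and for each peer the other side's WG host as /32 plus the other side's LAN as allowed_ips, with route_allowed_ips on) can be turned into a small checker. The script below is an added example, not code from this thread or from OpenWrt: it takes the addressing copied from the original post, reports which of those rules it breaks and which allowed_ips entries are missing or extra on each side, and then prints the `uci` commands for a corrected layout. The shared WG subnet 10.9.0.0/24 and the host numbers .1/.2 in `FIXED`, and the helper names, are assumptions made for the example.

```python
"""Derive and check WireGuard site-to-site allowed_ips for an OpenWrt pair.

Added example (not from the thread or OpenWrt). It encodes the rules from the
reply: three disjoint subnets (WG, LAN A, LAN B), a /24 WG address on each
side, and for each peer the other side's WG host (/32) plus the other side's
LAN (/24) as allowed_ips, with route_allowed_ips enabled.
"""
import ipaddress

# Addressing copied from the original post (WG addresses and allowed_ips as configured there).
POSTED = {
    "site_a": {"lan": "10.0.0.0/24", "wg_addr": "10.0.1.1/32",
               "allowed_ips": ["10.0.1.0/24", "10.1.0.0/24"]},
    "site_b": {"lan": "10.1.0.0/24", "wg_addr": "10.1.1.1/32",
               "allowed_ips": ["10.1.1.0/24", "10.0.1.0/32"]},
}

# Corrected layout following the reply. The shared WG subnet 10.9.0.0/24 and the
# host numbers .1/.2 are assumptions for this example, not values from the thread.
FIXED = {
    "site_a": {"lan": "10.0.0.0/24", "wg_addr": "10.9.0.1/24"},
    "site_b": {"lan": "10.1.0.0/24", "wg_addr": "10.9.0.2/24"},
}


def peer_of(sites, local):
    """Name of the other site in a two-site dict."""
    (peer,) = [name for name in sites if name != local]
    return peer


def subnet_problems(sites):
    """Return a list of addressing problems (an empty list means the layout is sound)."""
    problems = []
    wg_ifaces = {n: ipaddress.ip_interface(s["wg_addr"]) for n, s in sites.items()}
    for name, iface in wg_ifaces.items():
        if iface.network.prefixlen == 32:
            problems.append(f"{name}: WG address {iface} is a /32; use a /24 so the "
                            "WG subnet itself is routed via the tunnel")
    wg_nets = {iface.network for iface in wg_ifaces.values()}
    if len(wg_nets) != 1:
        problems.append("WG addresses are not in one shared subnet: "
                        + ", ".join(sorted(map(str, wg_nets))))
    # The WG subnet, LAN A and LAN B must not overlap each other.
    labelled = [("wg", net) for net in wg_nets]
    labelled += [(f"{n} lan", ipaddress.ip_network(s["lan"])) for n, s in sites.items()]
    for i, (l1, n1) in enumerate(labelled):
        for l2, n2 in labelled[i + 1:]:
            if n1.overlaps(n2):
                problems.append(f"{l1} {n1} overlaps {l2} {n2}")
    return problems


def expected_allowed_ips(sites, local):
    """allowed_ips that `local` must list for its peer: the peer's WG host as /32, then the peer's LAN."""
    peer = peer_of(sites, local)
    peer_host = ipaddress.ip_interface(sites[peer]["wg_addr"]).ip
    return [f"{peer_host}/32", str(ipaddress.ip_network(sites[peer]["lan"]))]


def diff_allowed_ips(sites, local):
    """Compare the configured allowed_ips of `local` with the expected set; returns (missing, extra)."""
    want = {ipaddress.ip_network(x) for x in expected_allowed_ips(sites, local)}
    have = {ipaddress.ip_network(x, strict=False) for x in sites[local]["allowed_ips"]}
    return [str(n) for n in sorted(want - have)], [str(n) for n in sorted(have - want)]


def uci_commands(sites, local, iface):
    """UCI commands that set the WG address, allowed_ips and route_allowed_ips for `local`."""
    peer_section = f"network.@wireguard_{iface}[0]"
    cmds = [f"uci -q delete network.{iface}.addresses",
            f"uci add_list network.{iface}.addresses='{sites[local]['wg_addr']}'",
            f"uci -q delete {peer_section}.allowed_ips"]
    cmds += [f"uci add_list {peer_section}.allowed_ips='{ip}'"
             for ip in expected_allowed_ips(sites, local)]
    cmds += [f"uci set {peer_section}.route_allowed_ips='1'", "uci commit network"]
    return cmds


if __name__ == "__main__":
    for label, sites in (("posted", POSTED), ("fixed", FIXED)):
        print(f"[{label}] subnet problems:", subnet_problems(sites) or "none")
    for site in POSTED:
        missing, extra = diff_allowed_ips(POSTED, site)
        print(f"[posted] {site}: missing allowed_ips {missing}, extra {extra}")
    for site in FIXED:
        print("\n".join(uci_commands(FIXED, site, site)))
```

Run against the posted addressing it flags the two /32 WG addresses that sit in different subnets, reports that site A lists its own WG subnet instead of site B's WG host, and that site B lists neither site A's WG host nor site A's LAN. The `uci` lines it prints for `FIXED` assume the interface and peer sections are named `site_a`/`site_b` as in the post; the firewall forwardings (LAN > VPN and VPN > LAN) still have to be added separately.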

You can delete this rule as you already have a traffic rule allowing port 51820

The correct rule is

Hi,

I appreciate the information and the script looks really interesting, I wish I had seen this sooner!

Would you recommend I attempt to modify what I already have (struggling to understand exactly what's needed) or start over with the script?

As per your suggestion, I got rid of the "config redirect" rules on both sides, and kept just the config rule.

Thanks

The script should work so it certainly is a good idea to start over, delete everything you have from WG (Network and firewall) and use the script to setup.

Thank you so much for your help!

Wiping all the previous traces of WG, restarting both routers, running the script on A and B, restarting the routers, and adding the LAN -> WAN + VPN, as well as the VPN->LAN rules, has got it working perfectly!

Thank you, you have been great

1 Like