Hi, I have been trying to set up a WireGuard VPN to connect two different sites.
Both sites are using Netgear R7800 routers running the same OpenWRT firmware. Here is a brief overview of the topology:
Site A:
Router = 10.0.0.1
DHCP = 10.0.0.100 -> 10.0.0.254
Site B:
Router = 10.1.0.1
DHCP = 10.1.0.100 -> 10.1.0.254
I have been using this guide (https://www.youtube.com/watch?v=2dH-O0crThk) and have established the handshake. This seems to refresh every couple of minutes.
However, my issue is that I cannot ping the other network or interface from either side, and obviously cannot connect to any devices on either side.
Given that the handshake is successful, I believe my issue is an overall lack of understanding of the "Allowed IPs", the routes and port forwards, and where they are derived from. Below is the configuration for both sites:
Site A - /etc/config/network
config interface 'site_a'
	option proto 'wireguard'
	option private_key '###'
	option listen_port '51820'
	list addresses '10.0.1.1/32'
	list dns '10.0.0.2'

config wireguard_site_a
	option description 'site_b'
	option public_key '###'
	option route_allowed_ips '1'
	option endpoint_host 'public ip of site B'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	list allowed_ips '10.0.1.0/24'
	list allowed_ips '10.1.0.0/24'

Site A - /etc/config/firewall
config rule
	option name 'Allow-Wireguard'
	option src 'wan'
	option dest_port '51820'
	option target 'ACCEPT'
	list proto 'udp'

config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'site_a'

config forwarding
	option src 'lan'
	option dest 'vpn'

config forwarding
	option src 'vpn'
	option dest 'wan'

config redirect
	option dest 'vpn'
	option target 'DNAT'
	option name 'wg'
	list proto 'udp'
	option src 'wan'
	option src_dport '51820'
	option dest_ip '10.0.1.1/32'
	option dest_port '51820'
Site B - /etc/config/network
config interface 'site_b'
	option proto 'wireguard'
	option private_key '###'
	option listen_port '51820'
	list addresses '10.1.1.1/32'

config wireguard_site_b
	option description 'site_a'
	option public_key '###'
	option route_allowed_ips '1'
	option endpoint_host 'public ip of site A'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	list allowed_ips '10.1.1.0/24'
	list allowed_ips '10.0.1.0/32'
Site B - /etc/config/firewall
config rule
	option name 'Allow-Wireguard'
	option src 'wan'
	option dest_port '51820'
	option target 'ACCEPT'
	list proto 'udp'

config zone
	option name 'VPN'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'site_b'

config forwarding
	option src 'lan'
	option dest 'VPN'

config forwarding
	option src 'VPN'
	option dest 'wan'

config redirect
	option dest 'VPN'
	option target 'DNAT'
	list proto 'udp'
	option src 'wan'
	option src_dport '51820'
	option dest_ip '10.1.1.1/32'
	option name 'wg'

Any help would be massively appreciated, hopefully this information above is enough to work out what might be wrong, but I am 100% happy to help or get any more info that might be needed.
Thanks in advance,
Pedro
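The following is an added example, not part of Pedro's post and not OpenWrt or WireGuard code. It models WireGuard's cryptokey routing, which is what AllowedIPs actually configures: on the way out, a packet's destination address is matched (longest prefix) against every peer's AllowedIPs to choose the peer, and with route_allowed_ips '1' OpenWrt also installs kernel routes for those prefixes; on the way in, the decrypted packet's source address must resolve to the peer it arrived from, or WireGuard silently drops it. The tables named "as posted" are the allowed_ips lists from the two network configs above; the "symmetric" tables are a constructed contrast case (an assumption, not a claim about what the poster should run) in which each side lists the peer's tunnel address and the LAN behind it. The model covers only cryptokey routing; the firewall zone forwardings in the posted /etc/config/firewall files are a separate layer it does not touch.

```python
import ipaddress

# Cryptokey-routing tables built from the allowed_ips lists in the post.
# This is a constructed model of how WireGuard consults AllowedIPs,
# not a WireGuard or OpenWrt API. Keys are the peer section names as posted.
SITE_A_PEERS_AS_POSTED = {"site_b": ["10.0.1.0/24", "10.1.0.0/24"]}
SITE_B_PEERS_AS_POSTED = {"site_a": ["10.1.1.0/24", "10.0.1.0/32"]}

# A symmetric variant (assumed for contrast, not from the post): each side
# lists the peer's tunnel address and the LAN behind that peer.
SITE_A_PEERS_SYMMETRIC = {"site_b": ["10.1.1.1/32", "10.1.0.0/24"]}
SITE_B_PEERS_SYMMETRIC = {"site_a": ["10.0.1.1/32", "10.0.0.0/24"]}


class CryptokeyTable:
    """One interface's AllowedIPs table: a list of (prefix, peer) entries."""

    def __init__(self, peers):
        self.entries = [
            (ipaddress.ip_network(prefix, strict=False), peer)
            for peer, prefixes in peers.items()
            for prefix in prefixes
        ]

    def lookup(self, address):
        """Longest-prefix match of an address against every peer's AllowedIPs.
        Returns the owning peer name, or None if no peer claims the address."""
        address = ipaddress.ip_address(address)
        best = None
        for net, peer in self.entries:
            if address in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, peer)
        return best[1] if best else None

    def peer_for_outbound(self, dst):
        """Outbound: the destination chooses the peer (and, with
        route_allowed_ips '1', the kernel route). None means the packet
        never enters the tunnel."""
        return self.lookup(dst)

    def accepts_inbound(self, peer, src):
        """Inbound: after decryption the inner source must resolve to the
        peer that sent it; otherwise WireGuard drops the packet silently."""
        return self.lookup(src) == peer


def trace(src, dst, sender, receiver):
    """Follow one packet from `src` (behind the sender) to `dst` (behind the
    receiver). `sender`/`receiver` are (CryptokeyTable, name under which the
    other site appears as a peer in that table)."""
    send_table, peer_seen_by_sender = sender
    recv_table, peer_seen_by_receiver = receiver
    if send_table.peer_for_outbound(dst) != peer_seen_by_sender:
        return "not sent: no AllowedIPs entry routes %s into the tunnel" % dst
    if not recv_table.accepts_inbound(peer_seen_by_receiver, src):
        return "dropped by receiver: source %s is outside AllowedIPs of peer %s" % (
            src, peer_seen_by_receiver)
    return "delivered"


def run_scenarios(site_a_peers, site_b_peers):
    """LAN-to-LAN and router-to-router checks in both directions.
    Host addresses are constructed from the DHCP ranges and tunnel
    addresses in the post. Returns scenario name -> verdict."""
    a = (CryptokeyTable(site_a_peers), "site_b")
    b = (CryptokeyTable(site_b_peers), "site_a")
    return {
        "A LAN host -> B LAN host": trace("10.0.0.150", "10.1.0.150", a, b),
        "B LAN host -> A LAN host": trace("10.1.0.150", "10.0.0.150", b, a),
        "A router -> B tunnel address": trace("10.0.1.1", "10.1.1.1", a, b),
        "B router -> A tunnel address": trace("10.1.1.1", "10.0.1.1", b, a),
    }


if __name__ == "__main__":
    for label, peers in (("as posted", (SITE_A_PEERS_AS_POSTED, SITE_B_PEERS_AS_POSTED)),
                         ("symmetric", (SITE_A_PEERS_SYMMETRIC, SITE_B_PEERS_SYMMETRIC))):
        print("== %s ==" % label)
        for name, verdict in run_scenarios(*peers).items():
            print("%-30s %s" % (name, verdict))
```

Running it prints a verdict per direction for each table set. With the posted lists, site A does select the peer for a 10.1.0.x destination, but the packet is then refused at site B because 10.0.0.x is outside that side's AllowedIPs for site_a, while in the other direction and for router-to-router traffic no AllowedIPs entry covers the destination at all, so nothing is even sent. The same four scenarios come back "delivered" with the symmetric lists. Note that a handshake says nothing about any of this: the handshake completes on the keys and endpoint alone, and AllowedIPs is consulted only per data packet.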