I'm currently working to build a parallel wireguard tunnel to an existing openvpn tunnel.
I have public subnets on both sides, and on each side I have a dd-wrt R7000 with a working OpenVPN tunnel endpoint on it, and an OpenWRT endpoint with the WireGuard software installed on it and a tunnel defined pointing at the other OpenWRT box.
I haven't figured out the configuration yet on routing the private subnets that are behind the devices through Wireguard. Unfortunately, all the config examples out there seem to be remote single endpoint connecting to private subnet.
It did take several years of tweaking OpenVPN on the dd-wrt systems to get it rock-solid and figure out all the quirks, though.
It is a bit off topic so consider starting a new thread about this.
If you can show a network diagram it might help in exactly understanding what you want.
I also have some Broadcom routers running DDWRT with OpenVPN and WireGuard, still going strong
If I can't figure it out and get it working I will. If I do figure it out and get it working eventually, I'll document and post it since there's a lack of information out there on gateway-to-gateway vpn routing using open source, even though it's pretty common in the corporate world to tie sites together.
For the most straightforward way, the instructions for a site-to-site WireGuard VPN are documented in a single and not particularly long sentence:
Put a WireGuard interface in each side's LAN firewall zone, connect them as peers with Allowed IPs set to their respective subnet and Route Allowed IPs turned on.
Which I did already but there's no evidence data is going through the tunnel.
I think I'm basically at the end of what the GUI can do; I need to do further troubleshooting at the command line. I just haven't had the time. And I'm also pretty sure it is some very small configuration item. It always is.
There is a paragraph about site-to-site setup; let us know if you need further assistance.
If you need further assistance then it helps if you share your config. In that case please connect to your OpenWRT device using ssh and copy the output of the following commands and post it here using the "Preformatted text </>" button.
Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
ip route show
wg show
Thanks from the initial look at the PDFs I'm assuming Wireguard is still following the "client/server" model OpenVPN uses instead of a pure peer-to-peer model that IPSec uses, then? In other words one side initiates the tunnel request the other side approves the setup? I'm guessing that's due to the need to use it on links where the client side would have a dynamic IP? That's how I did the initial configure of it. I'll put some time into this this weekend.
No it is really a peer to peer connection but for simplicity and because setup and firewall can be different we often talk about client and server side.
On a site-to-site setup both sides can initiate a connection but it does not have to.
Firewall-wise both sides are set up as a "server".
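An added diagnostic to go with the recipe quoted earlier in the thread (wg interface in the LAN zone, Allowed IPs set to the other side's subnet, Route Allowed IPs on): it is not code from the thread or from OpenWrt. It parses the kind of `/etc/config/network` and `/etc/config/firewall` output requested above for both sites and reports which part of the recipe is missing, which is usually why a tunnel shows as up but carries no LAN traffic. All subnets, hostnames and key strings are constructed placeholders; the `wg0` interface name and the `lan` zone name are assumptions.

```python
# Added diagnostic, not from the thread: audit two OpenWrt UCI configs against
# the site-to-site recipe above. All configs, hosts and keys are constructed.
import ipaddress
import shlex

def parse_uci(text):
    """Minimal UCI parser -> list of {'type','name','opts'}; 'list' keys become lists."""
    sections = []
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)
        if not parts:
            continue
        if parts[0] == "config":
            sections.append({"type": parts[1],
                             "name": parts[2] if len(parts) > 2 else None, "opts": {}})
        elif parts[0] == "option":
            sections[-1]["opts"][parts[1]] = parts[2]
        elif parts[0] == "list":
            sections[-1]["opts"].setdefault(parts[1], []).append(parts[2])
    return sections

def site_info(network_cfg, firewall_cfg, wg="wg0"):
    """Pull out the LAN subnet, the WireGuard peers and the lan-zone membership."""
    net, fw = parse_uci(network_cfg), parse_uci(firewall_cfg)
    lan = next(s["opts"] for s in net if s["type"] == "interface" and s["name"] == "lan")
    zone = next(z["opts"] for z in fw if z["type"] == "zone" and z["opts"].get("name") == "lan")
    return {"lan": ipaddress.ip_network(f"{lan['ipaddr']}/{lan['netmask']}", strict=False),
            "peers": [s["opts"] for s in net if s["type"] == "wireguard_" + wg],
            "in_lan_zone": wg in zone.get("network", [])}

def audit(a_net, a_fw, b_net, b_fw):
    """Return findings; empty means both sides follow the recipe
    (wg0 in lan zone, remote LAN in allowed_ips, route_allowed_ips on)."""
    a, b = site_info(a_net, a_fw), site_info(b_net, b_fw)
    findings = []
    if a["lan"].overlaps(b["lan"]):
        findings.append(f"LAN subnets overlap: {a['lan']} and {b['lan']}")
    for label, me, other in (("A", a, b), ("B", b, a)):
        if not me["in_lan_zone"]:
            findings.append(f"site {label}: wg0 is not in the lan firewall zone")
        if not me["peers"]:
            findings.append(f"site {label}: no peer configured on wg0")
        for peer in me["peers"]:
            allowed = [ipaddress.ip_network(x) for x in peer.get("allowed_ips", [])]
            if not any(other["lan"].subnet_of(n) for n in allowed):
                findings.append(f"site {label}: allowed_ips does not cover remote LAN {other['lan']}")
            if peer.get("route_allowed_ips") != "1":
                findings.append(f"site {label}: route_allowed_ips is off, no route to {other['lan']}")
    return findings

# Constructed site A: LAN 192.168.10.0/24, tunnel address 10.200.0.1/30.
SITE_A_NETWORK = """
config interface 'lan'
    option ipaddr '192.168.10.1'
    option netmask '255.255.255.0'
config interface 'wg0'
    option proto 'wireguard'
    option private_key 'REDACTED_PRIVATE_KEY_A'
    list addresses '10.200.0.1/30'
config wireguard_wg0
    option public_key 'REDACTED_PUBLIC_KEY_B'
    option endpoint_host 'site-b.example.invalid'
    option route_allowed_ips '1'
    list allowed_ips '10.200.0.2/32'
    list allowed_ips '192.168.20.0/24'
"""
SITE_A_FIREWALL = """
config zone
    option name 'lan'
    list network 'lan'
    list network 'wg0'
"""
# Constructed site B with the mistakes that leave a tunnel up but idle: the peer
# lacks the remote LAN and route_allowed_ips, and wg0 is outside the lan zone.
SITE_B_NETWORK_BROKEN = """
config interface 'lan'
    option ipaddr '192.168.20.1'
    option netmask '255.255.255.0'
config interface 'wg0'
    option proto 'wireguard'
    option private_key 'REDACTED_PRIVATE_KEY_B'
    list addresses '10.200.0.2/30'
config wireguard_wg0
    option public_key 'REDACTED_PUBLIC_KEY_A'
    option endpoint_host 'site-a.example.invalid'
    list allowed_ips '10.200.0.1/32'
"""
SITE_B_FIREWALL_BROKEN = """
config zone
    option name 'lan'
    list network 'lan'
"""
# Site B after applying the recipe: add the remote LAN, turn routing on, add wg0 to the zone.
SITE_B_NETWORK_FIXED = SITE_B_NETWORK_BROKEN.replace(
    "list allowed_ips '10.200.0.1/32'",
    "option route_allowed_ips '1'\n    list allowed_ips '10.200.0.1/32'\n"
    "    list allowed_ips '192.168.10.0/24'")
SITE_B_FIREWALL_FIXED = SITE_B_FIREWALL_BROKEN.replace(
    "list network 'lan'", "list network 'lan'\n    list network 'wg0'")
```

Run `audit(SITE_A_NETWORK, SITE_A_FIREWALL, SITE_B_NETWORK_BROKEN, SITE_B_FIREWALL_BROKEN)` and it reports three findings, all on site B; the same call with the `_FIXED` configs returns an empty list. To use it on real routers, paste each side's `cat /etc/config/network` and `cat /etc/config/firewall` output (keys redacted, they are not needed for the check) into the four strings. The check stays entirely on the config side: if it passes and `wg show` still reports no recent handshake or no transfer counters moving, the problem is the endpoint reachability or the keys rather than the routing recipe.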