Question on site to site link with WireGuard VPN

lBefore I invest a lot of time on this, can someone just give me some reassurance that this will work?

I am responsible for two networks, separated by about 2 hours travel time. Each network is served by its own OpenWRT router that provides Internet, DHCP and DNS for it's own network. One of the networks is unfortunately "hidden" behind a CGNAT, but the other has a static IPv4 public address.

I want to link those networks together using a site to site VPN link using WireGuard, and make all the devices in each network visible to all the devices in the other network, including by FQDN. Internet traffic should exit each network via their own router.

Is this actually possible, or will I run into problems with the traffic attempting to flow from the network with the static public IPv4 address to the network behind CGNAT?

Absolutely possible. Since one side has a static public IP, it will serve as a 'server' while the one that is behind CG-NAT will be the one to make establish the connection as a 'client.' You'll just set the routes and firewall rules accordingly, and it should work pretty easily.

There are two other important things:

  1. you'll need to setup dns, so if you're using FQDNs with different domains on each side, that's pretty easy
  • For example, and or and
    • then the hosts would be or
  1. your two networks must be on different subnets. If the subnets overlap, it will not work.

Thanks for that confirmation; it's how I'd interpreted the documentation, but it's good to have a solid answer, as I suspect we've all been burned by misinterpreting documentation at some point :slight_smile:

I've got two different subnets and, mapped to special use domain names ( site1.lan and site2.lan ). The static public IP address associated with the WAN of site1 has a publicly visible domain name, and working reverse DNS.

Slight wrinkles that may be problematic are:

  1. site1 currently has IPv6 supplied by a HE 6in4 tunnel, whereas site2 is IPv4 only. I'm not quite sure if this will prevent me simply cross-delegating DNS between the two sites, but I guess I will find out soon :joy:
  2. Each site has an associated subnet that contains (only) the WAN modem for that site, and unfortunately I cannot change (reconfigure) those modems to use any other IP address. Initially I'm hoping to just make those unrouteable / DNS-unresolveable across the VPN. Longer term I'd like to be able to access the web interface of the site2 modem from site1, and wondering if I can do something with a proxy server on the site2 router to enable that. :question:

I'll see how I get on, and no doubt report back! Thanks again for the help.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.