Route subnets through Wireguard VPN correctly

Ahoy friends.
Some time ago i had the same issue, but i am unable to find my old topic, so i have to reopen it.
I got two different locations shown here.

On location A i got my OpenWRT device, set up as Wireguard server, and it works fine. In location B i got a Raspberry Pi 4 device, running Wireguard, and connected as peer to the Wireguard server.
Some special thing to keep attention on, on location B, the Wireguard peer is not the router. It's a client connected to a router.
I want to access the 192.168.165.0/24 subnet in location B, from location A.
Vice versa i want to do the same for 192.168.200.0/24 in location A, from location B.
Unfortunately none of them works, i am only able to establish a connection between server and peer, and they can only ping each other (So Wireguard connection works).
Is there something i am doing wrong? To which firewall zone do i have to assign the wireguard interface? And how can i establish working routing between both networks? (In location B i have also set up a static route to the Raspberry Pi 4 network in order to reach 192.168.200.0/24).

Here i got my Wireguard config, from my Raspberry Pi 4 on location B

[Interface]

Address = 10.0.0.3/24

ListenPort = 51820

PrivateKey = xxxxxxxxxxxxx



[Peer]

PublicKey = xxxxxxxxxxxxx

AllowedIPs = 10.0.0.3/24,192.168.200.0/24

Endpoint = myserver.dyndns.org:51820

And my Wireguard config on my OpenWRT Router, which is the Wireguard server.

config interface wg0
        option proto 'wireguard'
        option listen_port '51820'
        list addresses '10.0.0.1/24'
        option private_key 'xxxxxxxxxxxxxxxxxxxxxxxx'
config wireguard_wg0
        option public_key 'xxxxxxxxxxxxxxxxxxxxxxx'
        option preshared_key 'xxxxxxxxxxxxxxxxxxxxxxx'
        option route_allowed_ips '1'
        option description 'Remote'
        option endpoint_host 'remote.location'
        list allowed_ips '10.0.0.3/32'
        list allowed_ips '192.168.165.0/24'

Thanks in advance, i hope someone could help!!

Remove that.

To the same zone as LAN.

Yep, add routes to 10.0.0.0/24 and 192.168.200.0/24 via the RPi on 192.168.165.1.

1 Like

I'm still experiencing issues, i think it may be related to mwan3, because i perform loadbalancing using 3 WAN connections. Even though, i'll provide your requested command output.
Unfortunately the connection is only being established when i provide the remote endpoint of the client, on server side.

1 Like

It's best to stop MWAN while troubleshooting VPN.

Thanks a lot for your help. Now without mwan3 i am atleast able to ping the 10.0.0.xx/24 address of the peer.
Unfortunately i am still not able to access the 192.168.165.0/24 subnet on the remote site.
From out of the remote side i am able to access the subnets i want on my home network, so that's working fine already.

What's wrong in my config? That's the config on my home network router, showing the config of the remote peer.
So from my home network i would like to access these listed networks under "Allowed IPs".

Unfortunately i am not able to do so.

Or is there something wrong at all in my approach?

Wireguard

Have you set up static routes on the main router (Fritz!)? You should add routes to 10.0.0.0/24 and 192.168.200.0/24 via 192.168.165.150. (An alternative is to use IP masquerade on Raspberry Pi4, if you can't add static routes.)

1 Like

Yeah that's what i did, and it works fine. But the opposite direction does not work at all, according to "tcpdump -iany icmp" nothing reaches the Raspberry Pi 4 from the other site, unless when i ping 10.0.0.3, it's wg interface. But 192.168.165.0/24 is not being routed through the tunnel to the Raspberry Pi 4 at all.
Currently i have to manually create the following route on R1, the OpenWrt router.

ip route add 192.168.165.0/24 via 10.0.0.3 dev Interconnect
This way i can reach at least the Raspberry Pi 4 in it's 192.168.165.0/24 subnet, using it's device ip.
Is there a way to automatically create these routes to the peer?

If the problem persists, establish the VPN connection, collect the diagnostics from both VPN server and client, and post it to pastebin.com redacting the private parts:

uci show network; uci show firewall; \
ip address show; ip route show table all; ip rule show; \
iptables-save; sysctl net 2> /dev/null | grep -e forward; wg show

I have selected the checkbox in my case.

Perhaps: