Yes, you need to define for each peer the allowed IPs and tick the route allowed IPs.
At the home router you need to allow 10.1.1.2/32 and 192.168.1.0/24.
At the office router, 10.1.1.1/32 and 172.16.10.0/24.
I tried that with "route allowed IPs" - after running into issues I decided to use 0.0.0.0/0, ::/0 on both routers for troubleshooting but received the same results.
While I don't think I'm a complete noob at networking it certainly isn't my strongest point. I'm at a loss for why a fairly basic setup wouldn't allow communication via the wireguard vpn.
Any other common gotchas with this sort of setup?
I have the firewall zone for the WG interfaces (on each router) using the "LAN" firewall zone.
You could if you don't have more than one peer and don't use "route allowed IPs" and configure routes another way, statically or using a dynamic routing protocol.
Regarding applying routes, you are only referring to the "route allowed IPs" checkbox, yes? This is the only type of routes I have added thus far - e.g. no static routes have been manually added.
ip -4 addr:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
12: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 172.16.10.1/24 brd 172.16.10.255 scope global br-lan
       valid_lft forever preferred_lft forever
13: eth1.2@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet XX.XX.XX.XX/23 brd XX.XX.XX.255 scope global eth1.2
       valid_lft forever preferred_lft forever
14: WG: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.1.1.1/32 brd 255.255.255.255 scope global WG
       valid_lft forever preferred_lft forever

ip -4 ro:
default via XX.XX.XX.1 dev eth1.2 proto static src XX.XX.XX.XX
XX.XX.XX.0/23 dev eth1.2 proto kernel scope link src XX.XX.XX.XX
172.16.10.0/24 dev br-lan proto kernel scope link src 172.16.10.1

ip -4 ru:
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
This needs to change to something bigger, e.g. 10.1.1.1/24 (or at least /30).
So in config/network under WG interface change
into list addresses '10.1.1.1/24'
Also in config wireguard_WG
in list allowed_ips remove the 0.0.0.0/0 and ::/0, add 10.1.1.2/24 and 192.168.1.0/24. Also tick the route allowed IPs.
Finally, remove this whole redirect:
config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'udp'
	option src_dport '51820'
	option dest_ip '10.1.1.1'
	option dest_port '51820'
	option name 'wg'
You need a rule:
config rule
	option name 'wg'
	option src 'wan'
	option proto 'udp'
	option dest_port '51820'
	option target 'ACCEPT'
	option family 'ipv4'
Make the corresponding changes on both sides and try again.
If it doesn't work, post the same list of things again so we can see what may be wrong.
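For reference, here is what the two routers' UCI configuration looks like once all of the advice in this thread is applied. This is an added example, not config from either poster: the key values are placeholders, the office endpoint hostname is assumed, and the addressing follows the thread (home router 10.1.1.1 with LAN 172.16.10.0/24, office router 10.1.1.2 with LAN 192.168.1.0/24).

```uci
# ---- HOME router: /etc/config/network ----
config interface 'WG'
	option proto 'wireguard'
	option private_key 'HOME_PRIVATE_KEY_PLACEHOLDER'
	option listen_port '51820'
	list addresses '10.1.1.1/24'          # /24, not /32, so the peer's tunnel IP is on-link

config wireguard_WG
	option description 'office'
	option public_key 'OFFICE_PUBLIC_KEY_PLACEHOLDER'
	option endpoint_host 'office.example.net'   # assumed; public IP or DDNS name of the office WAN
	option endpoint_port '51820'
	option persistent_keepalive '25'
	option route_allowed_ips '1'          # installs the routes below into the main table
	list allowed_ips '10.1.1.2/32'        # office tunnel address only, no 0.0.0.0/0 catch-all
	list allowed_ips '192.168.1.0/24'     # office LAN

# ---- HOME router: /etc/config/firewall ----
config rule
	option name 'wg'
	option src 'wan'
	option proto 'udp'
	option dest_port '51820'
	option target 'ACCEPT'                # plain ACCEPT on the router itself, not a DNAT redirect
	option family 'ipv4'

# existing lan zone, with the tunnel added so LAN<->LAN traffic is forwarded
config zone
	option name 'lan'
	list network 'lan'
	list network 'WG'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# ---- OFFICE router: the mirror image ----
# /etc/config/network
config interface 'WG'
	option proto 'wireguard'
	option private_key 'OFFICE_PRIVATE_KEY_PLACEHOLDER'
	option listen_port '51820'
	list addresses '10.1.1.2/24'

config wireguard_WG
	option description 'home'
	option public_key 'HOME_PUBLIC_KEY_PLACEHOLDER'
	option endpoint_host 'home.example.net'     # assumed; public IP or DDNS name of the home WAN
	option endpoint_port '51820'
	option persistent_keepalive '25'
	option route_allowed_ips '1'
	list allowed_ips '10.1.1.1/32'        # home tunnel address
	list allowed_ips '172.16.10.0/24'     # home LAN
# /etc/config/firewall on the office side: the same 'wg' ACCEPT rule and 'WG' in the lan zone
```

After applying, `ip -4 ro` on the home router should list 10.1.1.0/24 via dev WG plus 192.168.1.0/24 dev WG; if those lines are missing, the peer's allowed_ips or route_allowed_ips did not take effect.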