Site-to-Site VPN

Hello everyone.

I would like to set up a site-to-site VPN from my WRT1900ACS to another WRT1900ACS. For this I've read some of the documentation in the OpenWrt wiki. I'm not sure if this guide fits my needs. In the VPN I want to set up, both sides should be the same. Do I have to do any special configuration for this?
I'd be very grateful if you could take a look at my plan and give me some advice.

IPsec is tricky. I would suggest OpenVPN or Wireguard instead.

You will need to choose one site as the "server". Functionally, once the tunnel is open both sites are equal peers, but for opening the tunnel the client site will make an outgoing request to the server. The server site needs to be reachable on a known public IP, either by buying a static IP from the ISP or by setting up dynamic DNS.

The two LANs should have different IP subnets. Then it is simple to install static routes at each site that point to the other site. OpenVPN can do this automatically.

Test your setup in the same room by connecting both WAN ports to the Internet through a third router.

3 Likes

Use Wireguard.

2 Likes

Thanks. I will take a look at Wireguard as it seems to fit better with its peer-to-peer option.

Update will follow...

If you need fine-tuning of routing by a specific port (needed when you run multiple instances), use TCP OpenVPN. If you don't, use Wireguard.

Hello again. This is the update I've promised.

My friend and I worked over a few days to get the Wireguard connection running. We got off to a great start by establishing a successful VPN connection after the basic configuration steps. We then ran into the problem of not being able to reach each other's VPN router from a client in the LAN. After some testing and troubleshooting we couldn't find a solution and thought it would be best to continue on another day. I then tested some things on my side before our next session and was able to solve the problem by assigning the VPN interface its own firewall zone, also enabling masquerading on it. I could now reach my friend's VPN router. After he changed his settings to match mine we could both reach each other's VPN routers. Now the last problem was that we couldn't get into each other's LAN. We tried everything from static routes to NAT rules. As it turned out in the end, we just had to add the IP subnet of each other's LAN into the "Allowed IPs" section of the Wireguard settings. After that we could reach each other's LAN and everything works now.

Since there is very little documentation about how to configure Wireguard in the LuCI web interface, and we didn't just want to execute random commands that we don't understand, we ran into a lot of problems and had to test and troubleshoot on our own.

If you want to know more about our config, just reply to this message.

You shouldn't need to use masquerading for a site to site VPN. What is your current config?

1 Like

Don't I need some kind of NAT so my LAN clients can get to the LAN of the other site?

No, that is done directly with routes. Each site has a route to the other site using the VPN tunnel endpoint as a gateway. Wireguard will install these routes at startup if properly configured. You can examine the results with the route or ip route show commands.

2 Likes

Not really. Each LAN should be on a different subnet and wireguard will do the routing.

2 Likes

You're right. We just tested it without masquerading and it works.
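The configuration the thread converges on (one site acting as the reachable "server", two distinct LAN subnets, the remote LAN listed under "Allowed IPs" so the route is installed, a dedicated firewall zone with masquerading off) written out in OpenWrt UCI syntax. This is an added example and not a config posted by anyone in the thread. The LAN subnets (192.168.1.0/24 and 192.168.2.0/24), the tunnel network 10.99.0.0/24, the UDP port 51820 and the zone name are constructed for the example; the keys and the dynamic DNS name are placeholders to be replaced with your own.

```uci
# Added example: site-to-site WireGuard between two OpenWrt routers.
# Assumed addressing (constructed for this example, not from the thread):
#   Site A: LAN 192.168.1.0/24, tunnel address 10.99.0.1/24, reachable on a
#           static IP or dynamic DNS name (the "server" site)
#   Site B: LAN 192.168.2.0/24, tunnel address 10.99.0.2/24, behind a dynamic IP
# Keys and the DDNS name are placeholders. Generate real keys on each router:
#   wg genkey | tee private.key | wg pubkey > public.key

# ---------- Site A: /etc/config/network ----------
config interface 'wg0'
	option proto 'wireguard'
	option private_key 'SITE_A_PRIVATE_KEY_PLACEHOLDER'
	option listen_port '51820'
	list addresses '10.99.0.1/24'

config wireguard_wg0
	option description 'Site B'
	option public_key 'SITE_B_PUBLIC_KEY_PLACEHOLDER'
	# No endpoint on the server side: site B initiates, so site A learns B's
	# current address from the handshake.
	# Both B's tunnel address and B's LAN must be listed. Without the LAN entry
	# the tunnel comes up but WireGuard discards packets to/from 192.168.2.0/24,
	# which is the symptom described in the thread.
	list allowed_ips '10.99.0.2/32'
	list allowed_ips '192.168.2.0/24'
	# netifd then installs "192.168.2.0/24 dev wg0" in the routing table.
	option route_allowed_ips '1'

# ---------- Site B: /etc/config/network ----------
config interface 'wg0'
	option proto 'wireguard'
	option private_key 'SITE_B_PRIVATE_KEY_PLACEHOLDER'
	option listen_port '51820'
	list addresses '10.99.0.2/24'

config wireguard_wg0
	option description 'Site A'
	option public_key 'SITE_A_PUBLIC_KEY_PLACEHOLDER'
	# Placeholder DDNS name of the server site.
	option endpoint_host 'site-a.example.invalid'
	option endpoint_port '51820'
	# Keeps the NAT mapping at the dynamic-IP site open so A can reach B
	# even when B's LAN has been idle.
	option persistent_keepalive '25'
	list allowed_ips '10.99.0.1/32'
	list allowed_ips '192.168.1.0/24'
	option route_allowed_ips '1'

# ---------- Both sites: /etc/config/firewall ----------
# A dedicated zone for the tunnel, as in the thread, but with masq '0':
# the routes above carry the traffic, so no NAT is needed and each site
# sees the other's real client addresses.
config zone
	option name 'vpn'
	list network 'wg0'
	# input ACCEPT lets the remote site reach this router itself (LuCI, SSH);
	# tighten to REJECT plus explicit rules if that is not wanted.
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '0'

config forwarding
	option src 'lan'
	option dest 'vpn'

config forwarding
	option src 'vpn'
	option dest 'lan'

# Only needed on site A, the site that accepts the incoming handshake.
config rule
	option name 'Allow-WireGuard-Inbound'
	option src 'wan'
	option proto 'udp'
	option dest_port '51820'
	option target 'ACCEPT'
```

After editing the files, apply them with `/etc/init.d/network restart` and `/etc/init.d/firewall restart`. `wg show` should then report a recent handshake for the peer, and `ip route show` (the check suggested earlier in the thread) should list the remote LAN with `dev wg0`; if that route is missing, the remote LAN is not in `allowed_ips` or `route_allowed_ips` is off. If the two LANs happen to share the same subnet, no combination of AllowedIPs or routes will work; renumber one side first.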

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.