Site to Site Wireguard, help

Hello, I hope everyone is having a great day!

I'm attempting to connect two routers site-to-site using Wireguard. I believe the connection is established, but I am encountering some issues. Below is the network configuration:

Router Site A (with Wireguard and DHCP)
|
Modem (Bridge Mode)
|
Internet
|
Modem (DHCP)
|
Router Site B (with Wireguard, connected to the LAN on the modem)

I am unable to access Site A from Site B. However, pinging from Site A to Site B works fine.
Any suggestions on how to troubleshoot or resolve this issue would be greatly appreciated!

Site A

root@Swordfish_II:~# ubus call system board
hcp
cat /etc/config/firewall
ip route show
ip route show table all
ip rule show
wg show{
        "kernel": "5.15.150",
        "hostname": "Swordfish_II",
        "system": "ARMv8 Processor rev 4",
        "model": "ASUS TUF-AX4200",
        "board_name": "asus,tuf-ax4200",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "mediatek/filogic",
                "description": "OpenWrt 23.05.3 r23809-234f1a2efa"
        }
}
root@Swordfish_II:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config device
        option name 'lan1'
        option macaddr 'hidden'

config device
        option name 'lan2'
        option macaddr 'hidden'

config device
        option name 'lan3'
        option macaddr 'hidden'

config device
        option name 'lan4'
        option macaddr 'hidden'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'eth1'
        option macaddr 'hidden'
        option ipv6 '0'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'
        option auto '0'
        option reqaddress 'try'
        option reqprefix 'auto'

config interface 'ModemVideotron'
        option proto 'static'
        option device '@wan'
        option ipaddr '10.0.0.2'
        option netmask '255.255.255.0'
        option auto '0'

config interface 'iotSpace'
        option proto 'static'
        option ipaddr '192.168.100.1'
        option netmask '255.255.255.0'

config interface 'site_a'
        option proto 'wireguard'
        option private_key 'hidden'
        option listen_port '51820'
        list addresses '10.10.10.1/32'

config wireguard_site_a
        option description 'site_b'
        option public_key 'hidden'
        option route_allowed_ips '1'
        option endpoint_host 'hidden'
        option persistent_keepalive '25'
        list allowed_ips '10.10.10.0/24'
        list allowed_ips '192.168.2.0/24'

root@Swordfish_II:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        list dhcp_option '6,1.0.0.1,1.1.1.1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'iotSpace'
        option interface 'iotSpace'
        option start '100'
        option limit '25'
        option leasetime '12h'
        list dhcp_option ' 6,1.0.0.1,1.1.1.1'

root@Swordfish_II:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        option masq '1'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'IoTZone'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        list network 'iotSpace'

config forwarding
        option src 'lan'
        option dest 'IoTZone'

config rule
        option name 'IoTDNS_DHCP'
        option src 'IoTZone'
        option dest_port '53 67 68'
        option target 'ACCEPT'

config forwarding
        option src 'IoTZone'
        option dest 'wan'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'site_a'

config forwarding
        option src 'lan'
        option dest 'vpn'

config forwarding
        option src 'vpn'
        option dest 'wan'

config redirect
        option dest 'vpn'
        option target 'DNAT'
        option name 'wg'
        list proto 'udp'
        option src 'wan'
        option src_dport '51820'
        option dest_ip '10.10.10.1/32'
        option dest_port '51820'

config forwarding
        option src 'vpn'
        option dest 'lan'


root@Swordfish_II:~# wg show
interface: site_a
  public key: hidden
  private key: (hidden)
  listening port: 51820

peer: hidden
  endpoint: hidden:51820
  allowed ips: 10.10.10.0/24, 192.168.2.0/24
  latest handshake: 2 seconds ago
  transfer: 1.34 GiB received, 27.85 MiB sent
  persistent keepalive: every 25 seconds
root@Swordfish_II:~#

site B

 OpenWrt 23.05.3, r23809-234f1a2efa
 -----------------------------------------------------
root@OpenWrt:~# ubus call system board
{
        "kernel": "5.15.150",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "ASUS TUF-AX4200",
        "board_name": "asus,tuf-ax4200",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "mediatek/filogic",
                "description": "OpenWrt 23.05.3 r23809-234f1a2efa"
        }
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config device
        option name 'lan1'
        option macaddr 'hidden'

config device
        option name 'lan2'
        option macaddr 'hidden'

config device
        option name 'lan3'
        option macaddr 'hidden'

config device
        option name 'lan4'
        option macaddr 'hidden'

config interface 'lan'
        option device 'eth1'
        option proto 'static'
        option ipaddr '192.168.2.2'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.2.1'

config device
        option name 'eth1'
        option macaddr 'hidden'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'
        option disabled '1'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'
        option auto '0'
        option reqaddress 'try'
        option reqprefix 'auto'
        option disabled '1'

config interface 'site_b'
        option proto 'wireguard'
        option private_key 'hidden'
        option listen_port '51820'
        list addresses '10.10.10.2/32'

config wireguard_site_b
        option description 'site_a'
        option public_key 'hidden'
        option route_allowed_ips '1'
        option endpoint_host 'hidden'
        option persistent_keepalive '25'
        list allowed_ips '10.10.10.0/24'
        list allowed_ips '192.168.1.0/24'

root@OpenWrt:~# /etc/config/dhcp
-ash: /etc/config/dhcp: Permission denied
root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        option masq '1'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'site_b'

config forwarding
        option src 'lan'
        option dest 'vpn'

config forwarding
        option src 'vpn'
        option dest 'wan'

config redirect
        option dest 'vpn'
        option target 'DNAT'
        option name 'wg'
        list proto 'udp'
        option src 'wan'
        option src_dport '51820'
        option dest_ip '10.10.10.2/32'
        option dest_port '51820'

config forwarding
        option src 'vpn'
        option dest 'lan'

root@OpenWrt:~# ip rule show
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
root@OpenWrt:~# wg show
interface: site_b
  public key: hidden
  private key: (hidden)
  listening port: 51820

peer: hidden
  endpoint: hidden:51820
  allowed ips: 10.10.10.0/24, 192.168.1.0/24
  latest handshake: 2 minutes ago
  transfer: 28.68 MiB received, 1.34 GiB sent
  persistent keepalive: every 25 seconds

Port forwading modem site B (ON or OFF it does nothing):
https://i.imgur.com/qFkpiBH.png

You have to put in the wireguard interface into the lan firewall zone, or create a new VPN zone and allow traffic from lan to VPN and from VPN to lan.
Also ensure that allowed IP in the wireguard config reflects the network of the other site...

1 Like

Not sure if my suggestion is helpful or a distraction, but my setup was doing something similar with a commercial VPN provider and I ended up doing it again with a family member's setup. The difference for me is that I did not want all networks from site A to use the VPN, only a single interface (totally wireless but would work with a wired as well if I set it up). If this sounds like it is useful to you see: Create a SSID/Interface that will use a commercial VPN

I missed that you have posted the firewall config.
Config forward is wrong. You need config rule like for from lan to wan with accept

You want symmetric routing so do not masquerade in or out of the lans or the tunnel. The only zone with masq set should be wan.

There is a lot of stuff in the configs that is perhaps not breaking anything, but it is wrong, perhaps added in an attempt to fix things. Starting over from a clean default should be considered.

is it alredy donne ?

site B is clean default

Vpn to lan and wan needs action accept on forward.

Same issue, I want to correct my firt post.
On site B the router is connected form WAN port to LAN port of the modem who is the DHCP server

For initial testing, place wg0 in the lan zone, since the default allows intra-zone forwarding, a wg to and from lan forwarding is inherent.

Typically in site to site you would not set up vpn->wan forwarding. Each site continues to use its local ISP for Internet access.

When the VPN terminus is not the main router, you also need to install a route in the main router so that it knows to reach the remote LAN via the lan device (OpenWrt router) that is running Wireguard.

I'm new to this. Can you please give me more detailed instructions on how to do that?

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.