Site to site wireguard

I have 2 sites:
A - Netgear WAX206, OpenWrt (domain .lan)
B - GL.iNet MT-6000, OpenWrt (domain .lan)
I need to access some servers on site A from site B (not so much the other way around).

I have WireGuard set up on both routers, and wg clients on some machines I use on site B to access site A.

One of the use cases for site A is that it runs a storage backup server, so I want to rsync data there periodically.

If I turn on wg on a laptop on site B, I can access servers on site A, but can no longer see servers on site B, which is understandable, but how can I solve it?

I'd start by changing the domain on one of the 2 sites:
site A - domain .lan
site B - domain ???

Is there a way to set up router-to-router WireGuard, and make DNS resolve through WireGuard when using a specific domain?

Any suggestions, I'd appreciate them.

It is perfectly possible.
But why have you set up WireGuard on the routers and on individual LAN clients?

With a proper site-to-site setup between your routers, your LAN clients can reach the other side without a problem.

Note that all involved subnets have to be different.
DNS resolution is also possible if the domain name is different.

I am not at home atm but can talk you through later today or tomorrow.

But probably someone else will come to the rescue earlier.


As @egc explained, there is no reason to use wg on the devices. I have two separate sites, with several networks inside each site, and any device on a site can reach any server on any site.

Start with configuring different network segments and domains on each site. Then configure a router-to-router link using wg. Finally, open the traffic on the firewall, and configure the DNS servers to ask each other for the relevant domains.


Thanks, will accept the guidance.

Thank you, I have some reference now, will google router-to-router wg links.

If you need it, I can guide you step by step, or share my configs.

Tailscale/NetBird/ZeroTier can do the same.

Why would you involve a third party if you can do it yourself?


Yeah, if you can share configs, that would be helpful, so as not to reinvent the wheel; if this has already been done, I might just tweak it.

I am behind a CGNAT at least on one side. So I have been using all three of these for testing, with Tailscale as my main VPN.

If one side has a public wan address you should be good and in no need for tailscale etc.

How to connect if both are behind a CGNAT?
I would love plain WG or even Headscale if possible with both sides behind a CGNAT.

Step 1:
Configure different network segments on each site. For example, site A should only have networks in the 192.168.0.0/17 range (from 192.168.0.0/24 to 192.168.128.0/24) and B should only have networks in the 192.168.129.0/17 range (from 192.168.129.0/24 to 192.168.254.0/24).

Step 2:
Configure different domains on each site. For example, use ".sitea.lan" for site A and ".siteb.lan" for site B.

Step 3:
Configure a site-to-site wireguard tunnel, using a different network segment.
In site A:

config interface 'wg0'
	option proto 'wireguard'
	option private_key '[REDACTED]'
	option listen_port '51820'
	list addresses '172.16.0.1/24'

config wireguard_wg0
	option public_key '[REDACTED]'
	option preshared_key '[REDACTED]'
	option endpoint_host '[SITEB.MYDOMAIN.COM]'
	option endpoint_port '51820'
	list allowed_ips '172.16.0.2/32'
	list allowed_ips '192.168.128.0/17'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

In site B:

config interface 'wg0'
	option proto 'wireguard'
	option private_key '[REDACTED]'
	list addresses '172.16.0.2/24'

config wireguard_wg0
	option public_key '[REDACTED]'
	option preshared_key '[REDACTED]'
	option endpoint_host '[SITEA.MYDOMAIN.COM]'
	option endpoint_port '51820'
	list allowed_ips '172.16.0.0/24'
	list allowed_ips '192.168.0.0/17'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

Step 4:
Create a VPN zone, assign it to the wireguard interface, and configure the required forwards:

config zone
	option name 'vpn'
	option device 'wg0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'vpn'
	option dest '[...]'

Step 5:
Configure the DNS on each site to use the DNS on the other site as an upstream DNS for the remote domain:
In site A:

config dnsmasq
[...]
	option local '/sitea.lan/'
	option domain 'sitea.lan'
	list rebind_domain '/siteb.lan/'
	list server '/siteb.lan/172.16.0.2'
[...]

Hope this helps!

Hey, thanks a lot man, this is really helpful!!

Just a couple of quick questions, then I'll dive in:

  • I don't have that many devices on each site, I guess I can use 192.168.x.0/24 for 255 devices on each site, right?
  • sitea.mydomain.com / siteb.mydomain.com are the public DNS names through which I can access my server via wg, right?

Thanks a lot, I'll take a closer look in the coming days.

Yes to both questions.

One thing I had to do for dnsmasq was to instruct dnsmasq to also listen on non-local IP addresses, but I use site B's router address as DNS server instead of the WG address in this example (list server '/siteb.lan/172.16.0.2'), so it is probably not necessary here as the WG subnet is local.

Disable Local service only (dnsmasq: --local-service):
LuCI DNS-DHCP > Filter > Local service only: untick/disable

option localservice '0'

Otherwise excellent instructions :+1:


Why would you involve a third party if you can do it yourself ?

If the OP ever wants to access devices in Site A and/or Site B from another location then using Tailscale Mesh VPN makes more sense.

Setting up a Site-to-Site VPN and then having to set up a Remote Access VPN to Site A and Site B is clunky. Not to mention more resources on the routers.

You can have a site-to-site setup and also have other peers connected to the same WireGuard instances; it is even possible to connect to one site with another peer and then have access to the other site as well. Not really rocket science, no third party necessary :slight_smile:


There is a difference between Site-to-Site VPN and Remote Access VPN.

I am specifically referring to Remote Access VPN, which is based on a VPN client connecting to a VPN server.

@jbrodriguez would need to set up an additional WireGuard server on Router A and Router B as well as set up a WireGuard client on the remote device.

No, that is not necessary; you can just add some peers to either site A or site B, and when connected they have access to both sides.

Peers can connect to each other :slight_smile:
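Before pushing the Step 1-5 configs to the routers, and to see why the extra peers discussed in the last replies reach both sites only when the site-to-site allowed_ips cover them, it helps to check the addressing plan offline. The following Python script is an added example, not code from the thread: it encodes the subnets, allowed_ips and DNS forwarders from the configs above, assumes site B's dnsmasq entry mirrors site A's, adds an assumed road-warrior peer 172.16.0.10 connecting at site A, and reports subnet overlaps, allowed_ips gaps and DNS forwarders the tunnel cannot reach.

```python
import ipaddress

# Constructed plan from the Step 1-3 configs in the thread. Site B's dnsmasq entry is
# assumed to mirror site A's, and the road-warrior peer 172.16.0.10 at A is assumed.
SITES = {
    "A": {"lan": ["192.168.0.0/17"], "wg_addr": "172.16.0.1/24",
          "peer_allowed": ["172.16.0.2/32", "192.168.128.0/17"],
          "dns_forward": {"siteb.lan": "172.16.0.2"}, "extra_peers": ["172.16.0.10"]},
    "B": {"lan": ["192.168.128.0/17"], "wg_addr": "172.16.0.2/24",
          "peer_allowed": ["172.16.0.0/24", "192.168.0.0/17"],
          "dns_forward": {"sitea.lan": "172.16.0.1"}, "extra_peers": []},
}

def _net(text):
    # Accept "a.b.c.d/len" or a bare host; non-strict so "172.16.0.1/24" is fine.
    return ipaddress.ip_network(text if "/" in text else text + "/32", strict=False)

def _covered(target, allowed):
    # WireGuard only carries traffic for a peer if the address is inside its allowed_ips.
    return any(_net(target).subnet_of(_net(p)) for p in allowed)

def check_plan(sites):
    """Return a list of problems with a site-to-site plan; [] means consistent."""
    problems = []
    transfer = {_net(s["wg_addr"]) for s in sites.values()}
    if len(transfer) != 1:
        problems.append("wg addresses are not in one shared transfer subnet")
    # 1. every LAN subnet plus the transfer subnet must be mutually disjoint
    nets = [(n, l) for n, s in sites.items() for l in s["lan"]]
    nets += [("wg", str(t)) for t in transfer]
    for i, (n1, a) in enumerate(nets):
        for n2, b in nets[i + 1:]:
            if _net(a).overlaps(_net(b)):
                problems.append(f"{n1} {a} overlaps {n2} {b}")
    for name, site in sites.items():
        for other, osite in sites.items():
            if other == name:
                continue
            # 2. the peer entry must cover the other site's LANs, wg address and road warriors
            for dest in osite["lan"] + [osite["wg_addr"].split("/")[0]] + osite["extra_peers"]:
                if not _covered(dest, site["peer_allowed"]):
                    problems.append(f"{name}: allowed_ips do not cover {other} {dest}")
        # 3. the forwarder for the remote domain must be reachable over the tunnel
        for domain, server in site["dns_forward"].items():
            if not _covered(server, site["peer_allowed"]):
                problems.append(f"{name}: DNS server {server} for {domain} not in allowed_ips")
            elif not any(_net(server).subnet_of(t) for t in transfer):
                # a LAN-side resolver works too, but the remote dnsmasq then needs localservice '0'
                problems.append(f"note: {name} forwards {domain} to a LAN-side resolver")
    return problems
```

Run it on a workstation, not on the router. Moving the assumed 172.16.0.10 peer to site B makes the check flag site A's peer entry, because a bare 172.16.0.2/32 allowed_ips entry does not cover peers that hang off the other router.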
