Site-to-site WireGuard

There are self-hosted options such as headscale and Netbird, etc.

What's fascinating about sugar-coated WG VPNs is the ease of use. Even a noob can use those without any issue.

I think OP has enough info about Tailscale to make an informed decision by themselves. I guess it's time to wait for OP to ask for further help, if they need it.

1 Like

I think I'm pretty close to getting this set up, but something escapes me, not sure what :man_shrugging:

I'm able to connect to sitea with my phone via mobile connection (as a peer for sitea)
I'm able to connect to siteb with my phone via mobile connection (as a peer for siteb)
I'm able to connect to siteb from my laptop, from sitea's ISP connection, but by connecting to the wg tunnel on the laptop (config not shown here, I copied the files before adding the laptop peer) :neutral_face:

If I deactivate the wg tunnel on the laptop and ping a server on siteb, it doesn't work.

Do I need to start the connection from one of the routers to the other? If that's the case, how?

I'm attaching configs for each site, hoping someone can take a look and suggest changes (hopefully I removed all the sensitive bits).

Let me know if more info is needed, and thanks for the help, really appreciate it.

  1. site a
# /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'allow-51820'
        option family 'ipv4'
        list proto 'udp'
        option src 'wan'
        option dest_port '51820'
        option target 'ACCEPT'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'wg0'

config forwarding
        option src 'vpn'
        option dest 'lan'

config forwarding
        option src 'vpn'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'vpn'

# /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/sitea.lan/'
        option domain 'sitea.lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '0'
        option ednspacket_max '1232'
        option doh_backup_noresolv '-1'
        option noresolv '1'
        list doh_backup_server '/mask.icloud.com/'
        list doh_backup_server '/mask-h2.icloud.com/'
        list doh_backup_server '/use-application-dns.net/'
        list doh_backup_server '127.0.0.1#5053'
        list doh_backup_server '127.0.0.1#5054'
        list doh_server '127.0.0.1#5053'
        list doh_server '127.0.0.1#5054'
        list interface 'lan'
        list interface 'wg0'
        list rebind_domain '/myunraid.net/'
        list rebind_domain '/siteb.lan/'
        list server '/mask.icloud.com/'
        list server '/mask-h2.icloud.com/'
        list server '/use-application-dns.net/'
        list server '127.0.0.1#5053'
        list server '127.0.0.1#5054'
        list server '/siteb.lan/192.168.1.1'
        option serversfile '/var/run/adblock-fast/dnsmasq.servers'

config dhcp 'lan'
        option interface 'lan'
        option start '10'
        option limit '240'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# /etc/config/network 

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix '<redacted>'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'

config device
        option name 'lan1'
        option macaddr ''

config device
        option name 'lan2'
        option macaddr ''

config device
        option name 'lan3'
        option macaddr ''

config device
        option name 'lan4'
        option macaddr ''

config device
        option name 'lan5'
        option macaddr ''

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'eth1'
        option macaddr '<redacted>'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

config interface 'wg0'
        option proto 'wireguard'
        option private_key '<redacted>'
        option listen_port '51820'
        list addresses '172.22.22.1/24'

config wireguard_wg0
        option description 'siteb'
        option public_key '<redacted>'
        option private_key '<redacted>'
        list allowed_ips '172.22.22.10/32'
        list allowed_ips '192.168.1.0/24'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        option route_allowed_ips '1'

config wireguard_wg0
        option description 'phone'
        option public_key '<redacted>'
        option private_key '<redacted>'
        list allowed_ips '172.22.22.100/32'
        option route_allowed_ips '1'
        option endpoint_port '51820'
        option persistent_keepalive '25'

  2. site b
# /etc/config/firewall
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option target 'DNAT'
        option name 'Intercept-DNS'
        option src 'lan'
        option src_dport '53'

config rule
        option name 'wan-local-wg'
        option src 'wan'
        option dest_port '51820'
        option target 'ACCEPT'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'wg0'

config forwarding
        option src 'vpn'
        option dest 'lan'

config forwarding
        option src 'vpn'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'vpn'
        
        
# /etc/config/dhcp
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/siteb.lan/'
        option domain 'siteb.lan'
        option expandhosts '1'
        option cachesize '10000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '0'
        option ednspacket_max '1232'
        option doh_backup_noresolv '-1'
        option noresolv '1'
        list doh_backup_server '/mask.icloud.com/'
        list doh_backup_server '/mask-h2.icloud.com/'
        list doh_backup_server '/use-application-dns.net/'
        list doh_backup_server '127.0.0.1#5053'
        list doh_backup_server '127.0.0.1#5054'
        list doh_server '127.0.0.1#5053'
        list doh_server '127.0.0.1#5054'
        option serversfile '/var/run/adblock-fast/dnsmasq.servers'
        list rebind_domain '/myunraid.net/'
        list rebind_domain '/sitea.lan/'
        list server '/mask.icloud.com/'
        list server '/mask-h2.icloud.com/'
        list server '/use-application-dns.net/'
        list server '127.0.0.1#5053'
        list server '127.0.0.1#5054'
        list server '/sitea.lan/192.168.2.1'
        list interface 'lan'
        list interface 'wg0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

        
# /etc/config/network 
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix '<redacted>'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'wg0'
        option proto 'wireguard'
        option private_key '<redacted>'
        option listen_port '51820'
        list addresses '172.22.22.10/32'
        list addresses '192.168.1.0/24'
        list dns '192.168.2.1'

config wireguard_wg0
        option description 'sitea'
        option public_key '<redacted>'
        option persistent_keepalive '25'
        list allowed_ips '192.168.2.0/24'
        list allowed_ips '172.22.22.0/24'

config wireguard_wg0
        option description 'phone'
        option public_key '<redacted>'
        option private_key '<redacted>'
        list allowed_ips '172.22.22.200/32'
        option route_allowed_ips '1'

Furthermore, at least one side, either router A or B (and you can actually do that on both sides), has to start a connection to the other side, so it needs an Endpoint, Endpoint port and Keepalive, just like a WireGuard client.

My notes have a paragraph dedicated to a site-to-site setup, but you are mostly done :slight_smile: :

You need the Server Setup guide; make sure to download the guide, GitHub only shows the first 5 pages.

1 Like

Change this to 172.22.22.0/24 or 172.22.22.10/24?

Right, how can I start a connection to the other side while sitting on router A (let's say)? I can ssh into the router, but don't know how to start the connection. I'll google/chatgpt a bit :slight_smile:

Absolutely, this was very helpful, as well as eduperez's notes, kept comparing them.

I ran wg show on the sitea router, still haven't made any changes.

root@openwrt:~# wg show
interface: wg0
  public key: <redacted>
  private key: (hidden)
  listening port: 51820

peer: <sitea/redacted>
  endpoint: <redacted>
  allowed ips: 172.22.22.10/32, 192.168.1.0/24
  latest handshake: 2 minutes, 14 seconds ago
  transfer: 95.73 KiB received, 67.39 KiB sent
  persistent keepalive: every 25 seconds

peer: <phone/redacted>
  endpoint: <redacted>
  allowed ips: 172.22.22.100/32
  latest handshake: 4 hours, 37 minutes, 30 seconds ago
  transfer: 10.04 MiB received, 179.11 MiB sent
  persistent keepalive: every 25 seconds

This one:

One side also has to make a connection to the other side

Let's designate site a as the "server", as your phone seems to be able to connect from outside, so we know that is possible.

So site b has to start a connection to site a.
So site b in this case is the WireGuard client and should be set up as a WireGuard client with respect to making a connection; in other respects, e.g. firewall and allowed IPs, it is set up as a WireGuard server to allow bidirectional traffic.

In your specific case the peer for site a has to have this in order to start a connection.
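The `wg show` output posted earlier in the thread is the quickest way to see whether a site-to-site peer is actually exchanging packets: a peer with persistent keepalive that has not handshaken for more than a couple of minutes is not passing traffic, and a peer with no `latest handshake` line at all has never connected. The script below is an added example, not part of any post or of the WireGuard tooling; it parses that output format and classifies each peer. The sample output is constructed from the poster's redacted listing, the endpoints are documentation-range placeholders, the third peer is invented to show the never-connected case, and the 180 s threshold is an assumption chosen for the example.

```python
"""Parse `wg show` output and classify each peer's tunnel state.

Added example for this thread; not from the original post or from WireGuard.
The sample output below is constructed."""
import re

UNIT_SECONDS = {"day": 86400, "hour": 3600, "minute": 60, "second": 1}


def handshake_age_seconds(phrase):
    """Turn '4 hours, 37 minutes, 30 seconds ago' into 16650."""
    return sum(int(n) * UNIT_SECONDS[u]
               for n, u in re.findall(r"(\d+)\s+(day|hour|minute|second)s?", phrase))


def parse_wg_show(text):
    """Return one dict per peer. wg show omits the 'latest handshake' line for
    a peer that has never completed a handshake, so handshake_age stays None."""
    peers, current = [], None
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(": ")
        if not sep:
            continue  # blank line or a header without a value
        if key == "interface":
            current = None  # interface block: its fields are not peer data
        elif key == "peer":
            current = {"public_key": value, "endpoint": None, "allowed_ips": [],
                       "handshake_age": None, "keepalive": None}
            peers.append(current)
        elif current is not None:
            if key == "endpoint":
                current["endpoint"] = value
            elif key == "allowed ips":
                current["allowed_ips"] = [n.strip() for n in value.split(",")]
            elif key == "latest handshake":
                current["handshake_age"] = handshake_age_seconds(value)
            elif key == "persistent keepalive":
                m = re.search(r"every (\d+) second", value)
                current["keepalive"] = int(m.group(1)) if m else None
    return peers


def diagnose(peer, max_age=180):
    """Classify a peer. With persistent keepalive a peer re-handshakes roughly
    every two minutes while traffic flows, so 180 s (an assumption for this
    example) is treated as 'the tunnel is not passing packets'."""
    age = peer["handshake_age"]
    if age is None and peer["endpoint"] is None:
        return "never connected: no endpoint learned and no handshake"
    if age is None:
        return "endpoint known but no handshake completed"
    if age > max_age:
        return f"stale: last handshake {age} s ago"
    return "up"


def report(text, max_age=180):
    """Map each peer's public key to its diagnosis."""
    return {p["public_key"]: diagnose(p, max_age) for p in parse_wg_show(text)}


# Constructed sample: the poster's redacted output with placeholder endpoints,
# plus an invented peer that has never connected.
SAMPLE = """\
interface: wg0
  public key: <redacted>
  private key: (hidden)
  listening port: 51820

peer: <siteb/redacted>
  endpoint: 203.0.113.7:51820
  allowed ips: 172.22.22.10/32, 192.168.1.0/24
  latest handshake: 2 minutes, 14 seconds ago
  transfer: 95.73 KiB received, 67.39 KiB sent
  persistent keepalive: every 25 seconds

peer: <phone/redacted>
  endpoint: 198.51.100.9:40213
  allowed ips: 172.22.22.100/32
  latest handshake: 4 hours, 37 minutes, 30 seconds ago
  transfer: 10.04 MiB received, 179.11 MiB sent
  persistent keepalive: every 25 seconds

peer: <never-connected/constructed>
  allowed ips: 172.22.22.200/32
  persistent keepalive: every 25 seconds
"""

if __name__ == "__main__":
    for key, status in report(SAMPLE).items():
        print(f"{key}: {status}")
```

Run it on a router with `wg show | python3 wgcheck.py` after replacing `SAMPLE` with `sys.stdin.read()`; the phone peer's four-hour-old handshake is normal for a device that is simply asleep, but the same age on a site-to-site peer with keepalive means the tunnel is down.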

Got it working!!! :raised_hands:, although it's kind of weird, a couple of notes after the config

sitea

config interface 'wg0'
        option proto 'wireguard'
        option private_key '<redacted>'
        option listen_port '51820'
        list addresses '172.22.22.1/24'

config wireguard_wg0
        option description 'siteb'
        option public_key '<redacted>'
        option private_key '<redacted>'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        option route_allowed_ips '1'
        list allowed_ips '192.168.1.0/24'
        list allowed_ips '172.22.22.0/24'
        option endpoint_host 'sitea.public.com'

siteb

config interface 'wg0'
        option proto 'wireguard'
        option private_key '<redacted>'
        option listen_port '51820'
        list dns '192.168.2.1'
        list addresses '192.168.1.0/24'
        list addresses '172.22.22.0/24'

config wireguard_wg0
        option description 'sitea'
        option public_key '<redacted>'
        option persistent_keepalive '25'
        list allowed_ips '192.168.2.0/24'
        list allowed_ips '172.22.22.0/24'
        option route_allowed_ips '1'
        option endpoint_host 'sitea.public.com'
        option endpoint_port '51820'

Weird things:
1 - site b endpoint_host for peer site a is sitea.public.com :face_with_open_eyes_and_hand_over_mouth: :open_mouth:, I did try to change this to siteb.public.com, but it broke the connection :man_shrugging:
2 - I started tinkering before your reply egc, so I left

  • list allowed_ips '172.22.22.0/24' (instead of 172.22.22.10/24)
  • list allowed_ips '192.168.1.0/24' (instead of removing)

It's fully working: I already rsynced from sitea to siteb successfully and accessed services on sitea from siteb, so I'm VERY afraid to tinker again :rofl:

Just curious why it works like this though, especially the endpoint_host on siteb.

Thanks for the help egc and eduperez :+1:

Site b connects to site a
So site b has to have the endpoint of site a

It also works the other way around
So site a connects to site b so has to have the endpoint of site b.
A site cannot connect to itself!

But having one site connecting is enough; it does not matter which site initiates the connection.

2 Likes

Please read my comment carefully, that is not what I said.
I said to remove an address which is wrong and which you should really remove.

It is ok to leave 172.22.22.0/24 in place, it might even be useful in some scenarios.

Mmm, if I remove '192.168.1.0/24' from sitea, peer siteb, the tunnel breaks :man_shrugging:

The other side's LAN needs to be an allowed_ip. The only Addresses on the tunnel should be one unique (but within the same /24, and specified with a /24 netmask) 172 for each peer. This is actually optional if it is only site to site (no road warriors) but it is useful for testing to be able to ping the other site's tunnel IP.

3 Likes
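The three points the thread settled on (one side must carry an endpoint and keepalive for the other, each side must list the other LAN in allowed_ips, and a router must not put its own LAN subnet on wg0 as an address) can be checked mechanically before reloading the network. The linter below is an added example, not code from the thread or from OpenWrt: it parses the UCI text format of /etc/config/network, extracts the LAN and wg0 sections of two routers, and reports every rule that is violated. The two sample configs are constructed, trimmed to the sections the checks read, and model the posted site B before and after the fix; the endpoint hostname is a placeholder.

```python
"""Lint a pair of OpenWrt WireGuard site-to-site configs for the mistakes this
thread turned on: nobody dialling out, the other LAN missing from allowed_ips,
and a router's own LAN listed as a wg0 address. Added example, not from the thread."""
import ipaddress
import re
UCI_LINE = re.compile(r"^(config|option|list)\s+(\S+)(?:\s+'([^']*)')?$")

def parse_uci(text):
    """Return UCI sections as (type, name_or_None, {key: [values]}) triples."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = UCI_LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable UCI line: {line!r}")
        kind, key, value = m.groups()
        if kind == "config":
            sections.append((key, value, {}))
        else:  # 'option' and 'list' are both kept as value lists
            sections[-1][2].setdefault(key, []).append(value)
    return sections

def describe_site(text):
    """Extract one router's LAN subnet, wg0 addresses and wg0 peer sections."""
    secs = parse_uci(text)
    lan = next(o for t, n, o in secs if t == "interface" and n == "lan")
    wg0 = next(o for t, n, o in secs if t == "interface" and n == "wg0")
    lan_net = ipaddress.ip_interface(f"{lan['ipaddr'][0]}/{lan['netmask'][0]}").network
    return {"lan": lan_net, "peers": [o for t, _, o in secs if t == "wireguard_wg0"],
            "addresses": [ipaddress.ip_interface(a) for a in wg0.get("addresses", [])]}

def _allowed(peer):
    return [ipaddress.ip_network(n, strict=False) for n in peer.get("allowed_ips", [])]

def lint_pair(cfg_a, cfg_b):
    """Return a list of findings; an empty list means the pair passes."""
    sites = {"a": describe_site(cfg_a), "b": describe_site(cfg_b)}
    findings = []
    # 1. Somebody must initiate (endpoint_host on a peer), and a dialler needs keepalive.
    dialers = [p for s in sites.values() for p in s["peers"] if "endpoint_host" in p]
    if not dialers:
        findings.append("no peer on either side has endpoint_host: nothing initiates the tunnel")
    for p in dialers:
        if "persistent_keepalive" not in p:
            findings.append(f"peer {p.get('description', ['?'])[0]} dials out without persistent_keepalive")
    for label, site in sites.items():
        other = sites["b" if label == "a" else "a"]
        # 2. A wg0 address inside the router's own LAN collides with br-lan.
        for addr in site["addresses"]:
            if addr.network.overlaps(site["lan"]):
                findings.append(f"site {label}: wg0 address {addr} overlaps its own LAN {site['lan']}")
        # 3. Some peer must route the other LAN, and should cover the other tunnel address too.
        remote = [p for p in site["peers"] if any(
            n.version == other["lan"].version and other["lan"].subnet_of(n) for n in _allowed(p))]
        if not remote:
            findings.append(f"site {label}: no peer lists the other LAN {other['lan']} in allowed_ips")
            continue
        for addr in other["addresses"]:
            if not any(addr.ip in n for n in _allowed(remote[0])):
                findings.append(f"site {label}: peer does not allow the other tunnel address {addr.ip}")
    return findings

# Constructed sample configs (not the poster's), cut down to the sections the checks read.
SITE_A = """
config interface 'lan'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
config interface 'wg0'
        list addresses '172.22.22.1/24'
config wireguard_wg0
        option description 'siteb'
        list allowed_ips '172.22.22.10/32'
        list allowed_ips '192.168.1.0/24'
"""
# Site B as first posted: its own LAN as a wg0 address, and no endpoint for site A.
SITE_B_BROKEN = """
config interface 'lan'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
config interface 'wg0'
        list addresses '172.22.22.10/32'
        list addresses '192.168.1.0/24'
config wireguard_wg0
        option description 'sitea'
        list allowed_ips '192.168.2.0/24'
        list allowed_ips '172.22.22.0/24'
"""
# Site B fixed: stray LAN address dropped; peer gets a (placeholder) endpoint and keepalive.
SITE_B_FIXED = SITE_B_BROKEN.replace("        list addresses '192.168.1.0/24'\n", "") + """\
        option endpoint_host 'sitea.example.invalid'
        option endpoint_port '51820'
        option persistent_keepalive '25'
"""
```

Feed it the real files with `lint_pair(open("network_a").read(), open("network_b").read())`; on the posted pair it reports the missing endpoint and the 192.168.1.0/24 address on site B's wg0, and nothing once both are corrected. Rule 3 is deliberately lenient about 172.22.22.0/24 in allowed_ips, matching the advice above that leaving the whole tunnel subnet there is harmless.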

This is what I said to remove

2 Likes

Finally got it!
Yeah, removed the 192.168.1.0/24 on siteb addresses.
Thanks egc and mk24!
Learning as I go, this has been an awesome experience :+1:

2 Likes