[Solved] Site to site VPN with Wireguard and OpenWrt

Dear Friends,

I am wondering what happens when two sites are linked with WireGuard. This is described here in the documentation:
https://openwrt.org/docs/guide-user/services/vpn/wireguard/extra

Does it make Site B the default gateway for site A and the converse? I would like to avoid such a situation and have site A with default gateway A and site B with default gateway B. Is that the case?

Kind regards,

1 Like

No, unless you explicitly enable this.

Okay, thanks, this is why we need to set:
uci set network.wgserver.route_allowed_ips="1"

However I wonder how it can coexist with my roadwarrior settings. Will try ...
Maybe I need to set up a second wg1 interface running on a separate port for site-to-site, don't you think?

1 Like

No. You only need one interface.

1 Like
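As an added illustration of the point just made (one interface, routes limited per peer), here is a constructed /etc/config/network fragment for site A; it is not taken from the thread or from the OpenWrt wiki. The key material is a placeholder, and the prefixes (wg0 on 10.0.10.0/24, site B's LAN on 192.168.10.0/24, a road warrior at 10.0.10.3/32) and the hostname siteb.example.net are assumptions chosen to match the discussion. The site-to-site peer and the road-warrior peer share the same wg0 interface and listen port; what differs is their allowed_ips. Because no peer on this side lists 0.0.0.0/0, route_allowed_ips only installs routes for the listed prefixes, so site B never becomes site A's default gateway.

```uci
# /etc/config/network (constructed example, not the poster's configuration)

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'PLACEHOLDER_SITE_A_PRIVATE_KEY'   # placeholder, generate with: wg genkey
	option listen_port '51820'
	list addresses '10.0.10.1/24'                         # assumed tunnel address of site A

# Site-to-site peer: only site B's LAN (and its tunnel address) are routed through wg0.
# Keep 0.0.0.0/0 and ::/0 out of allowed_ips here, otherwise route_allowed_ips
# would install a default route via wg0 and site B would become the default gateway.
config wireguard_wg0
	option description 'Site B (site-to-site)'
	option public_key 'PLACEHOLDER_SITE_B_PUBLIC_KEY'     # placeholder
	option endpoint_host 'siteb.example.net'              # assumed endpoint
	option endpoint_port '51820'
	option persistent_keepalive '25'
	option route_allowed_ips '1'                          # adds routes for the prefixes below only
	list allowed_ips '10.0.10.2/32'                       # site B's tunnel address
	list allowed_ips '192.168.10.0/24'                    # site B's LAN (assumed prefix)

# Road-warrior peer on the same interface: the server side only needs the client's /32.
# A client that wants "everything through the VPN" sets 0.0.0.0/0 in *its own* AllowedIPs;
# nothing on the server side changes for that.
config wireguard_wg0
	option description 'Road warrior (family laptop)'
	option public_key 'PLACEHOLDER_ROADWARRIOR_PUBLIC_KEY' # placeholder
	option route_allowed_ips '1'
	list allowed_ips '10.0.10.3/32'                       # assumed client tunnel address
```

After editing, `ifup wg0` (or `/etc/init.d/network reload`) applies the change, and `ip route show dev wg0` should list only the tunnel /24, the two peer addresses and 192.168.10.0/24; if a default route appears on wg0, some peer's allowed_ips contains a /0.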

You can also have transparent routing between site A and site B, with DNS resolution, etc.!
So the WG link will be a bridge and give access to both sites from any of them...

This is done, thanks.

Now I am having another problem:
Site B is used for road warriors of my family. They have access to 0.0.0.0/0 and /0 for roadwarrioring.

Site A and Site B are site-to-site VPN. Routes are limited.

Site A has several VLANs with firewalling rules.

Now from any machine in site B, I can ping any machine in site A on private IPv4.
This is quite incredible ...

Is that because wg0 is bridged with br-lan?

On this wiki page, it is written:
https://openwrt.org/docs/guide-user/services/vpn/wireguard/basic
Consider VPN network as private and assign VPN interface to LAN zone to minimize firewall setup. Allow access to VPN server from WAN zone.

I think it breaks routing because all routes are considered by kernel as part of the bridge.

Sure...
You may define firewall rules for your sites' br-lan and for your wg-A and wg-B to be coherent with the rules you need!

1 Like

You shouldn't do that.

Instead, set up firewall zones and forwardings.

1 Like
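To show concretely what "zones and forwardings" means here, the following /etc/config/firewall fragment is a constructed example (not the poster's configuration and not from the OpenWrt wiki). Instead of listing wg0 in the lan zone, it gives wg0 its own zone with forward REJECT, so site B, the road warriors and the VLANs behind br-lan can only talk to each other where a forwarding or rule explicitly says so. The prefixes are assumptions matching the rest of the thread: site A's LAN on 192.168.9.0/24, site B's LAN on 192.168.10.0/24, tunnel addresses in 10.0.10.0/24, a wan zone named 'wan', and WireGuard listening on UDP 51820.

```uci
# /etc/config/firewall (constructed example, not the poster's configuration)

# LAN zone no longer contains wg0.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

# Dedicated zone for the tunnel. forward 'REJECT' also blocks peer-to-peer
# traffic inside wg0 (e.g. a road warrior reaching site B's LAN through site A)
# unless a rule below allows it.
config zone
	option name 'wg'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wg0'

# Site A's LAN may initiate connections towards the tunnel (site B, road warriors).
config forwarding
	option src 'lan'
	option dest 'wg'

# No blanket 'wg' -> 'lan' forwarding: tunnel sources are admitted per rule instead.

# Site B's LAN may reach only site A's LAN prefix (not other VLANs).
config rule
	option name 'Allow-SiteB-to-LAN'
	option src 'wg'
	option src_ip '192.168.10.0/24'   # assumed site B LAN
	option dest 'lan'
	option dest_ip '192.168.9.0/24'   # assumed site A LAN
	option target 'ACCEPT'

# Road warriors (tunnel addresses) may reach site A's LAN.
config rule
	option name 'Allow-RoadWarrior-to-LAN'
	option src 'wg'
	option src_ip '10.0.10.0/24'      # assumed tunnel range
	option dest 'lan'
	option dest_ip '192.168.9.0/24'
	option target 'ACCEPT'

# Let tunnel clients use the router itself for DNS (input is REJECT otherwise).
config rule
	option name 'Allow-WG-DNS'
	option src 'wg'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'

# The WireGuard handshake itself arrives from the WAN.
config rule
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'
```

Apply with `/etc/init.d/firewall restart`, then check from a site B host that 192.168.9.x answers and another VLAN's address does not. Routing still decides which interface a packet leaves on (that part is the allowed_ips / route_allowed_ips setting in the network config); the firewall zones decide only whether the forwarded packet is permitted, which is the separation the reply above is pointing at.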

So what are the correct zones for Wireguard, I am lost, thanks.
I prefer to ask because all my family is connected and I cannot break everything.

Typically, you can trust your own VPN enough to assign it to the LAN zone.

My configuration is

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan wg0'

I think this breaks everything. All routes inside wg0 can now communicate in either direction. I want to rely on the Wireguard routing configuration itself. How do I do that?

wg0 and lan are on the same firewall zone.
If routing is correct, all devices will communicate...
all is normal !

1 Like

It seems you are mixing firewall and routing.
The firewall config has nothing to do with bridging or routing.
Firewall defines access permissions.
Routing defines priorities and directions.
While it is possible to mark traffic with firewall to determine routing, that is another story.

1 Like

To give an extract of my routing tables:

192.168.10.0      0.0.0.0         255.255.255.0   U     0      0        0 wg0
10.0.10.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan

Let's say I want to have site-to-site access to 192.168.10.0/24
If I ping 192.168.20.0 which I am not supposed to ping, it is picked up by the second rule.
So br-lan breaks Wireguard setup. How to solve this?

No, it will take the default route as you have no explicit route to 192.168.20.0/24:

ip route show
ip route get 192.168.20.1

I have default gateway, it is:
0.0.0.0 xxxxxxxxxxxx 0.0.0.0 UG 0 0 0 eth1

Let's say my firewall 10.0.10.1 or any machine on br-lan, for example 10.0.10.20, will pick up
10.0.10.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan

What's the rest of your routing table?

1 Like

You'd better stop using deprecated net-tools.
Current Utilities for Networking and Traffic Control

1 Like

Here is the complete and exact routing table

default via xxxxx dev eth1 proto static src xxxxxxxxxxxxxxx 
10.0.10.0/24 dev wg0 proto kernel scope link src 10.0.10.1 
10.0.10.2 dev wg0 proto static scope link 
10.90.20.0/24 dev wg0 proto static scope link 
xxxxxxxxxx/24 dev eth1 proto kernel scope link src xxxxxxxxxxxxxx 
192.168.9.0/24 dev br-lan proto kernel scope link src 192.168.9.1 
xxxxxxxxxxx via xxxxxxxxxxxxxxx dev eth1 proto static

From the firewall and br-lan, I can ping 10.90.30.0/24; this is the problem.
We should assign lan and wg0 to the same firewall zone.

What is this on the network? How is it connected?

1 Like