Does it make Site B the default gateway for site A and the converse? I would like to avoid such a situation and have site A with default gateway A and site B with default gateway B. Is that the case?
Okay, thanks, this is why we need to set: uci set network.wgserver.route_allowed_ips="1"
However I wonder how it can coexist with my roadwarrior settings. Will try ...
Maybe I need to set up a second wg1 interface running on a separate port for site-to-site, don't you think?
You can also have transparent routing between site A and site B, with DNS resolution, etc.!
So the WG link will be a bridge and give access to both sites from any of them...
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan wg0'
I think this breaks everything. All routes inside wg0 can now communicate in either direction. I want to rely on the WireGuard routing configuration itself. How do I do that?
It seems you are mixing firewall and routing.
The firewall config has nothing to do with bridging or routing.
Firewall defines access permissions.
Routing defines priorities and directions.
While it is possible to mark traffic with firewall to determine routing, that is another story.
192.168.10.0 0.0.0.0 255.255.255.0 U 0 0 0 wg0
10.0.10.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan
Let's say I want to have site-to-site access to 192.168.10.0/24
If I ping 192.168.20.0, which I am not supposed to ping, it is picked up by the second rule.
So br-lan breaks the WireGuard setup. How to solve this?
default via xxxxx dev eth1 proto static src xxxxxxxxxxxxxxx
10.0.10.0/24 dev wg0 proto kernel scope link src 10.0.10.1
10.0.10.2 dev wg0 proto static scope link
10.90.20.0/24 dev wg0 proto static scope link
xxxxxxxxxx/24 dev eth1 proto kernel scope link src xxxxxxxxxxxxxx
192.168.9.0/24 dev br-lan proto kernel scope link src 192.168.9.1
xxxxxxxxxxx via xxxxxxxxxxxxxxx dev eth1 proto static
From the firewall and br-lan, I can ping 10.90.30.0/24; this is the problem.
We should assign lan and wg0 to the same firewall zone.
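Putting the two threads of the discussion together (running site-to-site on a second wg interface, and keeping the firewall's permission decisions separate from the routing that WireGuard's allowed_ips install), here is an added OpenWrt UCI example. It is not configuration posted in this thread; it reuses the subnets that appear above (10.0.10.0/24 for road warriors, 10.90.20.0/24 as the tunnel transit network, 192.168.10.0/24 as the remote LAN that should be reachable, 192.168.20.0/24 as the one that should not) and assumes the interface name wg1, the listen port 51821, the zone names wgrw and wgs2s, and the placeholder keys and endpoint hostname.

```uci
# /etc/config/network  (added example; interface names, port and keys are assumptions)

# Road-warrior endpoint. Each peer only carries its own /32, so
# route_allowed_ips installs a host route per peer and nothing else.
config interface 'wg0'
	option proto 'wireguard'
	option private_key '<server-private-key>'
	option listen_port '51820'
	list addresses '10.0.10.1/24'

config wireguard_wg0
	option description 'laptop'
	option public_key '<laptop-public-key>'
	list allowed_ips '10.0.10.2/32'
	option route_allowed_ips '1'

# Separate site-to-site tunnel on its own UDP port, so its peer list and
# routes never mix with the road-warrior peers.
config interface 'wg1'
	option proto 'wireguard'
	option private_key '<server-private-key-2>'
	option listen_port '51821'
	list addresses '10.90.20.1/30'

config wireguard_wg1
	option description 'site-b'
	option public_key '<site-b-public-key>'
	option endpoint_host 'siteb.example.org'
	option endpoint_port '51821'
	option persistent_keepalive '25'
	list allowed_ips '10.90.20.2/32'
	list allowed_ips '192.168.10.0/24'
	# Only the listed prefixes get a route via wg1. 0.0.0.0/0 is not listed,
	# so the default gateway of this site is untouched. 192.168.20.0/24 is
	# not listed either: packets for it keep following the default route,
	# and WireGuard would drop them on the tunnel anyway (cryptokey routing).
	option route_allowed_ips '1'

# /etc/config/firewall  (added example; zone names are assumptions)

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

# Road warriors: reach the router, no forwarding anywhere unless a
# forwarding section below says so.
config zone
	option name 'wgrw'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option network 'wg0'

# Site-to-site: same starting point, then explicit forwarding with lan.
config zone
	option name 'wgs2s'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option network 'wg1'

config forwarding
	option src 'lan'
	option dest 'wgs2s'

config forwarding
	option src 'wgs2s'
	option dest 'lan'

# Let both tunnels' handshakes in from the WAN.
config rule
	option name 'Allow-WireGuard'
	option src 'wan'
	option proto 'udp'
	option dest_port '51820 51821'
	option target 'ACCEPT'
```

The split does what the thread asks for: routing (what allowed_ips installs with route_allowed_ips) decides that only 192.168.10.0/24 goes into wg1, and the firewall (zones and forwarding sections) decides who may cross that route, without lan and the tunnel sharing one zone. After `/etc/init.d/network reload` and `/etc/init.d/firewall reload`, `ip route show dev wg1` should list exactly 10.90.20.2 and 192.168.10.0/24, and a ping to 192.168.20.1 from br-lan should not appear in `wg show wg1` transfer counters.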