[Solved] Site to site VPN with Wireguard and OpenWrt

It seems you are mixing firewall and routing.
The firewall config has nothing to do with bridging or routing.
Firewall defines access permissions.
Routing defines priorities and directions.
While it is possible to mark traffic with firewall to determine routing, that is another story.

To give an extract of my routing tables :

192.168.10.0      0.0.0.0         255.255.255.0   U     0      0        0 wg0
10.0.10.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan

Let's say I want to have site-to-site access to 192.168.10.0/24
If I ping 192.168.20.0 which I am not supposed to ping, it is picked up by the second rule.
So br-lan breaks Wireguard setup. How to solve this?

No, it will take the default route as you have no explicit route to 192.168.20.0/24:

ip route show
ip route get 192.168.20.1

I have default gateway, it is:
0.0.0.0 xxxxxxxxxxxx 0.0.0.0 UG 0 0 0 eth1

Let's say my firewall 10.0.10.1 or any machine on br-lan, for example 10.0.10.20, will pick up
10.0.10.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan

What's the rest of your routing table?

You'd better stop using deprecated net-tools.
Current Utilities for Networking and Traffic Control

Here is the complete and exact routing table

default via xxxxx dev eth1 proto static src xxxxxxxxxxxxxxx 
10.0.10.0/24 dev wg0 proto kernel scope link src 10.0.10.1 
10.0.10.2 dev wg0 proto static scope link 
10.90.20.0/24 dev wg0 proto static scope link 
xxxxxxxxxx/24 dev eth1 proto kernel scope link src xxxxxxxxxxxxxx 
192.168.9.0/24 dev br-lan proto kernel scope link src 192.168.9.1 
xxxxxxxxxxx via xxxxxxxxxxxxxxx dev eth1 proto static

From firewall and br-lan, I can ping 10.90.30.0/24; this is the problem.
We should assign lan and wg0 to the same firewall zone.

What is this on the network? How is it connected?

192.168.9.0 br-lan local network on site A
10.0.10.0/24 wg0 network
10.90.20.0/24 remote network (vlan) on site B
10.90.30.0/24 remote network (vlan) on site B

How come Wireguard is picking up 10.90.30.0/24?

ip route get 10.90.30.1

ip route get 10.90.30.254

10.90.30.254 via 10.90.30.254 dev eth1 src yyyyyyyyyyyyyyyyyy uid 0 
    cache

yyyyyyyyyyyyyyyyyyyyy is a public address.
So it is the firewall on site B which is faulty?

It means 10.90.30.254 should be routed via the eth1 interface.
If you can ping it, it is reachable.
It doesn't mean that 10.90.30.254 is in the network you think it is.
It may be a part of the upstream networking, i.e. your ISP.

How come I have access to non-routable machines on my ISP network? It seems unreal.
I can ping 10.90.30.1 but there is no such machine on my network.

OK, I understand, it could be the TV network or Fiber module or SIP phone or something like that.
So I should not be using 10.90.3.0/24 on site A for clarity.

This is normal, many ISPs host their services in private networks reachable only by their clients.

This is a large ISP provider in France (third rank).
Many thanks. Bye bye!

It is a big joke, I have access to several machines on 192.168.2.0/24, 192.168.3.0/24, 192.168.4.0/24 ...
How can I avoid receiving those routes from DHCP? May I lose my fiber module (ONT), which is on a separate link?

You can override the default route with another route.
Or, filter traffic by source/destination with firewall.
It should be similar to the following:

Although, in my opinion it should not bother you.
Usually your ISP takes care of it.
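The two points made above, that `ip route get` simply picks the most specific matching prefix (so a private destination with no tunnel route falls through to the default route on eth1) and that the fix is to override the default with another route, can be checked with a small model. This is an added example, not code from the thread or from OpenWrt; the routing table is reconstructed from the one posted above, the public addresses the poster redacted are only identified by interface, and the model ignores metrics and policy-routing rules.

```python
import ipaddress

# Routing table reconstructed from the thread (constructed example data):
# the poster redacted the public addresses, so the default route is only
# identified by its interface.  Entries: (prefix, outgoing device, note).
ROUTES = [
    ("0.0.0.0/0",      "eth1",   "default via the ISP gateway (address redacted)"),
    ("10.0.10.0/24",   "wg0",    "WireGuard transfer network"),
    ("10.0.10.2/32",   "wg0",    "WireGuard peer"),
    ("10.90.20.0/24",  "wg0",    "site B VLAN routed through the tunnel"),
    ("192.168.9.0/24", "br-lan", "site A LAN"),
]

# Private ranges from RFC 1918.  Adding 'unreachable' routes for these is one
# way to stop traffic for unknown private destinations from leaving via eth1.
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def lookup(table, dst):
    """Longest-prefix match, as the kernel does for `ip route get`.

    Returns (network, device, note) for the most specific matching prefix,
    or None when nothing matches (cannot happen while a default route exists).
    Metrics and policy-routing rules are ignored in this model.
    """
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, dev, note in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, note)
    return best


def with_unreachable(table, prefixes):
    """Copy of `table` plus an 'unreachable' entry per prefix.

    Equivalent on the router to `ip route add unreachable <prefix>`, or on
    OpenWrt to a `config route` section with `option type 'unreachable'`.
    Because /8, /12 and /16 are more specific than the /0 default, they win
    over it; any narrower route (the /24 tunnel and LAN routes, the /32 peer)
    is more specific still and keeps winning.
    """
    return table + [(p, "unreachable", "RFC 1918 range without a real route")
                    for p in prefixes]


def main():
    hardened = with_unreachable(ROUTES, RFC1918)
    for dst in ("10.90.30.1", "10.90.20.5", "192.168.3.4", "192.168.9.10", "8.8.8.8"):
        before = lookup(ROUTES, dst)
        after = lookup(hardened, dst)
        print(f"{dst:<14} before: {before[1]:<12} after: {after[1]}")


if __name__ == "__main__":
    main()
```

Running it shows 10.90.30.1 and 192.168.3.4 going out via eth1 before the override and being dropped after it, while 10.90.20.5 still uses wg0, 192.168.9.10 still uses br-lan and public addresses still use the default route. The same longest-prefix rule is what answers the ONT worry raised above: if the ONT's management address falls inside one of the blocked ranges, a more specific route for just that host or prefix (pointing at the link it sits on) keeps it reachable while the rest of the range stays blocked.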

Avoid receiving them from where?

Can bcp38 block communications with my external fiber ONT?
The reason I am asking is that I am not on site B and this could be a problem to lose fiber ...