[Solved] Site to site VPN with Wireguard and OpenWrt

192.168.9.0 br-lan local network on site A
10.0.10.0/24 wg0 network
10.90.20.0/24 remote network (vlan) on site B
10.90.30.0/24 remote network (vlan) on site B

How come WireGuard is picking up 10.90.30.0/24?

ip route get 10.90.30.1

ip route get 10.90.30.254

10.90.30.254 via 10.90.30.254 dev eth1 src yyyyyyyyyyyyyyyyyy uid 0 
    cache

yyyyyyyyyyyyyyyyyyyyy is a public address.
So it is the firewall on site B which is faulty?

It means 10.90.30.254 should be routed via the eth1 interface.
If you can ping it, it is reachable.
It doesn't mean that 10.90.30.254 is on the network you think it is.
It may be a part of the upstream networking, i.e. your ISP.

How come I have access to non-routable machines on my ISP's network? It seems unreal.
I can ping 10.90.30.1 but there is no such machine on my network.

OK, I understand, it could be the TV network or fiber module or SIP phone or something like that.
So I should not be using 10.90.3.0/24 on site A for clarity.


This is normal.
Many ISPs host their services in private networks reachable only from their clients.

This is a large ISP in France (ranked third).
Many thanks. Bye bye!


It is a big joke: I have access to several machines on 192.168.2.0/24, 192.168.3.0/24, 192.168.4.0/24 ...
How can I avoid receiving those routes from DHCP? Might I lose my fiber module (ONT), which is on a separate link?

You can override the default route with another route.
Or, filter traffic by source/destination with firewall.
It should be similar to the following:

Although, in my opinion, it should not bother you.
Usually your ISP takes care of it.
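The two replies above (the `ip route get` explanation and the "override the route or filter with the firewall" suggestion) are easier to see in a worked model. The following is an added example, not code from the thread or from OpenWrt: it reproduces the longest-prefix match the kernel performs on a routing table like site A's, shows that 10.90.30.254 falls through to the default route on eth1 because no wg0 route covers it, and then demonstrates both fixes. The addresses are the ones quoted in the thread; the ISP gateway (203.0.113.1), the peer's AllowedIPs, the WAN interface name eth1 and the rule name are assumptions.

```python
"""Added example, not code from the thread.

A minimal model of the site A router's routing table and the longest-prefix
match the kernel performs (the decision `ip route get` prints).  WireGuard
is not "picking up" 10.90.30.0/24: only prefixes listed in the peer's
AllowedIPs get a route to wg0, and any other destination, RFC 1918 or not,
falls through to the default route on the WAN interface.  The two fixes
from the thread follow: an 'unreachable' route that overrides the default
for private space without shadowing the more specific wg0 routes, and a
lan->wan REJECT firewall rule expressed as UCI commands.

Assumptions: eth1 is the WAN, 203.0.113.1 (TEST-NET-3) is the ISP gateway,
and the peer's AllowedIPs contain 10.0.10.0/24 and 10.90.20.0/24 only.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

RFC1918 = [ipaddress.ip_network(p)
           for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: Optional[str]          # None models an "unreachable" route
    via: Optional[str] = None   # None for directly connected prefixes

    @property
    def unreachable(self) -> bool:
        return self.dev is None


def route(prefix, dev=None, via=None):
    return Route(ipaddress.ip_network(prefix), dev, via)


# Constructed routing table for the site A router.
SITE_A_ROUTES = [
    route("0.0.0.0/0", "eth1", via="203.0.113.1"),  # assumed ISP gateway
    route("192.168.9.0/24", "br-lan"),               # local LAN (thread)
    route("10.0.10.0/24", "wg0"),                    # tunnel network (thread)
    route("10.90.20.0/24", "wg0"),                   # in the peer's AllowedIPs
    # 10.90.30.0/24 is deliberately absent: that is the thread's symptom.
]


def lookup(table, dst):
    """Longest-prefix match, as the kernel FIB does it."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r.prefix]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda r: r.prefix.prefixlen)


def egress_dev(table, dst):
    """Interface the kernel would send to, or the string 'unreachable'."""
    r = lookup(table, dst)
    return "unreachable" if r.unreachable else r.dev


def leaks_private_over_wan(table, dst, wan_dev="eth1"):
    """True when an RFC 1918 destination would be forwarded out the WAN.

    This is the condition an egress filter (the bcp38 package, or the
    explicit REJECT rule below) exists to catch."""
    addr = ipaddress.ip_address(dst)
    return egress_dev(table, dst) == wan_dev and any(addr in n for n in RFC1918)


def with_private_unreachable(table):
    """Fix 1: add 'unreachable' routes covering all RFC 1918 space.

    A /8, /12 or /16 is less specific than the /24s WireGuard installs, so
    the tunnel routes still win; only private destinations with no better
    route stop falling through to the default route."""
    return list(table) + [Route(n, None) for n in RFC1918]


def uci_reject_rule(name="Block-RFC1918-to-WAN"):
    """Fix 2: OpenWrt UCI commands for a lan->wan firewall REJECT rule.

    Returned as strings so this runs anywhere; on the router they would be
    executed and followed by `/etc/init.d/firewall restart`."""
    dest_ip = " ".join(str(n) for n in RFC1918)
    return [
        "uci add firewall rule",
        f"uci set firewall.@rule[-1].name='{name}'",
        "uci set firewall.@rule[-1].src='lan'",
        "uci set firewall.@rule[-1].dest='wan'",
        f"uci set firewall.@rule[-1].dest_ip='{dest_ip}'",
        "uci set firewall.@rule[-1].proto='all'",
        "uci set firewall.@rule[-1].target='REJECT'",
        "uci commit firewall",
    ]


if __name__ == "__main__":
    for dst in ("10.90.20.1", "10.90.30.254", "192.168.3.1", "8.8.8.8"):
        print(f"{dst:15} -> {egress_dev(SITE_A_ROUTES, dst):12} "
              f"private-over-WAN: {leaks_private_over_wan(SITE_A_ROUTES, dst)}")
    fixed = with_private_unreachable(SITE_A_ROUTES)
    print("after unreachable routes:",
          egress_dev(fixed, "10.90.30.254"), egress_dev(fixed, "10.90.20.1"))
    print("\n".join(uci_reject_rule()))
```

Running it shows 10.90.20.1 leaving via wg0 and 10.90.30.254 via eth1, exactly the split the `ip route get` output in the thread reports. The unreachable routes are the "override the default route" option: they catch private space that has no tunnel route while leaving the /24 WireGuard routes untouched. The UCI rule is the firewall option; it only stops forwarding from the LAN zone, so traffic originated on the router itself (the `ping` from the shell) is not covered by it and still follows the routing table.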

Avoid receiving them from where?

Can bcp38 block communications with my external fiber ONT?
The reason I am asking is that I am not at site B, and losing the fiber could be a problem ...

What exactly is it that you're wanting (or think you need) to block with bcp38?

Nothing special. This OpenWrt router is a bypass. I simply don't like the idea of my WAN being accessible from dozens of hosts on private networks.

The router is linked to the fiber ONT via an Ethernet cable. Might I lose connectivity with the ONT if I install bcp38 and its LuCI app?

Probably not, but I don't think you really know what you're doing and randomly installing apps isn't the best approach. Where are these dozens of hosts you don't want to have internet access? Are they on your own networks?


No, they are behind my WAN and the WAN is filtering access. So I have access to them, but they don't have access to me. Anyhow, I don't like it.

The WAN interface is assigned to the WAN firewall zone, which has restrictive input and forward policies by default; that's why you don't really need to bother about it.

Well, then the package bcp38 should help.

Then what's the issue? Messing around with things you clearly don't understand simply because you don't like it is going to cause more problems than it solves.


Why should it cause problems? My WAN is inaccessible from my ISP. I installed bcp38 and the LuCI app and it works perfectly. So what could happen because of bcp38? There is still time to uninstall it.

I just don't understand how ISPs can communicate with a public-address WAN using a private address. I don't understand why I could ping a private address using my WAN. I could even connect using SSH (failed). This is beyond my understanding.


They provide connectivity, that is, the default route.
Thus, they can use any IPs excluding the ones reserved for localhost/link-local/zeroconf/etc.

It is just an IP address with limited scope.
This is not much different from any other public address from the point of view of threat modelling.