[Solved]Wireguard site to site

I finally have multiple public ip address so I can finally test wireguard from within my office before I send openwrt out in the wild :wink:

I have 2 OpenWrt machines, each with its own public IP address.
On machine A I have

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'xx'
        option listen_port '51820'

config wireguard_wg0
        option description 'remote1'
        option public_key 'xx'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        option endpoint_host 'public ip of machine B'
        option endpoint_port '51820'
        list allowed_ips '0.0.0.0'

On Machine B I have

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'xx'
        option listen_port '51820'

config wireguard_wg0
        option description 'main'
        option public_key 'xx'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        option endpoint_host 'public ip of machine A'
        option endpoint_port '51820'
        list allowed_ips '0.0.0.0'

I've added both wg0 interfaces (one on each machine) to the lan firewall zone and also created a UDP firewall accept rule to 'this device'.

I can see that they handshake so the connection is successful but I can't ping anything on the lan of the remote site.

Can someone please advise what information I should offer in order to enable you to help setting this up?

You cannot have on both sides allowed_ips 0.0.0.0. First it is wrong, as it means only one address, which is not used, and doesn't pass anything. You'll add there the IPs behind that peer.

route_allowed_ips

Set to 0 and install routes either statically or i.e. with OSPF.
But 0.0.0.0/0 or ::/0 is totally fine WHEN route_allowed_ips is set to 0.

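The two answers above come down to one rule for each peer stanza: every allowed_ips entry needs a prefix length (a bare 0.0.0.0 is a single host, not a catch-all), and 0.0.0.0/0 or ::/0 is only safe when route_allowed_ips is 0, otherwise the tunnel takes over the default route. The following POSIX sh lint is an added example, not OpenWrt's own tooling or anything posted in this thread; it reads a wireguard_wg0 stanza as text and reports those two mistakes. The sample stanzas and the 192.168.2.0/24 and 10.0.0.2/32 addresses are constructed, and the script assumes route_allowed_ips defaults to 0 when the option is absent.

```shell
#!/bin/sh
# Added example: lint the allowed_ips / route_allowed_ips pairing of a
# wireguard_<iface> peer stanza. Not OpenWrt's own code; it parses text only.

# check_allowed_ip ADDR ROUTE_FLAG: prints a verdict, returns 0 when the entry is sane.
check_allowed_ip() {
    addr=$1
    route=$2
    case "$addr" in
        */*) prefix=${addr##*/} ;;
        *)   prefix="" ;;
    esac
    if [ -z "$prefix" ]; then
        echo "BAD  $addr: no prefix length, WireGuard treats this as one host (/32)"
        return 1
    fi
    case "$addr" in
        0.0.0.0/0|::/0)
            if [ "$route" = "1" ]; then
                echo "BAD  $addr with route_allowed_ips=1: installs a default route over the tunnel"
                return 1
            fi
            echo "OK   $addr: catch-all, routes must be added by hand (route_allowed_ips=0)"
            return 0 ;;
    esac
    echo "OK   $addr"
    return 0
}

# lint_peer STANZA_TEXT: checks every allowed_ips entry, returns the number of problems.
lint_peer() {
    route=$(printf '%s\n' "$1" | sed -n "s/.*option route_allowed_ips '\([01]\)'.*/\1/p")
    [ -z "$route" ] && route=0   # assumption: routes are not installed when the option is absent
    problems=0
    for ip in $(printf '%s\n' "$1" | sed -n "s/.*list allowed_ips '\([^']*\)'.*/\1/p"); do
        check_allowed_ip "$ip" "$route" || problems=$((problems + 1))
    done
    return $problems
}

# Constructed sample: the stanza from the opening post (bare 0.0.0.0, routes on).
SAMPLE_BAD="config wireguard_wg0
        option route_allowed_ips '1'
        list allowed_ips '0.0.0.0'"

# Constructed sample: the remote LAN and the peer's tunnel address, with prefixes, routes on.
SAMPLE_GOOD="config wireguard_wg0
        option route_allowed_ips '1'
        list allowed_ips '192.168.2.0/24'
        list allowed_ips '10.0.0.2/32'"

# Constructed sample: catch-all with routing left to the admin (the second answer's variant).
SAMPLE_CATCHALL="config wireguard_wg0
        option route_allowed_ips '0'
        list allowed_ips '0.0.0.0/0'"

for stanza in "$SAMPLE_BAD" "$SAMPLE_GOOD" "$SAMPLE_CATCHALL"; do
    lint_peer "$stanza" || echo "   -> $? problem(s) in stanza"
    echo
done
```

To check a live box, feed it the output of `uci show network | grep wireguard_wg0` after rewriting the `uci` dotted form into option/list lines, or simply paste the stanza from /etc/config/network; the verdict lines tell you which entry to fix before restarting the interface.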

I went with trendy's suggestion to explicitly list allowed IP addresses.
@_bernd thank you for your suggestion but I'd rather not touch static routes yet :wink: I still consider myself a newcomer to the field and am happy I am getting this far after almost 2 years of headbanging :wink:

Generally it is, but if you looked more carefully you'd notice that it is 0.0.0.0 and not 0.0.0.0/0.


What is route_allowed_ips? I don't understand what it is for.

I am not sure but I guess it sets whether or not a new route is created in the routing table to each of the listed IP addresses.


Additional routes did show up there to my listed IP address so it seems related.

Adds a static route for the allowed IPs in the routing table via the WireGuard tunnel.
