VPN - how to set routes

Hi,
I have a little problem with a routing configuration.

The situation: I need to connect a remote office via VPN and a WiFi bridge.

Main office (1) w. server (s) -> Internet -> Remote office (2) -> External building (3) with computer (c)

I want to use TP-Link CPE510 v1 and v3 (because I have a lot of them here).

The v1 has 2 separate network ports, the v3 only one. I configured (1) on a v1 as WireGuard "master", (2) as WireGuard "slave" and access point, and (3) as WiFi client.

Currently: I can connect from (c) to (1) (2) (3) (s) and also the internet without any problems, but I can't connect from (s) to anywhere. I can only reach the internal WireGuard IP from (2), which makes sense, but I don't see how to change it. I'm missing the correct route and firewall settings, but even when I turn off masquerading on (3) I can't reach (2) from (c) anymore...

Additionally: all 3 have unique networks, but that is not important for me.

Does anyone have an idea what I've missed?

Thanks

Maybe it's better to show it by picture...

Currently I can connect from c to s, which makes sense, but I can't see how to set it up without NAT so that s can also reach c.

It looks like you need a site-to-site setup:
https://openwrt.org/docs/guide-user/services/vpn/wireguard/site-to-site

Alternatively you can post the setup of both routers on which you have installed WireGuard.
In that case, please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </>" button:

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
ip route show
wg show

Hi,

this is from (1)

root@OpenWrt:~# ubus call system board
{
        "kernel": "5.15.150",
        "hostname": "OpenWrt",
        "system": "Atheros AR9344 rev 2",
        "model": "TP-Link CPE510 v1",
        "board_name": "tplink,cpe510-v1",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "ath79/generic",
                "description": "OpenWrt 23.05.3 r23809-234f1a2efa"
        }
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix '<hidden>'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'

config interface 'lan'
        option device 'eth1'
        option proto 'static'
        option ipaddr '192.168.97.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0'
        option proto 'dhcpv6'

config interface 'vpn'
        option proto 'wireguard'
        option private_key <hidden>
        option listen_port '24365'
        list addresses '192.168.9.1/24'
        list addresses 'fd00:9::1/64'

config wireguard_vpn 'wgclient'
        option public_key <hidden>
        option preshared_key <hidden>
        list allowed_ips '192.168.9.2/32'
        list allowed_ips 'fd00:9::2/128'
        option description 'LinkZurAntenne'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone 'lan'
        option name 'lan'
        list network 'lan'
        list network 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone 'wan'
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule 'wg'
        option name 'Allow-WireGuard'
        option src 'wan'
        option dest_port '24365'
        option proto 'udp'
        option target 'ACCEPT'

root@OpenWrt:~# ip route show
default via 192.168.101.1 dev eth0  src 192.168.101.50
192.168.9.0/24 dev vpn scope link  src 192.168.9.1
192.168.97.0/24 dev eth1 scope link  src 192.168.97.1
192.168.101.0/24 dev eth0 scope link  src 192.168.101.50
root@OpenWrt:~# wg show
interface: vpn
  public key: <hidden>
  private key: (hidden)
  listening port: 24365

peer: <hidden>
  preshared key: (hidden)
  endpoint: <hidden>:55919
  allowed ips: 192.168.9.2/32, fd00:9::2/128
  latest handshake: 15 seconds ago
  transfer: 28.66 MiB received, 324.09 MiB sent

and this is from (2)

root@LinkEntfernt:~# ubus call system board
{
        "kernel": "5.15.150",
        "hostname": "LinkEntfernt",
        "system": "Atheros AR9344 rev 2",
        "model": "TP-Link CPE510 v3",
        "board_name": "tplink,cpe510-v3",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "ath79/generic",
                "description": "OpenWrt 23.05.3 r23809-234f1a2efa"
        }
}
root@LinkEntfernt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix '<hidden>'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'phy0-ap0'
        option proto 'static'
        option ipaddr '192.168.98.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wwan'
        option proto 'dhcp'
        option device 'eth0'

config interface 'vpn'
        option proto 'wireguard'
        option private_key <hidden>
        list addresses '192.168.9.2/24'
        list addresses 'fd00:9::2/64'

config wireguard_vpn 'wgserver'
        option public_key <hidden>
        option preshared_key <hidden>
        option endpoint_host <hidden>
        option endpoint_port '24365'
        option persistent_keepalive '25'
        option route_allowed_ips '1'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'

root@LinkEntfernt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'wwan'
        list network 'vpn'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

root@LinkEntfernt:~# ip route show
default dev vpn scope link
<hidden public ip> via 192.168.101.1 dev eth0
192.168.9.0/24 dev vpn scope link  src 192.168.9.2
192.168.98.0/24 dev phy0-ap0 scope link  src 192.168.98.1
192.168.101.0/24 dev eth0 scope link  src 192.168.101.53
root@LinkEntfernt:~# wg show
interface: vpn
  public key: <hidden>
  private key: (hidden)
  listening port: 55919

peer: <hidden>
  preshared key: (hidden)
  endpoint: <hidden>
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 3 seconds ago
  transfer: 323.60 MiB received, 28.32 MiB sent
  persistent keepalive: every 25 seconds
root@LinkEntfernt:~#

On site 1, add the subnet of the other side to the allowed IPs and enable Route Allowed IPs, e.g.:

On site 2:
Not related, but I think this is wrong here: in the wireless config you connect this radio to the lan interface:

For WireGuard, add the interface to the lan firewall zone instead of the wan firewall zone.

Reboot both routers and check again.
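The advice in the post above (remote subnet in the peer's allowed IPs, Route Allowed IPs enabled, the WireGuard interface in the lan zone rather than wan) can be checked mechanically on the configs pasted earlier in the thread. The following is an added example, not code from the thread or from OpenWrt: a small Python checker, meant to be run off the box on copied `/etc/config/network` and `/etc/config/firewall` text, that parses the UCI format, reports which of the three points each site misses, and returns the `uci` commands that would apply the fix. The function names are mine, the embedded configs are trimmed copies of the values posted above (constructed sample input), and the fix commands assume firewall zone sections are named after their zone, as they are in the posted configs.

```python
import ipaddress
import re
import shlex

# Minimal UCI parser: "config <type> ['name']", then "option k v" / "list k v" lines
_SECTION = re.compile(r"^config\s+(\S+)(?:\s+(.+))?$")
_KV = re.compile(r"^(option|list)\s+(\S+)\s+(.+)$")

def parse_uci(text):
    """Return [{'type', 'name', 'options': {key: [values]}}] in file order."""
    sections = []
    for line in (l.strip() for l in text.splitlines()):
        m = _SECTION.match(line)
        if m:
            name = shlex.split(m.group(2))[0] if m.group(2) else None
            sections.append({"type": m.group(1), "name": name, "options": {}})
            continue
        m = _KV.match(line)
        if m and sections:  # values are quoted, or bare like the redacted <hidden>
            words = shlex.split(m.group(3))
            sections[-1]["options"].setdefault(m.group(2), []).append(words[0] if words else "")
    return sections

def allowed_ips_cover(peer, subnet):
    """True if one of the peer's allowed_ips entries contains `subnet`."""
    want = ipaddress.ip_network(subnet, strict=False)
    for cidr in peer["options"].get("allowed_ips", []):
        have = ipaddress.ip_network(cidr, strict=False)
        if have.version == want.version and want.subnet_of(have):
            return True
    return False

def zone_of_network(fw_sections, network):
    for s in fw_sections:  # name of the zone whose network list contains `network`
        if s["type"] == "zone" and network in s["options"].get("network", []):
            return s["options"]["name"][0]
    return None

def check_site(network_cfg, firewall_cfg, remote_lan, iface="vpn"):
    """Findings as strings; an empty list means the site follows the advice."""
    net, fw = parse_uci(network_cfg), parse_uci(firewall_cfg)
    findings = []
    for p in (s for s in net if s["type"] == f"wireguard_{iface}"):
        who = p["name"] or "unnamed peer"
        if not allowed_ips_cover(p, remote_lan):
            findings.append(f"{who}: allowed_ips does not cover remote LAN {remote_lan}")
        if p["options"].get("route_allowed_ips", ["0"])[0] != "1":
            findings.append(f"{who}: route_allowed_ips is off, no kernel route to {remote_lan}")
    zone = zone_of_network(fw, iface)
    if zone != "lan":
        findings.append(f"network '{iface}' is in firewall zone {zone!r}, expected 'lan'")
    return findings

def uci_fix_commands(peer, remote_lan, zone, iface="vpn"):
    """uci commands applying the advice (returned, not run); zone sections assumed named after the zone."""
    cmds = [f"uci add_list network.{peer}.allowed_ips='{remote_lan}'",
            f"uci set network.{peer}.route_allowed_ips='1'"]
    if zone != "lan":
        if zone:  # take it out of the zone it currently sits in first
            cmds.append(f"uci del_list firewall.{zone}.network='{iface}'")
        cmds.append(f"uci add_list firewall.lan.network='{iface}'")
    return cmds + ["uci commit network", "uci commit firewall",
                   "/etc/init.d/network restart", "/etc/init.d/firewall restart"]

# Constructed inputs: trimmed copies of the configs posted in the thread
SITE1_NETWORK = """
config interface 'vpn'
        option private_key <hidden>

config wireguard_vpn 'wgclient'
        list allowed_ips '192.168.9.2/32'
        list allowed_ips 'fd00:9::2/128'
"""
SITE1_FIREWALL = """
config zone 'lan'
        option name 'lan'
        list network 'lan'
        list network 'vpn'
"""
SITE2_NETWORK = """
config wireguard_vpn 'wgserver'
        option route_allowed_ips '1'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
"""
SITE2_FIREWALL = """
config zone 'lan'
        option name 'lan'
        list network 'lan'

config zone 'wan'
        option name 'wan'
        list network 'wwan'
        list network 'vpn'
"""

if __name__ == "__main__":  # run stand-alone: report both sites and the site 2 fix
    print("site 1:", check_site(SITE1_NETWORK, SITE1_FIREWALL, "192.168.98.0/24") or "ok")
    print("site 2:", check_site(SITE2_NETWORK, SITE2_FIREWALL, "192.168.97.0/24") or "ok")
    print("\n".join(uci_fix_commands("wgserver", "192.168.97.0/24", "wan")))
```

On the posted configs the checker flags site 1 twice (the remote LAN 192.168.98.0/24 is not in the peer's allowed IPs and route_allowed_ips is unset) and site 2 once (the vpn network sits in the wan zone, whose forward policy is REJECT, so traffic arriving through the tunnel is dropped before it can reach the LAN).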

Okay, after changing that, (2) was unreachable. No idea why... But I was thinking I could simplify it by changing the VPN endpoint.


Basically the same as before, but instead of a tunnel between (1) and (2) I make one between (1) and (3). (2) is a dumb access point and gives (3) an IP address from the router. So far so good, but the situation is not better...

From C I can reach only the wg addresses of 3 and 1, not S and not I

From S I can also reach the wg addresses and also I, but not C

From 1 I can ping the same as from S

From 3 I can reach everything

Again the configuration: from 1

ubus call system board
{
        "kernel": "5.15.150",
        "hostname": "OpenWrt",
        "system": "Atheros AR9344 rev 2",
        "model": "TP-Link CPE510 v1",
        "board_name": "tplink,cpe510-v1",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "ath79/generic",
                "description": "OpenWrt 23.05.3 r23809-234f1a2efa"
        }
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix '<hidden>'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'

config interface 'lan'
        option device 'eth1'
        option proto 'static'
        option ipaddr '192.168.97.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0'
        option proto 'dhcpv6'

config interface 'vpn'
        option proto 'wireguard'
        option private_key '<hidden>'
        option listen_port '24365'
        list addresses '192.168.9.1/24'
        list addresses 'fd00:9::1/64'

config wireguard_vpn 'wgclient'
        option public_key '<hidden>'
        option preshared_key '<hidden>'
        list allowed_ips '192.168.9.2/32'
        list allowed_ips '192.168.98.0/24'
        list allowed_ips '192.168.99.0/24'
        list allowed_ips 'fd00:9::2/128'
        option description 'LinkZurAntenne'



cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone 'lan'
        option name 'lan'
        list network 'lan'
        list network 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone 'wan'
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule 'wg'
        option name 'Allow-WireGuard'
        option src 'wan'
        option dest_port '24365'
        option proto 'udp'
        option target 'ACCEPT'



ip route show
default via 192.168.101.1 dev eth0  src 192.168.101.50
192.168.9.0/24 dev vpn scope link  src 192.168.9.1
192.168.97.0/24 dev eth1 scope link  src 192.168.97.1
192.168.101.0/24 dev eth0 scope link  src 192.168.101.50


wg show
interface: vpn
  public key: <hidden>
  private key: (hidden)
  listening port: 24365

peer: <hidden>
  preshared key: (hidden)
  endpoint: <hidden>:50577		<- his own public ip?
  allowed ips: 192.168.9.2/32, 192.168.98.0/24, 192.168.99.0/24, fd00:9::2/128
  latest handshake: 1 minute, 5 seconds ago
  transfer: 1.63 MiB received, 289.13 KiB sent

from 3

ubus call system board
{
        "kernel": "5.15.150",
        "hostname": "<hidden>",
        "system": "Atheros AR9344 rev 2",
        "model": "TP-Link CPE510 v3",
        "board_name": "tplink,cpe510-v3",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "ath79/generic",
                "description": "OpenWrt 23.05.3 r23809-234f1a2efa"
        }
}


cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix '<hidden>'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.99.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'bridge'
        option proto 'dhcp'

config interface 'vpn'
        option proto 'wireguard'
        option private_key '<hidden>'
        list addresses '192.168.9.2/24'

config wireguard_vpn 'wgserver'
        option public_key '<hidden>'
        option preshared_key '<hidden>'
        option endpoint_host '<hidden>'
        option endpoint_port '24365'
        option persistent_keepalive '25'
        option route_allowed_ips '1'
        list allowed_ips '192.168.9.1/24'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        list allowed_ips '192.168.97.0/24'



cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'vpn'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'bridge'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'


ip route show

default dev vpn scope link
<hidden> via 192.168.101.1 dev phy0-sta0
192.168.9.0/24 dev vpn scope link
192.168.99.0/24 dev br-lan scope link  src 192.168.99.1
192.168.101.0/24 dev phy0-sta0 scope link  src 192.168.101.57


wg show

interface: vpn
  public key: <hidden>
  private key: (hidden)
  listening port: 50577

peer: <hidden>
  preshared key: (hidden)
  endpoint: <hidden>:24365
  allowed ips: 0.0.0.0/0, ::/0, 192.168.9.0/24
  latest handshake: 13 seconds ago
  transfer: 264.61 KiB received, 1.47 MiB sent
  persistent keepalive: every 25 seconds

After restarting WireGuard my previously tested routes are working fine... No idea why, but I would say your changes are gamechangers :wink:

It looks like sometimes the tunnel goes down and (only) a restart fixes it. The WireGuard watchdog doesn't work as I expected, so I created a script for that.

#!/bin/sh
# /usr/bin/test.sh - restart the WireGuard interface when the far end stops
# answering pings; reboot the box if repeated restarts did not help.

TARGET="192.168.9.1"   # WireGuard address of the other end of the tunnel
IFACE="vpn"            # OpenWrt logical interface name of the tunnel
SOFTERROR=0            # consecutive failed pings
HARDERROR=0            # consecutive interface restarts that did not help

# Timestamp is taken at log time, not once at script start
log() {
	logger "$(date '+%Y-%m-%d %H:%M:%S') - $0: $*"
}

log "VPN-Stabilizer"

while true
do
	# busybox ash has no '&>'; redirect stdout and stderr explicitly
	if ping -c1 "$TARGET" > /dev/null 2>&1; then
		# tunnel answers again: clear both counters
		SOFTERROR=0
		HARDERROR=0
	else
		SOFTERROR=$((SOFTERROR+1))
		if [ "$SOFTERROR" -gt 5 ]; then
			SOFTERROR=0
			echo "Schnittstelle getrennt!"
			log "VPN getrennt!"
			HARDERROR=$((HARDERROR+1))
			if [ "$HARDERROR" -gt 15 ]; then
				echo "Box neustart"
				reboot
			else
				ifdown "$IFACE"
				ifup "$IFACE"
			fi
		fi
	fi

	sleep 30
done

When I start it manually it works fine, but my cronjob isn't starting:
@reboot /usr/bin/test.sh

Is there anything special?

Thank you!

Okay, use watchcat instead... The route is working fine after a random reboot.

Thanks all.