Wireguard Questions/Help

Hi everyone, thanks in advance for your help. I am trying to set up a wireguard VPN and I believe due to an invalid config I have caused some issues with my router communicating correctly. So to help - I have drawn up a little bit of a diagram that shows my intended setup as well as what I think each site should have configured for its interface address and peers allowed ip's.

It is a little confusing as to what should go in the address area and what should go in the allowed IP's area - so this is what I would like to check is correct.

I have followed this logic:

  • Each interface has its own address specified (i.e. 192.168.9.1/24) as well as the range of the local addresses it has access to (i.e. 192.168.1.0/24)

  • Then in the peer section under allowed IPs, each other connection has its address defined (i.e. 192.168.9.2/24) as well as its local network IP range (i.e. 192.168.2.0/24).

Is this the correct IP configuration?

Second question - I have had difficulty accessing hardware with a static IP address through the WireGuard VPN, even when the correct gateway is defined on the device. However, when the device is getting an IP from the DHCP server (run from OpenWrt on my router) it is accessible. I read somewhere that there may be some extended routing of some kind the DHCP server is doing in the background to make this work - can anyone shed some light on this? I would like to use some static IPs if possible for organisational purposes.

Thanks so much!

To start with, this is wrong:

The address of the WG interface is only 192.168.9.1/24

The allowed IPs depends on how you want to set this up.

You can use a hub and spoke setup with one central server and the other two sites connect to this and communicate through the server,
or
You use a mesh like setup where each site connects to the other two.
From my notes:

Hub and spoke
You can use a hub and spoke setup where site 1 is the hub and site 2 and 3 are the spokes, connection from 2 to 3 is routed via site 1.

Site 1 is a classic server setup (wg interface added to the LAN zone, so no MASQUERADE and allowing incoming WG port).
Site 1 has two peers, site 2 and site 3. Each peer has the subnet and WG address of the respective router as allowed IPs.

Sites 2 and 3 are set up as clients in the sense that they have one peer (site 1) and an endpoint set to site 1, but they are servers in the sense that they should allow incoming traffic, basically as a site-to-site setup, so the WG interface is added to the LAN zone.
Furthermore, site 2 has the subnets of site 1 and site 3 as Allowed IPs, and site 3 has the subnets of site 1 and 2 as Allowed IPs.
Both site 2 and 3 also have the whole wg subnet as allowed IPs.
Mesh
An alternative is a mesh setup where all sites connect to all other sites; of course each site must be reachable via the internet.
Basically all sites are set up as a server with peers to all other sites, but these peers have an endpoint and make a connection; you use PBR on each site to do the routing.
Again each site has just one tunnel.

Note that both for this mesh setup and for hub and spoke, use as WG address a unique address in the same subnet and make sure all subnets are different.

It looks like you want to set up a mesh setup, which is fine, but in that case you have to use a /32 mask for the 192.168.9.X peers, otherwise you have overlap.

Thank you so much for this. From your info, hub and spoke is simpler and will work fine for me.

To clarify, does this mean adding 192.168.9.0/24 to all peers as allowed IPs?

I have changed all interface addresses to /32 anyway.

I relabelled sites 1, 2, 3 so it's easier to understand - does this look more correct?

It is the other way around.
For the Address always use a /24.
For the individual peers (in the WG subnet 192.168.9.x) use /32.

For sites 2 and 3 you only have one peer. Normally you would use 192.168.9.1/32 to allow traffic from the WG server of site 1, but you also want to allow traffic from other connected clients, so just use 192.168.9.0/24.
So for site 2 you then have as allowed IPs in the peer:

192.168.9.0/24
192.168.3.0/24
192.168.1.0/24

This allows all connected peers, e.g. your phone and laptop and all clients from site 3 and site 1.

Do not forget to Enable Route AllowedIPs !

Note that although site 2 and 3 have an endpoint to connect to site 1, they are otherwise set up as a server, so allowing all traffic, e.g. add the WG interface to the LAN zone, which also means no masquerading over the WG interface.

If it does not work, please post your settings of all three sites: connect to your OpenWrt device using ssh, copy the output of the following commands and post it here using the "Preformatted text </>" button:

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
wg show

Unfortunately I do not have time to look at it today but there are plenty more knowledgeable users on the forum who can have a look.
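As an added example that is not from this thread or from OpenWrt itself, the script below applies the addressing rules given above (Address always /24, 192.168.9.X peers as /32, spokes carrying the whole WG subnet plus the other sites' LANs) to the three-site topology discussed here, and flags the overlap that a /24 per peer causes in a mesh. It assumes site N uses 192.168.9.N with LAN 192.168.N.0/24 and that site 1 is the hub.

```python
import ipaddress
from itertools import combinations
from typing import Dict, List, Tuple

# Constructed topology matching the thread (assumed values): WG subnet
# 192.168.9.0/24, site N has WG address 192.168.9.N and LAN 192.168.N.0/24.
WG_SUBNET = ipaddress.ip_network("192.168.9.0/24")
LAN = {1: "192.168.1.0/24", 2: "192.168.2.0/24", 3: "192.168.3.0/24"}
HUB = 1


def wg_address(site: int) -> str:
    """Interface Address: the site's host in the WG subnet, always with the /24 mask."""
    return f"{WG_SUBNET.network_address + site}/{WG_SUBNET.prefixlen}"


def hub_and_spoke_allowed_ips(site: int) -> Dict[int, List[str]]:
    """AllowedIPs per peer for one site, following the rules in the thread.

    Hub: one peer per spoke, carrying the spoke's WG address as /32 plus its LAN.
    Spoke: a single peer (the hub) carrying the whole WG subnet, so other clients
    such as a phone are reachable too, plus every other site's LAN.
    """
    if site == HUB:
        return {s: [f"{WG_SUBNET.network_address + s}/32", LAN[s]]
                for s in LAN if s != HUB}
    return {HUB: [str(WG_SUBNET)] + [LAN[s] for s in LAN if s != site]}


def overlapping_allowed_ips(peers: Dict[int, List[str]]) -> List[Tuple[int, int, str]]:
    """Return (peer_a, peer_b, range) for every AllowedIPs range claimed by two peers.

    WireGuard's cryptokey routing hands a destination to exactly one peer, so an
    overlap means one peer silently wins and the other site becomes unreachable.
    That is the effect of using 192.168.9.X/24 for more than one peer.
    """
    nets = [(p, ipaddress.ip_network(a, strict=False))
            for p, ranges in peers.items() for a in ranges]
    return [(pa, pb, str(na)) for (pa, na), (pb, nb) in combinations(nets, 2)
            if pa != pb and na.overlaps(nb)]


if __name__ == "__main__":
    for site in LAN:
        print(f"site {site}: Address {wg_address(site)} "
              f"peers {hub_and_spoke_allowed_ips(site)}")
    # The mesh mistake from the thread: /24 on each 192.168.9.X peer overlaps.
    bad = {2: ["192.168.9.2/24", LAN[2]], 3: ["192.168.9.3/24", LAN[3]]}
    print("overlap:", overlapping_allowed_ips(bad))
```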

Thanks again - I really appreciate your help and time. At the moment I only have my phone with the WireGuard client app to test, as I am waiting for mobile routers for sites 2/3 to arrive. This is working.

I do realise that internet traffic does not pass through this setup - which is OK for me.

I have updated my config given your notes above.
