Wireguard site-to-site configuration no endpoint connectivity

Hi all. My first post, and I am new to openwrt configuration so apologies up front for any newbie mistakes. I am looking for setup help on my newly configured routers and Wireguard site to site tunnel.

I am running 2x AC1200 routers with openwrt, in an attempt to create a VPN site to site tunnel to a friend's home network from my home network. I want my friend (site b) to be able to connect to my network shares and traverse through my internet (site a) from any site b endpoint as a test. I have laptops connected to each of the lan ports on the site routers. Each router's WAN port is using a non-routable IP connected to the ISP's router, with an Internet routable IP and wireguard port forwarded in the ISP router to the openwrt router.

I used the instructions provided here to configure openwrt: https://openwrt.org/docs/guide-user/services/vpn/wireguard/site-to-site

I also received an error on this setup, similar to what was experienced here: Problem with Script Automated WireGuard site-to-site VPN

so I manually added the forwarding configuration as described in the solution to above.

In addition to above, I added IP addresses as recommended in another post to each end of the tunnel as a good practice.

The vpn tunnel successfully established, and I am able to ping the site a router from the site b endpoint, and I am able to ping the site b router from the site a endpoint. I have enabled ping on the windows endpoint firewall settings and I am able to ping the endpoints from their respective routers (ie. I can ping endpoint A from site A router). Both endpoints have internet access through their respective gateways (currently not traversing the VPN).

I am unable to ping the site a lan endpoint from the site b lan endpoint or vice versa. I have also tried RDP to initiate a different type of traffic. I do not seem to have any endpoint to endpoint connectivity.

As a first step to troubleshoot, when I use tcpdump and testing ping from endpoints, I see the ICMP request on the lan interfaces, but no response from the endpoint on the lan interfaces. I am not sure where to go next to isolate the issue. I am very keen to learn why a fix is recommended also to understand wireguard and openwrt more deeply.

Here is my configuration with MAC addresses, the two internet routable IPs and the VPN passwords obfuscated:

Site A network and firewall settings:

root@wg_site2site_a:~# uci export network
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdff:ffff:ffff::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan'

config device
        option name 'lan'
        option macaddr 'xx'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '172.16.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'wan'
        option macaddr 'xx'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'wg_s2s_a'
        option proto 'wireguard'
        option private_key 'xx'
        option listen_port '51830'
        list addresses '10.0.1.1'

config wireguard_wg_s2s_a 's2s_vpn_site_b'
        option public_key 'xx'
        option preshared_key 'xx'
        option description 'Site B, xx'
        list allowed_ips '172.16.2.0/24'
        list allowed_ips 'fdee:eeee:eeee::/48'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        option endpoint_host 'yy'
        option endpoint_port '51830'

root@wg_site2site_a:~# uci export firewall
package firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wg_s2s_a'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule 'wg_s2s_51830'
        option name 'Allow-WireGuard-51830'
        option src 'wan'
        option dest_port '51830'
        option proto 'udp'
        option target 'ACCEPT'

root@wg_site2site_a:~# ip -4 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
4: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.200.10/24 brd 192.168.200.255 scope global wan
       valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 172.16.1.1/24 brd 172.16.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
9: wg_s2s_a: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN qlen 1000
    inet 10.0.1.1/32 brd 255.255.255.255 scope global wg_s2s_a
       valid_lft forever preferred_lft forever

root@wg_site2site_a:~# ip -4 ro li tab all
default via 192.168.200.1 dev wan  src 192.168.200.10
[INTERNET IP1] via 192.168.200.1 dev wan
172.16.1.0/24 dev br-lan scope link  src 172.16.1.1
172.16.2.0/24 dev wg_s2s_a scope link
192.168.200.0/24 dev wan scope link  src 192.168.200.10
local 10.0.1.1 dev wg_s2s_a table local scope host  src 10.0.1.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
local 172.16.1.1 dev br-lan table local scope host  src 172.16.1.1
broadcast 172.16.1.255 dev br-lan table local scope link  src 172.16.1.1
local 192.168.200.10 dev wan table local scope host  src 192.168.200.10
broadcast 192.168.200.255 dev wan table local scope link  src 192.168.200.10

root@wg_site2site_a:~# ip -4 ru
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default


Site B network and firewall settings:

root@wg_site2site_b:~# uci export network
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdee:eeee:eeee::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan'

config device
        option name 'lan'
        option macaddr 'yy'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '172.16.2.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'wan'
        option macaddr 'yy'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'wg_s2s_b'
        option proto 'wireguard'
        option private_key 'yy'
        option listen_port '51830'
        list addresses '10.0.1.2'

config wireguard_wg_s2s_b 's2s_vpn_site_a'
        option public_key 'yy'
        option preshared_key 'yy'
        option description 'Site A, yy'
        list allowed_ips '172.16.1.0/24'
        list allowed_ips 'fdff:ffff:ffff::/48'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        option endpoint_host 'yy'
        option endpoint_port '51830'

root@wg_site2site_b:~# uci export firewall
package firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wg_s2s_b'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule 'wg_s2s_51830'
        option name 'Allow-WireGuard-51830'
        option src 'wan'
        option dest_port '51830'
        option proto 'udp'
        option target 'ACCEPT'

root@wg_site2site_b:~# ip -4 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
4: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.2.139/24 brd 192.168.2.255 scope global wan
       valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 172.16.2.1/24 brd 172.16.2.255 scope global br-lan
       valid_lft forever preferred_lft forever
9: wg_s2s_b: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN qlen 1000
    inet 10.0.1.2/32 brd 255.255.255.255 scope global wg_s2s_b
       valid_lft forever preferred_lft forever

root@wg_site2site_b:~# ip -4 ro li tab all
default via 192.168.2.1 dev wan  src 192.168.2.139
172.16.1.0/24 dev wg_s2s_b scope link
172.16.2.0/24 dev br-lan scope link  src 172.16.2.1
[INTERNET IP2] via 192.168.2.1 dev wan
192.168.2.0/24 dev wan scope link  src 192.168.2.139
local 10.0.1.2 dev wg_s2s_b table local scope host  src 10.0.1.2
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
local 172.16.2.1 dev br-lan table local scope host  src 172.16.2.1
broadcast 172.16.2.255 dev br-lan table local scope link  src 172.16.2.1
local 192.168.2.139 dev wan table local scope host  src 192.168.2.139
broadcast 192.168.2.255 dev wan table local scope link  src 192.168.2.139

root@wg_site2site_b:~# ip -4 ru
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

Not really touching your question, but be conservative with the length (and type of characters) for your interface names, maximum length is 15, but netifd adding prefixes on its own steals some of those from you. Keep it short.

Thanks @slh! As you mentioned, this is not directly related to my issue, but I would definitely appreciate any further feedback/suggestions on what I can do to troubleshoot my issue.

Having said that - I only made some small modifications to the s2s_combined.sh file and did not increase the interface names provided in that script. Maybe there's a separate thread of opportunity to further improve the s2s_combined.sh script as provided in this page to avoid lengthy interface names: https://openwrt.org/docs/guide-user/services/vpn/wireguard/site-to-site

Just to confirm that this is the case, let's see the output of:

wg show

And when you ran those ping tests, can you provide the specific addresses that you were pinging (as well as from what address the ping originated)? This information is useful for both the successful pings as well as the ones that failed. And, for the ones that failed, what OS is the target host in each test?

Thanks @psherman! See requested ping and wg show output.

I did not mention earlier, but I am also able to connect to the luci web interface of the Site B openwrt router 172.16.2.1 from the Site A windows 11 endpoint 172.16.1.128 through the VPN.

Fail from Site B openwrt router across all interfaces to Site A windows 11 endpoint

root@wg_site2site_b:~# ping -c 1 -I lan 172.16.1.128
PING 172.16.1.128 (172.16.1.128): 56 data bytes

--- 172.16.1.128 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss

root@wg_site2site_b:~# ping -c 1 -I br-lan 172.16.1.128
PING 172.16.1.128 (172.16.1.128): 56 data bytes

--- 172.16.1.128 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss

root@wg_site2site_b:~# ping -c 1 -I wan 172.16.1.128
PING 172.16.1.128 (172.16.1.128): 56 data bytes

--- 172.16.1.128 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss
root@wg_site2site_b:~# ping -c 1 -I wg_s2s_b 172.16.1.128
PING 172.16.1.128 (172.16.1.128): 56 data bytes

--- 172.16.1.128 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss
root@wg_site2site_b:~# ping -c 1 172.16.1.128
PING 172.16.1.128 (172.16.1.128): 56 data bytes

--- 172.16.1.128 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss

Pass from Site A endpoint windows 11 172.16.1.128 to Site A and B openwrt routers' lan interfaces

PS C:\Users\Kevin> ping -n 1 172.16.1.1

Pinging 172.16.1.1 with 32 bytes of data:
Reply from 172.16.1.1: bytes=32 time<1ms TTL=64

Ping statistics for 172.16.1.1:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
PS C:\Users\Kevin> ping -n 1 172.16.2.1

Pinging 172.16.2.1 with 32 bytes of data:
Reply from 172.16.2.1: bytes=32 time=4ms TTL=63

Ping statistics for 172.16.2.1:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 4ms, Maximum = 4ms, Average = 4ms

Fail from Site A windows endpoint 172.16.1.128 to Site B windows endpoint 172.16.2.238

PS C:\Users\Kevin> ping -n 1 172.16.2.238
Pinging 172.16.2.238 with 32 bytes of data:
Request timed out.

Ping statistics for 172.16.2.238:
    Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),

Mixed results from the Site A openwrt router interfaces to the Site A windows 11 endpoint 172.16.1.128

root@wg_site2site_a:~# ping -c 1 -I lan 172.16.1.128
PING 172.16.1.128 (172.16.1.128): 56 data bytes

--- 172.16.1.128 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss
root@wg_site2site_a:~# ping -c 1 -I wan 172.16.1.128
PING 172.16.1.128 (172.16.1.128): 56 data bytes

--- 172.16.1.128 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss
root@wg_site2site_a:~# ping -c 1 -I wg_s2s_a 172.16.1.128
PING 172.16.1.128 (172.16.1.128): 56 data bytes
ping: sendto: Required key not available
root@wg_site2site_a:~# ping -c 1 -I br-lan 172.16.1.128
PING 172.16.1.128 (172.16.1.128): 56 data bytes
64 bytes from 172.16.1.128: seq=0 ttl=128 time=1.177 ms

--- 172.16.1.128 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 1.177/1.177/1.177 ms

root@wg_site2site_a:~# ping -c 1 172.16.1.128
PING 172.16.1.128 (172.16.1.128): 56 data bytes
64 bytes from 172.16.1.128: seq=0 ttl=128 time=1.111 ms

--- 172.16.1.128 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 1.111/1.111/1.111 ms

wg show results

root@wg_site2site_a:~# wg show
interface: wg_s2s_a
  public key: xx
  private key: (hidden)
  listening port: 51830

peer: xx
  preshared key: (hidden)
  endpoint: [INTERNET IP 2]:51830
  allowed ips: 172.16.2.0/24, fdee:eeee:eeee::/48
  latest handshake: 1 minute, 10 seconds ago
  transfer: 4.12 MiB received, 791.81 KiB sent
  persistent keepalive: every 25 seconds


root@wg_site2site_b:~# wg show
interface: wg_s2s_b
  public key: yy
  private key: (hidden)
  listening port: 51830

peer: yy
  preshared key: (hidden)
  endpoint: [INTERNET IP 1]:51830
  allowed ips: 172.16.1.0/24, fdff:ffff:ffff::/48
  latest handshake: 57 seconds ago
  transfer: 557.39 KiB received, 3.24 MiB sent
  persistent keepalive: every 25 seconds

Instead of specifying the interface for the pings to traverse, what happens if you just simply do:

Site A > Site B

  • from 172.16.1.1: ping 10.0.1.2
  • from 172.16.1.1: ping 172.16.2.1
  • from 172.16.1.1: ping 172.16.2.238
    (then repeat from 172.16.1.128 to the same destinations)

now reverse it:
Site B > Site A

  • from 172.16.2.1: ping 10.0.1.1
  • from 172.16.2.1: ping 172.16.1.1
  • from 172.16.2.1: ping 172.16.1.128
    (then repeat from 172.16.2.238 to the same destinations)

And to simplify the results, just say "pass" or "fail" for each of those tests rather than posting ping results.

It appears the mixed results are caused by sending the pings out an irrelevant interface (i.e. the wan -- we'd expect that to fail when it should go over the lan). If in doubt, just run ping <address> with no other command line switches and let OpenWrt (or Windows) handle the interface/routes as it should by default.

The lan clients will have their own firewall which will not allow traffic from other subnets.
So make sure the LAN clients of 172.168.1.0/24 will allow traffic from 172.168.2.0/24 and the other way around.

I would make a few changes but I do not think those are show stoppers.
For both addresses of site A and B use a /24 mask that will ensure that there is a route via the WG interface for that subnet e.g.:
list addresses '10.0.1.1/24' and list addresses '10.0.1.2/24'

Furthermore on Site A add the list address of site B as allowed ips:
list allowed_ips 10.0.1.2/32

and on site B add:
list allowed_ips 10.0.1.1/32

Reboot both routers afterwards

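The `uci export network` dumps above and egc's mirroring advice can be checked mechanically. The following Python script is an added example (not from this thread, and not OpenWrt's or egc's code) that parses the two dumps and reports IPv4 peer stanzas that do not mirror each other: the other site's LAN prefix or tunnel address missing from `allowed_ips`, a tunnel address given without a subnet mask, or an `endpoint_port` that does not match the peer's `listen_port`. A destination that no peer's `allowed_ips` covers is exactly what produces the `ping: sendto: Required key not available` line further up: WireGuard's cryptokey routing has no peer to encrypt it for, so the kernel refuses to send. The embedded configs are trimmed copies of the dumps posted in this thread with the same `xx`/`yy` placeholders; the script is meant to run on a workstation over pasted output, not on the router.

```python
import re
import ipaddress

# Trimmed copies of the two `uci export network` dumps posted in this thread.
# IPv6 entries are kept only to show that the check skips them.
SITE_A = """\
config interface 'lan'
        option proto 'static'
        option ipaddr '172.16.1.1'
        option netmask '255.255.255.0'

config interface 'wg_s2s_a'
        option proto 'wireguard'
        option listen_port '51830'
        list addresses '10.0.1.1'

config wireguard_wg_s2s_a 's2s_vpn_site_b'
        option public_key 'xx'
        list allowed_ips '172.16.2.0/24'
        list allowed_ips 'fdee:eeee:eeee::/48'
        option endpoint_port '51830'
"""

SITE_B = """\
config interface 'lan'
        option proto 'static'
        option ipaddr '172.16.2.1'
        option netmask '255.255.255.0'

config interface 'wg_s2s_b'
        option proto 'wireguard'
        option listen_port '51830'
        list addresses '10.0.1.2'

config wireguard_wg_s2s_b 's2s_vpn_site_a'
        option public_key 'yy'
        list allowed_ips '172.16.1.0/24'
        list allowed_ips 'fdff:ffff:ffff::/48'
        option endpoint_port '51830'
"""

# The same dumps after egc's changes: /24 on the tunnel address and the peer's
# tunnel address added to allowed_ips (the peer stanza is the last section).
SITE_A_FIXED = SITE_A.replace("'10.0.1.1'", "'10.0.1.1/24'") + "        list allowed_ips '10.0.1.2/32'\n"
SITE_B_FIXED = SITE_B.replace("'10.0.1.2'", "'10.0.1.2/24'") + "        list allowed_ips '10.0.1.1/32'\n"


def parse_uci(text):
    """Parse `uci export` output into sections: {"type", "name", "opts": {key: [values]}}."""
    sections, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"config (\S+)(?: '([^']*)')?$", line)
        if m:
            cur = {"type": m.group(1), "name": m.group(2), "opts": {}}
            sections.append(cur)
            continue
        m = re.match(r"(option|list) (\S+) '([^']*)'$", line)
        if m and cur is not None:
            cur["opts"].setdefault(m.group(2), []).append(m.group(3))
    return sections


def site_summary(text):
    """Pull the IPv4 facts the mirror check needs out of one router's dump (one WireGuard peer assumed)."""
    s = {"lan": None, "tunnel": [], "allowed": [], "listen_port": None, "endpoint_port": None}
    for sec in parse_uci(text):
        o = sec["opts"]
        if sec["type"] == "interface" and sec["name"] == "lan":
            s["lan"] = ipaddress.ip_network(f"{o['ipaddr'][0]}/{o['netmask'][0]}", strict=False)
        elif sec["type"] == "interface" and o.get("proto") == ["wireguard"]:
            s["listen_port"] = o.get("listen_port", [None])[0]
            s["tunnel"] = [ipaddress.ip_interface(a) for a in o.get("addresses", []) if ":" not in a]
        elif sec["type"].startswith("wireguard_"):
            s["allowed"] = [ipaddress.ip_network(n) for n in o.get("allowed_ips", []) if ":" not in n]
            s["endpoint_port"] = o.get("endpoint_port", [None])[0]
    return s


def covered(target, nets):
    """True when a network, or the host address of an ip_interface, lies inside one of `nets`."""
    tnet = target if isinstance(target, ipaddress.IPv4Network) else ipaddress.ip_network(str(target.ip))
    return any(tnet.subnet_of(n) for n in nets)


def check_pair(local, remote, local_label, remote_label):
    """Findings for the peer stanza on `local` that points at `remote`."""
    findings = []
    if not covered(remote["lan"], local["allowed"]):
        findings.append(f"{local_label}: allowed_ips does not cover {remote_label} LAN {remote['lan']}")
    for addr in remote["tunnel"]:  # traffic to the peer's tunnel IP needs a matching allowed_ips entry too
        if not covered(addr, local["allowed"]):
            findings.append(f"{local_label}: allowed_ips does not cover {remote_label} tunnel address {addr.ip}")
    if local["endpoint_port"] != remote["listen_port"]:
        findings.append(f"{local_label}: endpoint_port {local['endpoint_port']} != {remote_label} listen_port {remote['listen_port']}")
    for addr in local["tunnel"]:  # egc's advice: give the tunnel address a /24 so the tunnel subnet is routed
        if addr.network.prefixlen == 32:
            findings.append(f"{local_label}: tunnel address {addr} has no subnet mask; use e.g. /24")
    return findings


def audit(text_a, text_b):
    """Run the mirror check in both directions and return all findings."""
    a, b = site_summary(text_a), site_summary(text_b)
    return check_pair(a, b, "site A", "site B") + check_pair(b, a, "site B", "site A")


if __name__ == "__main__":
    for label, pair in (("as posted", (SITE_A, SITE_B)), ("after egc's changes", (SITE_A_FIXED, SITE_B_FIXED))):
        findings = audit(*pair)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

On the configs as posted the script reports four findings (each side lacks the other's tunnel address in `allowed_ips` and has a /32 tunnel address); after egc's two changes it reports none. It only reads the files, so it cannot tell you about the host firewall on the Windows clients, which turned out to be the actual cause further down the thread.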

Hi @psherman, see the revised ping results:

Site A > Site B

  • from 172.16.1.128: ping 10.0.1.2 (pass)
  • from 172.16.1.128: ping 172.16.2.1 (pass)
  • from 172.16.1.128: ping 172.16.2.238 (fail) (win10 endpoint)
  • from 172.16.1.1: ping 10.0.1.2 (pass)
  • from 172.16.1.1: ping 172.16.2.1 (pass)
  • from 172.16.1.1: ping 172.16.2.238 (fail) (win10 endpoint)

Site B > Site A

  • from 172.16.2.238: ping 10.0.1.1 (pass)
  • from 172.16.2.238: ping 172.16.2.1 (pass)
  • from 172.16.2.238: ping 172.16.2.128 (fail) (win11 endpoint)
  • from 172.16.2.1: ping 10.0.1.1 (pass)
  • from 172.16.2.1: ping 172.16.2.1 (pass)
  • from 172.16.2.1: ping 172.16.2.128 (fail) (win11 endpoint)

I have also made the changes recommended by @egc:

list allowed_ips 10.0.1.2/32 under wg_s2s_a (Site A)
changed wg_s2s_a IP subnet from 10.0.1.1/32 to 10.0.1.1/24
list allowed_ips 10.0.1.1/32 under wg_s2s_b (Site B)
changed wg_s2s_a IP subnet from 10.0.1.2/32 to 10.0.1.2/24

Both routers rebooted after those changes, then ping tests performed above.

I continue to be able to access Site A openwrt LUCI interface via Site B windows browser endpoint (and vice versa).

As a test enable MASQUERADING on the LAN interface of the router


@egc @psherman

As @egc suggested, the windows endpoint firewalls were not configured to respond to pings from another subnet. I had enabled pings, but failed to expand scope beyond the local subnet. Reference: https://bitlaunch.io/blog/how-to-make-windows-10-pingable/

With that change in place, windows endpoint to endpoint ping is now working (thanks!)

The second part of the configuration is to redirect Internet traffic from Site B through the VPN to Site A's internet. What configuration is required to make that happen? Thanks again for the amazing help thus far!


On site B, change the wireguard "allowed IPs" field to 0.0.0.0/0 (you'll find this in the peer config stanza on the site B router in /etc/config/network).

Then, on site A, make sure you have forwarding from your wireguard zone to the wan zone in the firewall. If it is still configured as it was early in the thread, wireguard is part of the lan zone, which means it will 'just work' -- but if you've changed wg to a new zone, just allow forwarding from that zone to wan.


As you said, it 'just worked' after adding "allowed IPs" 0.0.0.0/0 to wireguard interface, huge thanks @psherman and @egc !

Glad you got it working. My MASQUERADING lan test was to see if the windows firewall was the problem, but you already figured that out :)


Hi @psherman @egc.

The VPN tunnel failed some time after setting the default gateway through the wireguard. I should have anticipated that I needed to maintain some route to the local internet for DDNS. The DDNS is currently showing both Internet IPs as Site A as the Site B router registered with DDNS through Site A's internet with the new default routing in place.

Can you please suggest a configuration to maintain the DDNS to route through Site B WAN (to Internet), and the rest of the network through WG VPN to Site A? Thanks!

Is there any reason you need a DDNS for Site B?


I think in DDNS configuration you can add the interface DDNS needs to query, so if you add the WAN it should query the WAN interface for IP address.

Otherwise create a route for the external IP check website (I have to check which is used) via the WAN

But as @krazeh already pointed out you only need to setup the route from one side so you can consider deleting the endpoint on the other side and the DDNS on this side

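To see why a host route fixes the DDNS problem egc describes, here is an added Python model (not from this thread, ddns-scripts or OpenWrt) of site B's IPv4 main table after `allowed_ips 0.0.0.0/0` was added. Longest prefix wins and, between the two default routes, the model assumes the tunnel default is preferred, which matches the observation above that site B's DDNS update went out through site A. The public IP of site A and the IP-check host are constructed placeholders (`198.51.100.1` and `203.0.113.10`) standing in for `[INTERNET IP1]` and whichever web service ddns-scripts queries; the endpoint host route via `wan` is the one visible in the `ip -4 ro li tab all` output earlier in the thread.

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholders, not real addresses from the thread.
SITE_A_PUBLIC = "198.51.100.1"   # stands in for [INTERNET IP1], site A's routable address
IP_CHECK_HOST = "203.0.113.10"   # stands in for the "what is my IP" service ddns-scripts asks
ANY_INTERNET = "192.0.2.1"       # an arbitrary Internet destination


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    metric: int = 0


def route(prefix, dev, metric=0):
    return Route(ipaddress.ip_network(prefix), dev, metric)


def lookup(table, dst):
    """Egress device for `dst`: longest matching prefix wins, lowest metric breaks ties."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.prefix.prefixlen, -r.metric)).dev


def site_b_table():
    """Site B's IPv4 main table after allowed_ips 0.0.0.0/0, modelled on the thread's `ip -4 ro li tab all`."""
    return [
        route("0.0.0.0/0", "wan", metric=10),       # DHCP default via 192.168.2.1
        route("0.0.0.0/0", "wg_s2s_b", metric=0),   # from route_allowed_ips for 0.0.0.0/0; assumed to win (see lead-in)
        route(f"{SITE_A_PUBLIC}/32", "wan"),         # endpoint host route netifd installs ([INTERNET IP1] via wan)
        route("172.16.1.0/24", "wg_s2s_b"),          # site A LAN
        route("172.16.2.0/24", "br-lan"),            # site B LAN
        route("192.168.2.0/24", "wan"),              # ISP router segment
    ]


def with_host_route(table, host, dev):
    """Copy of `table` plus a /32 for `host` via `dev` (what a `config route` stanza in /etc/config/network adds)."""
    return table + [route(f"{host}/32", dev)]


def ddns_path(table):
    """Where the DDNS IP check, ordinary Internet traffic and the tunnel's own packets leave."""
    return {
        "ip_check": lookup(table, IP_CHECK_HOST),
        "internet": lookup(table, ANY_INTERNET),
        "tunnel_endpoint": lookup(table, SITE_A_PUBLIC),
    }


if __name__ == "__main__":
    before = site_b_table()
    after = with_host_route(before, IP_CHECK_HOST, "wan")
    print("before host route:", ddns_path(before))
    print("after host route: ", ddns_path(after))
```

Before the host route the IP check leaves through `wg_s2s_b` like all other Internet traffic, so the service sees site A's address and DDNS registers the wrong IP; after it, only that one /32 goes out `wan` and everything else still rides the tunnel. The other option egc mentions, letting ddns-scripts read the address from the `wan` interface instead of asking a web service, avoids the route entirely but only helps when that interface carries a public address; here site B's WAN holds 192.168.2.139 behind the ISP router, so the web check is what produces the right answer and the host route is the piece that makes it reach the Internet directly. If the check service resolves to several addresses (a CDN, or multiple A records), each of them needs the same treatment.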

Hi @krazeh. I followed the instructions from https://openwrt.org/docs/guide-user/services/vpn/wireguard/site-to-site. Quote from the s2s_combined.sh script:

# The site configurations are symmetric, each is a server with the
# other as a peer.

Only one side needs to configure the other side with a global reachable address.
Downside, only one side can init the connection but besides that not really...


Perhaps a security benefit can be gained by adding a configuration allowing only listed DDNS names to attempt to establish a VPN connection (assuming that's a feature of openwrt)?

Unless the connection attempt has the correct keys, WG will just ignore it, so there aren't really any security benefits to be gained.
