Wireguard site-to-site configuration no endpoint connectivity

I totally agree it's best to run on the least complex setup.

My configuration is above in the thread with small changes added as recommended in this thread.

Hopefully this is a reasonable question - what settings would I strip out in order to run on this leaner config?

Thanks again for all the help!

Unless you have any other reason to have a DDNS for Site B (which seems unlikely if you're forwarding all internet traffic through Site A) then on Site A, remove

        option endpoint_host 'yy'
        option endpoint_port '51830'

from

config wireguard_wg_s2s_a 's2s_vpn_site_b'

You can probably also delete the DDNS setup from site B.

Edit: Changed incorrect information about which site to remove endpoint details from (originally stated Site B when it should be Site A)

If you remove DDNS on site B should you then not remove

        option endpoint_host 'yy'
        option endpoint_port '51830'

on site A?

Or do I have brain freeze?

Anyway we all agree that you really only need to set up the tunnel from one side 🙂


I will try that! Could I then clone Site B's config into a 'Site C' that also connects to Site A (understanding all traffic for B and C would route through A)?

You are right, my bad.

@thema5on remove the endpoint host and port from Site A, not Site B.

That should work. As long as all your subnets/keys etc. are different of course.


In this new config:

  • Should watchdog only be running on Site B?
  • Will Site A still be able to access Site B local network resources?

Yes to both.

Site A will no longer attempt to connect to any peers, it'll just receive requests from remote peers so there's no use in it running any sort of watchdog to check the connection status.

Connectivity over the established tunnel is completely separate from the connectivity used to establish it. There should be no impact to the ability to access resources at either end of the tunnel.

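A concrete version of the watchdog role described in the reply above, as an added example that is not code from this thread or from OpenWrt: a Site B-side check that reads `wg show wg_s2s_b latest-handshakes` (one line per peer, `<public-key>\t<unix-timestamp>`, `0` if no handshake has ever completed) and flags peers whose last handshake is older than a threshold. The interface name `wg_s2s_b`, the 180-second threshold, the placeholder public keys in the sample output and the `ifup` remediation step are assumptions. Site A needs nothing like this: it never initiates, so there is no connection for it to watch.

```python
import subprocess
import time

# Constructed sample of `wg show wg_s2s_b latest-handshakes` output with
# placeholder public keys: "<peer-public-key>\t<unix-timestamp>" per peer,
# timestamp 0 meaning the peer has never completed a handshake.
SAMPLE_OUTPUT = (
    "SITE_A_PUBLIC_KEY_PLACEHOLDER=\t1700000100\n"
    "NEVER_SEEN_PEER_PLACEHOLDER=\t0\n"
)

# WireGuard renews the handshake at least every 2 minutes while packets (or a
# persistent keepalive) flow, so a handshake older than ~3 minutes means the
# tunnel is not passing traffic in either direction.  Assumed threshold.
STALE_AFTER = 180


def parse_latest_handshakes(output):
    """Parse `wg show <iface> latest-handshakes` into {pubkey: unix_timestamp}."""
    handshakes = {}
    for line in output.splitlines():
        if not line.strip():
            continue
        pubkey, ts = line.split("\t")
        handshakes[pubkey] = int(ts)
    return handshakes


def stale_peers(handshakes, now, stale_after=STALE_AFTER):
    """Peers whose last handshake is older than stale_after seconds.
    A timestamp of 0 (never handshaked) always counts as stale."""
    return sorted(k for k, ts in handshakes.items()
                  if ts == 0 or now - ts > stale_after)


def check_tunnel(iface, now=None, runner=subprocess.run):
    """Run `wg show` for iface and decide whether it needs a restart.
    Returns (needs_restart, list_of_stale_peer_keys)."""
    now = time.time() if now is None else now
    result = runner(["wg", "show", iface, "latest-handshakes"],
                    capture_output=True, text=True, check=True)
    stale = stale_peers(parse_latest_handshakes(result.stdout), now)
    return bool(stale), stale


if __name__ == "__main__":
    needs_restart, stale = check_tunnel("wg_s2s_b")
    if needs_restart:
        print("stale peers:", stale)
        # Assumed remediation: bring the OpenWrt interface up again.
        subprocess.run(["ifup", "wg_s2s_b"], check=False)
    else:
        print("tunnel healthy")
```

Run it from cron on Site B only; on a one-sided setup the initiating end is the only place where a stale handshake means something has to be redone.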

Awesome!

I removed the lines marked > from Site A:

config interface 'wg_s2s_a'
        option proto 'wireguard'
        option private_key 'xx'
        option listen_port '51830'
        list addresses '10.0.1.1/24'

config wireguard_wg_s2s_a 's2s_vpn_site_b'
        option public_key 'xx'
        option preshared_key 'xx'
        option description 'Site B, xx'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
>        option endpoint_host 'site b xx'
>        option endpoint_port '51830'
        list allowed_ips '172.16.2.0/24'
        list allowed_ips 'fdee:eeee:eeee::/48'
        list allowed_ips '10.0.1.2/32'

After reboot, the tunnel came back up cleanly, initiated by Site B.

I will tinker with Site C now - thank you!

Hello again @krazeh

re: Site C setup, do I create a new interface on Site A for connectivity? See proposed config. I will also add the firewall rule for Wireguard-51840 to A and C.

Site A /etc/config/network VPN config (additional lines):

config interface 'wg_s2s_ac'
        option proto 'wireguard'
        option private_key 'new_private_key'
        option listen_port '51840'  < new port listener
        list addresses '10.0.2.1/24' < new wg subnet (do not share with Site AB wg subnet 10.0.1.x/24)

config wireguard_wg_s2s_ac 's2s_vpn_site_ac'
        option public_key 'new_public_key'
        option preshared_key 'new_preshared_key'
        option description 'Site C'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        list allowed_ips '172.16.3.0/24' < Site C subnet
        list allowed_ips 'fdee:ffff:ffff::/48'
        list allowed_ips '10.0.2.2/32' < Site C wg interface IP

Site C /etc/config/network VPN config

config interface 'wg_s2s_c'
        option proto 'wireguard'
        option private_key 'new_private_key'
        option listen_port '51840'      < new port as above
        list addresses '10.0.2.2/24'   < new wg interface IP, same subnet as Site A wg

config wireguard_wg_s2s_c 's2s_vpn_site_a'
        option public_key 'new_public_key'
        option preshared_key 'new_preshared_key'
        option description 'Site C'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        option endpoint_host '[DDNS Internet address for Site A]'
        option endpoint_port '51840'   < new port
        list allowed_ips '172.16.1.0/24'  < Site A lan network
        list allowed_ips 'fdff:ffff:ffff::/48'   < Site A lan network
        list allowed_ips '10.0.2.1/32'   <  Site A new WG IP
        list allowed_ips '0.0.0.0/0'   < force internet through Site A

Thanks again for the advice!

Do not make an extra interface.

Site C is just another peer with address 10.0.1.3/24
So set in allowed ips for that peer 10.0.1.3/32 and the subnet address e.g. 172.16.3.0/24


@egc I've set up the peer as you recommended, and deployed Site C to another friend's home. That friend has an ISP with IPv6 fully deployed. I found I cannot ping from Site C to Site A using IPv6. I may not have set up IPv6 correctly as it's new to me, or there may be some other issue. See my configuration:

Site C /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdee:ffff:ffff::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan'

config device
        option name 'lan'
        option macaddr 'xx'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '172.16.3.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'wan'
        option macaddr 'xx'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option metric '1024'
        option peerdns '0'
        list dns '8.8.8.8'
        list dns '8.8.4.4'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option peerdns '0'
        list dns '2001:4860:4860::8888'
        list dns '2001:4860:4860::8844'

config interface 'wg_s2s_c'
        option proto 'wireguard'
        option private_key 'privkey'
        option listen_port '51830'
        list addresses '10.0.1.3/24'

config wireguard_wg_s2s_c 's2s_vpn_site_a'
        option public_key 'pubkey'
        option preshared_key 'preshared key'
        option description 'Site A, wgsite2site-a'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        option endpoint_host 'INTERNET IP SITE A'
        option endpoint_port '51830'
        list allowed_ips '172.16.1.0/24'
        list allowed_ips 'fdff:ffff:ffff::/48'
        list allowed_ips '10.0.1.1/32'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'

Site A /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdff:ffff:ffff::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan'

config device
        option name 'lan'
        option macaddr 'xx'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '172.16.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'wan'
        option macaddr 'xx'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option metric '1024'
        option peerdns '0'
        list dns '8.8.8.8'
        list dns '8.8.4.4'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option peerdns '0'
        list dns '2001:4860:4860::8888'
        list dns '2001:4860:4860::8844'

config interface 'wg_s2s_a'
        option proto 'wireguard'
        option private_key 'privkey'
        option listen_port '51830'
        list addresses '10.0.1.1/24'

config wireguard_wg_s2s_a 's2s_vpn_site_b'
        option public_key 'pubkey'
        option preshared_key 'presharedkey'
        option description 'Site B, wgsite2site-b'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        list allowed_ips '172.16.2.0/24'
        list allowed_ips 'fdee:eeee:eeee::/48'
        list allowed_ips '10.0.1.2/32'
        option private_key 'bprivkey'

config wireguard_wg_s2s_a 's2s_vpn_site_c'
        option description 'Site C'
        option public_key 'pubkey'
        option preshared_key 'cpresharedkey'
        list allowed_ips '172.16.3.0/24'
        list allowed_ips 'fdee:ffff:ffff::/48'
        list allowed_ips '10.0.1.3/32'
        option private_key 'cprivkey'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

Site C wg

interface: wg_s2s_c
  public key: pubkley
  private key: (hidden)
  listening port: 51830

peer: peerkey
  preshared key: (hidden)
  endpoint: [INTERNET IP SITE A]:51830
  allowed ips: 172.16.1.0/24, fdff:ffff:ffff::/48, 10.0.1.1/32, 0.0.0.0/0, ::/0
  latest handshake: 57 seconds ago
  transfer: 178.38 KiB received, 187.45 KiB sent
  persistent keepalive: every 25 seconds

Ping health

Site C 172.16.3.1 
* ping -4 www.google.ca (pass)
* ping -6 www.google.ca or 2607:f8b0:400b:80c::2003 (fail)
* ping 172.16.1.1 (pass)
* ping 10.0.1.1 (pass)

Site C 172.16.3.1 traceroute to 8.8.8.8 shows the path through Site A internet which is correct.

I think I need help to correct the IPv6 setting on br-lan, or help turning off IPv6 for br-lan? I left in the IPv6 address as set in the original s2s_shared.sh (but made it slightly unique per site) thinking it was private IPv6 space.

Why not just use IPv4?

To get this working you need at least a fully functioning IPv6 on site A.

As the GUA address prefix is often dynamic it is more difficult to set up with IPv6; when I set up with IPv6 (but I am not an expert (yet) on IPv6) I use NAT66 with ULA addresses.

But setting up IPv6 is outside the scope of this thread; you had better start a new thread on that.

@egc I am all for the least complex config.

How do I effectively disable/remove the IPv6 settings from Site C OpenWrt (see configs above)? Or do I just leave it as-is?

Remove:

and


Yes, the allowed_ips ::/0 is causing site C to send all IPv6 Internet use down the tunnel, which doesn't work because site A does not have an IPv6 ISP; it breaks site C being able to use IPv6 through its local ISP. You could keep the ULAs active but there isn't a reason to if sites A and B are running everything IPv4.

Thanks @mk24 @egc

After making these changes, the traceroute results:

Site C traceroute -4 www.google.ca traverses the VPN through Site A internet
Site C traceroute -6 www.google.ca traverses the local Site C internet

Is there anything I need to do to make sure the Site C br-lan interface does not get an IPv6 address that would bypass the VPN through Site A?

It appears to have an IPv6 setting as per:

[image: Site C lan interface showing its IPv6 settings]

To have a v4 only lan, remove the ip6assign from the lan section of /etc/config/network. Also set dhcpv6 and ra to disabled in the lan section of /etc/config/dhcp.
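The advice in this thread boils down to three checks on the posted UCI files: every peer on a shared WireGuard interface needs its own /32 inside the tunnel subnet and its own site subnet (egc's "Site C is just another peer"), a /0 in allowed_ips pulls all traffic of that IP family into the tunnel (mk24's note on ::/0), and a v4-only lan must lose ip6assign and have dhcpv6/ra explicitly disabled (the reply above). The following is an added example, not code from the thread or from OpenWrt: a minimal UCI parser plus those three checks, run against a trimmed copy of the Site C configs posted earlier with placeholder keys. The parser only understands `config`/`option`/`list` lines, `subnet_of` needs Python 3.7+, and treating an unset `dhcpv6`/`ra` as a finding follows the reply's "set to disabled" literally; all of that is assumed.

```python
import ipaddress
import shlex


def parse_uci(text):
    """Minimal OpenWrt UCI parser (config/option/list lines only).
    Returns a list of {"type", "name", "options", "lists"} sections."""
    sections = []
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)
        if not parts:
            continue
        if parts[0] == "config":
            sections.append({"type": parts[1], "name": parts[2] if len(parts) > 2 else None,
                             "options": {}, "lists": {}})
        elif parts[0] == "option":
            sections[-1]["options"][parts[1]] = parts[2] if len(parts) > 2 else ""
        elif parts[0] == "list":
            sections[-1]["lists"].setdefault(parts[1], []).append(parts[2])
    return sections


def check_wireguard(sections):
    """Findings for each proto 'wireguard' interface and its wireguard_<iface> peers:
    public_key present, a /32 or /128 inside the tunnel subnet, no allowed_ips
    overlap between peers, and /0 catch-alls called out per IP family."""
    findings = []
    for iface in sections:
        if iface["type"] != "interface" or iface["options"].get("proto") != "wireguard":
            continue
        tunnel = [ipaddress.ip_interface(a).network for a in iface["lists"].get("addresses", [])]
        claimed = []  # (network, peer label) already routed to another peer of this interface
        for peer in sections:
            if peer["type"] != "wireguard_" + iface["name"]:
                continue
            label = peer["name"] or peer["options"].get("description", "?")
            if not peer["options"].get("public_key"):
                findings.append(f"{label}: missing public_key")
            nets = [ipaddress.ip_network(c, strict=False) for c in peer["lists"].get("allowed_ips", [])]
            if not any(n.prefixlen == n.max_prefixlen
                       and any(t.version == n.version and n.subnet_of(t) for t in tunnel)
                       for n in nets):
                findings.append(f"{label}: no /32 or /128 inside tunnel subnet {', '.join(map(str, tunnel))}")
            for n in nets:
                if n.prefixlen == 0:
                    findings.append(f"{label}: {n} is a catch-all, ALL IPv{n.version} traffic goes through the tunnel")
                    continue
                for other, owner in claimed:
                    if other.version == n.version and other.overlaps(n):
                        findings.append(f"{label}: {n} overlaps {other} claimed by {owner}")
            claimed += [(n, label) for n in nets if n.prefixlen != 0]
    return findings


def check_lan_v4_only(network_sections, dhcp_sections, lan="lan"):
    """Findings if the lan still offers IPv6: ip6assign in /etc/config/network,
    or dhcpv6 / ra not explicitly 'disabled' in /etc/config/dhcp."""
    findings = []
    for s in network_sections:
        if s["type"] == "interface" and s["name"] == lan and "ip6assign" in s["options"]:
            findings.append(f"network.{lan}: remove ip6assign '{s['options']['ip6assign']}'")
    for s in dhcp_sections:
        if s["type"] == "dhcp" and s["name"] == lan:
            for key in ("dhcpv6", "ra"):
                value = s["options"].get(key, "unset")
                if value != "disabled":
                    findings.append(f"dhcp.{lan}: {key} is {value}, set it to 'disabled'")
    return findings


# Constructed sample: the Site C /etc/config/network and /etc/config/dhcp
# fragments posted above, trimmed, with placeholder keys.
SITE_C_NETWORK = """
config interface 'lan'
        option proto 'static'
        option ipaddr '172.16.3.1'
        option ip6assign '60'

config interface 'wg_s2s_c'
        option proto 'wireguard'
        option private_key 'privkey'
        list addresses '10.0.1.3/24'

config wireguard_wg_s2s_c 's2s_vpn_site_a'
        option public_key 'pubkey'
        list allowed_ips '172.16.1.0/24'
        list allowed_ips 'fdff:ffff:ffff::/48'
        list allowed_ips '10.0.1.1/32'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
"""

SITE_C_DHCP = """
config dhcp 'lan'
        option interface 'lan'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
"""

if __name__ == "__main__":
    net = parse_uci(SITE_C_NETWORK)
    for finding in check_wireguard(net) + check_lan_v4_only(net, parse_uci(SITE_C_DHCP)):
        print(finding)
```

On the sample it reports both catch-alls (the IPv4 one is intended here, the IPv6 one is the problem mk24 identified) plus the three lan IPv6 settings; on a real router feed it `cat /etc/config/network` and `cat /etc/config/dhcp`.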

@mk24 Please confirm, to remove IPv6 from the lan interface, you are recommending removal of the lines marked >:

/etc/config/network

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '172.16.3.1'
        option netmask '255.255.255.0'
>        option ip6assign '60'

/etc/config/dhcp

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
>        option dhcpv6 'server'
>        option ra 'server'
>        list ra_flags 'managed-config'
>        list ra_flags 'other-config'

Curious - if ISPs are using IPv6 to their internet router (where I port forward to the OpenWrt WAN interface, still on IPv6), should I use DDNS to register the IPv6 address as a target for WireGuard? (Is there any efficiency/improved performance as a result over IPv4, understanding it's IPv4 internally after tunnel termination at the OpenWrt WAN interface?)

I do not think so.

On my internet-connected router, which has IPv6 and IPv4, I have a separate IPv6 DDNS address I use for testing, but the normal connection is just IPv4.