Wireguard Site to site configuration

hello,

like some people i try to configure 3 gl inet AR750 and 1 computer on site to site.
the idea:
1 server : connecting at home behind the internet box (port forwarding on the box open)
2 clients (could be everywhere,most of time connecting by tethering), actually i try with only one
1 computer with wireguard client connect from everywhere on server.

the wireguard config seems work.

server:
wan : 192.168.2.12 (ip give by internet box)
lan : 192.168.110.240
wireguard : 10.0.0.1

computer:
wan?
lan?
wireguard : 10.0.0.2

client1 :
wan : ?
lan : 192.168.0.240
wireguard 10.0.0.3

i'm actually able to have the wireguard working betwwen PC-SERVER and SERVER client.

from the client, i can ping everything on server

from the server or from my computer on other network connect by wireguard
192.168.110.240
192.168.2.250
10.0.0.1/10.0.0.2/10.0.0.3

but i'm not able to ping 192.168.0.240 or everything behind my client.
when i try to ping the lan network ,

answer from 192.168.2.250 : Impossible to reach the destination.
192.168.2.250 is my internet box on wan network of server.

i give you copy of the file inside SERVER
etc/config/wireguard server

config servers
	option local_ip '10.0.0.1'
	option local_port '51820'
	option private_key 'ME'
	option public_key 'b2Y'
	option enable '1'

config peers 'wg_peer_8792'
	option name 'julien'
	option client_key 'sjCK'
	option private_key 'gFJ'
	option client_ip '10.0.0.2/32'

config peers 'wg_peer_1582'
	option name 'client1'
	option client_key 'FjGKu'
	option private_key 'kN'
	option client_ip '10.0.0.3/32'

etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fde4:d3a5:ecdf::/48'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option hostname 'GL-AR750-c46'
	option ipaddr '192.168.110.240'
	option ifname 'eth1.1'

config interface 'wan'
	option ifname 'eth0'
	option proto 'dhcp'
	option hostname 'GL-AR750-c46'
	option metric '10'

config interface 'wan6'
	option ifname 'eth0'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 0t'

config interface 'wg0'
	option proto 'static'
	option ifname 'wg0'
	option ipaddr '10.0.0.1'
	option netmask '255.255.255.0'
	option route_allowed_ips '1'
	list allowed_ips '192.168.0.0/24'
	list allowed_ips '192.168.2.0/24'
	list allowed_ips '192.168.110.0/24'

etc/config/firewall


config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option network 'lan wg0'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'
	option forward 'ACCEPT'
	option input 'ACCEPT'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'
	option reload '1'

config include 'gls2s'
	option type 'script'
	option path '/var/etc/gls2s.include'
	option reload '1'

config include 'glfw'
	option type 'script'
	option path '/usr/bin/glfw.sh'
	option reload '1'

config include 'glqos'
	option type 'script'
	option path '/usr/sbin/glqos.sh'
	option reload '1'

config include 'mwan3'
	option type 'script'
	option path '/var/etc/mwan3.include'
	option reload '1'

config rule 'glservice_rule'
	option name 'glservice'
	option dest_port '83'
	option proto 'tcp udp'
	option src 'wan'
	option target 'ACCEPT'
	option enabled '0'

config rule 'AllowWireguard'
	option name 'Allow-Wireguard'
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp tcp'
	option family 'ipv4'
	option dest_port '51820'

config forwarding
	option dest 'wan'
	option src 'lan'

config forwarding
	option dest 'lan'
	option src 'wan'


and now for the client side

etc/config/wireguard

config proxy
	option main_server 'client1'
	option enable '1'

config peers 'wg_peer_3908'
	option name 'client1'
	option address '10.0.0.3/32'
	option listen_port '18876'
	option private_key 'kN+t7VnF4/6V0S3njq+3AA7DfxN17M3H5RWK8pSSznc='
	option dns '64.6.64.6'
	option end_point '82.64.208.94:51820'
	option public_key 'b2YFgD1UwqMziPp+FSW6rEj4v2ap5s+U1+YujkOFGD4='
	option allowed_ips '0.0.0.0/0'
	option persistent_keepalive '25'

etc/config/network


config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdcf:39f4:0b02::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth1.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option hostname 'GL-AR750-882'
	option ipaddr '192.168.0.240'

config interface 'wan'
	option ifname 'eth0'
	option proto 'dhcp'
	option hostname 'GL-AR750-882'

config interface 'wan6'
	option ifname 'eth0'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 0t'

config interface 'wwan'
	option proto 'dhcp'
	option metric '20'

config interface 'wg0'
	option proto 'static'
	option ifname 'wg0'
	option ipaddr '10.0.0.3'
	option netmask '255.255.255.0'
	option route_allowed_ips '1'
	list allowed_ips '192.168.110.0/24'
	list allowed_ips '192.168.2.0/24'
	list allowed_ips '192.168.0.0/24'

etc/config/firewall


config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan wg0'
	option masq '1'
	option mtu_fix '1'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6 wwan'
	option forward 'ACCEPT'
	option input 'ACCEPT'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'
	option reload '1'

config include 'gls2s'
	option type 'script'
	option path '/var/etc/gls2s.include'
	option reload '1'

config include 'glfw'
	option type 'script'
	option path '/usr/bin/glfw.sh'
	option reload '1'

config include 'glqos'
	option type 'script'
	option path '/usr/sbin/glqos.sh'
	option reload '1'

config include 'mwan3'
	option type 'script'
	option path '/var/etc/mwan3.include'
	option reload '1'

config rule 'glservice_rule'
	option name 'glservice'
	option dest_port '83'
	option proto 'tcp udp'
	option src 'wan'
	option target 'ACCEPT'
	option enabled '0'

config rule 'AllowWireguard'
	option name 'Allow-Wireguard'
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp tcp'
	option family 'ipv4'
	option dest_port '18876'

config forwarding
	option dest 'lan'
	option src 'wan'

config forwarding
	option dest 'wan'
	option src 'lan'
	**option enabled '0'**

**config zone 'wireguard'**
**	option name 'wireguard'**
**	option input 'ACCEPT'**
**	option forward 'ACCEPT'**
**	option output 'ACCEPT'**
**	option masq '1'**
**	option mtu_fix '1'**
**	option device 'wg0'**

**config forwarding 'wireguard_wan'**
**	option src 'wireguard'**
**	option dest 'wan'**

**config forwarding 'wireguard_lan'**
**	option src 'wireguard'**
**	option dest 'lan'**

**config forwarding 'lan_wireguard'**
**	option src 'lan'**
**	option dest 'wireguard'**

**config forwarding 'guest_wireguard'**
**	option src 'guestzone'**
**	option dest 'wireguard'**

**config forwarding 'wireguard_guest'**
**	option src 'wireguard'**
**	option dest 'guestzone'**


i don't know why, but each time i restart the server the line in bold are add to this file, i delete it each time...

and i don't know why i'm not able to reach client lan side

this is what i see in my client over LUCI/status/routes

Active IPv4-Routes
Network	Target	IPv4-Gateway	Metric	Table
wlan-sta	0.0.0.0/0	192.168.43.1	0	2
wg0	0.0.0.0/1	-	0	main
wlan-sta	0.0.0.0/0	192.168.43.1	20	main
wg0	10.0.0.0/24	-	0	main
wlan-sta	82.64.208.94	192.168.43.1	0	main
wg0	128.0.0.0/1	-	0	main
lan	192.168.0.0/24	-	0	main
wlan-sta	192.168.43.0/24	-	20	main

i don't know how to modify that

on my server

Active IPv4-Routes
Network	Target	IPv4-Gateway	Metric	Table
wan	0.0.0.0/0	192.168.2.250	0	1
wan	0.0.0.0/0	192.168.2.250	10	main
wg0	10.0.0.0/24	-	0	main
wan	192.168.2.0/24	-	10	main
lan	192.168.110.0/24	-	0	main

That syntax does not match OpenWrt WireGuard configuration.
You'd best follow to the official support channel for your device:

2 Likes

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.