WireGuard Site-to-Site initiate tunnel

Installing and Using OpenWrt Network and Wireless Configuration
1

Hi all,

I've been running OpenWrt/LEDE on 2 BT HomeHub5a routers for a while now (currently on 19.07) and I've just recently been playing around with WireGuard.
I have successfully configured both and can connect from a mobile device and a laptop from etiher location or using 4G, however I can't get a LAN-to-LAN tunnel working between the two sites.

I have followed the advice here:

My own subnets are 192.168.141.0/24 and 192.168.26.0/24 and, as the BT HH5a routers are VDSL capable, they are also the internet facing devices. I'm using No-IP in WireGuard as my ISP provides dynamic public IP addresses.

There is nothing in LuCI -> Status -> System Log/WireGuard Status to indicate an issue and, like I said, mobile clients can connect to either with no issue.

My question is, what actually starts the LAN-to-LAN tunnel?
With the Android and Windows clients, there is a button or slider to start the connection, but in the configuration as shown on the forum page linked above, there is no way to initiate the tunnel.

I feel like I'm missing something so simple that no-one bothers to include it in any instructions as it's assumed one would know.

If it's at all relevant, I haven't yet configured static routes so clients either side of the tunnel can reach clients on the other end (as I wasn't clear on exactly how to do that yet), though I don't see how that could be affecting the tunnel coming up in the first place.

Would anyone please be able to let me know what I'm missing?

Thanks

2

https://openwrt.org/docs/guide-user/services/vpn/wireguard/extras#site-to-site

If the issue persists, post both client and server configs redacting the private parts:

uci show network; uci show firewall; \
ip address show; ip route show; ip rule show; wg show
1 Like
3

Hi,

Thanks for that link, I have already read that (EDIT: perhaps I have MISREAD on further reflection; adding the routes lets the 'network' understand to be looking for the remote network I take it? How would this be achieved in LuCI?). Unfortunately, the nomenclature there is client/server, but if I understand correctly, WireGuard is peer to peer. The client/server model suggests that the server is the host and the client is the guest and, in that relationship, I would expect the guest to initiate the connection (which makes sense with the Android or Windows clients). However, in the WireGuard paradigm, with both peers being equal in the LAN-to-LAN relationship, I'm back to not understanding which end of the tunnel initiates?

I have the results of the commands you requested redacted and ready if you would be willing to examine them?
Do I just paste them into the message box? I don't see a way to attach them as files (because I'm newly registered perhaps)

Thanks for your involvement!

1 Like
4

Yes, WG supports the P2P model, but in most cases it is degraded to client-server model.
The P2P model is typically problematic to use due to lack of public IPs resulting in limited connectivity.
You can use the code tag, or pastebin.com.

1 Like
5

Any interesting traffic, that means something that should go through the tunnel.
Apart from that wireguard is quite silent, unless you enable keepalives to keep the nat binding active.

1 Like
6

For the 192.168.26.0 subnet

Result of uci show network; uci show firewall; ip address show; ip route show; ip rule show; wg show

network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd32:66fb:3bb3::/48'
network.dsl=dsl
network.dsl.xfer_mode='ptm'
network.dsl.ds_snr_offset='0'
network.dsl.annex='b'
network.dsl.tone='a'
network.dsl.line_mode='vdsl'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0.1'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='192.168.26.1'
network.lan.dns='1.1.1.1 1.0.0.1'
network.lan_dev=device
network.lan_dev.name='eth0.1'
network.lan_dev.macaddr='****'
network.wan=interface
network.wan.proto='pppoe'
network.wan.ipv6='1'
network.wan.pppd_options='debug'
network.wan.username='bthomehub@btbroadband.com'
network.wan.ifname='dsl0.101'
network.wan.password='BT'
network.wan_dev=device
network.wan_dev.macaddr='****'
network.wan_dev.name='dsl0'
network.wan6=interface
network.wan6.ifname='@wan'
network.wan6.proto='dhcpv6'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='0 1 2 4 6t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='5 6t'
network.Wireguard26=interface
network.Wireguard26.proto='wireguard'
network.Wireguard26.listen_port='51815'
network.Wireguard26.private_key='****************************************************'
network.@wireguard_Wireguard26[0]=wireguard_Wireguard26
network.@wireguard_Wireguard26[0].description='141'
network.@wireguard_Wireguard26[0].persistent_keepalive='25'
network.@wireguard_Wireguard26[0].allowed_ips='192.168.141.0/24'
network.@wireguard_Wireguard26[0].route_allowed_ips='1'
network.@wireguard_Wireguard26[0].public_key='***************************************************'
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan Wireguard26'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan wan6'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.miniupnpd=include
firewall.miniupnpd.type='script'
firewall.miniupnpd.path='/usr/share/miniupnpd/firewall.include'
firewall.miniupnpd.family='any'
firewall.miniupnpd.reload='1'
firewall.@redirect[0]=redirect
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].proto='tcp'
firewall.@redirect[0].src_dport='51548'
firewall.@redirect[0].dest_ip='192.168.26.103'
firewall.@redirect[0].dest_port='51548'
firewall.@redirect[0].name='soulseek'
firewall.@redirect[1]=redirect
firewall.@redirect[1].target='DNAT'
firewall.@redirect[1].src='wan'
firewall.@redirect[1].dest='lan'
firewall.@redirect[1].proto='tcp'
firewall.@redirect[1].src_dport='51549'
firewall.@redirect[1].dest_ip='192.168.26.103'
firewall.@redirect[1].dest_port='51549'
firewall.@redirect[1].name='soulseek'
firewall.@redirect[2]=redirect
firewall.@redirect[2].target='DNAT'
firewall.@redirect[2].src='wan'
firewall.@redirect[2].dest='lan'
firewall.@redirect[2].src_dport='5432'
firewall.@redirect[2].dest_ip='192.168.26.105'
firewall.@redirect[2].dest_port='554'
firewall.@redirect[2].name='webcam'
firewall.@redirect[2].proto='tcp'
firewall.@rule[9]=rule
firewall.@rule[9].src='*'
firewall.@rule[9].target='ACCEPT'
firewall.@rule[9].proto='udp'
firewall.@rule[9].dest_port='51815'
firewall.@rule[9].name='Allow-Wireguard-Inbound'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether **** brd ff:ff:ff:ff:ff:ff
    inet6 ****/64 scope link
       valid_lft forever preferred_lft forever
4: wlan1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether **** brd ff:ff:ff:ff:ff:ff
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether **** brd ff:ff:ff:ff:ff:ff
    inet 192.168.26.1/24 brd 192.168.26.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 ****/60 scope global dynamic noprefixroute
       valid_lft 8589825sec preferred_lft 8589825sec
    inet6 ****/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 ****/64 scope link
       valid_lft forever preferred_lft forever
6: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether **** brd ff:ff:ff:ff:ff:ff
8: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether **** brd ff:ff:ff:ff:ff:ff
    inet6 ****/64 scope link
       valid_lft forever preferred_lft forever
9: dsl0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether **** brd ff:ff:ff:ff:ff:ff
    inet6 ****/64 scope link
       valid_lft forever preferred_lft forever
11: dsl0.101@dsl0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether **** brd ff:ff:ff:ff:ff:ff
    inet6 ****/64 scope link
       valid_lft forever preferred_lft forever
12: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN group default qlen 3
    link/ppp
    inet **** peer 172.16.19.189/32 scope global pppoe-wan
       valid_lft forever preferred_lft forever
    inet6 ****/10 scope link
       valid_lft forever preferred_lft forever
14: Wireguard26: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
default via 172.16.19.189 dev pppoe-wan proto static
**** via 172.16.19.189 dev pppoe-wan proto static
172.16.19.189 dev pppoe-wan proto kernel scope link src ****
192.168.26.0/24 dev br-lan proto kernel scope link src 192.168.26.1
192.168.141.0/24 dev Wireguard26 proto static scope link
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
interface: Wireguard26
  public key: ***************************************
  private key: (hidden)
  listening port: 51815

peer: *******************************************
  allowed ips: 192.168.141.0/24
  persistent keepalive: every 25 seconds

For the 192.168.141.0 subnet

Result of uci show network; uci show firewall; ip address show; ip route show; ip rule show; wg show

network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd59:1cfb:f165::/48'
network.atm=atm-bridge
network.atm.vpi='1'
network.atm.vci='32'
network.atm.encaps='llc'
network.atm.payload='bridged'
network.atm.nameprefix='dsl'
network.dsl=dsl
network.dsl.annex='b'
network.dsl.tone='a'
network.dsl.line_mode='vdsl'
network.dsl.ds_snr_offset='0'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0.1'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='192.168.141.1'
network.lan.dns='1.1.1.1 8.8.8.8 208.67.222.222'
network.lan_dev=device
network.lan_dev.name='eth0.1'
network.lan_dev.macaddr='****'
network.wan=interface
network.wan.proto='pppoe'
network.wan.ipv6='1'
network.wan.username='bthomehub@btbroadband.com'
network.wan.password='BT'
network.wan.ifname='dsl0.101'
network.wan.peerdns='0'
network.wan.dns='1.1.1.1 8.8.8.8'
network.wan_dev=device
network.wan_dev.macaddr='****'
network.wan_dev.name='dsl0'
network.wan6=interface
network.wan6.ifname='@wan'
network.wan6.proto='dhcpv6'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].vid='1'
network.@switch_vlan[0].ports='2 4 6t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].vid='2'
network.@switch_vlan[1].ports='5 6t'
network.Wireguard141=interface
network.Wireguard141.proto='wireguard'
network.Wireguard141.listen_port='51815'
network.Wireguard141.private_key='***********************************************'
network.@wireguard_Wireguard141[0]=wireguard_Wireguard141
network.@wireguard_Wireguard141[0].description='motog6'
network.@wireguard_Wireguard141[0].persistent_keepalive='25'
network.@wireguard_Wireguard141[0].allowed_ips='192.168.141.8/32'
network.@wireguard_Wireguard141[0].route_allowed_ips='1'
network.@wireguard_Wireguard141[0].public_key='*******************************************'
network.@wireguard_Wireguard141[1]=wireguard_Wireguard141
network.@wireguard_Wireguard141[1].description='26'
network.@wireguard_Wireguard141[1].persistent_keepalive='25'
network.@wireguard_Wireguard141[1].route_allowed_ips='1'
network.@wireguard_Wireguard141[1].allowed_ips='192.168.26.0/24'
network.@wireguard_Wireguard141[1].public_key='**********************************************'
network.@wireguard_Wireguard141[2]=wireguard_Wireguard141
network.@wireguard_Wireguard141[2].public_key='**********************************************'
network.@wireguard_Wireguard141[2].description='x220'
network.@wireguard_Wireguard141[2].route_allowed_ips='1'
network.@wireguard_Wireguard141[2].persistent_keepalive='25'
network.@wireguard_Wireguard141[2].allowed_ips='192.168.26.0/24' '192.168.141.0/24'
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan Wireguard141'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@redirect[0]=redirect
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].proto='tcp udp'
firewall.@redirect[0].src_dport='53325'
firewall.@redirect[0].dest_ip='192.168.141.213'
firewall.@redirect[0].dest_port='53325'
firewall.@redirect[0].name='SoulSeek'
firewall.@redirect[1]=redirect
firewall.@redirect[1].target='DNAT'
firewall.@redirect[1].src='wan'
firewall.@redirect[1].dest='lan'
firewall.@redirect[1].proto='tcp udp'
firewall.@redirect[1].src_dport='53326'
firewall.@redirect[1].dest_ip='192.168.141.213'
firewall.@redirect[1].dest_port='53326'
firewall.@redirect[1].name='SoulSeek Obf'
firewall.miniupnpd=include
firewall.miniupnpd.type='script'
firewall.miniupnpd.path='/usr/share/miniupnpd/firewall.include'
firewall.miniupnpd.family='any'
firewall.miniupnpd.reload='1'
firewall.@rule[9]=rule
firewall.@rule[9].src='*'
firewall.@rule[9].target='ACCEPT'
firewall.@rule[9].proto='udp'
firewall.@rule[9].name='Allow-Wireguard-Inbound'
firewall.@rule[9].dest_port='51815'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether **** brd ff:ff:ff:ff:ff:ff
    inet6 ****/64 scope link
       valid_lft forever preferred_lft forever
3: ifb0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 32
    link/ether **** brd ff:ff:ff:ff:ff:ff
4: ifb1: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 32
    link/ether **** brd ff:ff:ff:ff:ff:ff
12: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether **** brd ff:ff:ff:ff:ff:ff
    inet 192.168.141.1/24 brd 192.168.141.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 ****/60 scope global dynamic noprefixroute
       valid_lft 8589891sec preferred_lft 8589891sec
    inet6 ****/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 ****/64 scope link
       valid_lft forever preferred_lft forever
13: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether **** brd ff:ff:ff:ff:ff:ff
15: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether **** brd ff:ff:ff:ff:ff:ff
    inet6 ****/64 scope link
       valid_lft forever preferred_lft forever
16: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether **** brd ff:ff:ff:ff:ff:ff
    inet6 ****/64 scope link
       valid_lft forever preferred_lft forever
17: dsl0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether **** brd ff:ff:ff:ff:ff:ff
    inet6 ****/64 scope link
       valid_lft forever preferred_lft forever
19: dsl0.101@dsl0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether **** brd ff:ff:ff:ff:ff:ff
    inet6 ****/64 scope link
       valid_lft forever preferred_lft forever
20: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN group default qlen 3
    link/ppp
    inet **** peer 172.16.19.189/32 scope global pppoe-wan
       valid_lft forever preferred_lft forever
    inet6 ****/10 scope link
       valid_lft forever preferred_lft forever
25: Wireguard141: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
default via 172.16.19.189 dev pppoe-wan proto static
**** via 172.16.19.189 dev pppoe-wan proto static
172.16.19.189 dev pppoe-wan proto kernel scope link src ****
192.168.26.0/24 dev Wireguard141 proto static scope link
192.168.141.0/24 dev Wireguard141 proto static scope link
192.168.141.8 dev Wireguard141 proto static scope link
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
interface: Wireguard141
  public key: ****************************************
  private key: (hidden)
  listening port: 51815

peer: *******************************************
  endpoint: ****:51484
  allowed ips: 192.168.26.0/24, 192.168.141.0/24
  latest handshake: 1 minute, 5 seconds ago
  transfer: 2.26 MiB received, 4.20 MiB sent
  persistent keepalive: every 25 seconds

peer: *******************************************
  allowed ips: (none)
  persistent keepalive: every 25 seconds

peer: *******************************************
  allowed ips: 192.168.141.8/32
  persistent keepalive: every 25 seconds
7

I take it ICMP is not interesting traffic? I tried pinging the 192.168.141.1 router from the 192.168.26.0 subnet, but nothing happens.
Would this change if I had the static routes configured?

8

Remove your own subnet from the peer routes:

Remove duplication:

1 Like
9

What's this peer for?

Either end can initiate the connection. Have you added endpoints to the peer config on each end?

1 Like
10

Hi both,

With regards to AllowedIPs, I'm a little confused I must admit. Are they IPs the Android/Windows client is allowed to use at the far end or are they what the 'host' will allow a connection FROM?

'Required. IP addresses and prefixes that this peer is allowed to use inside the tunnel. Usually the peer's tunnel IP addresses and the networks the peer routes through the tunnel.' This just isn't plain english to me!

Krazeh, that peer is a Thinkpad x220; I added both subnets as I could not access the far end without doing so.

I'm concerned about doing this incorrectly as, if I do so, I may lose access to the far end to continue configuration.

For the LAN-to-LAN, presumably the entire subnet should be in there?

For a remote device, do I add a single address?

11

Yes for both.
Each peer should list unique address and/or non-overlapping subnets in the allowed IPs.

12

Thank you, that's the REMOTE subnet (for clarification)?

1 Like
13

Yes, or 0.0.0.0/0 if you want access the internet via that peer.

14

So if I put 0.0.0.0/0 for AllowedIPs for the 2 client devices and the LAN-to-LAN, this will work?

15

Check out the config examples: WireGuard configuration examples

16

The AllowedIPs field has 2 functions. The first is to allow Wireguard to determine what should be allowed in or out of the tunnel. Packets have to come from an 'allowed IP' to exit the tunnel and be going to an 'allowed IP' to enter the tunnel. The second function is to tell Wireguard what routes it should add if you have route_allowed_ips set to 1.

The peer at each end of the site to site VPN should have the subnet for the other end in their allowed IPs field. Remote devices such as laptops should have either 0.0.0.0/0 if you want them to use the internet from the router you're connecting to, or the LAN subnet if you just want to access local resources.

2 Likes
17

Thanks for the clarification Krazeh.
Unfortunately, I have now lost access to the far end, so won't be able to try anything until I next visit that site :sigh: :slight_smile: I thought WireGuard was meant to be lightweight and easy (part of the difficulty stems from most of the configuration being demonstrated via SSH rather then LuCI where we do the monitoring.

If you wouldn't mind clarifying one more thing for me?
In the Android WireGuard client [Interface] section, there is (under the 'Public key' field) a field labelled Addresses; what belongs here?

18

The VPN network addresses such as 192.168.9.2/24 listed in the example above.

1 Like
19

Thanks, I have looked at these, but they also make some assumptions which left me unsure.
In the link you provided, the actual anchor is the 'Static addressing of WireGuard tunnel'; that section uses some IP addresses for illustration, but nowhere does it clarify what they relate to. E.g. 192.168.9.1 and 192.168.9.2 (both on the same subnet)
Why would both client and server be using IPs on the same subnet?

20

So in that instance, 192.168.9.2 is the address of the WireGuard 'server'?
Why plural though (i.e. Addresses)? Would you want to specify more than one WireGuard host here?