WireGuard Site-to-Site initiate tunnel

Hi both,

With regards to AllowedIPs, I'm a little confused I must admit. Are they IPs the Android/Windows client is allowed to use at the far end or are they what the 'host' will allow a connection FROM?

'Required. IP addresses and prefixes that this peer is allowed to use inside the tunnel. Usually the peer's tunnel IP addresses and the networks the peer routes through the tunnel.' This just isn't plain English to me!

Krazeh, that peer is a Thinkpad x220; I added both subnets as I could not access the far end without doing so.

I'm concerned about doing this incorrectly as, if I do so, I may lose access to the far end to continue configuration.

For the LAN-to-LAN, presumably the entire subnet should be in there?

For a remote device, do I add a single address?

Yes for both.
Each peer should list a unique address and/or non-overlapping subnets in the allowed IPs.

Thank you, that's the REMOTE subnet (for clarification)?


Yes, or 0.0.0.0/0 if you want to access the internet via that peer.

So if I put 0.0.0.0/0 for AllowedIPs for the 2 client devices and the LAN-to-LAN, this will work?

Check out the config examples: WireGuard configuration examples

The AllowedIPs field has 2 functions. The first is to allow WireGuard to determine what should be allowed in or out of the tunnel. Packets have to come from an 'allowed IP' to exit the tunnel and be going to an 'allowed IP' to enter the tunnel. The second function is to tell WireGuard what routes it should add if you have route_allowed_ips set to 1.

The peer at each end of the site-to-site VPN should have the subnet for the other end in their allowed IPs field. Remote devices such as laptops should have either 0.0.0.0/0 if you want them to use the internet from the router you're connecting to, or the LAN subnet if you just want to access local resources.


Thanks for the clarification Krazeh.
Unfortunately, I have now lost access to the far end, so won't be able to try anything until I next visit that site :sigh: :slight_smile: I thought WireGuard was meant to be lightweight and easy (part of the difficulty stems from most of the configuration being demonstrated via SSH rather than LuCI, where we do the monitoring).

If you wouldn't mind clarifying one more thing for me?
In the Android WireGuard client [Interface] section, there is (under the 'Public key' field) a field labelled Addresses; what belongs here?

The VPN network addresses such as 192.168.9.2/24 listed in the example above.


Thanks, I have looked at these, but they also make some assumptions which left me unsure.
In the link you provided, the actual anchor is the 'Static addressing of WireGuard tunnel'; that section uses some IP addresses for illustration, but nowhere does it clarify what they relate to. E.g. 192.168.9.1 and 192.168.9.2 (both on the same subnet)
Why would both client and server be using IPs on the same subnet?

So in that instance, 192.168.9.2 is the address of the WireGuard 'server'?
Why plural though (i.e. Addresses)? Would you want to specify more than one WireGuard host here?

Once you understand the concepts, it is. But there can be an initial learning curve.

The address you want to assign to the WireGuard interface. Generally if you're connecting a number of remote devices (say laptops and phones) to your router you'd pick a subnet you're not using locally and just assign each device a /32 address out of that subnet. That's what goes in the address field on the device. The same value goes into the 'Allowed IPs' field for the peer on the router.

You can, if you wish, assign an address to the WireGuard interface on the router, but it's not necessary. All it really does is simplify some of the routing rules that get added, but that's all behind the scenes.


No, 192.168.9.2 is the client.

Assuming dual stack by default, i.e. IPv4 + IPv6.

Note that some services reject queries arriving on an interface they are not listening to.


krazeh
I would like to fully grok all this so I could distill it and write a blog post somewhere in plain english :smiley:

vgaetera
Ahhhhh (IPv4 and IPv6)
The CIDR stuff is still a little confusing :stuck_out_tongue: /24 is the entire subnet and /32 is a single address (if we're in 192.168), correct?

Thanks both for your help, I have to prepare for the day job now (sleep)
EDIT: I will reread all this when I have access to the far end again and see if I can get the LAN-to-LAN working

Yes, although the subnet can be bigger or smaller than /24 depending on how many addresses it contains.


Yeah, that could be the case, but how many of these sorts of services are you a) likely to be running directly on your router and b) need remote access to?

I'm afraid this depends on the user, so I believe that in the general case, adding another IP doesn't hurt to minimize potential issues.


Hi,

I made it back to the 141 subnet and when I look in WireGuard Status, it says my mobile client is connected.

In the [peer] section on the router for this device, I now have 'Allowed IPs' 0.0.0.0/0

In the [Interface] section on the Android client, I have 'Addresses' 192.168.141.8/32

So, although I am connected, I have no route to any device on the 141 subnet. I tried to access LuCI from a browser on the Android device and I tried opening a shell with JuiceSSH on the Android device.
Also, with the tunnel up on the Android device, I have no access to anything else from that device either.

I know I'm not grasping something here lol, gonna re-read what you all kindly said above and see if I can figure out the Allowed IP/Addresses concepts as it still isn't clear what router and client are expecting in their respective fields.

EDIT:
Below are what I see in LuCI for the WireGuard config, and the 'Motog6' peer

[Network > Interfaces > WireGuard141 > General Settings]
Status: Device: WireGuard141
Uptime: 0h 5m 31s
RX: 320B (3 Pkts.)
TX: 664B (17 Pkts.)

Protocol: WireGuard VPN

Bring up on boot : checked

Private Key: ********************************
Required: Base 64-encoded private key for this interface.

Listen Port: 51815
Optional. UDP port used for outgoing and incoming packets.

IP Addresses: blank
Recommended. IP addresses of the WireGuard interface.

[Network > Interfaces > WireGuard141 > Peers]
Description: motog6
Optional. Description of peer.

Public Key: ***********************************
Required. Base64-encoded public key of peer

Preshared Key: blank
Optional. Base64-encoded preshared key. Adds in an additional layer of symmetric-key cryptography for post-quantum resistance.

Allowed IPs: 0.0.0.0/0
Required. IP addresses and prefixes that this peer is allowed to use inside the tunnel. Usually the peer's tunnel IP addresses and the networks the peer routes through the tunnel.

Route Allowed IPs: checked
Optional. Create routes for Allowed IPs for this peer.

Endpoint Host: blank
Optional. Host of peer. Names are resolved prior to bringing up the interface.

Endpoint Port: blank
Optional. Port of peer.

Persistent Keep Alive: 25
Optional. Seconds between keep alive messages. Default is 0 (disabled). Recommended value if this device is behind a NAT is 25.

[Status -> WireGuard Status]
Peer: motog6

Public Key: ************************************
Endpoint: DDNS resolved Public IP of router:random port
Allowed IPs: none
Persistent Keepalive: 25s
Latest Handshake: Thu, 29 Oct 2020 09:47:42 GMT (1m ago)
Data Received: 2 KiB
Data Transmitted: 3 KiB

Below is the config from the WireGuard client on the Android device motog6
[Interface]
Name
141

Public key


Addresses
192.168.141.8/32

[Peer]
Public key


Allowed IPs
0.0.0.0/0

Endpoint:
addnsdotnetname:51815

Transfer
rx 632 B, tx 8.95 KiB

Both router and Android show as connected and the log on Android confirms it has done key exchange and is sending keep alive packets.
On the Android device, with the tunnel up, I have no access to anywhere as far as I can tell.

Add the network.Wireguard26.addresses='172.16.0.1/24' and network.@wireguard_Wireguard26[0].endpoint_port='51815'

Add: network.Wireguard141.addresses='172.16.0.2/24' '172.16.1.1/24'

This is some Android Phone I guess.

network.@wireguard_Wireguard141[0].allowed_ips='192.168.141.8/32'

Use IPs from another subnet. WG doesn't bridge, it routes. So use network.@wireguard_Wireguard141[0].allowed_ips='172.16.0.2/32'

network.@wireguard_Wireguard141[0].route_allowed_ips='1' is not necessary.

Then add the 172.16.0.2/24 to the phone and for allowed networks use 0.0.0.0/0 if you want to route everything via the tunnel or the above subnets if you prefer split tunnel.

Add the 172.16.0.1/32. Also network.@wireguard_Wireguard141[1].endpoint_port='51815'

For x220 follow the same structure as with motog6

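The two jobs of AllowedIPs that Krazeh describes earlier in the thread (filtering what may enter or leave the tunnel, and the routes that route_allowed_ips adds), together with the addressing plan Trendy lays out in the post above, modelled as an added Python example. This is not code from the thread, from WireGuard or from OpenWrt. The peer names (router26, motog6, x220, router141) and the sample host addresses are assumptions built from the thread's 172.16.0.0/24, 192.168.26.0/24 and 192.168.141.0/24 networks; the lookup follows WireGuard's longest-prefix rule, and the duplicate-prefix check mirrors the fact that a prefix can only ever belong to one peer on an interface.

```python
"""Cryptokey-routing model for WireGuard AllowedIPs (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Peer:
    name: str
    allowed_ips: tuple  # tuple of ipaddress.IPv4Network


def shared_prefixes(spec):
    """Prefixes listed under more than one peer in `spec` (name -> prefixes)."""
    owners = {}
    for name, prefixes in spec.items():
        for p in prefixes:
            net = str(ipaddress.ip_network(p, strict=False))
            owners.setdefault(net, set()).add(name)
    return sorted(net for net, names in owners.items() if len(names) > 1)


def build_peers(spec):
    """Turn {peer name: [prefix, ...]} (what you type into LuCI) into Peers.

    A prefix can belong to only one peer on an interface: WireGuard moves a
    prefix that another peer already holds rather than sharing it, so a
    duplicate is flagged here instead of being silently reassigned.
    """
    dup = shared_prefixes(spec)
    if dup:
        raise ValueError(f"prefixes listed for more than one peer: {dup}")
    return [
        Peer(name, tuple(ipaddress.ip_network(p, strict=False) for p in prefixes))
        for name, prefixes in spec.items()
    ]


def lookup(peers, addr):
    """Longest-prefix match over every peer's AllowedIPs; None if nothing matches."""
    ip = ipaddress.ip_address(addr)
    best, best_len = None, -1
    for peer in peers:
        for net in peer.allowed_ips:
            if ip in net and net.prefixlen > best_len:
                best, best_len = peer, net.prefixlen
    return best


def select_peer(peers, dst):
    """Outbound: the peer a packet to `dst` is encrypted for.
    None means no peer is allowed to receive that destination, so the
    packet never enters the tunnel."""
    peer = lookup(peers, dst)
    return peer.name if peer else None


def accept_inbound(peers, from_peer, src):
    """Inbound: a packet decrypted from `from_peer` is delivered only if its
    source address resolves to that same peer; otherwise it is dropped."""
    peer = lookup(peers, src)
    return peer is not None and peer.name == from_peer


def routes_added(peers):
    """Routes that LuCI's 'Route Allowed IPs' would install for these peers."""
    return sorted(str(net) for p in peers for net in p.allowed_ips)


# Router 141 as Trendy proposes (constructed sample): a /32 per remote
# device on the tunnel subnet, plus the far LAN behind the site-to-site peer.
ROUTER141 = build_peers({
    "router26": ["172.16.0.1/32", "192.168.26.0/24"],
    "motog6": ["172.16.0.2/32"],
    "x220": ["172.16.0.3/32"],
})

# The phone, full tunnel: its single peer may receive every destination.
PHONE = build_peers({"router141": ["0.0.0.0/0"]})


def demo():
    """The cases discussed in the thread, as one dict of results."""
    return {
        # host on LAN 141 reaching LAN 26: goes to the site-to-site peer
        "lan26_via": select_peer(ROUTER141, "192.168.26.5"),
        # no peer on router 141 is allowed an internet destination
        "internet_via": select_peer(ROUTER141, "8.8.8.8"),
        # reply from LAN 26 arriving from the router26 peer is accepted
        "reply_from_lan26": accept_inbound(ROUTER141, "router26", "192.168.26.5"),
        # phone sending from its tunnel /32 is accepted
        "phone_ok": accept_inbound(ROUTER141, "motog6", "172.16.0.2"),
        # phone sending from a LAN-141 address is dropped: not in its AllowedIPs
        "phone_wrong_source": accept_inbound(ROUTER141, "motog6", "192.168.141.8"),
        # 0.0.0.0/0 on the phone side matches any destination
        "phone_default": select_peer(PHONE, "8.8.8.8"),
        "router_routes": routes_added(ROUTER141),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block prints each case. The point to notice is that on router 141 only the prefixes listed for a peer can travel through the tunnel in either direction, so a phone whose Addresses field holds a tunnel /32 needs exactly that /32 in the router's Allowed IPs, while the phone side can hold 0.0.0.0/0 because there a single peer is allowed to receive everything.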

Hi Trendy,

Thanks for the reply.
I thought it was unnecessary to use an intermediary subnet for WireGuard?

Just to clarify what you're suggesting above, with regards to the LAN-to-LAN configuration:

On the 26 router:
Use a WireGuard subnet of 172.16.0.1/24 on the router with DHCP subnet 192.168.26.1/24
In the peer section for the router with DHCP subnet 192.168.141.1/24, add Allowed IPs of its own DHCP subnet (i.e. 192.168.141.1/24) and the IP address of the 141 WireGuard interface (i.e. 172.16.0.2/32)

On the 141 router
Give this WireGuard instance an IP address of 172.16.0.2/24 (why does this address end with 24?)
Use a WireGuard subnet of 172.16.1.1/24 on the router with DHCP subnet 192.168.141.1/24
What goes in the [peer] section?