WireGuard site-to-site, only client ---> server works?

I am trying to build a site-to-site WireGuard VPN.
server:
vpn_ip: 10.10.10.1/24
lan_ip: 192.168.0.250/24
client:
vpn_ip: 10.10.10.5/24
lan_ip: 192.168.5.254/24

Server side config

/etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd25:b72a:2b4d::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'lan0 lan1 usb0'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option hostname 'GL-MV1000-e71'
	option ipaddr '192.168.0.250'

config interface 'wan'
	option ifname 'wan'
	option proto 'static'
	option ipaddr '123.123.218.109'
	option netmask '255.255.255.0'
	option gateway '123.123.218.254'
	option dns '1.1.1.1'
	option metric '10'

config interface 'lan0'
	option ifname 'lan0'
	option macaddr '94:83:c4:09:de:72'

config interface 'lan1'
	option ifname 'lan1'
	option macaddr '94:83:c4:09:de:72'

config interface 'vpn'
	option proto 'wireguard'
	option private_key 'YITLZ51LGIsCxxr7+B12312312B5wkGJ81Pn0l4='
	option listen_port '12000'
	list addresses '10.10.10.1/24'

config wireguard_vpn 'wgclient'
	option public_key 'FR/yG+HEAJGyB6FPspqX123123y0kN1VM4Cc='
	option preshared_key 'yJ7ouCdtGBGcEAwC6s+W3xzRlV7N0z2xfpwOCdI74Qg='
	list allowed_ips '10.10.10.20/32,192.168.5.0/24'
	option route_allowed_ips '1'

/etc/config/firewall (only the rules about WireGuard are shown here)

config zone
	option forward 'REJECT'
	option output 'ACCEPT'
	option name 'zone_wg'
	option input 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wg0'

config forwarding
	option dest 'zone_wg'
	option src 'lan'

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '12000'
	option proto 'udp'
	option target 'ACCEPT'

Client config

/etc/config/network

config interface 'vpn'
	option proto 'wireguard'
	option private_key 'QFKxiNOhDd6Oa0nH9nL1R2riolbjEoMenhsewDjao04='
	list addresses '10.10.10.20/24'

config wireguard_vpn 'wgserver'
	option public_key '7yRFmrxatpCxedHpx8M2KzVWUPRQFBCm1SRomMxUYVo='
	option preshared_key 'yJ7ouCdtGBGcEAwC6s+W3xzRlV7N0z2xfpwOCdI74Qg='
	option endpoint_host '123.123.218.109'
	option endpoint_port '12000'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	list allowed_ips '192.168.0.0/24,10.10.10.1/32'

/etc/config/firewall

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '12000'
	option name 'Allow-Wireguard-Inbound'
	option src '*'

config zone
	list network 'wg0'
	option name 'zone_wg'
	option mtu_fix '1'
	option input 'REJECT'
	option forward 'REJECT'
	option masq '1'
	option output 'ACCEPT'

config forwarding
	option dest 'zone_wg'
	option src 'lan'

I basically followed the instructions here

and

but now I can only ping from the client to server_lan_ip

root@OpenWrt:~# ping 192.168.0.250
PING 192.168.0.250 (192.168.0.250): 56 data bytes
64 bytes from 192.168.0.250: seq=0 ttl=64 time=7.096 ms
64 bytes from 192.168.0.250: seq=1 ttl=64 time=6.154 ms
64 bytes from 192.168.0.250: seq=2 ttl=64 time=8.470 ms
64 bytes from 192.168.0.250: seq=3 ttl=64 time=7.188 ms
64 bytes from 192.168.0.250: seq=4 ttl=64 time=5.926 ms
^C
--- 192.168.0.250 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 5.926/6.966/8.470 ms
root@OpenWrt:~# 

From server to client, ping does not work

root@GL-MV1000:~# ping -c4 192.168.5.254
PING 192.168.5.254 (192.168.5.254): 56 data bytes

--- 192.168.5.254 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
root@GL-MV1000:~# 

So I ran traceroute from the server to the client

root@GL-MV1000:~# traceroute 192.168.5.254
traceroute to 192.168.5.254 (192.168.5.254), 30 hops max, 46 byte packets
 1  dw-219.84.236.so-net.net.tw (123.123.236.254)  3.682 ms  2.320 ms  2.728 ms
 2^C
root@GL-MV1000:~# 

It goes to the WAN first, so I guess that's a routing problem,
and I added a static route

root@GL-MV1000:~# route add -net 192.168.5.0/24 dev vpn
root@GL-MV1000:~# ip r
default via 123.123.218.254 dev wan proto static metric 10 
10.10.10.0/24 dev vpn proto kernel scope link src 10.10.10.1 
192.168.0.0/24 dev br-lan proto kernel scope link src 192.168.0.250 
192.168.5.0/24 dev vpn scope link 
123.123.218.0/24 dev wan proto static scope link metric 10 
root@GL-MV1000:~# 

But it does not help; ping still does not work.

Did I miss something? Any suggestions?

Bidding on this project ?
https://www.upwork.com/ab/jobs/search/details/~01a9e8f4e4565c80c9/?from_recent_search=true&q=openwrt&sort=recency

You shouldn't create static routes manually. They should be created automatically.

Change (on both sides)

list allowed_ips '10.10.10.20/32'
list allowed_ips '192.168.5.0/24'

and restart the network. You should see two additional static routes like this:

10.10.10.20 dev vpn proto static scope link
192.168.5.0/24 dev vpn proto static scope link
3 Likes
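As an added check (not from the thread or from OpenWrt itself), a small busybox-compatible shell lint that finds the comma-joined `list allowed_ips` entry the answer points at, rewrites it as one list line per prefix, and prints the routes `route_allowed_ips '1'` should then install; the peer section is a constructed sample and the public key is a placeholder.

```shell
#!/bin/sh
# Lint an OpenWrt UCI network config for WireGuard peers whose allowed_ips were
# written as one comma-joined 'list' entry (busybox grep/awk only, runs on the router).

# Constructed sample peer section (placeholder key, not the poster's file).
SAMPLE_CFG="config wireguard_vpn 'wgclient'
	option public_key 'PUBLIC_KEY_PLACEHOLDER'
	list allowed_ips '10.10.10.20/32,192.168.5.0/24'
	option route_allowed_ips '1'
"

# Print (with line numbers) every 'list allowed_ips' whose value contains a comma.
find_joined_allowed_ips() {
    grep -nE "^[[:space:]]*list[[:space:]]+allowed_ips[[:space:]]+'[^']*,[^']*'" "$1"
}

# Rewrite comma-joined allowed_ips entries as separate list lines; other lines pass through.
split_allowed_ips() {
    awk -v q="'" '
    BEGIN { pat = "^[[:space:]]*list[[:space:]]+allowed_ips[[:space:]]+" q "[^" q "]*,[^" q "]*" q }
    $0 ~ pat {
        indent = $0; sub(/list.*$/, "", indent)      # keep the original leading tab/spaces
        value = $0; sub("^[^" q "]*" q, "", value)   # drop everything up to the opening quote
        sub(q ".*$", "", value)                      # drop the closing quote onwards
        n = split(value, prefixes, ",")
        for (i = 1; i <= n; i++) {
            p = prefixes[i]; gsub(/^ +| +$/, "", p)
            print indent "list allowed_ips " q p q
        }
        next
    }
    { print }' "$1"
}

# Routes OpenWrt installs for the peer when route_allowed_ips is '1' (one per prefix);
# 'ip route' prints a /32 as a bare host address. $2 is the WireGuard interface name.
expected_routes() {
    split_allowed_ips "$1" | awk -v q="'" -v dev="$2" '
    $1 == "list" && $2 == "allowed_ips" {
        p = $3; gsub(q, "", p); sub(/\/32$/, "", p)
        print p " dev " dev " proto static scope link"
    }'
}

# Demo on the constructed sample.
tmp=$(mktemp); printf '%s' "$SAMPLE_CFG" > "$tmp"
echo "== comma-joined allowed_ips =="; find_joined_allowed_ips "$tmp" || echo "(none)"
echo "== corrected peer section =="; split_allowed_ips "$tmp"
echo "== expected routes on dev vpn =="; expected_routes "$tmp" vpn
rm -f "$tmp"
```

Run it against the real file with `split_allowed_ips /etc/config/network` and compare the printed routes with `ip route` after `/etc/init.d/network restart`.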

@pavelgl thanks!

After separating the allowed_ips, it works.

1 Like

@changchichung I'm glad it's working. I note that you displayed the private_key and preshared_key in the original post.

Now that you know it's working, you should be sure to generate new private keys. Best regards,

Thanks for the hint. I already redid the whole process; that key is not valid anymore.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.