Wireguard site to site with more than 2 sites

I've had more than 2 OpenWRT (19.07) routers communicating site to site (and peer to peer actually) with tinc. Since OpenWRT 20.x changed a lot (and broke a lot of stuff for no good reason from my perspective) in networking and my tinc p2p/s2s config stopped working I've stayed on 19.07 for a while. Since I want to stay up to date I'd like to use [OpenWrt Wiki] Automated WireGuard site-to-site VPN configuration, but this is outlined for 2 sites.

  1. Should I go this route or do something else?
  2. If I should use it, how would I adapt it for more than 2 sites?
  3. (bonus question) is there a way to make it work for sites with no external IP (like I could for tinc tunnels)?

Neither of the two OpenWrt versions you mentioned actually exist... I'm guessing you mean 19.07 and 21.02?

19.07 is EOL and unsupported. The subsequent two versions (21.02 and 22.03) have patches for several significant security vulnerabilities that will never be fixed in 19.07, so it is highly recommended that you upgrade to the newest.

There have been some major changes introduced recently, but everything should still work in general. Some things may work differently, though, so you may need to learn a bit about the differences and updated syntax... details are very much dependent on your devices. All of the changes introduced were done for very good reasons in terms of the long term, but the short term can be rocky at first (for example: swconfig > DSA). We're here to help you out, though.

Since you have a working WG config, you can actually migrate that over without any (significant) changes simply by copy/pasting the WG related stanzas from your current config into the new one... you don't need to start from scratch.

Yes, provided that it can connect to a site that does have a public IP. Basically, the one without a public IP will initiate the connection to one (or more) of the sites that does have a public IP. Once established, the tunnel will allow bidirectional traffic.


Yes I meant 19.07 (actually 19.07.9 r11405-2a3558b0de to be exact) and 21.02 (and following versions).

As stated in [OpenWrt Wiki] Tinc starting with

NOTE: I (user mnlipp, not the author of this guide) found that things stopped working with OpenWrt 21.02 (probably 21.0, but I didn't try that).

OpenWrt 21.02 did introduce some breaking changes (which effectively broke my tinc config).
No, I don't have any site-to-site WireGuard config (just some client configuration).

Tinc allowed traffic (directly between sites, when both had a public IP address) without explicitly configuring it between each site. Is such a thing possible with WG, or do I have to configure 2 tunnels between each site (I have 5 of them, 2 do NOT have a public IP)?

Ah... so you were referring to breakages with Tinc, not the system in general. Sorry, I misunderstood.

Again, I guess I misunderstood your initial premise -- I thought you already had the WG configurations setup. So, are you talking about creating a new WG tunnel to replace Tinc?

You could use the script to automate the first two sites, then add the 3rd semi-manually.

Like I mentioned I have 5 sites (connected with tinc now). Will this be maintainable with wireguard at all?

I don't see why not. Should work fine.

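Extending the wiki's two-site approach to the five-site case raised in this thread (three sites with a public IP, two behind NAT, where the NAT-only sites must initiate the handshake towards a public site), here is an added example that is neither the thread's nor the OpenWrt wiki's code: a POSIX shell generator that prints the uci commands for one site's WireGuard peer list. The site names, keys, tunnel addresses, LAN subnets and endpoints are constructed placeholders, and the `wg0_<site>` section names are an assumption.

```shell
#!/bin/sh
# Constructed site table (hypothetical values): name, WireGuard public key,
# tunnel IP, LAN subnet behind the site, public endpoint ("-" = behind NAT).
SITES='
a KEY_A 10.99.0.1 192.168.1.0/24 a.example.net:51820
b KEY_B 10.99.0.2 192.168.2.0/24 b.example.net:51820
c KEY_C 10.99.0.3 192.168.3.0/24 c.example.net:51820
d KEY_D 10.99.0.4 192.168.4.0/24 -
e KEY_E 10.99.0.5 192.168.5.0/24 -
'

# Print the uci commands that add every reachable peer to interface "wg0" on
# site $1. A peer is emitted only if at least one side has a public IP. A peer
# with a public endpoint gets endpoint_host/port; when the local site is the
# one behind NAT it also gets persistent_keepalive so the NAT mapping survives.
gen_peers() {
  local_site=$1
  local_ep=$(printf '%s\n' "$SITES" | awk -v s="$local_site" '$1==s{print $5}')
  printf '%s\n' "$SITES" | while read -r name key tun lan ep; do
    [ -z "$name" ] && continue
    [ "$name" = "$local_site" ] && continue
    # two NAT-only sites cannot reach each other directly: no peer entry
    [ "$ep" = "-" ] && [ "$local_ep" = "-" ] && continue
    sec="wg0_$name"   # assumed section name for this peer
    echo "uci set network.$sec=wireguard_wg0"
    echo "uci set network.$sec.description='$name'"
    echo "uci set network.$sec.public_key='$key'"
    echo "uci add_list network.$sec.allowed_ips='$tun/32'"
    echo "uci add_list network.$sec.allowed_ips='$lan'"
    echo "uci set network.$sec.route_allowed_ips='1'"
    if [ "$ep" != "-" ]; then
      echo "uci set network.$sec.endpoint_host='${ep%:*}'"
      echo "uci set network.$sec.endpoint_port='${ep##*:}'"
      [ "$local_ep" = "-" ] && echo "uci set network.$sec.persistent_keepalive='25'"
    fi
  done
}

# Number of peer sections site $1 would get (quick sanity check per router).
peer_count() { gen_peers "$1" | grep -c '=wireguard_wg0$'; }

# Run on each router with its own site name; defaults to site "a".
gen_peers "${1:-a}"
```

A public-IP site does not get an endpoint for a NAT-only peer, because WireGuard learns that peer's address from the incoming handshake; two NAT-only sites get no direct peer entry for each other at all, since neither can initiate.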