Hello everyone,
I am trying to configure a wg site to site.
I used this "automated" script. I only added a different port for each site. And yes, I test on a single box. The script went perfectly. The interfaces, the rules... are created.
Unfortunately, I don't see any packets received on either site. They transmit but do not receive.
I give you some capture of one site (the second router). For the first this the same but adapted.
If you could help me for today I would be very happy. Thank you.
Rules:
DDNS
Output : wg show
Everey time I've hit the Tx: n and Rx: 0 problem, it's been a key issue.
Hello @frollic
Please, share your config files from all three devices.
thanks for your help. What conffile do you want? networks ,.... ?
got lazy, used one of the online config generators
@eduperez ,
ROUTER A port 51001 (see diagram at top)
/etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd96:db62:f953::/48'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '10.0.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
option gateway '10.0.1.0'
option broadcast '10.0.1.255'
config interface 'wan'
option device 'wan'
option proto 'dhcp'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
config interface 'wg_s2s_a'
option proto 'wireguard'
option private_key 'K...........Fo='
option listen_port '51001'
config wireguard_wg_s2s_a 's2s_vpn_site_b'
option public_key '/E...........U='
option preshared_key 'q...........I='
option description 'pollution: no, ............ovh'
list allowed_ips '10.0.2.0/24'
list allowed_ips '...........::/48'
option route_allowed_ips '1'
option persistent_keepalive '25'
option endpoint_host '...........39'
option endpoint_port '51002'
config/firewall
/etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'vpn_grey'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'wg_s2s_a'
config rule 'wg_s2s_51001'
option name 'Allow-WireGuard-51001'
option src 'wan'
option dest_port '51001'
option proto 'udp'
option target 'ACCEPT'
option dest 'lan'
ROUTER B port 51002
/etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix '................::/48'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '10.0.2.1'
option netmask '255.255.255.0'
option ip6assign '60'
option gateway '10.0.2.0'
option broadcast '10.0.2.255'
config interface 'wan'
option device 'wan'
option proto 'dhcp'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
config interface 'wg_s2s_b'
option proto 'wireguard'
option private_key 'C................U='
option listen_port '51002'
config wireguard_wg_s2s_b 's2s_vpn_site_a'
option public_key 'Z................E='
option preshared_key 'q................I='
option description 'pollution: yes, .................ovh'
list allowed_ips '10.0.1.0/24'
list allowed_ips '................::/48'
option route_allowed_ips '1'
option persistent_keepalive '25'
option endpoint_host '.................ovh'
option endpoint_port '51001'
/etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config zone
option name 'vpn_green'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'wg_s2s_b'
config rule 'wg_s2s_51002'
option name 'Allow-WireGuard-51002'
option src 'wan'
option dest_port '51002'
option proto 'udp'
option target 'ACCEPT'
autoamted script [OpenWrt Wiki] WireGuard site-to-site automated is good. But i make one mistake, that's why it doesn't work.
Sorry, but... are you trying to use wireguard to connect two devices on the same network? May I ask why?
If both are on the same network, I guess (but it depends on how is it configured) that you do not need any port forwarding on the "box", just point of each router to the other.
I follow one tuto : this How to Create a Site to Site VPN // OpenWrt, Wireguard (youtube.com)
I ve a error routing and a bad definition of vpn @address .
Solved
1 Like
system
March 11, 2024, 11:19pm
13
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.
