
Challenge with tunneling internet for WG site to site from the server side

ivannn

Occasional Visitor
Hi folks,

I have 2 Asus routers running the latest Merlin as of today, configured for a WireGuard site-to-site tunnel which works beautifully.

Site P: RT-BE86U (3006.102.3) - server
Site O: RT-AX86U (3004.388.8_4) - client


Server side config includes the LAN for the client side in the allowed list.
Client allows all (0.0.0.0/0) + VPN director rule for the server side lan through the WG client interface.

Any host from any LAN can reach to any host on the other LAN.

When I want to redirect internet for any host on the WG client side LAN (Site O) through the server side internet (Site P) I only need a VPN director rule.

How can I achieve the same in the reverse way? Routing the traffic for a host with a static IP on the WG server side (Site P) to access internet through the tunnel at the WG client side (Site O)?

A few options I am thinking about are a static route, the VPN director or tunnel configuration but I can't figure it out.

This is the first time I am configuring a WG tunnel. Previously I had OpenVPN tunnel between another pair of Asus routers and I never tried to achieve this because site O had the VPN server and site P had the client, hence I was using the VPN director for this purpose.
 
How can I achieve the same in the reverse way? Routing the traffic for a host with a static IP on the WG server side (Site P) to access internet through the tunnel at the WG client side (Site O)?
The simple answer is that you can't.

The more complicated answer is: of course you can, but you will have to do everything via scripting yourself.

One option is to set up a client on both sides. You will just need to put in firewall rules to allow incoming connections and probably add a listen-port directive in the config file. If you have other clients connecting in, it would be inconvenient with dnsmasq and generating new configs.

Another option is to set up your own VPN Director (new route table and rules) and adjust the AllowedIPs for that peer.

None of these options are really simple, and if you are not used to scripting I would go for my simple answer above.
 
The more complicated answer is: of course you can, but you will have to do everything via scripting yourself.
Thank you for sharing your thoughts. All right. I get there is no OOB GUI-based solution, and I want to keep the solution low maintenance, hence I am not going to script for this use case.

Thinking out loud:

Perhaps we should be able to redirect a guest LAN through a VPN using the GUI, though I never tried to do that on my own. I would have to bridge the guest LAN to the prod LAN in addition to routing the internet through the tunnel. This could be a solution for me that I would like to explore.

Another solution could be redirecting ALL traffic through the WG tunnel and using VPN Director to create routing for hosts through the WAN as an exception to this. Perhaps I need to add 0.0.0.0/0 to the server allowed IPs to do so? I am really a WG noob :)

Does any of this sound feasible?
 
Thank you for sharing your thoughts. All right. I get there is no OOB GUI-based solution, and I want to keep the solution low maintenance, hence I am not going to script for this use case.

In a general sense, this problem boils down to the fact that server peers do not use VPN Director. So, for WG itself, AllowedIPs for each peer needs to contain ALL destinations reachable over the tunnel. If you want to use this for general internet usage, it needs to be set to 0.0.0.0/0 (all IPs). If/when you do this to a server peer, the firmware (and any other WG implementation) will put this as a route in the main route table, so it will compete/conflict with your WAN and everything else routing-wise.

What you would need to do is to update the peer AllowedIPs after it has started, using the wg userspace tool, to prevent the firmware from putting the route there. This is the easy part. Then you will need to duplicate the main routing table in a custom route table where you can override default/WAN routing with your default route, and finally place route rules to only use this custom route table for sources you decide. Basically your own version of VPN Director (with all its pros and cons).

AFAIK you cannot change AllowedIPs to 0.0.0.0/0 without interfering with the default route and potentially messing up your config. Even if you can, you will never be able to control what goes where.

Now, if you have a very confined address space you may be able to add it to the peer AllowedIPs and get that part of the internet going "the other way". You will probably need to set the client to allow inbound firewall to allow forwarding incoming traffic. But for all internet I don't see any way using the GUI.
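As an added example of the scripted approach sketched in the post above (this is not code from the thread or from Asuswrt-Merlin), here is a minimal hand-rolled "VPN Director" for a WireGuard server peer, to be run on the site P router. Everything concrete in it is an assumption for illustration: the server interface is wgs1, the site O peer's public key is a placeholder, site O's LAN is 192.168.2.0/24 with tunnel address 10.6.0.2, the site P host to redirect is 192.168.50.100, and route table 200 and ip-rule priority 9900 are unused on the router. It follows the three steps described: widen AllowedIPs with the wg tool (which, unlike the firmware start-up, installs no route), clone the main table into a custom one with the default route swapped for the tunnel, then add an ip rule so only the chosen source consults that table. DRY_RUN=1 prints the commands instead of executing them, using a constructed sample of the main table.

```sh
#!/bin/sh
# Added example, not code from the thread or from Asuswrt-Merlin.
# Hand-rolled policy routing so one site P LAN host exits to the internet
# via the WireGuard *server* peer's tunnel (i.e. at site O).
# All values below are illustrative assumptions; override via environment.
WG_IF="${WG_IF:-wgs1}"                                   # Merlin WG server interface (assumed)
PEER_PUBKEY="${PEER_PUBKEY:-<site-O-peer-public-key>}"   # placeholder, not a real key
PEER_LAN="${PEER_LAN:-192.168.2.0/24}"                   # site O LAN (assumed)
PEER_TUN_IP="${PEER_TUN_IP:-10.6.0.2}"                   # site O tunnel address (assumed)
SRC_HOST="${SRC_HOST:-192.168.50.100/32}"                # site P host to redirect (assumed)
TABLE_ID="${TABLE_ID:-200}"                              # custom route table, assumed free
RULE_PRIO="${RULE_PRIO:-9900}"   # lower = checked earlier; must precede the 'main' lookup (32766)

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Main-table routes, one per line.  In dry-run mode a constructed sample
# stands in for the live table so the script can be exercised without 'ip'.
main_routes() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' \
            "default via 203.0.113.1 dev eth0" \
            "10.6.0.0/24 dev wgs1 proto kernel scope link src 10.6.0.1" \
            "192.168.2.0/24 dev wgs1 scope link" \
            "192.168.50.0/24 dev br0 proto kernel scope link src 192.168.50.1" \
            "203.0.113.0/24 dev eth0 proto kernel scope link src 203.0.113.10"
    else
        ip route show table main
    fi
}

# Step 1: widen the peer's AllowedIPs so the kernel accepts packets from any
# internet source arriving through the tunnel.  'wg set' only updates the
# peer table and installs no route, so the main table is left alone.
widen_allowed_ips() {
    run wg set "$WG_IF" peer "$PEER_PUBKEY" allowed-ips "$PEER_LAN,0.0.0.0/0"
}

# Step 2: clone the main table into TABLE_ID, swapping only the default route
# for one into the tunnel.  Keeping the LAN and tunnel routes is what lets
# the redirected host still reach both LANs directly.
build_table() {
    run ip route flush table "$TABLE_ID"
    main_routes | while IFS= read -r route; do
        case "$route" in
            default*) ;;   # dropped here, replaced below
            # shellcheck disable=SC2086  (word-splitting of $route is intended)
            *) run ip route add table "$TABLE_ID" $route ;;
        esac
    done
    run ip route add table "$TABLE_ID" default via "$PEER_TUN_IP" dev "$WG_IF"
}

# Step 3: consult the custom table only for the chosen source address.
add_rule() {
    run ip rule del from "$SRC_HOST" table "$TABLE_ID" priority "$RULE_PRIO" 2>/dev/null || true
    run ip rule add from "$SRC_HOST" table "$TABLE_ID" priority "$RULE_PRIO"
    run ip route flush cache
}

apply_all() {
    widen_allowed_ips
    build_table
    add_rule
}

# Runs only when invoked explicitly, e.g.: sh /jffs/scripts/wgs1-reverse-egress.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_all
fi
```

Two things to check before relying on this. First, the custom table is a snapshot: a WAN gateway change or the firmware restarting the server peer (which re-applies the configured AllowedIPs and routes) silently undoes it, so the script has to be re-run from whatever user-script hook your firmware offers for the WG server (assumed, not verified here) rather than once at boot. Second, the site O router must be willing to forward and NAT these flows out of its WAN, which is the "allow inbound firewall" setting mentioned above; and if strict reverse-path filtering is enabled on site P, set net.ipv4.conf.wgs1.rp_filter to 2 (loose), since return packets from arbitrary internet sources now arrive on wgs1.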
 
Come to think of it, this discussion is based on using the existing client/server... but if you have public IPs on both ends, why not set up a server/client the other way? Only use this "reverse" tunnel for internet, which means you can use NAT on the new client to avoid routing conflicts. And you get VPN Director on the other side to pick and choose this side's internet output. That would work, I think.
 
@ZebMcKayhan Isn't the OP's objective here just to add a server-side VPN Director rule?

I don't use Asus's WG implementation. I have never even played with it. My home-brew scripts I wrote for my server, client, and Oracle VPS gateway (site to site) back when I was using an AC86U have worked so well that I just kept bringing them forward from the AC86U to an AX88U and now my AC86U Pro.

I don't use the Oracle gateway anymore now that I have fibre with a static address, but I may spin the VPS up, dig out the AC86U and look at how VPN Director uses iptables to achieve things. I am thinking a simple firewall/NAT script will resolve the OP's issue.

Or do you think I am barking up the wrong tree?
 
@ZebMcKayhan Isn't the OP's objective here just to add a server-side VPN Director rule?
The thing is that you can't. There is no policy route table associated with server peers. It will not show up in the Iface list, so there is nowhere to point it.


I am thinking a simple firewall/NAT script will resolve the OP's issue.
The OP requested a way without scripting. I see this more as a route issue than a firewall thing.

Bottom line is that you will need one of the server peer's AllowedIPs to be 0.0.0.0/0 (otherwise wg won't pass all data), which will create a mess in the main routing table. Best case it just won't work. Then you will have to arrange policy routing yourself. It could be fairly simple when you know what you are doing.

Now, if you make your own scripts for everything there wouldn't be any issues, but VPN Director was not designed to work for server peers. I'm not saying it can't be done, I just don't see any way purely using the GUI options. But I may be missing something. The only way I see, purely using the GUI, is to set up a server-client peer in the other direction.

You may set up a dummy client peer, just to have the firmware set up the policy route table for it. Add the AllowedIP after the server peer is started so it won't add any routes, then overwrite the default route in the dummy client policy table with your server peer, and it may just work, with minimal scripting (depending on how picky the firmware is that the dummy peer must appear working).

If you have the time and interest, please try it. Maybe you will think of something I've missed. But the AC86U does not have WireGuard in the GUI, only via script/addon, so no VPN Director.
 
Yeah, I knew you could not do this via the GUI. I'd be ok with just scripting a solution, but as you pointed out, the OP wants to stay away from that. I'm working on a couple of other projects at the moment, but I am going to have to look at this again.
 
