Wireguard site to site help - AVM Fritzbox strange behavior

DocUmibozu

Regular Contributor
Hi,
I'm trying to set up a site-to-site wireguard VPN between my AX68U and a Fritzbox modem/router.
The configuration is pretty basic and it works with other equipment (openwrt routers).

My AX68U is on 192.168.1.0/24 subnet
Wireguard tunnel is 10.6.0.1/32
Site to site allowed IP on Server 10.6.0.5/32,192.168.12.0/24

Client Config is this
[Interface]
PrivateKey =XXX
Address = 10.6.0.5/32
DNS = 10.6.0.1

[Peer]
PublicKey = XXX
AllowedIPs = 192.168.12.0/24 (fritzbox subnet)
Endpoint = XXX:51820
PersistentKeepalive = 25

When I import it in the Fritzbox the connection is established and I can ping and see everything on 192.168.1.0/24 (my home), and if I ping the internet the connection goes outside the tunnel (like I want: a site-to-site split-tunnel wireguard only).
But from my home I can't see anything on 192.168.12.0/24 (Fritzbox subnet).
It's like a one direction only vpn.
After a lot of head banging I found a way to extract the wireguard configuration from fritzbox and I see some changes made by it.
The configuration after import has become this:

[Interface]
PrivateKey =XXX
Address = 192.168.12.1/24,10.6.0.5/32 (why 192.168.12.1/24 ??)
DNS = 192.168.12.1
DNS = fritz.box

[Peer]
PublicKey = XXX
AllowedIPs = 192.168.1.0/24
Endpoint = XXX:51820
PersistentKeepalive = 25

Any idea how to make this a proper two-sided tunnel, apart from ditching the Fritzbox and buying a 40€ openwrt router which works?
Thank you all
 
AllowedIPs = 192.168.12.0/24 (fritzbox subnet)
Don't know details about the Fritzbox, but if this is the config you imported it's not going to work. AllowedIPs on the client side must be destinations on the other side of the tunnel. You imported that the Fritzbox should connect to its own LAN over VPN? It should likely be: 10.6.0.1/32, 192.168.1.0/24
Which is wg server peer ip and server lan. Those are the 2 destinations that should be sent over vpn from the fritzbox.

But from my home I can't see anything on 192.168.12.0/24 (Fritzbox subnet).
Sounds like the firewall of the Fritzbox is blocking inbound connections. Look for an option to allow inbound connections over VPN.
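The AllowedIPs point made in this reply, as an added example that is not part of the thread: a small Python lint that parses a WireGuard client .conf and flags an AllowedIPs entry that names the client's own LAN (plus a non-/32 Address and repeated DNS lines, as seen in the OP's rewritten config). The sample config and the local_lan argument are constructed from the addresses the OP posted; the helper names are my own.

```python
"""Lint a WireGuard client .conf for the AllowedIPs pitfall discussed above."""
import ipaddress
from collections import defaultdict

# Constructed sample modelled on the client config the OP imported (keys redacted).
IMPORTED_CONF = """\
[Interface]
PrivateKey = XXX
Address = 10.6.0.5/32
DNS = 10.6.0.1

[Peer]
PublicKey = XXX
AllowedIPs = 192.168.12.0/24
Endpoint = XXX:51820
PersistentKeepalive = 25
"""

def parse_wg_conf(text):
    """Return {section: {key: [values]}}; a key may repeat (e.g. two DNS lines)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, defaultdict(list))
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()].append(value.strip())
    return sections

def lint_client_conf(text, local_lan):
    """local_lan is the LAN behind this client (the Fritzbox side in the OP's case)."""
    conf = parse_wg_conf(text)
    local = ipaddress.ip_network(local_lan)
    findings = []
    for value in conf["Interface"]["Address"]:
        for addr in value.split(","):  # Address may be a comma-separated list
            iface = ipaddress.ip_interface(addr.strip())
            if iface.network.prefixlen != iface.max_prefixlen:
                findings.append(f"Address {iface} should be a /32 host address")
    for value in conf["Peer"]["AllowedIPs"]:
        for cidr in value.split(","):
            net = ipaddress.ip_network(cidr.strip(), strict=False)
            if net.overlaps(local):  # cryptokey routing would pull the local LAN into the tunnel
                findings.append(f"AllowedIPs {net} is the local LAN; list remote networks only")
    if len(conf["Interface"]["DNS"]) > 1:
        findings.append("more than one DNS line in [Interface]")
    return findings
```

Running `lint_client_conf(IMPORTED_CONF, "192.168.12.0/24")` reports the AllowedIPs entry; with the suggested `10.6.0.1/32, 192.168.1.0/24` it reports nothing.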
 
Well, in the end there's no easy solution to the problem.
Fritzboxes have a non-standard wireguard implementation and the only way to fix it is to build a firmware from Freetz (a github project) with standard wireguard and flash it.
The solution is appealing, but impossible for me: the Fritzbox is not mine, it was given to me by the ISP and I'll have to return it when I quit the contract.
However, if you own a Fritzbox be warned, you won't be able to create a site to site wireguard split tunnel with any other modem/router. Only Fritzbox to Fritzbox.
 
Slightly different, but about 18 months ago I was trying to set up Wireguard from a Fritz 7530 to an Asus RT-AX86S. I gave up after Christmas, so didn't spot this - you got further than I did.
Just tried again and absolutely same issue despite numerous updates on both ends in terms of firmware.

I can import the config on the Fritz but it never completes a setup. I spent a few weeks with Fritz support (Asus wasn't interested, as all the other connections I had worked fine) but got nowhere; they kept coming back having looked at logs and said it should work - it really doesn't!

As I wanted a two-way link like you, I'm not going to bother at this point if it's a non-standard implementation etc. I'll go back to another VPN type. Shame, as Wireguard is very quick, simple to configure and on the whole reliable with the Asus router.
 
I was able to set it up between a Fritzbox 7530AX (FritzOS 8.02) and a RT-AX58Uv2 (gnuton merlin, but it was also working with stock firmware) by starting the process on the Fritzbox (acting then as the server, creating the ) and then importing the config into the Asus.

Step 1
In the Fritzbox wizard, just select Site-to-Site // No // No // Router, then define the ASUS network details.

My IP and networks are: Fritzbox: 192.168.178.1, Asus: 192.168.50.1/24
This generates this .conf file (keys replaced by ZZZ, XXX, YYY, and 2 remarks (1) & (2) on DNS commented on later below):
Code:
[Interface]
PrivateKey = ZZZ
Address = 192.168.50.1/24
DNS = 192.168.178.1 (1)
DNS = fritz.box (2)

[Peer]
PublicKey = XXX
PresharedKey = YYY
AllowedIPs = 192.168.178.0/24
Endpoint = ABC.myfritz.net:55909
PersistentKeepalive = 25

Step 2
On the Asus side, open the VPN menu and create a new VPN Client - Wireguard Client profile:
  • Enable Wireguard : Yes
  • Enable NAT : NO
  • Inbound Firewall : Allow
  • Killswitch : NO (otherwise it will cut your ASUS local internet connection whenever VPN to Fritzbox is disabled !)
  • Import Config : upload here the .conf file generated on FritzBox
It will populate the "Interface" and "Peer" tabs.

NOTE: You should empty the field "DNS Server" (1) if you want to keep your current DNS server defined on the ASUS network (i.e. your ASUS router IP, here 192.168.50.1) active when the VPN tunnel is established. Otherwise, it will take the Fritzbox as default DNS server after connection (even if the queries remain answered by the local DNS server IP - I presume the ASUS router DNS queries are just forwarded to the new DNS server defined here).
I did it on my network because the Fritzbox was not redirecting the ASUS local DNS domain name queries (*.lan by default) back to the ASUS router (even if you specify "lan" as local DNS in the Fritzbox wizard at (2)) and I needed to have *.lan name resolution still working once the VPN was up.

--> If someone knows how to fix this missing DNS behaviour (I think this is an issue on the Fritzbox side btw, since the wizard has the field defined, but it is not saved when you apply a change), I'd be happy to receive some help/guidance here.

Step 3
Important: if you have merlin/gnuton firmware on the ASUS, you NEED to add additional VPN Director rules (for firewall openings) which will be activated as soon as the VPN is defined, otherwise the bi-directional flows will be blocked:

Rule 1 :
Interface : WireGuard 1 : xxx (WGC1) (which is the virtual interface associated to the VPN profile defined above)
Enable : yes
Description : WireGuard Rule Source
Local IP : 192.168.50.0/24
Remote IP : leave Blank

Rule 2 :
Interface : WireGuard 1 : xxx (WGC1) (which is the virtual interface associated to the VPN profile defined above)
Enable : yes
Description : WireGuard Rule Destination
Local IP : (Leave Blank)
Remote IP : 192.168.178.0/24

References
These pages were an important source of information, which I had to combine and complement to come to the working config above between the FritzBox and the ASUS:
https://www.asus.com/support/faq/1048281/ (scenario 3)
https://www.ivpn.net/setup/router/asuswrt-merlin-wireguard/
https://www.snbforums.com/threads/asuswrt-merlin-388-1-wireguard-site-to-site-on-2xax88u.82272/
 
