
Challenge with tunneling internet for WG site to site from the server side

ivannn

Occasional Visitor
Hi folks,

I have 2 Asus routers running the latest Merlin as of today, configured for a WireGuard site-to-site tunnel, which works beautifully.

Site P: RT-BE86U (3006.102.3) - server
Site O: RT-AX86U (3004.388.8_4) - client


Server side config includes the LAN for the client side in the allowed list.
Client allows all (0.0.0.0/0) + VPN director rule for the server side lan through the WG client interface.

Any host from any LAN can reach to any host on the other LAN.

When I want to redirect internet for any host on the WG client side LAN (Site O) through the server side internet (Site P) I only need a VPN director rule.

How can I achieve the same in the reverse way? Routing the traffic for a host with a static IP on the WG server side (Site P) to access internet through the tunnel at the WG client side (Site O)?

A few options I am thinking about are a static route, the VPN director or tunnel configuration but I can't figure it out.

This is the first time I am configuring a WG tunnel. Previously I had an OpenVPN tunnel between another pair of Asus routers and I never tried to achieve this because site O had the VPN server and site P had the client, hence I was using the VPN director for this purpose.
How can I achieve the same in the reverse way? Routing the traffic for a host with a static IP on the WG server side (Site P) to access internet through the tunnel at the WG client side (Site O)?
Simple answer is that you can't.

The more complicated answer is: of course you can, but you will have to do everything via scripting yourself.

One option is to set up a client on both sides. You will just need to put in firewall rules to allow incoming connections and probably add a listen-port directive in the config file. If you have other clients connecting in, it would be inconvenient with dnsmasq and generate new configs.

Another option is to set up your own vpn-director (new route table and rules) and adjust the AllowedIPs for that peer.

None of these options are really simple and if you are not used to scripting I would go for my simple answer above.
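One way to build the second option above (a dedicated route table and rules on the WG server router) is sketched below as an added example; it is not code from the thread or from Asuswrt-Merlin, and the interface name, addresses, table number and rule priorities are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: the "own vpn-director" option on the
# WG server router (Site P, Asuswrt-Merlin): a dedicated route table plus
# ip rules so that one LAN host with a static IP sends its internet traffic
# into the site-to-site tunnel while LAN-to-LAN traffic stays direct.
# Every name and address below is an assumption (placeholder): server-side WG
# interface wgs1, host 192.168.50.10, Site P LAN 192.168.50.0/24,
# Site O LAN 192.168.51.0/24, route table 201, rule priority base 1000.
WG_IF="${WG_IF:-wgs1}"
HOST_IP="${HOST_IP:-192.168.50.10}"
LOCAL_LAN="${LOCAL_LAN:-192.168.50.0/24}"
REMOTE_LAN="${REMOTE_LAN:-192.168.51.0/24}"
TABLE="${TABLE:-201}"
PRIO="${PRIO:-1000}"

# Emit the commands instead of running them, so they can be reviewed and then
# piped into sh on the router (and so the function is testable off-box).
# Rule order matters: the two "lookup main" rules get lower numbers, so they
# match first and keep LAN-to-LAN traffic off the tunnel; the catch-all rule
# then sends everything else from the host to $TABLE, whose only route is
# a default route into the WireGuard interface.
wg_host_via_tunnel_cmds() {
    echo "ip rule add from $HOST_IP to $LOCAL_LAN lookup main priority $((PRIO - 2))"
    echo "ip rule add from $HOST_IP to $REMOTE_LAN lookup main priority $((PRIO - 1))"
    echo "ip rule add from $HOST_IP lookup $TABLE priority $PRIO"
    echo "ip route add default dev $WG_IF table $TABLE"
    echo "ip route flush cache"
}

# Exact inverse, for tearing the policy down when the tunnel goes away.
wg_host_via_tunnel_undo_cmds() {
    echo "ip route del default dev $WG_IF table $TABLE"
    echo "ip rule del from $HOST_IP lookup $TABLE priority $PRIO"
    echo "ip rule del from $HOST_IP to $REMOTE_LAN lookup main priority $((PRIO - 1))"
    echo "ip rule del from $HOST_IP to $LOCAL_LAN lookup main priority $((PRIO - 2))"
    echo "ip route flush cache"
}

# The routes alone are not enough: WireGuard's cryptokey routing drops packets
# whose destination (outbound) or source (inbound) is outside the peer's
# AllowedIPs, so the Site O peer entry on the server must be widened to
# 0.0.0.0/0 for internet replies to come back. That also means the server now
# accepts packets from Site O with any source address, i.e. Site O is fully
# trusted. Site O must additionally forward and masquerade traffic arriving
# from its tunnel interface out of its WAN; that side is not shown here.
case "${1:-show}" in
    apply) wg_host_via_tunnel_cmds | sh -e ;;
    undo)  wg_host_via_tunnel_undo_cmds | sh -e ;;
    *)     wg_host_via_tunnel_cmds ;;
esac
```

Run it with no argument to print the commands, `apply` to execute them as root on the router, and `undo` to remove them again (for example from a wg-server start/stop hook).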