VPN site to site with additional VPN client to hide IP

johndoe85

Senior Member
I have an RT-AX86U at one location and an RT-AX82U at another location. Both of these routers shall use a VPN client (WireGuard) to hide the IP of all the LAN devices (except for those devices that are used for gaming).
I want to set up a site to site VPN (WireGuard) connection between these two routers where all the clients can reach each other from both sides.

Setting up the site to site works. But when I add another VPN client (WireGuard) to hide the IP, I either have to choose which client shall be active or it does not work at all.
Is it even possible to do what I want to do (in general)? Or are there some limitations in the software for ASUS routers?
So in short, the site to site connection should be optional and the VPN client to hide the IP should be mandatory. I don't want the traffic to be forcibly routed through the site to site connection.

The RT-AX86U is running the latest ASUS-Merlin (3004.388.5) and the RT-AX82U is running the latest stock firmware (3.0.0.4.388_24231-gbc11d13).

Can someone provide me with details of how to set this up?
 
Probably you need to add a VPN Director rule for the other site's IP destination to use the site2site VPN. Ordering of VPNs/rules might be necessary to give this rule priority over other rules. Check rule priority with the ssh command:
Code:
ip rule

Instead of using site2site client to server, you can use server to server. So set up a server on both sides and use this trick to add an endpoint for the opposite site.
https://www.snbforums.com/threads/wireguard-server-tweaks.85758/post-852124
An endpoint on one side is enough, but on both sides works too.

Using server peers on both sides would give a more natural implementation where routes end up in the main routing table and you don't need any VPN Director rules.
 
Yeah ok.

Code:
0:      from all lookup local
220:    from all lookup 220
10010:  from 192.168.50.23 lookup main
10011:  from 192.168.50.207 lookup main
11210:  from 192.168.50.0/24 lookup wgc1
11410:  from 192.168.50.0/24 lookup wgc2
32766:  from all lookup main
32767:  from all lookup default

I don't have Asus-Merlin on the RT-AX82U since it's not supported.
And this guide suggests the internet being routed through the site-to-site connection too?
 
Accordingly, WAN rules have higher priority than VPN rules. wgc1 rules have higher priority than wgc2 rules.
A site2site rule would normally have the other site's LAN IP as destination, not source based. Rearrange to your needs.


And this guide suggests the internet being routed through the site-to-site connection too?
No. If so, better stick to a server-client setup if you need this. But you can't have 2 internet routes for the same clients.
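To see why the rule order above matters, here is an added example (mine, not code from the thread or from the firmware): a small POSIX shell model of Linux policy routing that walks the `ip rule` listing posted earlier in priority order and reports which table a packet from a given source to a given destination would be routed by. The listing is the one from the thread; the `9000:` line is constructed to show the listing after adding a destination-only rule for the other site's LAN (`ip` prints such a rule as `from all to ...`). The model assumes that the `local` and `220` tables hold no route for the addresses asked about and that every other table does, which is how the `main` and `wgcN` tables behave while the VPN client is up.

```shell
#!/bin/sh
# Toy policy-routing walker: first rule (lowest prio) whose selectors match wins.

# Constructed sample: the `ip rule` listing from the thread.
RULES_BEFORE='0:      from all lookup local
220:    from all lookup 220
10010:  from 192.168.50.23 lookup main
10011:  from 192.168.50.207 lookup main
11210:  from 192.168.50.0/24 lookup wgc1
11410:  from 192.168.50.0/24 lookup wgc2
32766:  from all lookup main
32767:  from all lookup default'

# Constructed: the same listing after
#   ip rule add to 192.168.100.0/24 lookup wgc2 prio 9000
RULES_AFTER="9000:   from all to 192.168.100.0/24 lookup wgc2
$RULES_BEFORE"

# ip2int A.B.C.D: dotted quad -> unsigned 32-bit integer
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( a * 16777216 + b * 65536 + c * 256 + d ))
}

# in_net ADDR NET: true if ADDR is inside NET ("all", "a.b.c.d" or "a.b.c.d/len")
in_net() {
    [ "$2" = all ] && return 0
    case $2 in
        */*) prefix=${2%/*}; len=${2#*/} ;;
        *)   prefix=$2; len=32 ;;
    esac
    if [ "$len" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    fi
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$prefix") & mask )) ]
}

# route_table RULES SRC DST: print the table picked by the first matching rule
route_table() {
    src=$2; dst=$3
    printf '%s\n' "$1" | sort -n | while read -r prio rest; do
        from=all; to=all; table=
        set -- $rest
        while [ $# -gt 0 ]; do
            case $1 in
                from)   from=$2;  shift 2 ;;
                to)     to=$2;    shift 2 ;;
                lookup) table=$2; shift 2 ;;
                *)      shift ;;
            esac
        done
        # modelling assumption: these tables have no route for our addresses
        case $table in local|220) continue ;; esac
        if in_net "$src" "$from" && in_net "$dst" "$to"; then
            echo "$table"
            break
        fi
    done
}

# Demo: a WAN-pinned gaming PC (192.168.50.23) and an ordinary LAN host,
# each sending to the other site's NAS network and to the internet.
for dst in 192.168.100.5 1.1.1.1; do
    for src in 192.168.50.23 192.168.50.10; do
        printf '%-14s -> %-14s before: %-5s after: %s\n' "$src" "$dst" \
            "$(route_table "$RULES_BEFORE" "$src" "$dst")" \
            "$(route_table "$RULES_AFTER" "$src" "$dst")"
    done
done
```

With the listing as posted, the gaming PC matches its own `lookup main` rule at 10010 before any wgc2 rule is reached, and the rest of the LAN hits `wgc1` at 11210, so traffic for the other site's LAN never enters the site-to-site tunnel. A destination-only rule at priority 9000 is evaluated before all of those and sends only the 192.168.100.0/24 traffic to `wgc2`, leaving internet traffic on whatever the later rules decide.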
 
If you disclosed info about your sites (server site: LAN IP, WG interfaces, etc.; client site: LAN IP, WG interfaces, etc.) and provided details of what routing you need, I could see if I could provide some pointers.
 
(Client)
Local ip at my place is 192.168.50.0/24
wgc2

(Server)
Local ip at the other place is 192.168.100.0/24
wgs1
wireguard ip 10.6.0.1/32

EDIT: In addition to this I want both to have a wgc1 client connected to a VPN provider in order to hide the IP for all clients.
I just want this site2site to be optional so I can get access whenever needed to devices on the other side. No internet routing towards this.
 
So, for site2site you only need 1 rule:
Local ip: blank
Remote ip: 192.168.100.0/25
Iface: wgc2

This rule makes sure all clients access the server LAN, but not for internet.

For internet, go ahead and add local IPs on other rules.

The problem is that any rule pointing to wan or wgc1 will bypass this rule.

For your internet client you could switch to wgc3 to get around that problem. For your WAN rules, I'm not sure what your intention is: prevent access to the server LAN, or WAN internet access.

If you disclose how you want your routing to work I may be able to help you better.

If you have complex requirements, there is a chance it's not possible with VPN Director. How are you feeling about adding custom rules via ssh?
 
Well, I could try to add custom rules via ssh. I'm not savvy enough to understand this routing business myself though :p

The scenario is this.

On RT-AX82U (the other place)
Runs WireGuard server
Work related devices (must have direct access to internet)
The rest of devices: Hidden IP when surfing the web, downloading and whatnot.
There is a NAS device here that I want access to from all clients that are connected to the WireGuard server.

On RT-AX86U (where i live)
Runs WireGuard client
Gaming comp + Playstation (must have direct access to internet for short ms reasons)
The rest of devices: Hidden IP when surfing the web, downloading and whatnot.
I want access to the NAS.
 
Well, access to your NAS gets a bit in the way. The problem with using a WG client for these things is that it cannot be combined with WAN internet access.

You could add a custom rule at the ssh prompt for server LAN (NAS) access with higher priority than the WAN rules to fix this:
Code:
ip rule add to 192.168.100.0/24 lookup wgc2 prio 9000

Adding this rule means you don't have to worry about NAS access, and you can more freely create VPN Director rules as you please to control internet access without affecting NAS access.

You should also remove all VPN Director rules related to NAS access to prevent conflicts.

To remove the rule:
Code:
ip rule del prio 9000

To make this persistent, put them in wgclient-start/stop hook scripts. Let me know if you need help with this.
https://github.com/RMerl/asuswrt-merlin.ng/wiki/User-scripts
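As an added example of the persistence step (my script, not one from the thread or the Merlin project), here is one file that can be installed under both names, /jffs/scripts/wgclient-start and /jffs/scripts/wgclient-stop, so the rule is added when the site-to-site client comes up and removed when it stops. It assumes, as I read the linked user-scripts wiki page, that these hooks receive the WireGuard client unit number as their first argument; check that against the wiki for your firmware version. The LAN, client unit and priority values are the ones from the thread.

```shell
#!/bin/sh
# Install as /jffs/scripts/wgclient-start and /jffs/scripts/wgclient-stop
# (both executable); behaviour is chosen from the name it was called as.
# Assumption: the firmware passes the client unit number (1, 2, ...) as $1.

SITE_LAN=192.168.100.0/24   # remote (server-side) LAN from the thread
SITE_UNIT=2                 # the site-to-site client is wgc2
RULE_PRIO=9000              # lower number than VPN Director's 10000+ rules,
                            # so the kernel consults it before them

# true if a rule with our priority already exists
rule_present() {
    ip rule show | grep -q "^${RULE_PRIO}:"
}

# site_rule_add UNIT: add the rule once, only when the site-to-site client starts
site_rule_add() {
    [ "$1" = "$SITE_UNIT" ] || return 0
    rule_present && return 0        # already there: keep the script idempotent
    ip rule add to "$SITE_LAN" lookup "wgc${SITE_UNIT}" prio "$RULE_PRIO"
}

# site_rule_del UNIT: remove every copy of the rule (ip rule del drops one per call)
site_rule_del() {
    [ "$1" = "$SITE_UNIT" ] || return 0
    while rule_present; do
        ip rule del prio "$RULE_PRIO" || break
    done
}

# dispatch on the name the script was installed under
case "$(basename "$0")" in
    wgclient-start) site_rule_add "$1" ;;
    wgclient-stop)  site_rule_del "$1" ;;
esac
```

Checking `ip rule show` before adding avoids stacking duplicate rules if the client is restarted, and looping on delete handles the case where duplicates already exist from manual testing; after the client is started you can confirm with `ip rule` that the `9000:` line sits above the VPN Director rules.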
 
Ok, what is a better way to do this? OpenVPN perhaps?
The only reason I want to use WireGuard is for speed enhancements.
I could also skip VPN altogether and do sshfs instead.
 
Ok, what is a better way to do this? OpenVPN perhaps?
There is no escaping this. VpnDirector could only take you so far. It is made for ease of use which doesn't combine well with flexibility. OpenVPN will be the same (I think).

As you don't need your server for internet VPN if you have a local VPN, the other option is to use my first link and set up a server peer for the site2site VPN. This would make your LAN routes accessible for everyone, and you can use your VPN client as you wish, combining WAN/VPN access as you are now.

Easier? Yes/no? You decide...
 
There is no escaping this. VpnDirector could only take you so far. It is made for ease of use which doesn't combine well with flexibility. OpenVPN will be the same (I think).

As you don't need your server for internet vpn if you have local vpn, then the other option is to use my first link and setup a server peer for the site2site vpn. This would make your lan routes accessible for everyone and you can use your vpn client as you wish combining wan/vpn access as you are now.

Easier? Yes/no? You decide...
A problem is that one of the devices can't run ASUS-Merlin, since the device is not supported by it.
The easiest solution would be to fall back on the sshfs option.
In the end it's not ALL devices that need access to the NAS, just one or two.
 
A problem is that one of the devices can't run ASUS-Merlin, since the device is not supported by it.
Well, as I understood it, your server is not the problem, it's the client, right?


The easiest solution would be to fall back on the sshfs option.
Your choice.


In the end it's not ALL devices that need access to the NAS, just one or two.
This info was not part of your routing setup. But if no device requires simultaneous NAS and WAN access, it may be possible to work around.
 
No dude, I want it to be accessible everywhere by all clients that are connected to the network. Not that all clients have the need for it, but I want the access nevertheless. No restrictions on the LAN. It's not Fort Knox at these places.
 