Wireguard can't access devices behind asus router

evlo

I'm trying to set up a "site to peer" WireGuard VPN, but can't access the Asus router or anything behind it from the other side of the VPN.

Setup is described in the attached image.

WG settings on asus
Inbound Firewall = Allow
Enable nat = yes

No firewall blocking ping on 192.168.50.1 or 192.168.50.2
I did not manually add any routes to the Asus router

Maybe I need to set a route on the side with the server to route 192.168.50.0/24 to 192.168.110.162 - but I think the autogenerated route table on the server in the screenshot should be enough?
 

In the past I did set up site to site successfully in a similar way, so I'm pretty sure Asus can do it. I just don't remember if I did anything special. And mainly I do not know whether to focus on the server or the Asus to debug where there is a routing issue.

I think if asus could not do incoming there would not be an option to set inbound firewall :)

This is site to peer that I want to work both ways.

If I try tracepath on the server it just ends on localhost.
tracert from a client behind the Asus says it goes to the router and then to the server (which is correct).
It kinda makes me believe the issue is on the server side, but I dunno how to debug more, as in route on the server it says
Code:
192.168.50.0/24 dev wg0 scope link
which as I understand it should mean it should send traffic to 192.168.50.* to wg0 interface
 
I think my confusion is your picture didn’t show which is the WGS and which is the WGC. The laptop is trying to ping the WGS which is the server looking picture. It’s possible your server/client isn’t set up to respond to ICMP echo requests. From WAN or another subnet might be the problem. If it can ping itself it’s internal to its DHCP server range.

I’m guessing. I don’t do a lot of vpn stuff to be frank.
 
I figured it out, in vpn director

I guess it kinda maybe goes against wireguard idea, but whatever, if it works in the end
 


Hey if it works it works. Sorry I couldn’t give a definitive answer.
 
There are a couple of things that may need correction for your setup to behave the way you want.

1. Remove NAT on your Asus client. This setting has no use in site-2-site and only complicates things.
2. In your VPN Director rule you may remove the source IP field and leave it blank.
3. If you want/need access to WG VPN client IPs, you will need another VPN Director rule as: Local IP = blank, Remote IP 192.168.62.0/24, Iface: Wgc5.

Edit: just saw you worked it out.
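
A server-side check for the "server or Asus?" question raised earlier in the thread, as an added example that is not part of any post: a kernel route such as `192.168.50.0/24 dev wg0` only hands the packet to WireGuard, which then drops it unless some peer's AllowedIPs covers the destination. The sample text is constructed (only the first route line is quoted from the thread; peer key names and AllowedIPs values are placeholders) and stands in for the output of `ip route` and `wg show wg0 allowed-ips`.

```python
import ipaddress

# Constructed sample data. Only the first route line is quoted from the thread;
# the second route, the peer key names and the AllowedIPs values are placeholders.
IP_ROUTE = """\
192.168.50.0/24 dev wg0 scope link
192.168.62.0/24 dev wg0 proto kernel scope link src 192.168.62.1
"""
# Format of `wg show wg0 allowed-ips`: "<public key>\t<cidr> <cidr> ..."
WG_TUNNEL_ONLY = "PEER_KEY_ASUS=\t192.168.62.2/32\nPEER_KEY_LAPTOP=\t192.168.62.3/32\n"
WG_WITH_LAN = "PEER_KEY_ASUS=\t192.168.62.2/32 192.168.50.0/24\nPEER_KEY_LAPTOP=\t192.168.62.3/32\n"


def parse_routes(text, dev):
    """Networks that the `ip route` output sends out of interface `dev`."""
    nets = []
    for line in text.splitlines():
        f = line.split()
        if "dev" in f[:-1] and f[f.index("dev") + 1] == dev:
            dest = "0.0.0.0/0" if f[0] == "default" else f[0]
            nets.append(ipaddress.ip_network(dest, strict=False))
    return nets


def parse_allowed_ips(text):
    """Map each peer key to its AllowedIPs networks ("(none)" means empty)."""
    peers = {}
    for line in text.splitlines():
        key, _, cidrs = line.partition("\t")
        peers[key] = [ipaddress.ip_network(c, strict=False)
                      for c in cidrs.split() if c != "(none)"]
    return peers


def diagnose(dst, routes, peers):
    """Return 'no-route', 'no-peer', or 'peer:<key>' for destination `dst`."""
    addr = ipaddress.ip_address(dst)
    if not any(addr in n for n in routes):
        return "no-route"  # the kernel never hands the packet to the tunnel
    # WireGuard selects the peer with the longest matching AllowedIPs prefix.
    matches = [(n.prefixlen, k) for k, nets in peers.items() for n in nets if addr in n]
    if not matches:
        return "no-peer"   # routed to wg0, then dropped: no peer owns the address
    return "peer:" + max(matches)[1]


if __name__ == "__main__":
    routes = parse_routes(IP_ROUTE, "wg0")
    for label, dump in (("tunnel-only", WG_TUNNEL_ONLY), ("with-lan", WG_WITH_LAN)):
        print(label, diagnose("192.168.50.2", routes, parse_allowed_ips(dump)))
```

A `peer:` result means the server side is consistent and attention moves to the router's return path, which is where the thread's fix (the VPN Director rule) ended up.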
 
