Wireguard on Asus: Can only see router, not LAN Devices!

[ZebMcKayhan]

I have used the same IP-form on peer/client side so now I can access the client-side LAN from server side-LAN but I can not the other way around.

Better post pictures on how your setup is. Both the server config and the client config with vpndirector rules.
Are you running more vpn services on any routers except this one on either side?
I'm don't want to see any keys or Endpoint public ips so please obfuscate these.

Tried to use ping(network tools) from the client router to ping the internal IP of the router on server-side but I can not find out why it does not work?

The router may use the wg ip when communicating over the tunnel and the result may differ from if you use a lan client.

 

[netnrd]

Better post pictures on how your setup is. Both the server config and the client config with vpndirector rules.
Are you running more vpn services on any routers except this one on either side?
I'm don't want to see any keys or Endpoint public ips so please obfuscate these.



The router may use the wg ip when communicating over the tunnel and the result may differ from if you use a lan client.

Hi, I hope this pic will explain the setup. from the WG-serverside LAN I can access WG-clientside LAN but not the other way.

 

[ZebMcKayhan]

Hi, I hope this pic will explain the setup. from the WG-serverside LAN I can access WG-clientside LAN but not the other way.

Thanks, close enough.

On your client config you need to disable NAT (set to "nej") if this is site-2-site usage.

Also on you client side you seem to have put in 2 ipv4 under Interface, Address. This would not be allowed/ok. You Interface Address should be 10.6.0.2/32 nothing else.

2 things are missing information though.

Server side AllowedIPs, you will find it on the server under the client right about the area with the qrcode there should be a site-2-site settings button allowing you to see/change AllowedIPs (server) and AllowedIPs (Client)

Client side vpndirector/vpnfusion rules. Wg client always requires you to add rules in vpndirector/vpnfusion, otherwise it won't be used.

 

[netnrd]

I tried to follow your advise but then I could not access LAN either way, it worked one way at least with the settings I posted.
Perhaps it is best to make a new connection or try IPsec instead.

 

[ZebMcKayhan]

I tried to follow your advise but then I could not access LAN either way, it worked one way at least with the settings I posted.
Perhaps it is best to make a new connection or try IPsec instead.

Understood. It means there is more to the picture. Probably AllowedIPs (server) not including lan on the other side.

Nat have that side-effect - while it may make thing work in one direction, 2 way direct access will not be possible. But for 2 way to work properly nat need to be off and both sides needs to be setup to be aware of other lan, not just the wg ip which is default.
This is handled by AllowedIP (server) on the server side and vpndirector/fusion, or together with AllowedIPs on the client side.
Unfortunately you did not disclose these.

 

[ZebMcKayhan]

I tried to follow your advise but then I could not access LAN either way, it worked one way at least with the settings I posted.
Perhaps it is best to make a new connection or try IPsec instead.

After doing some thinking (I'm alittle slow sometimes). 2 way could work with nat, maybe. As only new packets are treated but im not sure. It would not add any value, just slow everything down.

Looking at your picture your server can ping lan (10.6.0.1 -> 192.168.60.x) so server is aware of other lan. And client is aware of server 10.6.0.1

What is not working is client pinging server lan (10.6.0.2 -> 192.168.50.x), if you instead tried to ping server wg ip it would probably work?
If not, then server is not aware of 10.6.0.2, which needs to be added on AllowedIPs (server). But it does not make sense since you are using nat and it works the other way.

so the obvious conclusion is that the client is not aware of server lan and the scheme of adding this to the address field is not providing the routes needed. Your issue is likely on the client vpndirector as rules are needed to point server lan destinations to wg vpn interface.

For vpndirector (merlin) it's easy, just add remote ip: 192.168.50.0/24 to this wgc Interface. While you are at it you should probably make a second rule for Remote ip: 10.6.0.0/24 to use this wgc interface as well. Leave local IP blank.

When this is done and things start to work you can test to remove nat and reset the interface Address to what it should be.