Wireguard site to site help - AVM Fritzbox strange behavior

[DocUmibozu]

Hi,
I'm trying to setup a site-to-site wireguard vpn beetween my AX68U and a Fritxbox modem/router.
The configuration is pretty basic and it works with other equipment, (openwrt routers).

My AX68U is on 192.168.1.0/24 subnet
Wireguard tunnel is 10.6.0.1/32
Site to site allowed IP on Server 10.6.0.5/32,192.168.12.0/24

Client Config is this
[Interface]
PrivateKey =XXX
Address = 10.6.0.5/32
DNS = 10.6.0.1

[Peer]
PublicKey = XXX
AllowedIPs = 192.168.12.0/24 (fritzbox subnet)
Endpoint = XXX:51820
PersistentKeepalive = 25

When I import it in Fritzbox the connection is established and I can ping a see everything on 192.168.1.0/24 (my home) and if I ping internet the connection goes outside the tunnel (like I want, a site to site split tunnel wireguard only)
But from my home I can't see anything on 192.168.12.0/24 (Fritzbox subnet).
It's like a one direction only vpn.
After a lot of head banging I found a way to extract the wireguard configuration from fritzbox and I see some changes made by it.
The configuration after import has become this:

[Interface]
PrivateKey =XXX
Address = 192.168.12.1/24,10.6.0.5/32 (why 192.168.12.1/24 ??)
DNS = 192.168.12.1
DNS = fritz.box

[Peer]
PublicKey = XXX
AllowedIPs = 192.168.1.0/24
Endpoint = XXX:51820
PersistentKeepalive = 25

Any idea to make this a proper two side tunnel apart from ditching the fritzbox and buying a 40€ operwrt router which works?
Thank you all

 

[ZebMcKayhan]

AllowedIPs = 192.168.12.0/24 (fritzbox subnet)

Dont know details about fritzbox but if this is the config you imported its not going to work. AllowedIPs on the client side must be destinations on the other side of the tunnel. You imported that the fritzbox should connect to its own lan over vpn? It should likely be: 10.6.0.1/32, 192.168.1.0/24
Which is wg server peer ip and server lan. Those are the 2 destinations that should be sent over vpn from the fritzbox.

But from my home I can't see anything on 192.168.12.0/24 (Fritzbox subnet).

Sounds like the firewall of the fritzbox are blocking inbound connections. Look for an option to allow inbound connections over vpn.

 

[DocUmibozu]

Sounds like the firewall of the fritzbox are blocking inbound connections. Look for an option to allow inbound connections over vpn.

Seems this is the problem... I've asked for help on a fritz forum and it's a common bug.

 

[DocUmibozu]

Well, in the end there's no easy solution to the problem.
Fritzboxes have a non-standard wireguard implementation and the only way to fix it is to build a firmware from Freetz (a github project) with standard wireguard and flash it.
The solution is appealing, but impossibile for me: fritzbox is not mine, is given to me by the ISP and I'll have to return it when I quit the contract.
However, if you own a Fritzbox be warned, you won't be able to create a site to site wireguard split tunnel with any other modem/router. Only Fritzbox to Fritzbox.

 

[rappel]

Slightly different, but about 18 months ago I was trying to set up Wireguard from Fritz 7530 to Asus RT-AX86S. - I gave up after Christmas, so didn't spot this - you got further than I did.
Just tried again and absolutely same issue despite numerous updates on both ends in terms of firmware.

I can import the config on the Fritz but it never completes a setup. I spent a few weeks with Fritz support (Asus wasn't interested as all the other connections I had worked fine) but got nowhere they kept coming back having looked at logs and said it should work - It really doesn't!

As I wanted a two way link like you, I'm not going to bother at this point if it's a non-standard implementation etc.. I'll go back to anther VPN type. Shame as Wireguard is very quick, simple to configure and on the whole reliable with the Asus router.