Wireguard Site2Site (AX88U to AX88U) on version 388.1


Allowed IPs (Server): 10.6.0.0/24,192.168.50.0/24
I'm starting to sound like a broken record. AllowedIPs(server) should NOT contain the entire wg 10.6.0.x network. You should change AllowedIPs(server) to 10.6.0.2/32,192.168.50.0/24

Allowed IPs (Client): 10.6.0.0/24,192.168.25.0/24,192.168.50.0/24
And the local LAN should NOT be included here as it creates a routing conflict. Change AllowedIPs(client) to 10.6.0.0/24,192.168.25.0/24

Besides that it is looking good! Thanks for sharing!
 
I'm starting to sound like a broken record. AllowedIPs(server) should NOT contain the entire wg 10.6.0.x network. You should change AllowedIPs(server) to 10.6.0.2/32,192.168.50.0/24

And the local LAN should NOT be included here as it creates a routing conflict. Change AllowedIPs(client) to 10.6.0.0/24,192.168.25.0/24

Got it. I think I misread one of the earlier posts, I thought if I want multiple clients to be able to connect to the VPN (let’s say from outside these two networks) & connect to each other on the WG subnet, as well as both LAN networks, that I’d need to have the 10.6.0.0/24 in there for the server side.

Is this the right understanding? For the server side allowed IP, each WG connection profile is specific to the connecting client, so it actually can & is good practice to be more specific.

For the client side allowed IP, makes sense that there’s no need to put 192.168.50.0/24 in there, thanks for that catch!
 
Great! Although if you are talking about AllowedIPs at your site2site client, 192.168.50.0/24 should NOT be there. This is the site's local LAN and packets to these IPs should not be sent over the VPN tunnel at this site.

Hmmm. I'll get back to you after I am able to access my WG server again, but I am pretty sure that was the change I had to make in order to access the 192.168.50.0/24 subnet from a roaming client connected to the 10.6.0.1/32 WG server. It looks like @philote also included the 192.168.50.0/24 subnet in the Allowed IPs for the site-to-site client.

BTW, glad you were able to get things working, @philote!
 
I thought if I want multiple clients to be able to connect to the VPN (let’s say from outside these two networks) & connect to each other on the WG subnet, as well as both LAN networks, that I’d need to have the 10.6.0.0/24 in there for the server side.
Not on the server side, only on the client side.

Is this the right understanding? For the server side allowed IP, each WG connection profile is specific to the connecting client, so it actually can & is good practice to be more specific.
Yes, as a server peer could be connecting to several other peers, say
Site2site client (10.6.0.2)
Roaming client 1 (10.6.0.3)
Roaming client 2 (10.6.0.4)
It needs to know what data to send where. So on the server side each peer must be explicit regarding peer ip.

On the client side it is not that critical as the client only has its own peer IP, so it could (and sometimes should) send all 10.6.0.x over the VPN. The only reason for limiting AllowedIPs to /32 would be if you DON'T want roaming clients to access this site. But most people do want access everywhere as these are private networks. And it's handy to not explicitly add each peer IP, as you don't want to update your site2site client every time you create a new roaming device on your server.
 
I am pretty sure that was the change I had to make in order to access the 192.168.50.0/24 subnet from a roaming client connected to the 10.6.0.1/32 WG server.
There is no way a local lan subnet in AllowedIPs fixed anything. Either we are talking about different things or there are other things at play here.

Test and see, and if you are experiencing issues, post your LAN IP, peer IP, AllowedIPs and VPN Director rules here and I'll take a look.
 
Geez. It's definitely me I guess.
After fighting this bidirectional stuff with stock firmware for a good couple/three months, I had the bidirectional working for things like PCs and Synology devices on both subnets.
I even had mobile devices working from the same device to one subnet, but not the other..
In trying to solve that (i.e., make it work to both subnets with separate wireguard tunnels), and then also make it where I could see both subnets from either of those two tunnels, things just got more and more weird.
I was completely befuddled by the references to client / server on both sides of a peer connection, etc...
Each time I seemed to get it working on one front, it would stop on another (because I'm sure I had allowedIP errors and such conflicting with each other).
So having seen this thread, I said what the heck, lemme jump to Merlin- I used it once before a while back and it adds some nice features anyway.

So then seeing philote's and dardar's and all the others' continued success, I felt more and more confident.

And yet here I am, having completely started from scratch and followed both dardar's and philote's posts (philote's was easiest for me to translate, I thought), where I can see a connection being made (at least bytes coming back and forth), but can't for the life of me ping the router on the server side.

I've only been able to openvpn back into the server side with a standalone laptop (staying away from the router openvpn stuff, as I'm sure I'd get tangled up too!).

So I guess it's me. This has been incredibly frustrating.

I guess I'll start over again and try to mimic you successful folks.
I have to say that I was a little happy to read other people were wrestling with the GUI in the stock, as I also found it quite confusing.
But now you guys have all succeeded and I have completely failed backwards again and again.

Oh well. I guess this has turned into a pathetic confession of my pathetic condition, ha!

But thanks to all of you for sharing all the great details.
I am completely confused as to why I can't seem to replicate one of now multiple examples and get the same outcome.

Anyway- have a great day.
 
Maybe I just needed to vent... Just now, I found that having made a VPN director rule per all your guidance on one of my earlier attempts, I hadn't switched it to the latest / active wgc instance I was working on...
So suddenly my bidirectional looks to be working, having fixed that rule to properly apply to the client I was working on.
So I stand by my statement- it had to be me, you guys and your info have been amazingly helpful, and I'd say Merlin wins the gui / implementation battle for this particular feature...
:)
I haven't tried the mobile device yet but I'm counting this as major progress.

THANKS GUYS!
 
Yes, as a server peer could be connecting to several other peers, say
Site2site client (10.6.0.2)
Roaming client 1 (10.6.0.3)
Roaming client 2 (10.6.0.4)
It needs to know what data to send where. So on the server side each peer must be explicit regarding peer ip.

Right so for my Site #2 WG client config, I remove the 192.168.50.0/24 allowed IP because that site's LAN itself is already that & so should be able to connect to those IPs without going through the VPN.

However, for my roaming client #1 WG client config, I would need to add 192.168.50.0/24 into the allowed IPs because that client's LAN will not be on that subnet (let's say Starbucks Wi-Fi), so if it wants to connect to Site #2's subnet via Site #1's VPN connection, that routing needs to be specified. Is that right?

Thanks for taking the time to go through this, super helpful!
 
However, for my roaming client #1 WG client config, I would need to add 192.168.50.0/24 into the allowed IPs because that client's LAN will not be on that subnet (let's say Starbucks Wi-Fi), so if it wants to connect to Site #2's subnet via Site #1's VPN connection, that routing needs to be specified. Is that right?
Correct! The roaming clients would either have 0.0.0.0/0 to send ALL data over the tunnel and use server wan for internet. Or it could be the 3 networks: <wg network>/24, <server lan>/24, <s2s client lan>/24 and internet will go out the roaming device wan.
 
Correct! The roaming clients would either have 0.0.0.0/0 to send ALL data over the tunnel and use server wan for internet. Or it could be the 3 networks: <wg network>/24, <server lan>/24, <s2s client lan>/24 and internet will go out the roaming device wan.
Awesome!!! Thanks for walking through it.

Ok so then to be complete for others that were having trouble, think this would be the updated full config for site2site as well as roaming clients connecting to site 1 via WG:

Site 2 Site WG Setup:
Code:
Site #1:
AX88U Asus Merlin 388.1
LAN: 192.168.25.1
VPN Host: 10.6.0.1/32
WG Server Access Intranet: Yes
WG Server Allow DNS: Yes
WG Server Enable NAT: No
Pre-shared Key: Yes
Allowed IPs (Server): 10.6.0.2/32,192.168.50.0/24

Site #2:
AX88U Asus Merlin 388.1
LAN: 192.168.50.1
VPN Client: 10.6.0.2/32
WG Client Enable NAT: No
WG Client Inbound Firewall: Allow
Allowed IPs (Client): 10.6.0.0/24,192.168.25.0/24
VPN Director Rule 1: Remote IP 10.6.0.0/24, Interface WGC1 ### make sure the interface is correct
VPN Director Rule 2: Remote IP 192.168.25.0/24, Interface WGC1 ### make sure the interface is correct

Roaming Client #1 WG Setup:
Code:
Site #1
AX88U Asus Merlin 388.1
LAN: 192.168.25.1
VPN Host: 10.6.0.1/32
WG Server Access Intranet: Yes
WG Server Allow DNS: Yes
WG Server Enable NAT: No
Pre-shared Key: Yes
Allowed IPs (Server): 10.6.0.3/32 ### change this for each roaming client

Laptop
LAN: some public Wi-Fi
VPN Client: 10.6.0.3/32 ### change this for each roaming client
WG Client Enable NAT: No
WG Client Inbound Firewall: Allow
Allowed IPs (Client): 10.6.0.0/24,192.168.25.0/24,192.168.50.0/24 ### add 0.0.0.0/0 if internet should be routed through Site #1's internet connection.
### Also add 10.7.0.0/24 if you want Site #2 to also be a WG server that roaming clients can connect to & have Site #1's roaming clients to be able to connect to Site #2's roaming clients

EDIT to add (& updated above to reflect), if you want a roaming device to use Site #2's internet connection instead

Roaming Client #2 WG Setup:
Code:
Site #2
AX88U Asus Merlin 388.1
LAN: 192.168.50.1
VPN Host: 10.7.0.1/32
WG Server Access Intranet: Yes
WG Server Allow DNS: Yes
WG Server Enable NAT: No
Pre-shared Key: Yes
Allowed IPs (Server): 10.7.0.2/32 ### change this for each roaming client

Laptop
LAN: some public Wi-Fi
VPN Client: 10.7.0.2/32 ### change this for each roaming client
WG Client Enable NAT: No
WG Client Inbound Firewall: Allow
Allowed IPs (Client): 10.7.0.0/24,192.168.25.0/24,192.168.50.0/24 ### add 0.0.0.0/0 if internet should be routed through Site #2's internet connection.
### Also add 10.6.0.0/24 if you want Site #2's roaming clients to be able to connect to clients of Site #1's roaming clients
 
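As an added example (not code from this thread or from Asus Merlin), a small Python model of the rule ZebMcKayhan explains above and that the final configs follow: AllowedIPs behaves like a routing table (longest prefix wins), so a server with several peers must give each peer its own addresses, and a site-to-site client must not list its own LAN. The peer names and the tables below are assumptions constructed from the posted Site #1 and Site #2 configs.

```python
import ipaddress
from itertools import combinations, product

# Constructed from the thread's final Site #1 server config (one entry per peer).
SITE1_SERVER_PEERS = {
    "site2":    ["10.6.0.2/32", "192.168.50.0/24"],
    "roaming1": ["10.6.0.3/32"],
}
# Constructed: the Site #2 client's AllowedIPs before the correction, and its own LAN.
SITE2_CLIENT_ALLOWED = ["10.6.0.0/24", "192.168.25.0/24", "192.168.50.0/24"]
SITE2_LAN = "192.168.50.0/24"


def _net(s):
    # strict=False tolerates host bits, e.g. "192.168.50.1/24"
    return ipaddress.ip_network(s, strict=False)


def select_peer(peers, dst):
    """Peer that receives a packet for dst: the longest matching AllowedIPs prefix
    wins; None means no peer claims the address and the packet is dropped."""
    addr = ipaddress.ip_address(dst)
    best = max(((_net(n).prefixlen, name)
                for name, nets in peers.items()
                for n in nets if addr in _net(n)), default=None)
    return best[1] if best else None


def check_server_peers(peers):
    """Flag AllowedIPs that overlap between two server-side peers. With a wide
    prefix (e.g. 10.6.0.0/24) on one peer, every address not explicitly claimed
    by another peer is sent to that peer, which is why each peer should list
    only its own /32 plus the LAN behind it."""
    return [f"{a}:{na} overlaps {b}:{nb}"
            for a, b in combinations(peers, 2)
            for na, nb in product(peers[a], peers[b])
            if _net(na).overlaps(_net(nb))]


def check_client_allowed_ips(allowed, local_lan):
    """Flag the client's own LAN inside its AllowedIPs: those addresses are
    reachable directly, and routing them into the tunnel creates a conflict."""
    lan = _net(local_lan)
    return [a for a in allowed if _net(a).overlaps(lan)]
```

Running `check_client_allowed_ips(SITE2_CLIENT_ALLOWED, SITE2_LAN)` reports 192.168.50.0/24, and `check_server_peers` on a server entry that uses 10.6.0.0/24 instead of 10.6.0.2/32 reports the overlap with the roaming peer.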
Test and see, and if you are experiencing issues, post your LAN IP, peer IP, AllowedIPs and VPN Director rules here and I'll take a look.
Thanks, @ZebMcKayhan. Now that my remote system is powered up again, I took your advice and reverted the 192.168.50.1's WG Client Allowed IPs to 10.6.0.0/24,192.168.25.0/24. Everything works as expected, both locally and when connected by a roaming client. Hurray!

Thanks again also to @ThomsBe and @philote for posting their configurations. I am going to start up the WG server on my 192.168.50.1 router as a backup in case my Site2Site connection goes out for some reason. Good to know that the second WG server should be on its own VPN subnet (i.e., 10.7.0.0/24). Makes sense, but Wireguard World is still a bit mysterious to me.

[Edited to correct typo in WG Client Allowed IPs address (from 10.0.0.6/24 to 10.6.0.0/24).]
 