Wireguard site2site (Server AC86U Peer AX86U)


I export from ax86u and import on ac86u as a client, the name got changed to wg11
 
I export from ax86u and import on ac86u as a client, the name got changed to wg11
Ok, normally, that's not the way I would have done it. Non-conflicting routes belong in the main routing table, not the policy routes table, and access control should be handled by the firewall, not by policy routes.

But ok, it should work anyway although there might be issues down the road.

Please list all your policy rules regarding wg11.
 
I have just set up this one. Thanks
Client Auto IP Endpoint DNS MTU Annotate
wg11 P 10.6.0.2/32 xxx.xxx.xxx.xxx:51811 10.6.0.1 Auto # N/A

Selective Routing RPDB rules
ID Peer Interface Source Destination Description
1 wg11 WAN 192.168.0.87 Any wan macbookairold


Configuration rules for Peer wg11
 
I tried to exclude one computer from the VPN but I can still access all the computers on the remote.
That does not make any sense. You should not be able to access any remote LAN IPs. Perhaps you need to restart wg11 to have the routes move to the policy table?

Then you need to set up rules for anything that should be able to access the remote LAN (peer wg11 rule add vpn src=0.0.0.0/0 dst=<remote lan>/24)
 
That was just the rules. The config looks like this:

[Interface]
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxx=
Address = 10.6.0.2/32
DNS = 192.168.0.45,10.6.0.1


[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxx=
PresharedKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
AllowedIPs = 10.6.0.1/32,192.168.2.0/24,192.168.1.0/24
Endpoint = xxx.xxx.xxx.xxx:51811
PersistentKeepalive = 25

Running this way I can access all my remote LAN and keep my IP address.

I would like to exclude a computer from this route.
I tried to use :
peer wg11 rule add wan 192.168.0.87 comment My Computer To Wan

But that is not working
 
But that is not working
Did some reading up in the wgm code and it turns out only AllowedIPs = 0.0.0.0/0 gives a policy route table. All others end up in the main table. Since your AllowedIPs does not contain this, the rules (and policy mode) have virtually no effect.

There is another issue with your way of doing this. As client import in WGM implies an internet client, only one-way communication is allowed.

You will also get NAT again and weird DNS handling that's not really appropriate for site-2-site.

But however you wish to play this, you will need to make custom firewall rules.

1. Remake your import as client but change AllowedIPs = 0.0.0.0/0 and set up rules for your current AllowedIPs (dst). Make custom firewall rules to allow inbound access and remove NAT.

2. Remake your import as it is but do it as type=server. You will need to put _public.key and _private.key files with your conf file. Create custom firewall rules for blocking access to the tunnel from your ip you want to block.

Let me know how you want to make it and I will try to support.
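As an added example (not code from this thread, from WireGuard Manager or from the poster), the Python audit below reads a wg11 client config like the one posted above, reports whether WGM will policy-route it (the AllowedIPs = 0.0.0.0/0 condition described in this post), lists the networks that otherwise land in the main table, and generates the `peer wg11 rule add ... dst=` lines option 1 needs, using the rule syntax quoted earlier in the thread. The sample config is constructed; keys and endpoint are placeholders.

```python
import ipaddress
import re

# Constructed sample modelled on the wg11 client config posted above; keys and endpoint are placeholders.
WG11_CONF = """\
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY=
Address = 10.6.0.2/32
DNS = 192.168.0.45,10.6.0.1

[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY=
PresharedKey = PLACEHOLDER_PRESHARED_KEY=
AllowedIPs = 10.6.0.1/32,192.168.2.0/24,192.168.1.0/24
Endpoint = 203.0.113.10:51811
PersistentKeepalive = 25
"""

def parse_wg_conf(conf_text):
    """Parse an INI-style WireGuard config into a list of (section, {key: value}) pairs."""
    sections = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif sections:
            key, _, value = line.partition("=")
            sections[-1][1][key.strip()] = value.strip()
    return sections

def audit_client_import(conf_text, peer_name="wg11"):
    """Per the post above, only a default route in AllowedIPs makes WGM build a policy table;
    otherwise list the main-table networks and the WGM dst rules that would replace them."""
    nets = []
    for section, kv in parse_wg_conf(conf_text):
        if section == "Peer":
            nets += [ipaddress.ip_network(a.strip(), strict=False)
                     for a in kv.get("AllowedIPs", "").split(",") if a.strip()]
    policy_routed = any(n.prefixlen == 0 for n in nets)  # 0.0.0.0/0 or ::/0 present
    main_table = [str(n) for n in nets if n.prefixlen != 0]
    # Rule syntax follows the "peer wg11 rule add vpn src=... dst=..." form used earlier in the thread.
    rules = [f"peer {peer_name} rule add vpn src=0.0.0.0/0 dst={n}" for n in main_table]
    return {"policy_routed": policy_routed, "main_table_networks": main_table,
            "suggested_rules": [] if policy_routed else rules}

def rewrite_for_policy_routing(conf_text):
    """Option 1 above: swap AllowedIPs for a default route; the old networks become dst rules."""
    return re.sub(r"(?m)^AllowedIPs\s*=.*$", "AllowedIPs = 0.0.0.0/0", conf_text)
```

Running `audit_client_import(WG11_CONF)` on the posted config reports `policy_routed: False`, which is why the `rule add wan 192.168.0.87` exclusion had no effect; after `rewrite_for_policy_routing` the audit reports the peer as policy-routed and the three former AllowedIPs still need to be added back as the generated dst rules.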
 
@ZebMcKayhan

Thanks for all your help.

The reason I did not follow your guide is I did not find the location of the server on the AX86U.
Just now I'm in the remote location and the main features are working.
I will change it when I'm back home.
I came up with a workaround when I want to isolate a computer. I connect to an OpenVPN server located at my present place and it does work as I intend.

Once more, thanks for your help.
 
