Hello,
I have tried to solve my problem by reading the good documentation and the posts here on the forum, but unfortunately I am stuck and hope that you can help me.
I have two Site2Site WireGuard VPNs that connect to my main router (Draytek 2962). One of the "branches" is the AXT1800. This works very well so far. Both subnets of the "branches" can access the Draytek network and vice versa.
My problem: I can't access the devices in the other VPN from the AXT1800 VPN. Routing doesn't work here and I don't know how to solve it.
Here is a diagram:
I spoke to DrayTek support and compared the settings. They told me that all the routes are set up correctly in the DrayTek and that the routing error must be in the AXT1800.
I have already specified in the WG VPN configuration that the route to 192.168.30.0/24 should run over the VPN. However, this does not seem to be sufficient, because access or pinging of 192.168.30.1, for example, is not possible. I can access all clients in the 192.168.20.0 network.
Do I need to specify additional routes? If so, how do I do that on the AXT1800?
Edit: If I connect to the WG server as a WG client (and not as S2S), then access to the 192.168.30.0 network also works. In this case, however, the AXT1800 has an IP from the 192.168.20.0 network and all AXT clients route with this IP into the VPN network. I am currently using this as a workaround. However, I would prefer accessible networks.
Could you run a tracert to see if you can see the different hops? If possible, a debug on Draytek to see that the traffic is arriving (and with which IP) and also on the Fritzbox (same, check the log if possible).
On the Fritzbox, do you also have the 192.168.6.0/24 network routed through the VPN interface?
Since you indicate that you can reach the Draytek without problems and that the route is configured correctly on the Draytek, it seems the problem is between the Draytek and the Fritzbox. If you have access policies configured, testing with an "any" policy to make sure that's not the problem would also be a good idea.
The debugs would provide visibility in case the devices are doing NAT (I had this problem and yesterday I solved it through the LuCI management of the GL.iNet router).
In fact, a traceroute shows that the request is correctly forwarded via 192.168.6.1 (AXT1800) to 192.168.20.254 (DrayTek 2962). However, the request gets stuck there.
So the problem seems to be with the Draytek rather than the AXT1800.
Make sure you present the 192.168.6.0/24 network to the Draytek and that it's routed from the Draytek to the Fritzbox. And on the Fritzbox, the same goes in reverse: network 192.168.6.0/24 is routed through the tunnel to the Draytek. NAT must not be applied on any hop. The 192.168.6.0/24 network must also be tunneled on the Fritzbox.
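To show why the answer above stresses that 192.168.6.0/24 must be "tunneled on the Fritzbox" as well, here is a small model of WireGuard's cryptokey routing for the hub-and-spoke topology in this thread. It is an added example, not configuration from any of the posters or from GL.iNet, DrayTek or AVM. It models only the two WireGuard AllowedIPs rules (on send, a destination is mapped to the peer whose AllowedIPs cover it; on receive, a packet is dropped unless its source lies in the sending peer's AllowedIPs) and ignores kernel routing tables, firewall zones and NAT. Subnets are the ones named in the thread; host addresses such as 192.168.6.10, the node names and the assumption that the Fritzbox side is a WireGuard peer of the hub are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Node:
    """A WireGuard endpoint: directly attached LANs plus one AllowedIPs list per peer."""
    name: str
    lans: list                                  # subnets reachable locally on this node
    peers: dict = field(default_factory=dict)   # peer name -> list of AllowedIPs networks


def parse(nets):
    return [ipaddress.ip_network(n) for n in nets]


def select_peer(node, dst):
    """Send side: pick the peer whose AllowedIPs contain dst (longest prefix wins).
    Returns None when no peer claims the destination, i.e. the packet leaves the tunnel."""
    best = None
    for peer, allowed in node.peers.items():
        for net in allowed:
            if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (peer, net)
    return best[0] if best else None


def accepts_source(node, from_peer, src):
    """Receive side: WireGuard silently drops a decrypted packet whose source
    address is not inside the AllowedIPs configured for the peer it came from."""
    return any(src in net for net in node.peers[from_peer])


def trace(nodes, start, src, dst, max_hops=8):
    """Walk a packet through the tunnels and report the hop list and outcome."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    cur, hops = nodes[start], [start]
    for _ in range(max_hops):
        if any(dst in lan for lan in cur.lans):
            return hops, "delivered"
        nxt = select_peer(cur, dst)
        if nxt is None:
            return hops, f"{cur.name}: no peer AllowedIPs covers {dst}"
        if not accepts_source(nodes[nxt], cur.name, src):
            return hops + [nxt], f"{nxt}: dropped, source {src} not in AllowedIPs of peer {cur.name}"
        cur = nodes[nxt]
        hops.append(nxt)
    return hops, "hop limit exceeded"


def build(fritz_allows_axt):
    """Constructed topology: DrayTek hub, AXT1800 spoke, Fritzbox spoke.
    fritz_allows_axt toggles whether the Fritzbox lists 192.168.6.0/24 for its hub peer."""
    hub = Node("draytek", parse(["192.168.20.0/24"]),
               {"axt1800": parse(["192.168.6.0/24"]),
                "fritzbox": parse(["192.168.30.0/24"])})
    axt = Node("axt1800", parse(["192.168.6.0/24"]),
               {"draytek": parse(["192.168.20.0/24", "192.168.30.0/24"])})
    fritz_allowed = ["192.168.20.0/24"] + (["192.168.6.0/24"] if fritz_allows_axt else [])
    fritz = Node("fritzbox", parse(["192.168.30.0/24"]), {"draytek": parse(fritz_allowed)})
    return {n.name: n for n in (hub, axt, fritz)}


if __name__ == "__main__":
    for fixed in (False, True):
        nodes = build(fixed)
        print("Fritzbox lists 192.168.6.0/24:", fixed)
        print("  ping  ->", trace(nodes, "axt1800", "192.168.6.10", "192.168.30.1"))
        print("  reply ->", trace(nodes, "fritzbox", "192.168.30.1", "192.168.6.10"))
```

With the Fritzbox only listing 192.168.20.0/24 for the hub, the ping is forwarded AXT1800 -> DrayTek -> Fritzbox and then discarded on arrival because its source 192.168.6.10 is outside that AllowedIPs set; this is what a traceroute that "gets stuck" at the hub looks like from the outside. Adding 192.168.6.0/24 on the Fritzbox side fixes both directions, since the same entry also tells the Fritzbox where to send the reply.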