Building a Site-2-Site network manually using two GL.iNet routers

This post is a guide to configuring a LAN-to-LAN (Site-to-Site) VPN between two GL.iNet routers using WireGuard. In the example the AX1800 runs the WireGuard server with LAN 192.168.8.0/24 and the SFT1200 runs the WireGuard client with LAN 192.168.10.0/24.

Network Topology (diagram)

1. Log in to the web interface of the AX1800, go to VPN > WireGuard Server and click Start to enable the WireGuard server.

Note: make sure the Allow Access Local Network option is enabled. Without it, traffic arriving through the tunnel is not forwarded to the server's LAN (192.168.8.0/24), so the remote site could reach the router but nothing behind it.

2. Go to Management and click Add a New User.

3. Click the file icon under Configurations to view the generated client profile.

    [Interface]
    Address = 10.0.0.2/32
    ListenPort = 41728
    PrivateKey = 6DIxs92F5No35606P+6ovQMIIxMWHzZRfVVwm/ILkmg=
    DNS = 64.6.64.6

    [Peer]
    AllowedIPs = 0.0.0.0/0,::/0
    Endpoint = 113.116.x.x:51820
    PersistentKeepalive = 25
    PublicKey = Bagdcu2x7Ekq9UY2qK+jBsRAC0VEPL1C8J7Yi9uUjGY=

Note: the Endpoint in the generated profile is the public address seen upstream of this router (113.116.x.x here). A client on the internet can only reach it if the upstream router forwards UDP port 51820 to the AX1800's WAN address. In this example the AX1800's WAN address is 192.168.17.14 and the client sits on the same internal subnet, so the Endpoint can simply be changed to 192.168.17.14:51820 and no port forward is needed. Two more things to keep in mind: the profile contains the client's PrivateKey and must be treated as a secret, and AllowedIPs = 0.0.0.0/0,::/0 sends all of the client's traffic through the tunnel. For a pure site-to-site link a hand-edited profile can narrow this to the server's tunnel address and LAN (10.0.0.1/32, 192.168.8.0/24), so the remote site does not become the client's default gateway.

4. Log in to the web interface of the SFT1200, go to MORE SETTINGS > LAN IP and change the LAN IP to 192.168.10.1. Both routers ship with 192.168.8.1, and the two sites must use different subnets, otherwise neither side can tell local addresses from remote ones and routing fails.

5. Go to VPN > WireGuard Client, click Set up WireGuard Manually, switch to the Configuration tab and paste the profile.

6. Click Connect to connect to the WireGuard server.

7. SSH into the AX1800 and add the subnet 192.168.10.0/24 to the client_ip option of the peer in the file /etc/config/wireguard_server. This option becomes the peer's AllowedIPs. WireGuard's cryptokey routing only accepts packets from a peer whose source address is listed there, and only hands packets to a peer for destinations listed there, so without this entry traffic to and from the client's LAN is silently dropped at the tunnel even though the kernel route in step 9 is present.

Guide to use vi to modify the file: https://openwrt.org/docs/guide-user/base-system/user.beginner.cli#editing_files

8. Restart the WireGuard server with this command so the new client_ip is applied.
/etc/init.d/wireguard_server restart

9. Add a static route so the server router sends traffic for the client's LAN into the tunnel interface:
ip route add 192.168.10.0/24 dev wg0

Note: if you reboot the router, the static route is lost and has to be added again. To make it permanent, run the following command once. It inserts the ip route add line into the WireGuard server's init script directly after the line rm /var/run/glwgserver.lock -rf, so the route is re-created every time the service starts. Run it only once (each run appends another copy of the line) and confirm the result with grep "ip route" /etc/init.d/wireguard_server. If a firmware upgrade replaces the init script, the edit is lost and has to be repeated.

sed -i "/rm \/var\/run\/glwgserver.lock -rf/a\ip route add 192.168.10.0\/24 dev wg0" /etc/init.d/wireguard_server

10. The two subnets can now reach each other. To verify, ping a host in 192.168.10.0/24 from the AX1800 side and a host in 192.168.8.0/24 from the SFT1200 side.

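The steps above work because of three addressing rules: the two LANs must not overlap, the server's peer entry must list both the client's tunnel address and the client's LAN (step 7), and the server still needs a kernel route for the remote LAN (step 9). The following script is an added example, not GL.iNet's code or part of the original post: it checks a site-to-site plan against those rules and renders the two profiles plus the server-side route command. The Site dataclass, TUNNEL_NET and the placeholder key strings are assumptions made for the example; real keys come from wg genkey and wg pubkey. The client profile it emits narrows AllowedIPs to the server's tunnel address and LAN rather than 0.0.0.0/0.

```python
"""Plan and render a WireGuard site-to-site pair (added example, not GL.iNet code).

Keys are placeholders; generate real ones with: wg genkey | tee priv | wg pubkey
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Site:
    name: str
    lan: str                       # subnet behind this router, e.g. "192.168.8.0/24"
    wan: str                       # subnet on the router's WAN side, used only for clash checks
    tunnel_ip: str                 # this router's address on wg0
    private_key: str               # constructed placeholder, see module docstring
    public_key: str                # constructed placeholder
    endpoint: Optional[str] = None # "host:port" the client dials; only the server has one
    listen_port: int = 51820


# Assumption: tunnel addresses live in the same /24 as the GL.iNet default 10.0.0.1.
TUNNEL_NET = ipaddress.ip_network("10.0.0.0/24")


def check_plan(server: Site, client: Site) -> list:
    """Return addressing problems; an empty list means the tunnel can route."""
    problems = []
    lan_s, lan_c = ipaddress.ip_network(server.lan), ipaddress.ip_network(client.lan)
    wan_s, wan_c = ipaddress.ip_network(server.wan), ipaddress.ip_network(client.wan)
    # Rule 1: the two LANs must differ, or a router cannot tell local from remote hosts.
    if lan_s.overlaps(lan_c):
        problems.append(f"LAN clash: {server.name} {lan_s} overlaps {client.name} {lan_c}")
    # A router also cannot route a remote LAN that it sees on its own WAN side.
    if wan_c.overlaps(lan_s):
        problems.append(f"{client.name} WAN {wan_c} overlaps {server.name} LAN {lan_s}")
    if wan_s.overlaps(lan_c):
        problems.append(f"{server.name} WAN {wan_s} overlaps {client.name} LAN {lan_c}")
    # Tunnel addresses: inside the tunnel subnet, distinct, and outside both LANs.
    for site in (server, client):
        ip = ipaddress.ip_address(site.tunnel_ip)
        if ip not in TUNNEL_NET:
            problems.append(f"{site.name} tunnel address {ip} is outside {TUNNEL_NET}")
        if ip in lan_s or ip in lan_c:
            problems.append(f"{site.name} tunnel address {ip} collides with a LAN")
    if server.tunnel_ip == client.tunnel_ip:
        problems.append("both sides use the same tunnel address")
    if not server.endpoint:
        problems.append(f"{server.name} has no Endpoint for the client to dial")
    return problems


def render_server(server: Site, client: Site) -> str:
    """Server profile. AllowedIPs lists the client's tunnel /32 AND its LAN;
    otherwise cryptokey routing drops packets to and from the client's LAN."""
    return (
        "[Interface]\n"
        f"Address = {server.tunnel_ip}/{TUNNEL_NET.prefixlen}\n"
        f"ListenPort = {server.listen_port}\n"
        f"PrivateKey = {server.private_key}\n\n"
        "[Peer]\n"
        f"PublicKey = {client.public_key}\n"
        f"AllowedIPs = {client.tunnel_ip}/32, {client.lan}\n"
    )


def render_client(server: Site, client: Site) -> str:
    """Client profile. Only the server's tunnel address and LAN are routed
    through the tunnel, not 0.0.0.0/0, so the remote site is not the default gateway."""
    return (
        "[Interface]\n"
        f"Address = {client.tunnel_ip}/32\n"
        f"PrivateKey = {client.private_key}\n\n"
        "[Peer]\n"
        f"PublicKey = {server.public_key}\n"
        f"Endpoint = {server.endpoint}\n"
        f"AllowedIPs = {server.tunnel_ip}/32, {server.lan}\n"
        "PersistentKeepalive = 25\n"
    )


def server_route_commands(client: Site, iface: str = "wg0") -> list:
    """Kernel route the server router still needs (tutorial step 9)."""
    return [f"ip route add {client.lan} dev {iface}"]


# Constructed sample matching the tutorial's addressing (both WANs on 192.168.17.0/24).
SERVER = Site("AX1800", "192.168.8.0/24", "192.168.17.0/24", "10.0.0.1",
              "SERVER_PRIVATE_KEY", "SERVER_PUBLIC_KEY", endpoint="192.168.17.14:51820")
CLIENT = Site("SFT1200", "192.168.10.0/24", "192.168.17.0/24", "10.0.0.2",
              "CLIENT_PRIVATE_KEY", "CLIENT_PUBLIC_KEY")

if __name__ == "__main__":
    for p in check_plan(SERVER, CLIENT):
        print("problem:", p)
    print(render_server(SERVER, CLIENT))
    print(render_client(SERVER, CLIENT))
    print("\n".join(server_route_commands(CLIENT)))
```

Feeding check_plan the layout from the replies below, where a second router's WAN (a UMTS stick on 192.168.8.x) overlaps the server's LAN 192.168.8.0/24, reports the clash instead of producing a profile that connects but cannot route.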

Hi Rain … is multi site also possible? Thanks
Geppo

Yes, but you will need to add multiple subnets in the allowed IPs and some more static routing.

@rain Can you add this to the router web UI? I need to configure many networks and mobile devices, and need access to all of them as default devices on all networks, without the CLI and without GoodCloud.

sorry… so far no plan for that

Hi, I’ve been able to successfully follow this tutorial and link my two GL.iNet routers. Thank you so much for putting this together!

However, I have a remote wifi-enabled data logger that I need to communicate with its software on a PC in my home network. I've learned which ports it uses to establish a connection and transfer data via Wireshark, and opened/forwarded those ports. I am able to manually ping the device from the home network, but I think the device's software is looking for it on the home network's subnet (i.e., searching 192.168.8.0/24 when it has the remote router's assignment in 192.168.10.0/24).

Is there a way for me to assign different LAN ranges within 192.168.8.0/24 to each router and still have a successful S2S tunnel?

Thank you!

You should not do that; it may cause confusion. For your application, you may need the OpenVPN TAP (bridge) mode, which assigns the same subnet to the devices behind the router.

Thank you a lot. I have followed your guide but I cannot connect to the client LAN from the server.
In more detail, I have changed the client LAN IP to 192.168.10.0/24 instead of the server one, but this should not give any problem.
The two Mango routers are both behind the site's main router: I attach a figure to show my configuration.

I have also tried to connect the 'holiday home Mango router' under the Milano Fastweb router, obtaining the same result:

from the client I see everything, but from the server Mango router I do not see the client subnet 192.168.8.0/24.

Thank you in advance for your help.

Walter

In the Mango server, add the WireGuard zone to LAN, and in the WireGuard config add 'list subnet 192.168.10.0/24' (without the quotes).

Sorry, can you be more detailed:

in the WireGuard config add 'list subnet 192.168.10.0/24' (without the quotes)

in the server config, which part? Peer?

In the Peer section.

Tomorrow I'll try. Thank you.

Hey, I have good news but also many questions to be answered.

The good news is that I have bidirectional communication between the subnets.

I have literally followed the procedure from 'rain', nothing added or removed. Here are the questions left.

Note my Milano Mango router now acts as the AX1800 while my holiday home Mango router now acts as the SFT1200. Identical setup and same networks as in rain's guide: 192.168.8.1 is the LAN IP in Milano while 192.168.10.1 is the LAN IP in the holiday home (inverted with respect to the previous unsuccessful test).

First question:
why does everything work without adding the WireGuard zone to LAN and without adding 'list subnet 192.168.10.0/24' in the WireGuard config? What is the use of the above tweaks?

Second question:
In the Mango router control panel at the Milano site (WireGuard server) the WireGuard symbol has an X, while at the client site the WireGuard symbol has a V (working OK). Why?

Third question:
from inside the client subnet I am able to reach not only the subnet at the Milano site but also the Fastweb router console and every other network device, while from the Milano site I cannot reach the TP-Link M7200 router console and the devices under it, but only the devices under the holiday home Mango router. Why?

Fourth question:
When I restart the server Mango router with the console command "/etc/init.d/wireguard_server restart" I get errors in the command output:

iptables: No chain/target/match by that name.

  • Running script ‘/var/etc/gls2s.include’
    ! Skipping due to path error: No such file or directory
  • Running script ‘/usr/bin/glfw.sh’
  • Running script ‘/usr/sbin/glqos.sh’
    /sbin/uci: Invalid argument
    /sbin/uci: Invalid argument
    uci: Entry not found.

I also attach the file.
Comment: it is difficult to follow and understand the steps to connect two LANs site to site by means of two Mango routers. Part of the setup is done by the Mango firmware, part via console commands and part via LuCI?

By the way, I cannot upload the file because the format is not accepted; I'll paste the text in the next reply.

Hi, I was trying to implement the site-to-site setup, but I was not able to do it.
My goal:
–In the office I have a Mango acting as server, connected by WiFi to the router
–Somewhere in the world there is another Mango connected to the internet by a hotspot created by a mobile phone.
–Once the VPN is active I want to be able to ping devices connected to the LAN port of the mobile Mango from the office.

In the Mango acting as server:

This file has been generated:

[Interface]
Address = 10.0.0.2/32
ListenPort = 12873
PrivateKey = 4GhHqirD9LYgYzl3Ak/0YqJvc2RSrnaxKszwV08CNWA=
DNS = 64.6.64.6

[Peer]
AllowedIPs = 0.0.0.0/0,::/0
Endpoint = 95.60.xxx.xxx:51820
PersistentKeepalive = 25
PublicKey = RuH3QudgEjVwNt3zmO46GWRxEFZtP6XPEp0jtzojG0M=

In the Mango acting as client:

I did (I think properly) the routing addition indicated, but for now I cannot ping.

In the layout image there is a Siemens PLC connected, but for now I have connected a laptop to the LAN port of the mobile device, from which I can access the web server of the mobile Mango, and I am trying to ping the other laptop...

What am I missing?
What does the orange colour on the client side mean? Should it be green?

Why did you change the WireGuard server's IP address to 192.168.0.242?

You should just keep it as default, i.e. 10.0.0.1.

Also, in your figure you use the 192.168.0.x subnet everywhere, which is not correct.

Hello
Thank you for the tutorial. Unfortunately I have the same problem: the WireGuard client does not turn green but remains yellow. Did I miss something or did I do something wrong?

[Interface]
Address = 10.0.0.2/32
ListenPort = 38605
PrivateKey = xxx
DNS = 64.6.64.6

[Peer]
AllowedIPs = 0.0.0.0/0,::/0
Endpoint = xx.xx.xx:51820
PersistentKeepalive = 25
PublicKey = xxx

I have opened the ports in the home network (51820, 51830).

I kept to the addresses as best I could:

GL-MV1000
WireGuard Server
Wan IP:192.168.1.5
Lan IP 192.168.8.1
( there is also an OpenVPN server running in the IP range 192.168.60.1)

GL-MT300N-V2 Mango
WireGuard Client
Wan IP: 192.168.8.101 (it is predefined by the UMTS stick)
Lan IP: 192.168.10.1

There should be another

GL-MT300N-V2 Mango
WireGuard Client 2
Wan IP : 192.168.100.101
?? Lan IP: 192.168.10.1 ??
can I use the same IP here or do I have to make a different one here?

All the subnets have to be unique, so you have two problems here. First, the UMTS stick is setting up the xx.xx.8.xx subnet. You have to change that, or you have to change the WireGuard server's LAN subnet. It's okay for that Mango's subnet to be in the 10.xx range, but the other one can't be in that, so you need to change that to 11.xx or something else unique.

I don’t quite follow your topology here, because there must be other routers in the mix serving up .1.xx and .100.xx addresses.


Hello Elorimer
Thanks for your quick reply

OK, that means I can change the LAN IP of the WireGuard server from
192.168.8.1 to e.g. 192.168.50.1 without problems?

Unfortunately I cannot change the IP range of the UMTS stick; that is fixed, so the WAN IP of the Mango must remain on 192.168.8.x.

Great, now that I changed the x.x.8.x the dot is green.

Thanks