This post introduces how to configure a LAN-to-LAN (site-to-site) VPN based on WireGuard.
Network Topology
1. Log in to the web interface of the AX1800, go to VPN > WireGuard Server and click the Start button to enable the WireGuard Server.
Note: make sure the Allow Access Local Network button is enabled.
2. Go to Management and click Add a New User.
3. Click the file icon under Configurations to review the profile.
[Interface]
Address = 10.0.0.2/32
ListenPort = 41728
PrivateKey = 6DIxs92F5No35606P+6ovQMIIxMWHzZRfVVwm/ILkmg=
DNS = 64.6.64.6
[Peer]
AllowedIPs = 0.0.0.0/0,::/0
Endpoint = 113.116.x.x:51820
PersistentKeepalive = 25
PublicKey = Bagdcu2x7Ekq9UY2qK+jBsRAC0VEPL1C8J7Yi9uUjGY=
Note: make sure the Endpoint is the WAN IP address of this router; if it is not, you need to configure port forwarding of UDP port 51820 to this router. In this example the WAN IP address of this router is 192.168.17.14, so I can use that address instead, since the client and server are in the same internal subnet.
4. Log in to the web interface of the SFT1200, go to MORE SETTINGS > LAN IP and change the LAN IP to 192.168.10.1.
5. Go to VPN > WireGuard Client, click Set up WireGuard Manually, go to Configuration and paste the profile.
6. Click Connect to connect to the WireGuard Server.
7. Log in to the AX1800 via SSH and add the subnet 192.168.10.0/24 to the client_ip option in the file /etc/config/wireguard_server.
Guide to use vi to modify the file: https://openwrt.org/docs/guide-user/base-system/user.beginner.cli#editing_files
8. Restart the WireGuard Server with this command.
/etc/init.d/wireguard_server restart
9. Add the static route to reach the WireGuard VPN client's subnet with this command.
ip route add 192.168.10.0/24 dev wg0
Note: if you reboot the router, the static route will be lost and you will have to configure it again. To make the static route take effect permanently, run this command to add it to the WireGuard server's init script so it is applied at boot.
sed -i "/rm \/var\/run\/glwgserver.lock -rf/a\ip route add 192.168.10.0\/24 dev wg0" /etc/init.d/wireguard_server
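The sed one-liner above inserts the route line every time it is run (running it twice leaves two copies in the init script), and it silently changes nothing if the `rm /var/run/glwgserver.lock -rf` anchor line is not present in the firmware's version of the script. The following POSIX shell helper is an added example, not part of the original guide or of GL.iNet's firmware: it performs the same sed insertion but first checks that the target file and the anchor line exist and that the route line is not already there. It takes the init script path and the subnet as parameters so it can be tried against a copy of the script first; the anchor line, the `ip route add ... dev wg0` command and the subnet 192.168.10.0/24 are the ones from the guide, and the function names are mine.

```sh
#!/bin/sh
# Added example (not from the original guide): idempotently persist the
# "ip route add <subnet> dev wg0" line in the WireGuard server init script.
# Usage: persist_wg_route /etc/init.d/wireguard_server 192.168.10.0/24

# Anchor line used by the guide's sed command; the route is inserted after it.
WG_ANCHOR='rm /var/run/glwgserver.lock -rf'

# Print the exact route line the guide adds, for the given subnet.
wg_route_line() {
    printf 'ip route add %s dev wg0\n' "$1"
}

# Return 0 if the route line for subnet $2 is already present in script $1.
wg_route_present() {
    grep -qF "$(wg_route_line "$2")" "$1"
}

# Insert the route line after the anchor, exactly once. Returns:
#   0 - inserted now, or already present
#   1 - script missing or anchor line not found (file left untouched)
persist_wg_route() {
    script="$1"
    subnet="$2"
    [ -f "$script" ] || { echo "no such file: $script" >&2; return 1; }
    if ! grep -qF "$WG_ANCHOR" "$script"; then
        echo "anchor line not found in $script; not modifying it" >&2
        return 1
    fi
    if wg_route_present "$script" "$subnet"; then
        return 0
    fi
    # Same insertion as the guide's sed one-liner: the address is the anchor
    # line with its slashes escaped, and 'a\' appends the route line after it.
    sed -i "/rm \/var\/run\/glwgserver.lock -rf/a\\ip route add ${subnet} dev wg0" "$script"
}
```

After running it on the AX1800, `grep 'ip route add' /etc/init.d/wireguard_server` should show the route line exactly once, directly below the lock-file cleanup line.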
10. The two subnets can now access each other.