Can't access lan behind wireguard server

liagpap · October 24, 2023, 12:27pm

Hi everyone,
I m trying to set up a bi-directional site-to-site wireguard vpn between my office and home. At home I have a Brume-2 connected with PPPoE with my router acting as a wireguard server. These are the settings:
wg ip 10.0.0.1/24 lan address 192.168.9.0
I ve created a route as follows

On the client side in my office I have a SF1200 router
with wg ip 10.0.0.2/24 lan address 192.168.8.0
and following settings

In Allowed IPs 10.0.0.0 is included.
Allow Remote Access LAN option is turned on in both server and client.
The problem is that I can connect to the lan behind the client from any computer on the server side but I cant connect to the server side lan from the computers on the client lan.
When I use the wg app on my phone as the client I can connect both ways with no problem.
I have tried disabling all firewalls both windows and norton 360 but can’t get it work.
I’d appreciate any help

hansome · October 25, 2023, 3:40pm

For sf1200 3.x firmware, you have two options to make traffic work from client LAN to server LAN.

change allowed IP to default one,i.e.“0.0.0.0/0,::/0”
manually add route go through wireguard interface.:

ip route add 192.168.9.0/24 dev wg0

liagpap · October 25, 2023, 6:15pm

Many thanks for the response. I tried both. When I set the allowed IP to 0.0.0.0/0 all traffic including internet gets routed through the wg vpn. I only want the smb/lan traffic.
If I add the route it works fine until I restart the router and then the route disappears. I tried some solutions to make the route permanent but I wasn’t successful. Do you have any advice on that maybe?

kavie87 · October 26, 2023, 3:38am

Could you set the ip allowed to that address instead?

hansome · October 26, 2023, 4:15am

I tried Luci but failed.
4.x has built-in ability to customize route rules for such cases.
If you use sft1200 you can upgrade to 4.x.

liagpap · October 26, 2023, 4:49am

Hi. I ve already added 192.168.9.0 to allowed IPs. Doesn’t seem to make a difference

liagpap · October 26, 2023, 4:51am

I am using the sf1200. I couldn’t find a firmware for that to upgrade to 4.x. Is there another way to upgrade?

hansome · October 27, 2023, 7:26am

Use this command to change code:

sed -i '/ip route add 128\/1 dev wg0/{n;n;s/^/ip route add 192.168.9.0\/24 dev wg0\n/}' /etc/init.d/wireguard

This does manually route add every time you turn on wireguard.

To revert it:

cp /rom/etc/init.d/wireguard /etc/init.d/wireguard

liagpap · October 27, 2023, 9:11am

Works like a charm. Many thanks

AdamK · April 2, 2025, 2:42pm

Sorry to revive an old thread but why doesn’t “Allow Remote LAN Access” just work? It seems a common theme that extra configuration is always needed to get LAN behind the WG server to be accessible to clients even when the LAN access is turned ON.