How to join wireguard mesh and access peer's subnets?

I use a Beryl

I want to have a manual WG mesh that connects two remote sites, both running a glinet router, a cloud VPS running ubuntu, and a roaming device, running android.

The Android and Ubuntu devices support mesh configs well, allowed IPs can be specified etc.

GL.iNet only supports 1 peer in client mode, so that doesn't work.
GL.iNet's server mode supports multiple peers, so I can configure that and then edit /etc/config/wireguard_server as such:

config servers 'main_server'
        option address_v6 'fd00:db8:0:abc::1/64'
        option port '51820'
        option fwmark '0x80000'
        option ipv6_enable '0'
        option address_v4 '10.10.0.14/24'
        option private_key ''
        option public_key 'kPrL4QLTyBDV1VQNmA='
        option access 'ACCEPT'
        option masq '0'

config peers 'peer_5223'
        option name 'The VPS'
        option peer_id '5223'
        option end_point 'vpn.mydomain.com:51820'
        option presharedkey_enable '1'
        option presharedkey '5O6hCb'
        option dns '10.10.0.1'
        option mtu '1420'
        option persistent_keepalive '25'
        option public_key 'wxIUgC7='
        option private_key 'l'
        option client_ip '10.10.0.1/24'
        option deprecated '0'
        option allowed_ips '10.10.0.14/32, 192.168.0.1/24'

config peers 'peer_4767'
        option name 'phone'
        option peer_id '4767'
        option presharedkey_enable '0'
        option mtu '1420'
        option persistent_keepalive '25'
        option public_key ''
        option private_key ''
        option client_ip '10.10.0.2/24'
        option deprecated '0'
        option dns '10.10.0.1'
        option allowed_ips '10.10.0.14/32, 192.168.0.1/24'

config peers 'peer_8370'
        option name 'The other router'
        option peer_id '8370'
        option presharedkey_enable '0'
        option mtu '1420'
        option persistent_keepalive '25'
        option public_key ''
        option private_key ''
        option client_ip '10.10.0.6/24'
        option deprecated '0'
        option dns '10.10.0.1'
        option allowed_ips '10.10.0.14/32, 192.168.0.1/24'

When I run the server, devices happily connect and can access my subnet. However, I have two issues that are revealed by the output of cat /tmp/wireguard/wgserver:

[Interface]
PrivateKey= redacted
ListenPort=51820
FwMark=0x80000
[Peer]
PublicKey=wxIUgC71xOEu4bdYKF/e+Yrn8vgnrKG2BCGE=
PresharedKey=5O6hCbCPAqDKOSITsCXMeFqz7JEs=
AllowedIPs=10.10.0.1
PersistentKeepalive=25
[Peer]
PublicKey=38dHkA0/mkT8HJwjvmY5w7K1BG4FaCxU=
AllowedIPs=10.10.0.2
PersistentKeepalive=25
[Peer]
PublicKey=4fVyKr2P91QHUeXpsaE/VsVYe4KdNbq0/Xw=
AllowedIPs=10.10.0.6
PersistentKeepalive=25
  1. The endpoints for the peers are not specified, so the server waits for the peer to start the connection. That is fine for Ubuntu and Android, but the two Beryls will each wait for the other to start the connection and thus never connect. (I can't find a documented option endpoint 'somedomain.com' for peers.)
  2. There is no way to specify allowed IPs for the server, so the server can have no access to the peers' subnets.

Does anyone have any ideas?
I tried specifying static routes in LuCI, e.g. 192.168.99.0/24 via 10.10.0.6, but pings returned a "required key not available" error or similar.
I’m currently using tailscale but want to move off of it for speed reasons.
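The "required key not available" error in the post is WireGuard's cryptokey routing at work: a packet routed into the tunnel is only encrypted to a peer whose AllowedIPs cover the destination, so a peer entry holding only a /32 host address gives the server no path to that peer's LAN. The Python below is an added example, not code from the thread or from GL.iNet; it parses a wgserver-style file (a constructed sample with placeholder keys and an example endpoint) and reports which peers have an Endpoint and which subnets the server can route to each.

```python
import ipaddress
# Constructed sample shaped like the /tmp/wireguard/wgserver output in the post; keys are
# placeholders. The second peer has the Endpoint and LAN subnet the generated file lacked.
SAMPLE_WGSERVER = """\
[Interface]
PrivateKey=REDACTED
[Peer]
PublicKey=PHONE_PUBKEY_PLACEHOLDER
AllowedIPs=10.10.0.2
PersistentKeepalive=25
[Peer]
PublicKey=OTHER_ROUTER_PUBKEY_PLACEHOLDER
Endpoint=other-router.example.net:51820
AllowedIPs=10.10.0.6, 192.168.99.0/24
PersistentKeepalive=25
"""

def parse_wg_config(text):
    """Split a wg(8)-style config into the [Interface] dict and a list of [Peer] dicts."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        else:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return interface, peers

def allowed_networks(peer):
    # A bare address in AllowedIPs is a single host, i.e. a /32 (or /128) network.
    return [ipaddress.ip_network(a.strip(), strict=False)
            for a in peer.get("AllowedIPs", "").split(",") if a.strip()]

def audit_peers(text):
    """Per peer: can the server dial it (Endpoint), and which LAN subnets does it route to it?"""
    return [{"public_key": p.get("PublicKey", ""), "has_endpoint": "Endpoint" in p,
             "routed_subnets": [str(n) for n in allowed_networks(p) if n.prefixlen < n.max_prefixlen]}
            for p in parse_wg_config(text)[1]]

def peer_for(text, destination):
    """Cryptokey routing: the peer whose AllowedIPs cover destination, else None (the ENOKEY case)."""
    dst = ipaddress.ip_address(destination)
    return next((p.get("PublicKey", "") for p in parse_wg_config(text)[1]
                 if any(dst in n for n in allowed_networks(p))), None)
```

A static route such as 192.168.0.0/24 via the tunnel only works once peer_for() finds a peer for addresses in that range; with the generated file from the post it returns None for every LAN address.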

Firmware 4.5 wireguard server has a feature to enable “client to client”. Combined with custom route rules for the server, it’s a way to manually set s2s. Is that suitable for your needs?


Does it allow configuration of more than 1 peer?

Certainly, one wireguard server, several clients as peers.

That’s very interesting. I guess the changelog needs a quick edit as I don’t see it mentioned. What’s the ETA on 4.5 going ‘stable’? Are we getting OWRT 23.05.x on this build?


Good idea.

My colleague told me it should be before Feb 10th.


Is this new ‘C2C’ (instead of the now ‘outdated’ S2S terminology; heh!) also going to set up said routes or is that considered an extra step? If the latter I presume there would be an overt message presented in the overall GL GUI indicating that routes must still be manually configured & point the user over to WG Server Route Rules page.

You guys really have us spoiled when it comes to auto-configuration so I’m sure I’m not the only one who would expect it to be present here too.

Adding custom routes is to allow the traffic between the LAN side of WG clients.

For instance.
192.168.8.1 (LAN) - 10.0.0.2 ↔ 10.0.0.1 ↔ 10.0.0.3 - 192.168.18.1 (LAN)
In the topology,
For 192.168.8.100 to access 10.0.0.3, enabling C2C is required.
For 192.168.8.100 to access 192.168.18.100, enabling C2C and an extra custom route rule on the WireGuard server is needed.

It sounds good to me but I can see I’m going to want to point others to the GL Docs which would ideally feature a diagram.

Add a more detailed description here; possibly add a link from the docs somewhere. I'll query internally.
