Site to site with MT300n-v2 and Wireguard VPN

Just testing out the connection between the office and a test site.

I have successfully set up the VPN connection; the only problem is that the server side (office) cannot talk to any devices on the client side (it doesn’t know the subnet to route to), but the connected client has full access to all the devices there.

What would I add route wise on either side to connect bi directionally for full access?

mt300n-v2 (server side, this is the Wireguard VPN server)
Public IP (static)
Internal 192.168.250.X
VPN subnet 10.0.0.1 (default WireGuard)

mt300n-v2 (client side, test office)
Public IP (DHCP)
internal 192.168.15.X
VPN subnet 10.0.0.1 (default WireGuard, I copied the config)

Would I add the route on the client side or the server side in order for the server side to see the 192.168.15.X subnet on the client side of the VPN?

Does anyone know if this document is basically the same idea?

https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html

I’m so close; I just need to figure out why the reverse direction isn’t working (WireGuard server pinging the WireGuard client).

thanks

You are advised to use the GoodCloud managed solution and learn how to make the config correct.

Hi - did you ever figure this out? I am wanting to do something similar, in that I am wanting to make a site-to-site connection between the GL.iNet device and AWS, which of course means I cannot use a GL.iNet router at the other end and use the GoodCloud feature.

I have successfully installed wireguard on AWS and can connect the router via the wireguard VPN client and access the server in the cloud no issue. But like you I want the server to see clients back down in the client’s subnet.

I found this, which gives some great hints: GitHub - mjtechguy/wireguard-site-to-site: Wireguard site-to-site (network-to-network) VPN Configuration examples. I managed to make the change needed on the server side fine, but I am not sure which files to use to make the change on the router. I can get into the router’s CLI via ssh, but don’t know which file to make the PostUp/PostDown additions in.

Any advice would be appreciated.

Thanks.

Lachlan.

I think I may have just worked it out - I just realised you paste in the config as shown in the link when creating the vpn client connection on the gl.inet. I will try just add the postup/postdown when creating the client.


Unfortunately that didn’t work. @alzhao do you know if this is possible? I understand the site-to-site feature is available in GoodCloud and would use it if I could, but I am trying to do a site-to-site between a WireGuard Docker container in AWS and a Mango. It works perfectly as a traditional VPN (can access the server from the client), however I require the network in AWS to access the clients in the local network (notably wireless) of the Mango. Unfortunately I am limited to the client being on the Mango and the server in the cloud. Any hints or advice would be very much appreciated.

Sorry I am not very professional in this.

Do something like:

Client-side config. On the client side, please tick “Allow access to local network” when you start.

Server-side config

The AllowedIPs 192.168.8.0/24 means the client-side subnet. Not sure if any route needs to be added.

It will be easier if you install WinSCP and connect to the router; after connecting, go to /etc/config/wireguard_server, open it and add this info into it:

config peers 'wg_peer ..*'
	# existing options of the peer section stay as they are; add one list line per client network
	list subnet '192.168.15.0/24'

`list subnet` tells the WireGuard server the subnet of the client, so it can route to the whole client subnet.

The small router works great and is very stable.
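The two replies above say the same thing in two notations: on the server, the peer entry for the client must list the client's LAN (AllowedIPs in wg-quick notation, `list subnet` in the Mango's /etc/config/wireguard_server), and on the client the tunnel traffic must be allowed into the LAN. The script below is an added example, not code from the thread, the GL.iNet firmware or the linked repository. It models WireGuard's cryptokey routing to show why the default road-warrior config drops packets from the office to 192.168.15.x, then renders the corrected server peer in both notations and the client-side PostUp/PostDown rules. Addresses are the ones from the opening post (server LAN 192.168.250.0/24, client LAN 192.168.15.0/24, tunnel 10.0.0.0/24); the client tunnel address 10.0.0.2, the interface names wg0 and br-lan, the UCI section name and the key are assumptions.

```python
"""Site-to-site WireGuard between two LANs: AllowedIPs is the routing table.

Added example; not code from the forum thread, the GL.iNet firmware or the
linked repository. Addresses are those given in the thread (server LAN
192.168.250.0/24, client LAN 192.168.15.0/24, tunnel 10.0.0.0/24 with the
server at 10.0.0.1). The client tunnel address 10.0.0.2, the interface names
wg0 and br-lan, the UCI section name and the key are assumptions.
"""
import ipaddress
from typing import Optional

SERVER_LAN = "192.168.250.0/24"
CLIENT_LAN = "192.168.15.0/24"
TUNNEL = "10.0.0.0/24"
CLIENT_WG = "10.0.0.2"            # assumed client tunnel address
WG_IF, LAN_IF = "wg0", "br-lan"   # assumed interface names on the Mango


def route_to_peer(peers: dict, dst: str) -> Optional[str]:
    """WireGuard cryptokey routing: the packet goes to the peer whose
    AllowedIPs contains dst with the longest prefix; with no match the
    kernel drops it, which is what the 'server cannot reach the client
    LAN' symptom looks like."""
    ip = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for name, allowed in peers.items():
        for cidr in allowed:
            net = ipaddress.ip_network(cidr, strict=False)
            if ip in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best


def server_view(site_to_site: bool) -> dict:
    """Server's peer table. The firmware-generated entry covers only the
    client's tunnel /32; site-to-site adds the client LAN to it."""
    allowed = [f"{CLIENT_WG}/32"]
    if site_to_site:
        allowed.append(CLIENT_LAN)
    return {"client": allowed}


def client_view() -> dict:
    """Client's peer table: the tunnel plus the office LAN behind the server."""
    return {"server": [TUNNEL, SERVER_LAN]}


def server_peer_conf(client_pubkey: str) -> str:
    """The server's [Peer] block in wg-quick notation, site-to-site variant."""
    allowed = ", ".join(server_view(True)["client"])
    return f"[Peer]\nPublicKey = {client_pubkey}\nAllowedIPs = {allowed}\n"


def server_peer_uci(section: str) -> str:
    """The same peer in the /etc/config/wireguard_server notation used in the
    post above: one 'list subnet' line per network routed to this client.
    Only the list lines are rendered; the other options of the section are
    whatever the firmware wrote there."""
    lines = [f"config peers '{section}'"]
    lines += [f"\tlist subnet '{cidr}'" for cidr in server_view(True)["client"]]
    return "\n".join(lines) + "\n"


def client_hooks() -> dict:
    """PostUp/PostDown for the client side, the job the Mango's 'Allow access
    to local network' switch does: forward tunnel traffic into the LAN and
    masquerade office traffic as the Mango, so LAN devices answer the Mango
    even when their default gateway is the site's main router."""
    rules = [
        f"iptables -A FORWARD -i {WG_IF} -o {LAN_IF} -j ACCEPT",
        f"iptables -A FORWARD -i {LAN_IF} -o {WG_IF} -j ACCEPT",
        f"iptables -t nat -A POSTROUTING -s {SERVER_LAN} -o {LAN_IF} -j MASQUERADE",
    ]
    return {"PostUp": rules,
            "PostDown": [r.replace(" -A ", " -D ", 1) for r in rules]}


if __name__ == "__main__":
    for s2s in (False, True):
        hit = route_to_peer(server_view(s2s), "192.168.15.20")
        print(f"site_to_site={s2s}: 192.168.15.20 -> {hit}")
    print(server_peer_conf("<client public key>"))
    print(server_peer_uci("wg_peer_1"))
    for hook, cmds in client_hooks().items():
        print(hook, "=", "; ".join(cmds))
```

Running it shows `192.168.15.20 -> None` for the default config and `-> client` once the client LAN is in the peer's AllowedIPs. Adding the subnet on the server is only half of it: the client must also forward and, unless every device on its LAN uses the Mango as its default gateway, masquerade the office traffic, otherwise replies from the LAN devices go to the site's main router and never re-enter the tunnel.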

Hello, I have tried the solution you propose without success.
In more detail, I have been trying to implement a WireGuard VPN connecting my home with my holiday mountain home to monitor remote Wi-Fi devices and some cameras, as well as to control other devices, typically heaters in different rooms.

For the purpose I have bought 2 GL.iNet GL-MT300N-V2 (Mango) routers, which I have connected behind the main routers of each site to set up a WireGuard VPN that is independent of the choice of the site ISP, in view of a possible change without impacts.

The main router in my home is the Fastgate from FASTWEB ISP and connects to optical fiber. It has a public IP address.

The holiday home router is instead a TP-LINK M7200 with an ILIAD SIM, without a public IP.

I have connected each Mango router over Wi-Fi to the main site router and set up a WireGuard server at my home, due to public IP availability, and the client at my holiday home.

For the purpose I have followed the wiki setup of the Mango router firmware for the server and added a client, then copied the configuration file content to the client side.

The connection establishes successfully; I can easily see every device at my home from the holiday home, but not the reverse way.

I have tried port forwarding at the client side, but it doesn’t work. I have tried to modify the configuration at the server side, adding the subnet of the client (192.168.8.0/24) as AllowedIPs, but again it doesn’t work. I have tried to add list subnet ‘192.168.15.0/24’, but again it doesn’t work.

I know that the problem can be solved by setting up the server at the holiday home, but as often happens in Italy, there you don’t have optical fibre or a public IP. It is fine to use a SIM-based connection with a provider that does not ask you to pay the fee for 12 months of internet service when you use the service for 3 months a year.

In addition to this, I think that it should be possible to establish, with WireGuard VPN or other solutions, a site-to-site network connection that allows symmetrical behaviour in both directions. Think, for example, of a corporate network in which the core site wants to access the remote sites. I don’t think the solution can be to set up a WireGuard server in each remote site!!

Another approach can be access to an intelligent device (instead of the control panel of a Mango router) that can be at the same time a router and a remote controller for non-intelligent IoT devices like Wi-Fi switches, as well as intelligent ones like a Nest Mini speaker or a PC (e.g. Raspberry-like solutions…).

Can you please help solve the problem?

Thank you in advance.

Walter

Can you explain in more detail what specific settings you tried on both the client and server side?
The client subnet is 192.168.8.0/24, but what is the server subnet?

The server subnet is 192.168.10.0/24, whilst the client is 192.168.8.0/24. The list subnet ‘192.168.8.0/24’ statement has been added following mothaibabon’s suggestion. 15 instead of 8 is a typing error.

The server has been set up by means of the router application: activate the WireGuard server and copy the config file to the client side by connecting my notebook over Wi-Fi to the client Mango router. Nothing else in the router console or in further setups…

Did you try the suggestion from antifascista in the other thread that you posted on?

Here is an older thread with that procedure:

Yes, I have tried without success. Perhaps I have made some mistake; I will retry.