Posted: Mon Jan 15, 2024 21:44 Post subject: Wireguard Hub and 2 spokes Troubleshooting
So up until last week, I had a single site-to-site WireGuard setup between 2 DD-WRT routers. That all worked fine. Now I'm trying to add an additional site, and I can get it to say connected on both the server and the client router, but the new client router can't access the internet.
So in essence there's 3 routers:
Main Server Side Router - R9000
Client Router A - R7000
Client Router B - R7450
Client Router A does everything I want it to: connects to the Main Server Side Router, limits the connection to source PBR, and can access the internet and local resources.
With Client Router B I'm trying to replicate exactly what Client Router A is doing, but it's not working. It can't connect to the internet at all.
Here are some screenshots of the configuration.
Main Server Side Router:
Main Server Side Router - Client A Configuration (Working)
Main Server Side Router - Client B Configuration (Not Working)
Client A Top Configuration (Working)
Client A Client Configuration (Working)
Client B Top Configuration (Not Working)
Client B Client Configuration (Not Working)
Firewall Configuration on Server
Firewall Configuration on Client A
Firewall Configuration on Client B
Last edited by usaf-lt-g on Mon Jan 15, 2024 22:07; edited 1 time in total
Joined: 18 Mar 2014 Posts: 12923 Location: Netherlands
Posted: Tue Jan 16, 2024 6:28 Post subject:
What are the LAN subnets of server, client A and client B ?
I guess:
Server: 192.168.3.0/24
A: 192.168.6.0/24
B: 192.168.4.0/24
hint:
For Client A and B the Allowed IPs in a site to site setup have to be the subnets of the other routers.
The only thing you cannot do is set the router's own subnet as an Allowed IP; if so, you will lose internet access, as its own subnet is now routed via the WG interface instead of via br0.
For Client A and B, just using 0.0.0.0/1, 128.0.0.0/1 is enough (actually you can use 0.0.0.0/0 nowadays, as that is translated into 0.0.0.0/1, 128.0.0.0/1), as that encompasses all the subnets already.
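The AllowedIPs rules in the reply above, worked through as an added example (this is editor-supplied code, not from the post and not DD-WRT's own tooling). It uses the LAN subnets guessed in the reply, an assumed 10.4.0.0/24 tunnel range (the thread mentions 10.4.0.10/32 and 10.4.0.0/24) and assumed tunnel addresses 10.4.0.1/.10/.11; the site names and helper functions are also assumptions. It generates the hub-side and spoke-side AllowedIPs for a hub with two spokes, flags a spoke entry that would hijack the router's own LAN (the "you will lose internet access" case), and flags overlapping entries across peers on the hub, which the reply does not mention but which is the usual mistake when someone copies 0.0.0.0/0 onto the hub side:

```python
from __future__ import annotations

from ipaddress import ip_network
from itertools import combinations

# Constructed topology (assumption): site -> (LAN subnet, that router's tunnel address).
# The LAN subnets are the thread's guesses; the 10.4.0.x tunnel addresses are assumed.
SITES = {
    "server": ("192.168.3.0/24", "10.4.0.1"),
    "A": ("192.168.6.0/24", "10.4.0.11"),
    "B": ("192.168.4.0/24", "10.4.0.10"),
}
HUB = "server"
TUNNEL_NET = str(ip_network(SITES[HUB][1] + "/24", strict=False))  # 10.4.0.0/24


def hub_peer_allowed_ips(spoke: str) -> list[str]:
    """AllowedIPs the hub lists for one spoke peer: the spoke's tunnel /32 plus
    the spoke's LAN. Cryptokey routing then sends traffic for those
    destinations to that spoke's key, and only to that key."""
    lan, tun = SITES[spoke]
    return [f"{tun}/32", lan]


def spoke_peer_allowed_ips(spoke: str, full_tunnel: bool = True) -> list[str]:
    """AllowedIPs a spoke lists for its single hub peer.
    full tunnel: 0.0.0.0/0, which wg installs as 0.0.0.0/1 + 128.0.0.0/1, so the
    more specific connected route for the spoke's own LAN on br0 still wins.
    split tunnel: the tunnel subnet plus every OTHER site's LAN, never its own."""
    if full_tunnel:
        return ["0.0.0.0/0"]
    return [TUNNEL_NET] + [SITES[s][0] for s in SITES if s != spoke]


def hijacks_own_lan(own_lan: str, allowed_ips: list[str]) -> list[str]:
    """Entries that would pull the router's own LAN into the tunnel: any prefix
    that overlaps own_lan and is at least as specific as the LAN route itself.
    128.0.0.0/1 covers 192.168.4.0/24 but is far less specific, so it is fine;
    listing 192.168.4.0/24 on router B is the failure the hint warns about."""
    lan = ip_network(own_lan)
    return [
        e for e in allowed_ips
        if ip_network(e).overlaps(lan) and ip_network(e).prefixlen >= lan.prefixlen
    ]


def hub_conflicts(peers: dict[str, list[str]]) -> list[tuple[str, str, str, str]]:
    """On the hub a prefix belongs to exactly one peer: an identical prefix on a
    later peer moves it to that peer, and overlapping prefixes of different
    length are resolved by longest match. Either way an overlap on the hub is
    almost always a mistake. Report every overlapping pair as
    (peer1, peer2, entry1, entry2)."""
    found = []
    for (p1, ips1), (p2, ips2) in combinations(peers.items(), 2):
        for e1 in ips1:
            for e2 in ips2:
                if ip_network(e1).overlaps(ip_network(e2)):
                    found.append((p1, p2, e1, e2))
    return found


if __name__ == "__main__":
    spokes = [s for s in SITES if s != HUB]
    hub_peers = {s: hub_peer_allowed_ips(s) for s in spokes}
    for s in spokes:
        print(f"hub  peer {s}: AllowedIPs = {', '.join(hub_peers[s])}")
        print(f"{s:>4} peer hub: AllowedIPs = {', '.join(spoke_peer_allowed_ips(s))}")
    print("hub overlaps:", hub_conflicts(hub_peers) or "none")
    # The misconfiguration the hint warns about: router B listing its own LAN.
    print("B hijack:", hijacks_own_lan("192.168.4.0/24",
                                       ["0.0.0.0/1", "128.0.0.0/1", "192.168.4.0/24"]))
    # What happens if 0.0.0.0/0 is copied onto the hub side for spoke A.
    print("hub with 0.0.0.0/0 on A:", hub_conflicts({"A": ["0.0.0.0/0"], "B": hub_peers["B"]}))
```

The split of responsibilities follows from cryptokey routing: the hub side stays specific (tunnel /32 plus that spoke's LAN per peer) so each spoke's addresses map to exactly one key, while the spoke side can be as broad as 0.0.0.0/0 because it only has one peer. The own-LAN check uses prefix length because a /24 installed via the WG interface competes with the connected /24 on br0, whereas the two /1 routes never do.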
OK, this is helpful. For clarification:
Does the allowed IPs need to be changed on both the Server Router for the Client and the Client Router? Both places?
Asked another way: if I log in to the router (Client B, 192.168.4.0 subnet), the peer has "allowed IPs" set to: 0.0.0.0/1, 128.0.0.0/1, 10.4.0.0/24. And on the Server Router (192.168.3.0 subnet), the peer has "allowed IPs" set to: 10.4.0.10/32, 192.168.4.0. So do I have to change it in both places to 0.0.0.0, or only the peer config on the Client B router?