Posted: Sat Jun 04, 2022 2:44 Post subject: PTP Wireguard on same subnets [Now OVPN]
I recently purchased a new home but will not be moving in for at least another month. I have two EA8500 routers, one at my current residence and one at the new residence, connected to two different ISPs. The internal subnets are the same but no IPs will ever overlap. Both places have home automation devices installed. I am wanting to access these devices and map them into Home Assistant at my current location, transparently in order to continuously monitor the new place. Also cameras are involved as well which will be mapped into MotionEye.
Because they both share the same subnet, once I do get moved into the new place, everything should just work by default when all is moved to that location. However, I fear that because both are on the same subnet, using Wireguard may not be possible. But hopefully I am wrong.
I have many questions about this, such as can one DHCP server serve both houses through the Wireguard connection, but until I know for sure whether or not this can even be done, there is no point in continuing until step one is completed and working.
I would not be against having each location on a different subnet, but I have so many ESP8266 devices that are hard coded IPs, that it would be a real PiTA to reprogram them all....and then again after the move. So I need this to work as is, if possible.
Any help and suggestions greatly appreciated! _________________ Linksys EA8500 (Internet Gateway, AP/VAP) - DD-WRT r53562
Features in use: WDS-AP, Multiple VLANs, Samba, WireGuard, Entware: mqtt, mlocate
Wireless 5ghz only
Netgear R7800 (WDS-AP, WAP, VAP) - DD-WRT r55779
Features in use: multiple VLANs over single trunk port
Linksys EA8500 WDS Station x2 - DD-WRT r55799
Netgear R6400v2 WAP, VAP 2.4ghz only w/VLANs over single trunk port. DD-WRT r55779
OSes: Fedora 38, 9 RPis (2,3,4,5), 20 ESP8266s: Straight from Amiga to Linux in '94, never having owned a Windows PC.
Forum member #248
Last edited by lexridge on Sun Jun 05, 2022 2:12; edited 4 times in total
WG (WireGuard), like any software, has its own limitations, so it's NOT appropriate for all situations. And one of those limitations is that it's NOT intended for bridged configurations, only routed.
Given this is only a temporary situation, seems to me it would be easier to use OpenVPN, which does support bridged (TAP) tunnels.
Oh, that is a very good point and one that I totally missed. I was wanting to use WG simply for the extended speed advantages. But yes, perhaps you are right. OVPN would probably be my best choice, albeit much slower.
Thanks for your insight.
Okay I switched to OVPN. I set up the tunnel using TAP for bridging mode. Got it kinda working. I can see my devices on the remote side. However, as weird as it may seem, when connected I lose connection to my local router. I cannot even ping it, but yet the VPN is working and I can ping the remote router and devices behind it, but my local access disappears. I am sure this is something simple that I have overlooked.
I don't need to serve dhcp addresses via the VPN, in either direction as most of my IPs are static. I also want each side to maintain local Internet access since each side has really good service. I am pretty sure it's an iptables rule that I either missed or put in wrong. Not sure. I will probably give up on this for today and pick it back up tomorrow.
You need to block DHCP across the tunnel in order to ensure devices on each side of the tunnel are only configured by their local DHCP server and use the appropriate ISP. You do that using ebtables.
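As an added example (not code from this thread, from DD-WRT or from the "Block DHCP across the tunnel" option it ships), the following shows what the ebtables match for DHCP actually tests on the frame, and generates the rule set for a tap interface. The tap name (tap2, as in the server log posted later in the thread), the chain layout, and the constructed test frames are this example's own assumptions. The point worth keeping in mind: a TAP tunnel joins both houses into one Ethernet segment, so a DHCPDISCOVER broadcast from one side reaches the DHCP server on the other. Bridged frames are switched, not routed, so they pass through ebtables; iptables FORWARD only sees them when br_netfilter is enabled, which is why the iptables rules alone do not stop this.

```python
"""
Added example (not from the forum thread or DD-WRT): what "block DHCP across
the tunnel" has to match at layer 2, plus the ebtables rules that express it.
The tap name, chain layout and sample frames below are assumptions.
"""
import struct

ETH_P_IP = 0x0800
ETH_P_8021Q = 0x8100
IPPROTO_UDP = 17
IPPROTO_TCP = 6
DHCP_PORTS = {67, 68}  # 67 = server, 68 = client


def is_dhcp_frame(frame):
    """True if the Ethernet frame carries IPv4/UDP to port 67 or 68.

    Mirrors the ebtables match '-p IPv4 --ip-proto udp --ip-dport 67:68'.
    An 802.1Q tag is skipped here for illustration; the ebtables rule above
    matches the outer ethertype only, so tagged frames crossing the tap are
    not covered by it (relevant on a router carrying several VLANs).
    """
    if len(frame) < 14:
        return False
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    if ethertype == ETH_P_8021Q:
        if len(frame) < 18:
            return False
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    if ethertype != ETH_P_IP:
        return False
    ip = frame[offset:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return False
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl + 8 or ip[9] != IPPROTO_UDP:
        return False
    _sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return dport in DHCP_PORTS


def dhcp_block_rules(tap_iface):
    """ebtables rules (assumed layout) that keep DHCP on its own side.

    FORWARD covers frames switched between LAN bridge ports and the tap;
    INPUT/OUTPUT cover the router's own DHCP server, whose broadcast replies
    would otherwise be flooded out of the tap like any other bridge port.
    """
    match = "-p IPv4 --ip-proto udp --ip-dport 67:68 -j DROP"
    return [
        f"ebtables -A FORWARD -i {tap_iface} {match}",
        f"ebtables -A FORWARD -o {tap_iface} {match}",
        f"ebtables -A INPUT -i {tap_iface} {match}",
        f"ebtables -A OUTPUT -o {tap_iface} {match}",
    ]


def build_frame(src_mac, dst_mac, proto, sport, dport, vlan=None):
    """Constructed Ethernet/IPv4 frame with an 8-byte transport header.

    Checksums are left zero; for the TCP case only the protocol number
    matters, since the filter rejects non-UDP before reading ports.
    """
    l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     b"\x00\x00\x00\x00", b"\xff\xff\xff\xff") + l4
    tag = struct.pack("!HH", ETH_P_8021Q, vlan) if vlan is not None else b""
    return dst_mac + src_mac + tag + struct.pack("!H", ETH_P_IP) + ip


# Constructed sample frames (locally administered source MAC, not a real device).
BCAST = b"\xff" * 6
ESP_MAC = bytes.fromhex("020000000001")
DISCOVER = build_frame(ESP_MAC, BCAST, IPPROTO_UDP, 68, 67)   # client -> server
OFFER = build_frame(ESP_MAC, BCAST, IPPROTO_UDP, 67, 68)      # server -> client
MDNS = build_frame(ESP_MAC, BCAST, IPPROTO_UDP, 5353, 5353)   # must pass
MQTT = build_frame(ESP_MAC, BCAST, IPPROTO_TCP, 50000, 1883)  # must pass
TAGGED_DISCOVER = build_frame(ESP_MAC, BCAST, IPPROTO_UDP, 68, 67, vlan=10)

if __name__ == "__main__":
    for name, frame in [("DISCOVER", DISCOVER), ("OFFER", OFFER),
                        ("MDNS", MDNS), ("MQTT", MQTT),
                        ("TAGGED_DISCOVER", TAGGED_DISCOVER)]:
        print(f"{name:16s} drop={is_dhcp_frame(frame)}")
    print("\n".join(dhcp_block_rules("tap2")))
```

The rules are generated as strings rather than executed so the logic can be checked off-router; on DD-WRT they would go into the firewall or custom startup script with the tap name that OpenVPN actually opened.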
Interesting indeed. I had enabled "Block DHCP across the tunnel" on the server side (remote) but I guess this was not good enough.
I am embarrassed to say that I have never heard of ebtables. So I Googled it, of course and found this:
"ebtables is an application program used to set up and maintain the tables of rules (inside the Linux kernel) that inspect Ethernet frames. It is analogous to the iptables application, but less complicated, due to the fact that the Ethernet protocol is much simpler than the IP protocol."
Makes sense. I will give this a shot sometime tomorrow.
Thank you!
While I followed @egc guide(s) to do this, I did NOT add the iptables rules from his documents, as it seemed those would not be necessary for my application. Perhaps that is where I erred. I will re-read those documents and see if there is something I really needed to add to iptables. What complicates matters is the fact that each router, both local and remote, has multiple VLANs on them. I think this could be part of the problem. Can VLANs even be used through OVPN?
Yeah, that makes perfect sense. It was late last night and I was not thinking clearly.
So, I added the ebtables rules on both sides. However it didn't seem to make any difference. I connect just fine and can access all remote IPs. However, I lose local access to the router and have no local Internet access. I am unable to look at the local EA8500 logs as I cannot connect to it at all. I can't even ping it but I can still ping everything else on the local network. Just not the router. Very weird! Here is the log from the remote server side:
Code:
Serverlog:
20220605 18:11:18 config = '/tmp/openvpn/openvpn.conf'
20220605 18:11:18 mode = 1
20220605 18:11:18 NOTE: --mute triggered...
20220605 18:11:18 241 variation(s) on previous 3 message(s) suppressed by --mute
20220605 18:11:18 I OpenVPN 2.5.6 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May 18 2022
20220605 18:11:18 I library versions: OpenSSL 1.1.1n 15 Mar 2022 LZO 2.10
20220605 18:11:18 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:14
20220605 18:11:18 W NOTE: when bridging your LAN adapter with the TAP adapter note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
20220605 18:11:18 W WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
20220605 18:11:18 net_route_v4_best_gw query: dst 0.0.0.0
20220605 18:11:18 net_route_v4_best_gw result: via 204.111.180.1 dev vlan2
20220605 18:11:18 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20220605 18:11:18 ECDH curve secp384r1 added
20220605 18:11:18 W WARNING: normally if you use --mssfix and/or --fragment you should also set --tun-mtu 1500 (currently it is 1400)
20220605 18:11:18 TLS-Auth MTU parms [ L:1553 D:1212 EF:38 EB:0 ET:0 EL:3 ]
20220605 18:11:18 I TUN/TAP device tap2 opened
20220605 18:11:18 do_ifconfig ipv4=0 ipv6=0
20220605 18:11:18 W WARNING: Failed running command (--route-up): external program exited with error status: 2
20220605 18:11:18 Data Channel MTU parms [ L:1553 D:1450 EF:121 EB:394 ET:32 EL:3 ]
20220605 18:11:18 Socket Buffers: R=[262144->262144] S=[262144->262144]
20220605 18:11:18 I UDPv4 link local (bound): [AF_INET][undef]:1194
20220605 18:11:18 I UDPv4 link remote: [AF_UNSPEC]
20220605 18:11:18 MULTI: multi_init called r=256 v=256
20220605 18:11:18 IFCONFIG POOL IPv4: base=local.local.local.2 size=98
20220605 18:11:18 I Initialization Sequence Completed
20220605 18:12:50 MULTI: multi_create_instance called
20220605 18:12:50 remote.remote.remote.remote:54011 Re-using SSL/TLS context
20220605 18:12:50 W remote.remote.remote.remote:54011 WARNING: normally if you use --mssfix and/or --fragment you should also set --tun-mtu 1500 (currently it is 1400)
20220605 18:12:50 remote.remote.remote.remote:54011 Control Channel MTU parms [ L:1553 D:1212 EF:38 EB:0 ET:0 EL:3 ]
20220605 18:12:50 remote.remote.remote.remote:54011 Data Channel MTU parms [ L:1553 D:1450 EF:121 EB:394 ET:32 EL:3 ]
20220605 18:12:50 remote.remote.remote.remote:54011 Local Options String (VER=V4): 'V4 dev-type tap link-mtu 1466 tun-mtu 1432 proto UDPv4 cipher CHACHA20-POLY1305 auth [null-digest] keysize 256 key-method 2 tls-server'
20220605 18:12:50 remote.remote.remote.remote:54011 Expected Remote Options String (VER=V4): 'V4 dev-type tap link-mtu 1466 tun-mtu 1432 proto UDPv4 cipher CHACHA20-POLY1305 auth [null-digest] keysize 256 key-method 2 tls-client'
20220605 18:12:50 remote.remote.remote.remote:54011 TLS: Initial packet from [AF_INET]remote.remote.remote.remote:54011 sid=8091848d af4655ca
20220605 18:12:51 remote.remote.remote.remote:54011 VERIFY OK: depth=1 CN=jim-ca
20220605 18:12:51 remote.remote.remote.remote:54011 VERIFY OK: depth=0 CN=179M-client1
20220605 18:12:51 I remote.remote.remote.remote:54011 peer info: IV_VER=2.5.6
20220605 18:12:51 I remote.remote.remote.remote:54011 peer info: IV_PLAT=linux
20220605 18:12:51 I remote.remote.remote.remote:54011 peer info: IV_PROTO=6
20220605 18:12:51 I remote.remote.remote.remote:54011 peer info: IV_NCP=2
20220605 18:12:51 I remote.remote.remote.remote:54011 peer info: IV_CIPHERS=AES-128-GCM:AES-256-GCM:CHACHA20-POLY1305
20220605 18:12:51 I remote.remote.remote.remote:54011 peer info: IV_LZ4=1
20220605 18:12:51 I remote.remote.remote.remote:54011 peer info: IV_LZ4v2=1
20220605 18:12:51 I remote.remote.remote.remote:54011 peer info: IV_LZO=1
20220605 18:12:51 I remote.remote.remote.remote:54011 peer info: IV_COMP_STUB=1
20220605 18:12:51 I remote.remote.remote.remote:54011 peer info: IV_COMP_STUBv2=1
20220605 18:12:51 I remote.remote.remote.remote:54011 peer info: IV_TCPNL=1
20220605 18:12:51 remote.remote.remote.remote:54011 Control Channel: TLSv1.3 cipher TLSv1.3 TLS_AES_256_GCM_SHA384 peer certificate: 2048 bit RSA signature: RSA-SHA256
20220605 18:12:51 I remote.remote.remote.remote:54011 [179M-client1] Peer Connection Initiated with [AF_INET]remote.remote.remote.remote:54011
20220605 18:12:51 I 179M-client1/remote.remote.remote.remote:54011 MULTI_sva: pool returned IPv4=local.local.local.2 IPv6=(Not enabled)
20220605 18:12:51 179M-client1/remote.remote.remote.remote:54011 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_23cb0b646e4dae0b.tmp
20220605 18:12:51 179M-client1/remote.remote.remote.remote:54011 Data Channel: using negotiated cipher 'AES-256-GCM'
20220605 18:12:51 179M-client1/remote.remote.remote.remote:54011 Data Channel MTU parms [ L:1481 D:1450 EF:49 EB:394 ET:32 EL:3 ]
20220605 18:12:51 179M-client1/remote.remote.remote.remote:54011 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
20220605 18:12:51 179M-client1/remote.remote.remote.remote:54011 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
20220605 18:12:51 179M-client1/remote.remote.remote.remote:54011 SENT CONTROL [179M-client1]: 'PUSH_REPLY redirect-gateway def1 route-gateway local.local.local.10 ping 10 ping-restart 120 ifconfig local.local.local.2 255.255.255.0 peer-id 0 cipher AES-256-GCM' (status=1)
20220605 18:12:51 179M-client1/remote.remote.remote.remote:54011 MULTI: Learn: d2:f0:76:b1:ea:84@0 -> 179M-client1/remote.remote.remote.remote:54011
20220605 18:12:51 179M-client1/remote.remote.remote.remote:54011 MULTI: Learn: 14:91:82:67:34:76@0 -> 179M-client1/remote.remote.remote.remote:54011
20220605 18:12:51 179M-client1/remote.remote.remote.remote:54011 MULTI: Learn: dc:a6:32:56:18:88@0 -> 179M-client1/remote.remote.remote.remote:54011
20220605 18:12:51 179M-client1/remote.remote.remote.remote:54011 NOTE: --mute triggered...
20220605 18:12:55 12 variation(s) on previous 3 message(s) suppressed by --mute
20220605 18:12:55 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20220605 18:12:55 D MANAGEMENT: CMD 'state'
20220605 18:12:55 MANAGEMENT: Client disconnected
20220605 18:12:55 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20220605 18:12:55 D MANAGEMENT: CMD 'state'
20220605 18:12:55 MANAGEMENT: Client disconnected
20220605 18:12:55 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20220605 18:12:55 MANAGEMENT: Client disconnected
20220605 18:12:55 NOTE: --mute triggered...
20220605 18:12:55 1 variation(s) on previous 3 message(s) suppressed by --mute
20220605 18:12:55 D MANAGEMENT: CMD 'status 2'
20220605 18:12:55 MANAGEMENT: Client disconnected
20220605 18:12:55 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20220605 18:12:55 D MANAGEMENT: CMD 'status 2'
20220605 18:12:55 MANAGEMENT: Client disconnected
20220605 18:12:55 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20220605 18:12:55 D MANAGEMENT: CMD 'log 500'
20220605 18:12:55 MANAGEMENT: Client disconnected
20220605 18:12:55 179M-client1/remote.remote.remote.remote:54011 MULTI: Learn: 50:d4:f7:de:6d:79@0 -> 179M-client1/remote.remote.remote.remote:54011
20220605 18:12:56 179M-client1/remote.remote.remote.remote:54011 MULTI: Learn: c6:2e:ec:11:99:3f@0 -> 179M-client1/remote.remote.remote.remote:54011
20220605 18:12:56 179M-client1/remote.remote.remote.remote:54011 MULTI: Learn: 00:d0:2d:7e:d6:6e@0 -> 179M-client1/remote.remote.remote.remote:54011
20220605 18:12:58 179M-client1/remote.remote.remote.remote:54011 NOTE: --mute triggered...
20220605 18:19:25 23 variation(s) on previous 3 message(s) suppressed by --mute
20220605 18:19:25 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20220605 18:19:25 D MANAGEMENT: CMD 'state'
20220605 18:19:25 MANAGEMENT: Client disconnected
20220605 18:19:25 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20220605 18:19:25 D MANAGEMENT: CMD 'state'
20220605 18:19:25 MANAGEMENT: Client disconnected
20220605 18:19:25 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20220605 18:19:25 MANAGEMENT: Client disconnected
20220605 18:19:25 NOTE: --mute triggered...
20220605 18:19:25 1 variation(s) on previous 3 message(s) suppressed by --mute
20220605 18:19:25 D MANAGEMENT: CMD 'status 2'
20220605 18:19:25 MANAGEMENT: Client disconnected
20220605 18:19:25 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20220605 18:19:25 D MANAGEMENT: CMD 'status 2'
20220605 18:19:25 MANAGEMENT: Client disconnected
20220605 18:19:25 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20220605 18:19:25 D MANAGEMENT: CMD 'log 500'
19691231 19:00:00
Not sure if there is anything helpful here, except a few things do stand out but nothing I think would contribute to my problem.
20220605 18:11:18 W WARNING: normally if you use --mssfix and/or --fragment you should also set --tun-mtu 1500 (currently it is 1400)
and this one, which seems a bit odd:
20220605 18:11:18 W WARNING: Failed running command (--route-up): external program exited with error status: 2
and lastly:
20220605 18:11:18 W WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
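As an added example (not code from this thread, from DD-WRT or from OpenVPN), here is a small triage pass over a server log in the format DD-WRT displays it, so the pushed options, the bridge's MAC learning and the warnings are pulled out mechanically instead of read by eye. The sample lines are copied from the server log posted above; the function names, the option keyword list and the note texts are this example's own. One item it surfaces is worth a second look against the earlier requirement that each side keep its own Internet access: the PUSH_REPLY carries redirect-gateway def1, which tells the OpenVPN client (the local router here, since the server is the remote one) to install a default route through the tunnel.

```python
"""
Added example, not code from the forum thread or from DD-WRT/OpenVPN: triage
of an OpenVPN server log as DD-WRT shows it. Sample lines are copied from the
posted log; keyword list, note texts and function names are assumptions.
"""
import re

# Excerpt copied from the posted server log (not a constructed log).
SAMPLE_LOG = """\
20220605 18:11:18 I OpenVPN 2.5.6 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May 18 2022
20220605 18:11:18 W NOTE: when bridging your LAN adapter with the TAP adapter note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
20220605 18:11:18 W WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
20220605 18:11:18 net_route_v4_best_gw query: dst 0.0.0.0
20220605 18:11:18 W WARNING: normally if you use --mssfix and/or --fragment you should also set --tun-mtu 1500 (currently it is 1400)
20220605 18:11:18 I TUN/TAP device tap2 opened
20220605 18:11:18 W WARNING: Failed running command (--route-up): external program exited with error status: 2
20220605 18:11:18 I Initialization Sequence Completed
20220605 18:12:50 remote.remote.remote.remote:54011 Re-using SSL/TLS context
20220605 18:12:51 179M-client1/remote.remote.remote.remote:54011 SENT CONTROL [179M-client1]: 'PUSH_REPLY redirect-gateway def1 route-gateway local.local.local.10 ping 10 ping-restart 120 ifconfig local.local.local.2 255.255.255.0 peer-id 0 cipher AES-256-GCM' (status=1)
20220605 18:12:51 179M-client1/remote.remote.remote.remote:54011 MULTI: Learn: d2:f0:76:b1:ea:84@0 -> 179M-client1/remote.remote.remote.remote:54011
20220605 18:12:51 179M-client1/remote.remote.remote.remote:54011 MULTI: Learn: 14:91:82:67:34:76@0 -> 179M-client1/remote.remote.remote.remote:54011
"""

# Line shape: YYYYMMDD HH:MM:SS [W|I|D] [peer-name/addr:port] message
LINE_RE = re.compile(r"^(\d{8}) (\d{2}:\d{2}:\d{2}) (?:([WID]) )?(.*)$")
PEER_RE = re.compile(r"^([A-Za-z0-9._-]+(?:/[A-Za-z0-9._-]+)?:\d+) (.*)$")
PUSH_RE = re.compile(r"SENT CONTROL \[[^\]]*\]: '(PUSH_REPLY[^']*)'")
LEARN_RE = re.compile(r"MULTI: Learn: ([0-9a-f]{2}(?::[0-9a-f]{2}){5})@\d+ -> (\S+)")

# Option keywords that start a new pushed option (assumed list; covers the
# ones OpenVPN commonly pushes, so both comma- and space-separated forms parse).
PUSH_KEYWORDS = {
    "redirect-gateway", "route-gateway", "route", "route-ipv6", "ping",
    "ping-restart", "ifconfig", "ifconfig-ipv6", "peer-id", "cipher",
    "dhcp-option", "topology", "block-outside-dns", "push-continuation",
}


def parse_line(line):
    """Split one log line into date, time, level flag, peer prefix and message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    date, time, level, rest = m.groups()
    peer = None
    pm = PEER_RE.match(rest)
    if pm:
        peer, rest = pm.groups()
    return {"date": date, "time": time, "level": level, "peer": peer, "msg": rest}


def parse_push_reply(text):
    """Turn 'PUSH_REPLY opt args opt args ...' (or the comma form) into a list."""
    tokens = text.replace(",", " ").split()
    options = []
    for tok in tokens[1:]:  # tokens[0] is the literal PUSH_REPLY
        if tok in PUSH_KEYWORDS or not options:
            options.append([tok])
        else:
            options[-1].append(tok)
    return [" ".join(o) for o in options]


def assess(report):
    """Plain-language notes on what the extracted facts imply (assumed wording)."""
    notes = []
    if any(o.startswith("redirect-gateway") for o in report["pushed_options"]):
        notes.append("server pushes redirect-gateway: the client installs a default route "
                     "through the tunnel, so its side's Internet traffic leaves via the server")
    if report["learned_macs"]:
        notes.append(f"{len(report['learned_macs'])} MAC(s) learned behind the client: "
                     "layer-2 bridging is active, so broadcasts cross the tunnel unless filtered")
    for w in report["warnings"]:
        if "--route-up" in w:
            notes.append("route-up script exited non-zero: whatever it configures after "
                         "the tunnel comes up did not complete")
        elif "--duplicate-cn" in w:
            notes.append("duplicate-cn with client-config-dir: per-CN client config "
                         "cannot be tied to one client")
    return notes


def triage(log_text):
    """Collect warnings, pushed options and learned MACs from the log text."""
    report = {"warnings": [], "pushed_options": [], "learned_macs": {}, "notes": []}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        msg = rec["msg"]
        if rec["level"] == "W":
            report["warnings"].append(msg)
        pm = PUSH_RE.search(msg)
        if pm:
            report["pushed_options"].extend(parse_push_reply(pm.group(1)))
        lm = LEARN_RE.search(msg)
        if lm:
            mac, peer = lm.groups()
            report["learned_macs"][mac] = peer.split("/")[0]
    report["notes"] = assess(report)
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for key in ("warnings", "pushed_options", "learned_macs", "notes"):
        print(f"{key}:")
        for item in (result[key].items() if key == "learned_macs" else result[key]):
            print(f"  {item}")
```

The same function can be fed the full log from the router's status page; anything it reports under "notes" is a starting point for checking the server's push settings and scripts, not a verdict on the fault.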
Are you sure both routers are using *different* private IPs? Seems to me it would be very likely BOTH would be configured for the same IP (e.g., 192.168.1.1) before this attempt to bridge them. One or the other has to be changed!
Everything on the remote side are static IPs, and yes, both ends are on the same internal subnet.