DD-WRT :: View topic - Wireguard site-to-site setup

Wireguard site-to-site setup

DD-WRT Forum Index -> Advanced Networking

View previous topic :: View next topic

Author

Message

markush6302
DD-WRT Novice

Joined: 21 Aug 2022
Posts: 3

Posted: Wed May 10, 2023 9:17 Post subject: Wireguard site-to-site setup

Hello!
I'm trying to connect to ddwrt devices (both running v3.0-r52459 std) with Wireguard over ipv6 (I only get an ipv6 address from my isp).

Here are my logs:

Site A, TP-Link TL-WDR3600 v1, Subnet 192.168.146.0/24:

Code:

root@DD-WRT:~# wg
interface: oet1
public key: WaQx**********D8=
private key: (hidden)
listening port: 51810

peer: HNvh**************MeU8BI=
endpoint: [2a07:****:****:*:****:****:****:ec45]:51810
allowed ips: 10.4.0.0/24, 192.168.147.0/24
transfer: 9.54 KiB received, 5.93 KiB sent
persistent keepalive: every 20 seconds
root@DD-WRT:~# wg showconf oet1
[Interface]
ListenPort = 51810
PrivateKey = gFwd****************a1E0=

[Peer]
PublicKey = HNvh**************MeU8BI=
AllowedIPs = 10.4.0.0/24, 192.168.147.0/24
Endpoint = [2a07:****:****:*:****:****:****:ec45]:51810
PersistentKeepalive = 20

root@DD-WRT:~# nvram show | grep oet
oet1_isolation=0
oet1_rtdownscript=
oet1_mit=0
oet1_endpoint0=0
oet1_multicast=0
oet1_dpbr_ip=
oet1_peerkey0=HNvh**************MeU8BI=
oet1_aip_rten0=1
oet1_usepsk0=0
oet1_obfkey=
oet1_namep0=wien
oet1_spbr=1
oet1_dns=
oet_tunnels=1
oet1_port=51810
oet1_dpbr=0
oet1_failgrp=0
oet1_hwaddr=00:00:00:00:00:00
oet1_obf0=0
oet1_peerport0=51810
oet1_failstate=0
oet1_mtu=1420
oet1_clend0=100.64.120.238
oet1_wdog=0
oet1_clka0=25
oet1_dns_redirect=0
oet1_ka0=20
oet1_fwmark=
oet1_cldns0=0.0.0.0
size: 27916 bytes (37620 left)
oet1_en=1
oet1_dns4=9.9.9.9
oet1_dns6=2620:fe::9
oet1_clip0=0.0.0.0/0
oet1_ip0=0.0.0.0
ip6tables -I INPUT -p udp --dport $(nvram get oet1_port) -j ACCEPT
oet1_bloop=0
oet1_rtupscript=
oet1_rem0=2a07:****:****:*:****:****:****:ec45
oet1_txq=0
oet1_peers=1
oet1_psk0=
oet1_ipaddrmask=10.4.0.1/24
oet1_spbr_ip=192.168.147.0/24
oet1_clconfig0=0
oet1_showadvanced=1
oet1_killswitch=0
oet1_dns_ipaddr=0.0.0.0
oet1_rem=192.168.90.1
oet1_natout=0
oet1_netmask=255.255.255.0
oet1_proto=2
oet1_wanac=1

oet1_private=gFwd****************a1E0=
oet1_bridged=0
oet1_lanac=1
oet1_ipaddr=10.4.0.1
oet1_failip=8.8.8.8
oet1_obf=0
oet1_dnspbr=0
oet1_id=1
oet1_nat=0
oet1_public=WaQx**********D8=
oet1_local=0.0.0.0
oet1_aip0=10.4.0.2/24, 192.168.147.0/24
oet1_firewallin=0
oet1_obfkey0=

root@DD-WRT:~# grep -E -i 'oet|wireguard' /var/log/messages
Jan 1 01:00:05 DD-WRT user.info root: WireGuard number of non failed tunnels in fail set: 0
Jan 1 01:00:13 DD-WRT user.info root: WireGuard number of non failed tunnels in fail set: 0
May 8 16:46:34 DD-WRT user.info root: WireGuard number of non failed tunnels in fail set: 0
May 8 16:47:23 DD-WRT user.info root: WireGuard number of non failed tunnels in fail set: 0
May 8 16:47:30 DD-WRT user.info root: WireGuard number of non failed tunnels in fail set: 0
May 8 16:47:35 DD-WRT user.info root: WireGuard number of non failed tunnels in fail set: 0
May 8 16:48:33 DD-WRT user.info root: WireGuard number of non failed tunnels in fail set: 0
May 8 16:48:33 DD-WRT user.info root: Enable WireGuard interface oet1 on port 51810
May 8 16:48:34 DD-WRT user.info root: WireGuard 10.4.0.1/24 added to oet1
May 8 16:48:34 DD-WRT user.info root: WireGuard acquiring /tmp/oet.lock for 4094
May 8 16:48:34 DD-WRT user.info root: WireGuard /tmp/oet.lock acquired for 4094
May 8 16:48:34 DD-WRT user.info root: WireGuard waited 1 seconds to set routes for oet
May 8 16:48:35 DD-WRT user.info root: WireGuard PBR via oet1 table 21
May 8 16:48:35 DD-WRT user.info root: WireGuard PBR 192.168.147.0/24:IPv4 via oet1 table 21
May 8 16:48:35 DD-WRT user.info root: WireGuard route 10.4.0.2/24 added via oet1
May 8 16:48:35 DD-WRT user.info root: WireGuard route 192.168.147.0/24 added via oet1
May 8 16:48:36 DD-WRT user.info root: WireGuard IPv4 internet access for 10.4.0.1/24 enabled
May 8 16:48:37 DD-WRT user.info root: WireGuard adding local routes to table 21
May 8 16:48:37 DD-WRT user.info root: WireGuard Inbound Firewall deactivated on oet1
May 8 16:48:37 DD-WRT user.info root: WireGuard released /tmp/oet.lock for 4094

root@DD-WRT:~# ip -6 route show
::/1 dev oet1 metric 1024
fe80::/64 dev eth0 metric 256
ff00::/8 dev eth0 metric 256
8000::/1 dev oet1 metric 1024
unreachable default dev lo metric -1 error -128
2a07:3740:6440::/64 dev vlan2 metric 256 expires 2591879sec
fe80::/64 dev eth0 metric 256
fe80::/64 dev br0 metric 256
fe80::/64 dev vlan1 metric 256
fe80::/64 dev vlan2 metric 256
default via fe80::62f1:8aff:fe3b:8669 dev vlan2 metric 1024 expires 1679sec
default dev vlan2 metric 2048
unreachable default dev lo metric -1 error -128
ff00::/8 dev eth0 metric 256
ff00::/8 dev br0 metric 256
ff00::/8 dev vlan1 metric 256
ff00::/8 dev vlan2 metric 256
unreachable default dev lo metric -1 error -128

root@DD-WRT:~# ip6tables -vnL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
77 15092 ACCEPT udp * * ::/0 ::/0 udp dpt:51810
0 0 ACCEPT all oet1 * ::/0 ::/0 state NEW
0 0 ACCEPT udp vlan2 * ::/0 ::/0 udp dpt:51810
0 0 DROP all * * ::/0 ::/0 rt type:0
76 14288 ACCEPT all * * ::/0 ::/0 ctstate RELATED,ESTABLISHED
0 0 DROP all * * ::/0 ::/0 ctstate INVALID
0 0 ACCEPT all lo * ::/0 ::/0
0 0 DROP all !lo * ::1 ::/0
0 0 DROP all vlan2 * fc00::/7 ::/0
0 0 ACCEPT udp * * fe80::/10 fe80::/10 udp spt:547 dpt:546 ctstate NEW
0 0 ACCEPT all br0 * ::/0 ::/0
5 456 ACCEPT all * * fe80::/10 ::/0
0 0 ACCEPT all * * ::/0 ff00::/8
0 0 ACCEPT all oet1 * ::/0 ::/0
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 128 limit: avg 30/min burst 5
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 1
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 2
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 3
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 4
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 128
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 129
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 133 HL match HL == 255
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 134 HL match HL == 255
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 135 HL match HL == 255
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 136 HL match HL == 255
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 141 HL match HL == 255
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 142 HL match HL == 255
0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 130
0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 131
0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 132
0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 143
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 148 HL match HL == 255
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 149 HL match HL == 255
0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 151 HL match HL == 1
0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 152 HL match HL == 1
0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 153 HL match HL == 1
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 144
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 145
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 146
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 147
0 0 ACCEPT tcp * * ::/0 ::/0 tcp dpt:22

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all oet1 * ::/0 ::/0 state NEW
0 0 DROP all * * ::/0 ::/0 rt type:0
0 0 DROP all * * ::1 ::/0
0 0 DROP all vlan2 * fc00::/7 ::/0
0 0 ACCEPT all * * ::/0 ::/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all br0 * ::/0 ::/0 ctstate NEW
0 0 ACCEPT all oet1 * ::/0 ::/0 ctstate NEW
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 1
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 2
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 3
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 4
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 128
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 129

Chain OUTPUT (policy ACCEPT 387 packets, 41900 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all * * ::/0 ::/0 rt type:0
root@DD-WRT:~# ip6tables -vnL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Site B, Linksys EA6700, Subnet 192.168.147.0/24:

Code:

root@DD-WRT:~# wg
interface: oet1
public key: HNvh**************MeU8BI=
private key: (hidden)
listening port: 51810

peer: WaQx**********D8=
endpoint: [2a07:****:****:*:****:****:****:8335]:51810
allowed ips: 10.4.0.0/24, 192.168.146.0/24
transfer: 0 B received, 3.76 KiB sent
persistent keepalive: every 20 seconds
root@DD-WRT:~# wg showconf oet1
[Interface]
ListenPort = 51810
PrivateKey = WLB5****************/T/VQ=

[Peer]
PublicKey = WaQx**********D8=
AllowedIPs = 10.4.0.0/24, 192.168.146.0/24
Endpoint = [2a07:****:****:*:****:****:****:8335]:51810
PersistentKeepalive = 20

root@DD-WRT:~# nvram show | grep oet
oet1_peerport0=51810
size: 29072 bytes (36464 left)
oet1_bloop=0
oet1_spbr=1
oet1_obfkey=
oet1_rem0=2a07:****:****:*:****:****:****:8335
oet_tunnels=1
oet1_endpoint0=1
oet1_rem=192.168.90.1
oet1_private=WLB5****************/T/VQ=
oet1_peers=1
oet1_lanac=1
oet1_fwmark=
oet1_namep0=hzbg
oet2_nat=1
oet1_bridged=0
oet1_multicast=0
static_route=192.168.146.0:255.255.255.0:10.4.0.1:0:oet1:0:0:0.0.0.0:0:0:1500:1460
oet1_ka0=20
oet1_killswitch=0
oet1_obf0=0
oet1_rtdownscript=
oet1_mtu=1420
oet1_wanac=1
oet1_failip=8.8.8.8
oet1_dpbr=0
oet1_netmask=255.255.255.0
oet1_en=1
oet1_dns_ipaddr=0.0.0.0
oet1_psk0=
oet1_wdog=0
oet1_failstate=0
oet1_firewallin=0
oet1_isolation=0
oet1_port=51810
oet1_obf=0
oet1_dns_redirect=0
oet1_showadvanced=1
oet1_ip0=0.0.0.0
oet1_ipaddrmask=10.4.0.2/24
oet1_clconfig0=0
oet1_spbr_ip=192.168.146.0/24
oet1_dns4=9.9.9.9
oet1_clka0=25
oet1_dns6=2620:fe::9
oet1_hwaddr=00:00:00:00:00:00
oet1_peerkey0=WaQx**********D8=
oet1_obfkey0=
oet1_proto=2
oet1_dnspbr=0
iptables -I INPUT -p udp --dport $(nvram get oet1_port) -j ACCEPT
oet1_nat=0
oet2_bloop=0
oet1_id=1
oet1_aip0=10.4.0.1/24, 192.168.146.0/24
oet1_usepsk0=0
oet1_cldns0=0.0.0.0
oet1_ipaddr=10.4.0.2
oet1_natout=0
oet1_aip_rten0=1
oet1_dns=
oet1_public=HNvh**************MeU8BI=
oet1_dpbr_ip=
oet1_local=0.0.0.0
oet1_txq=1
oet1_mit=0
oet1_clend0=
oet1_clip0=0.0.0.0/0
oet1_failgrp=0
oet1_rtupscript=
bat_oet1_bridge=br0

root@DD-WRT:~# grep -E -i 'oet|wireguard' /var/log/messages
Jan 1 01:00:15 DD-WRT user.info root: WireGuard number of non failed tunnels in fail set: 0
Jan 1 01:00:29 DD-WRT user.info root: WireGuard number of non failed tunnels in fail set: 0
May 8 16:47:09 DD-WRT user.info root: WireGuard number of non failed tunnels in fail set: 0
May 8 16:51:31 DD-WRT user.info root: WireGuard number of non failed tunnels in fail set: 0
May 8 16:51:31 DD-WRT user.info root: Enable WireGuard interface oet1 on port 51820
May 8 16:51:31 DD-WRT user.info root: WireGuard 10.4.0.2/24 added to oet1
May 8 16:51:31 DD-WRT user.info root: WireGuard acquiring /tmp/oet.lock for 3048
May 8 16:51:31 DD-WRT user.info root: WireGuard /tmp/oet.lock acquired for 3048
May 8 16:51:31 DD-WRT user.info root: WireGuard waited 1 seconds to set routes for oet
May 8 16:51:31 DD-WRT user.info root: WireGuard PBR via oet1 table 21
May 8 16:51:31 DD-WRT user.info root: WireGuard PBR 192.168.146.0/24:IPv4 via oet1 table 21
May 8 16:51:32 DD-WRT user.info root: WireGuard route 10.4.0.1/24 added via oet1
May 8 16:51:32 DD-WRT user.info root: WireGuard route 192.168.146.0/24 added via oet1
May 8 16:51:33 DD-WRT user.info root: WireGuard NAT via oet1 for 10.4.0.2 enabled
May 8 16:51:33 DD-WRT user.info root: WireGuard IPv4 internet access for 10.4.0.2/24 enabled
May 8 16:51:33 DD-WRT user.info root: WireGuard adding local routes to table 21
May 8 16:51:33 DD-WRT user.info root: WireGuard Inbound Firewall deactivated on oet1
May 8 16:51:33 DD-WRT user.info root: WireGuard released /tmp/oet.lock for 3048
May 8 16:52:28 DD-WRT user.info root: WireGuard number of non failed tunnels in fail set: 0
May 8 16:52:29 DD-WRT user.info root: Flush delete PBR interface oet1, table : 21
May 8 16:52:29 DD-WRT user.info root: Enable WireGuard interface oet1 on port 51810
May 8 16:52:29 DD-WRT user.info root: Establishing WireGuard tunnel with peer endpoint 2a07:****:****:*:****:****:****:8335:51810
May 8 16:52:29 DD-WRT user.info root: WireGuard experimental endpoint routing for oet1 to endpoint 2a07:****:****:*:****:****:****:8335:51810 is IPv6: [2a07:****:****:*:****:****:****:8335]
May 8 16:52:29 DD-WRT user.info root: WireGuard 10.4.0.2/24 added to oet1
May 8 16:52:29 DD-WRT user.info root: WireGuard acquiring /tmp/oet.lock for 3984
May 8 16:52:29 DD-WRT user.info root: WireGuard /tmp/oet.lock acquired for 3984
May 8 16:52:29 DD-WRT user.info root: WireGuard waited 1 seconds to set routes for oet
May 8 16:52:29 DD-WRT user.info root: WireGuard PBR via oet1 table 21
May 8 16:52:29 DD-WRT user.info root: WireGuard PBR 192.168.146.0/24:IPv4 via oet1 table 21
May 8 16:52:29 DD-WRT user.info root: WireGuard route 10.4.0.1/24 added via oet1
May 8 16:52:29 DD-WRT user.info root: WireGuard route 192.168.146.0/24 added via oet1
May 8 16:52:31 DD-WRT user.info root: WireGuard adding local routes to table 21
May 8 16:52:31 DD-WRT user.info root: WireGuard released /tmp/oet.lock for 3984
May 8 16:52:31 DD-WRT user.info root: WireGuard IPv4 internet access for 10.4.0.2/24 enabled
May 8 16:52:31 DD-WRT user.info root: WireGuard Inbound Firewall deactivated on oet1

root@DD-WRT:~# ip -6 route show
2a07:****:****:*:****:****:****:8335 via fe80::62f1:8aff:fe3b:8669 dev vlan2 metric 1024
::/1 dev oet1 metric 1024
fe80::/64 dev eth0 metric 256
ff00::/8 dev eth0 metric 256
8000::/1 dev oet1 metric 1024
default via fe80::62f1:8aff:fe3b:8669 dev vlan2 metric 1024
unreachable default dev lo metric -1 error -101
2a07:****:****:*:****:****:****:8335 via fe80::62f1:8aff:fe3b:8669 dev vlan2 metric 1024
2a07:3740:6440::/64 dev vlan2 metric 256 expires 2591831sec
fe80::/64 dev eth0 metric 256
fe80::/64 dev vlan1 metric 256
fe80::/64 dev eth1 metric 256
fe80::/64 dev eth2 metric 256
fe80::/64 dev br0 metric 256
fe80::/64 dev vlan2 metric 256
default via fe80::62f1:8aff:fe3b:8669 dev vlan2 metric 1024 expires 1631sec
default dev vlan2 metric 2048
unreachable default dev lo metric -1 error -101
ff00::/8 dev eth0 metric 256
ff00::/8 dev vlan1 metric 256
ff00::/8 dev eth1 metric 256
ff00::/8 dev eth2 metric 256
ff00::/8 dev br0 metric 256
ff00::/8 dev vlan2 metric 256
unreachable default dev lo metric -1 error -101

root@DD-WRT:~# ip6tables -vnL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all oet1 * ::/0 ::/0 state NEW
0 0 ACCEPT udp vlan2 * ::/0 ::/0 udp dpt:51810
0 0 DROP all * * ::/0 ::/0 rt type:0
668 93140 ACCEPT all * * ::/0 ::/0 ctstate RELATED,ESTABLISHED
0 0 DROP all * * ::/0 ::/0 ctstate INVALID
1 172 ACCEPT tcp vlan2 * ::/0 ::/0 tcp dpt:22
0 0 ACCEPT all lo * ::/0 ::/0
0 0 DROP all !lo * ::1 ::/0
0 0 DROP all vlan2 * fc00::/7 ::/0
0 0 ACCEPT udp * * fe80::/10 fe80::/10 udp spt:547 dpt:546 ctstate NEW
0 0 ACCEPT all br0 * ::/0 ::/0
2 176 ACCEPT all * * fe80::/10 ::/0
0 0 ACCEPT all * * ::/0 ff00::/8
0 0 ACCEPT all oet1 * ::/0 ::/0
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 128 limit: avg 30/min burst 5
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 1
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 2
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 3
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 4
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 128
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 129
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 133 HL match HL == 255
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 134 HL match HL == 255
1 72 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 135 HL match HL == 255
1 72 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 136 HL match HL == 255
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 141 HL match HL == 255
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 142 HL match HL == 255
0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 130
0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 131
0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 132
0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 143
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 148 HL match HL == 255
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 149 HL match HL == 255
0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 151 HL match HL == 1
0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 152 HL match HL == 1
0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 153 HL match HL == 1
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 144
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 145
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 146
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 147
0 0 ACCEPT tcp * * ::/0 ::/0 tcp dpt:22

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all oet1 * ::/0 ::/0 state NEW
0 0 DROP all * * ::/0 ::/0 rt type:0
0 0 DROP all * * ::1 ::/0
0 0 DROP all vlan2 * fc00::/7 ::/0
0 0 ACCEPT all * * ::/0 ::/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all br0 * ::/0 ::/0 ctstate NEW
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 1
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 2
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 3
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 4
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 128
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 129

Chain OUTPUT (policy ACCEPT 575 packets, 281K bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all * * ::/0 ::/0 rt type:0
root@DD-WRT:~# ip6tables -vnL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

I double checked the keys and it looks like the Wireguard port (I'm using 51810) is open. Are there any further hints, why it isn't working properly?

Thanks in advance!

Sponsor

egc
DD-WRT Guru

Joined: 18 Mar 2014
Posts: 12904
Location: Netherlands

Posted: Wed May 10, 2023 9:39 Post subject:

I did not look in detail but do not use PBR!

Just use "Route all sources via VPN"

Make sure to Disable the Firewall in the WG GUI on both sides.

The WireGuard Advanced setup guide has a paragraph about site-to-site setup, docs are a sticky in this forum
_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087

egc
DD-WRT Guru

Joined: 18 Mar 2014
Posts: 12904
Location: Netherlands

Posted: Wed May 10, 2023 13:27 Post subject:

Scrolled through some of your settings, did you set any static routes?
_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087

Per Yngve Berg
DD-WRT Guru

Joined: 13 Aug 2013
Posts: 6870
Location: Romerike, Norway

Posted: Wed May 10, 2023 16:00 Post subject:
You need 3 networks (site A, Site B and the Tunnel). I see only two in your setup.

Wildlion
DD-WRT Guru

Joined: 24 May 2016
Posts: 1416

Posted: Thu May 11, 2023 1:55 Post subject:
I am confused by the fact that you have only ipv6 from isp, but then you are trying to use that to create an ipv4 network address. Not saying that it is the problem, but there will be nuances in the configuration that need to be taken into account.

markush6302
DD-WRT Novice

Joined: 21 Aug 2022
Posts: 3

Posted: Fri May 12, 2023 9:46 Post subject:

egc wrote:

Thanks for your reply Smile

I disabled PBR and disabled the firewall on both sides but still no success...

markush6302
DD-WRT Novice

Joined: 21 Aug 2022
Posts: 3

Posted: Fri May 12, 2023 9:49 Post subject:

egc wrote:

Scrolled through some of your settings, did you set any static routes?

Yes.
On site A: 192.168.147.0 via 10.4.0.1 dev oet1
site B: 192.168.146.0 via 10.4.0.2 dev oet1

dale_gribble39
DD-WRT Guru

Joined: 11 Jun 2022
Posts: 1952

Posted: Fri May 12, 2023 13:37 Post subject: Re: Wireguard site-to-site setup

markush6302 wrote:

Wildlion wrote:

I am confused by the fact that you have only ipv6 from isp, but then you are trying to use that to create an ipv4 network address. Not saying that it is the problem, but there will be nuances in the configuration that need to be taken into account.

Both devices must support a 6to4 tunnel or use ipv6 only, perhaps(?).
_________________
"The woods are lovely, dark and deep,
But I have promises to keep,
And miles to go before I sleep,
And miles to go before I sleep." - Robert Frost

"I am one of the noticeable ones - notice me" - Dale Frances McKenzie Bozzio

<fact>code knows no gender</fact>

This is me, knowing I've ruffled your feathers, and not giving a ****
Some people are still hard-headed.
--------------------------------------
Mac Pro (Mid 2012) - Two 2.4GHz 6-Core Intel Xeon E5645 processors 64GB 1333MHz DDR3 ECC SDRAM OpenSUSE Leap 15.5

Display posts from previous:

Page 1 of 1

DD-WRT Forum Index -> Advanced Networking

All times are GMT

Navigation

Jump to:

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum

Log in

Wireguard site-to-site setup

Quick Links

Log in