Wireguard linking 2 subnets

uler
DD-WRT Novice


Joined: 02 Mar 2022
Posts: 4

PostPosted: Mon May 30, 2022 18:33    Post subject: Wireguard linking 2 subnets
Hi, can someone help me to understand why I can't connect.

See attached PDF for explanation of my problem.
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

PostPosted: Mon May 30, 2022 21:36    Post subject:
Please consider upgrading to the current release while waiting for Sir @egc to respond.

Sticky: WireGuard guides and documentation

https://download1.dd-wrt.com/dd-wrtv2/downloads/betas/2022/05-30-2022-r48996/

_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
bushant
DD-WRT Guru


Joined: 18 Nov 2015
Posts: 2028

PostPosted: Mon May 30, 2022 21:48    Post subject:
Disable CVE 14899 Mitigation on DD-WRT2.
_________________
Forum Guide Lines (with helpful pointers about how to research your router, where and what firmware to download, where and how to post and many other helpful tips!)
How to get help the right way

Before asking for help - Read the forum guidelines AND Upgrade DD-WRT!
Adblock by eibgrad + Blocklist Collection
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

PostPosted: Mon May 30, 2022 21:54    Post subject:
Thanks for that, @bushant. Would've been much easier to spot with screenshots instead of a PDF attachment.
uler
DD-WRT Novice


Joined: 02 Mar 2022
Posts: 4

PostPosted: Tue May 31, 2022 4:17    Post subject: Upgraded firmware
Hi!

I upgraded the firmware to 05-30-2022-r48996.

I have also disabled the CVE-2019-14899 Mitigation.

It's still not working!
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12836
Location: Netherlands

PostPosted: Tue May 31, 2022 6:47    Post subject:
The former speakers already gave you some good advice.

Start with setup by using the Server setup guide, the Advanced setup guide has instructions for a site-to-site setup, that is what you are doing with traffic in both directions.

I will throw in my two cents.

DDWRT 1
Your network setup has an uncommon subnet, /22; do you really need that many IP addresses?

Your Gateway is wrong; the gateway is the router's gateway and should be the next hop, the router cannot send traffic to itself.
Luckily DDWRT will override this (depending on settings), but just keep the gateway at its default 0.0.0.0, meaning it will find the gateway automatically (if the router is used in gateway mode with WAN).

Your start IP address is .100, which is the old default (the new default is .64), but your Maximum DHCP Users is 190, which is the new default. Why?
The last DHCP address will be .290, which does not work on a /24 subnet; you escape this problem by using a /22 subnet.
Again, why these choices?

About the WG setup on DDWRT: it looks OK save the Keepalive.
It is set at 10, which generates unnecessary traffic, as 20 or 25 is more than adequate; but as this side is playing the Server role, setting Keepalive is not necessary, that has already been done by the client side, so just keep it at its default 0.


DDWRT 2
The same questions about subnet, DHCP range and Gateway, only this time you are using /21 as subnet?
Note that under Allowed IPs on DDWRT 1 you used /22, so you cannot reach all clients if you keep it this way.

About WireGuard setup
CVE mitigation should be off, as already mentioned by @Bushant.
You are using PBR, where you can enter source IP addresses from your subnet which can use the tunnel, but you entered sources from the other side; that is wrong. Remove that entry and just use "Route all sources via VPN".
If you want PBR (which is uncommon in this setup as you only use a specific route to the other side) read up on it.

Keepalive 20 or 25 should be more than sufficient.

I am traveling and have to do this with my phone so I hope I have caught all the details.

_________________
Routers: Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3, XR300: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
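A small checker for the two configuration mistakes egc points out above (a DHCP pool that spills past the end of its subnet, and an Allowed IPs prefix narrower than the LAN behind the peer), added here as an example; it is not code from the thread or from DD-WRT. The subnet values are constructed, and the model of how DD-WRT places the DHCP pool is an assumption stated in the code.

```python
"""Sanity checks for a DD-WRT site-to-site WireGuard setup.

Added example; the addresses used in the comments and tests are constructed.
"""
import ipaddress
from typing import Iterable


def dhcp_range(lan_cidr: str, start: int, max_users: int):
    """Return (first, last) lease addresses of the DD-WRT DHCP pool.

    Assumption: the first lease is the LAN network address plus the
    'Start IP Address' offset, and 'Maximum DHCP Users' leases follow.
    Raises ValueError when the pool leaves the LAN subnet, which is what
    happens with start .100 and 190 users on a /24 (.100 + 190 > .254).
    """
    net = ipaddress.ip_network(lan_cidr, strict=False)
    first = net.network_address + start
    last = first + max_users - 1
    if first not in net or last not in net:
        raise ValueError(f"DHCP pool {first}-{last} does not fit in {net}")
    return first, last


def covered_by_allowed_ips(remote_lan: str, allowed_ips: Iterable[str]) -> bool:
    """True if the whole remote LAN sits inside one Allowed IPs entry.

    WireGuard only sends (and accepts) packets whose address is inside an
    AllowedIPs prefix for that peer, so a /21 LAN behind a /22 entry is
    only half reachable through the tunnel.
    """
    lan = ipaddress.ip_network(remote_lan, strict=False)
    return any(
        lan.subnet_of(ipaddress.ip_network(entry, strict=False))
        for entry in allowed_ips
    )


def lans_overlap(lan_a: str, lan_b: str) -> bool:
    """Site-to-site routing needs the two LANs to be distinct ranges."""
    a = ipaddress.ip_network(lan_a, strict=False)
    b = ipaddress.ip_network(lan_b, strict=False)
    return a.overlaps(b)
```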
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12836
Location: Netherlands

PostPosted: Tue May 31, 2022 11:40    Post subject:
Forgot to mention, the setting "Allow Clients full LAN access" is for VPN clients and technically in this setup you are connecting two subnets.

So if you want to connect to clients on the other subnet, the client's firewall must allow that other subnet.

Alternatively add:
iptables -t nat -I POSTROUTING -o br0 -s <ipaddress/subnet of other side> -j MASQUERADE

bushant
DD-WRT Guru


Joined: 18 Nov 2015
Posts: 2028

PostPosted: Tue May 31, 2022 17:39    Post subject:
Egads! I missed a lot.
That is why @egc makes the big 💲💲

TBH I quit looking when I saw the CVE problem.

That's my story and I'm sticking with it!