Posted: Thu Feb 16, 2023 12:44 Post subject: Wireguard client/server config
Hi all, as a few of you suggested Wireguard, I have decided to give it a try and move my VPN configuration to it. But I think something is wrong in the configuration, as I assumed many things which were not clear to me from the documentation.
Here is the scenario:
I have two routers, one in my place, a WRT1900ACSv2 and another one in another apartment, a WRT1200AC (we'll call them First Router and Second Router). Both of them were configured as OpenVPN client/server talking to each other, so that when I am in my place I could reach the Internet with Second Router IP and when I am in the other apartment I can reach the internet with First Router IP.
With OpenVPN everything works fine (I made a few posts in the past about this, sharing my configuration), but now with Wireguard I think I am doing something wrong, not exploiting the P2P functionalities.
I'll go into more detail now:
I have set two tunnels for each router, so that oet1 is the server tunnel and oet2 is the client tunnel. Basically Second Router uses its oet2 to connect to oet1 tunnel of First Router and First Router uses oet2 to connect to oet1 of Second Router. I DO THINK THIS IS NOT RIGHT! Am I correct?
Even if the configuration has too many tunnels, it works; the only thing is that I am experiencing a big packet loss (sometimes 20%!), while with OpenVPN I have 0% loss.
I have tried with other client against each server and the packet loss is still a problem.
I'll share two screenshots of my two routers configs, please let me know your thoughts.
Joined: 18 Mar 2014 Posts: 12837 Location: Netherlands
Posted: Thu Feb 16, 2023 12:50 Post subject:
With OpenVPN you do not use two tunnels either.
You can just use one tunnel.
I suggest you start new by deleting everything and just follow the WireGuard Server setup guide.
Amazing how complicated some people can make things.
WireGuard by design has no server or client side, but it needs one side which starts; that is the side we call "client", and it has an endpoint set to the "server" side.
Hi, I have read the WireGuard Server setup guide more than once, but, at least to me, it is not very clear, and there are steps and screenshots that differ from what I have on my build.
Now, I know that I could get things overcomplicated, I have said it myself in my post, but I guess this is the whole purpose of a forum, getting advice and sharing knowledge and own experiences.
Let’s forget about the double tunnel thing first: even after disabling one side of the connection I am still getting packet loss, so I assume there is something else wrong with the configuration. Do you see something suspicious?
Then if you have it handy, could you share the site-to-site config? Or at least what would you do; I don’t need one side's hosts to reach the other side's, I just need to let hosts access the internet with the opposite IP.
Posted: Thu Feb 16, 2023 14:17 Post subject:
Nightbridge wrote:
Hi, I have read the WireGuard Server setup guide more than once, but, at least to me, it is not very clear, and there are steps and screenshots that differ from what I have on my build.
Now, I know that I could get things overcomplicated, I have said it myself in my post, but I guess this is the whole purpose of a forum, getting advice and sharing knowledge and own experiences.
Let’s forget about the double tunnel thing first: even after disabling one side of the connection I am still getting packet loss, so I assume there is something else wrong with the configuration. Do you see something suspicious?
Then if you have it handy, could you share the site-to-site config? Or at least what would you do; I don’t need one side's hosts to reach the other side's, I just need to let hosts access the internet with the opposite IP.
Regards
If you just need to let one side route its internet via the other side, you need just one tunnel, set up according to the WireGuard Server setup guide; that is all.
Be sure to always get the latest guide as it is frequently updated.
Your problems can be caused by the second tunnel; otherwise look in the guide under troubleshooting, e.g.:
Quote:
MTU size problems (Connection, but hang, slow loading, no streaming media, no RDP, packet loss etc.)
No, both sides have IPv4 IPs. I tried MTU changes indeed, following the guide: I tried the IPv4 default of 1440, then I lowered it to 1420 and 1412. But unfortunately they have the same behaviour.
Posted: Thu Feb 16, 2023 14:35 Post subject:
Well, like I suggested earlier, just download the latest guide and start fresh.
After much tinkering a reset to defaults might even be necessary to clear out all the gremlins.
If both sides use IPv4 and have a public IPv4 WAN address (not a CGNAT IPv4 address) then usually an MTU of 1420 will work, but in rare cases I have seen MTUs between 1200 and 1280 being necessary.
I have actually upgraded both routers recently and reconfigured them from scratch. Apart from the MTU changes I haven't done much.
Yes, they both have public IPv4 IPs.
SFE was disabled straight away after I flashed with new versions as it was causing me issues with OpenVPN.
Can you please share what the router configuration would look like with one tunnel? I get confused when adding peers and how they need to be configured. Thanks.
Hi, yes, that is basically the config I have if you have a look at oet1 from First Router and oet2 from Second Router.
But how can I achieve that bi-directionally?
Posted: Thu Feb 16, 2023 16:17 Post subject:
Nightbridge wrote:
Hi, yes, that is basically the config I have if you have a look at oet1 from First Router and oet2 from Second Router.
But how can I achieve that bi-directionally?
But you stated:
Quote:
I don’t need one side's hosts to reach the other side's, I just need to let hosts access the internet with the opposite IP.
If you want bidirectional traffic you need a site-to-site setup.
In case of a site-to-site setup you do not enable NAT via tunnel on the client side and if you followed the guide then that actually already allows bidirectional traffic.
My advice: delete everything, start fresh and follow the guide.
You might need to tweak the MTU size for whatever reason.
Hi, I have done a fresh configuration and here it is, with only one tunnel per router. With this config though, if I disable "NAT via tunnel" I have no internet access.
I tried several values as MTU, but I am still experiencing some packet loss.
Some config specs of the two routers:
WRT1900ACS:
- It is the main router
- clients subnet: 192.168.1.0
- Tunnel IP Addresses / Netmask 10.4.1.2/24
WRT1200AC:
- It is a secondary router
- clients subnet: 192.168.3.0
- Tunnel IP Addresses / Netmask 10.4.1.1/24
Do you see something else that needs to be addressed in the config?
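The bidirectional "each site browses with the other site's public address" setup this thread keeps circling, written out as an added example in plain wg-quick(8) format rather than the DD-WRT GUI; it is not the thread's or the DD-WRT guide's own config, and it reuses only the subnets and tunnel addresses listed above. Keys, the first router's public address and the WAN interface name are placeholders; it assumes an iproute2 `ip` that understands `suppress_prefixlength` and that the FORWARD chain already permits traffic between the tunnel, LAN and WAN.

```ini
# --- First Router (WRT1900ACSv2): LAN 192.168.1.0/24, tunnel 10.4.1.2/24 ---
[Interface]
Address    = 10.4.1.2/24
ListenPort = 51820
PrivateKey = <FIRST_ROUTER_PRIVATE_KEY>   # placeholder, generate with: wg genkey
MTU        = 1420                         # lower it (1412 .. 1280) only if loss persists
Table      = off                          # no automatic 0.0.0.0/0 route; we add our own below
PostUp   = ip route add 192.168.3.0/24 dev %i      # remote LAN lives behind the tunnel
PostUp   = ip route add default dev %i table 100   # table 100: default into the tunnel
# Our LAN checks main first but ignores main's default route (suppress_prefixlength 0),
# so local and LAN-to-LAN traffic stays direct and only internet-bound traffic falls to
# table 100. Forwarded packets from 192.168.3.0/24 and the router's own encrypted UDP
# never match "from 192.168.1.0/24", so they use main and cannot loop back into wg.
PostUp   = ip rule add from 192.168.1.0/24 lookup main suppress_prefixlength 0 priority 100
PostUp   = ip rule add from 192.168.1.0/24 lookup 100 priority 101
# Traffic that arrived from the other site leaves our WAN with our public address.
PostUp   = iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -o <WAN_IF> -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -s 192.168.3.0/24 -o <WAN_IF> -j MASQUERADE
PostDown = ip rule del from 192.168.1.0/24 lookup 100 priority 101
PostDown = ip rule del from 192.168.1.0/24 lookup main suppress_prefixlength 0 priority 100
PostDown = ip route flush table 100

[Peer]
PublicKey  = <SECOND_ROUTER_PUBLIC_KEY>   # placeholder; no Endpoint: this side only listens
# Accept any source from this peer; what gets SENT into the tunnel is decided by the
# policy rules above, not by this list.
AllowedIPs = 0.0.0.0/0

# --- Second Router (WRT1200AC): LAN 192.168.3.0/24, tunnel 10.4.1.1/24 ---
[Interface]
Address    = 10.4.1.1/24
PrivateKey = <SECOND_ROUTER_PRIVATE_KEY>  # placeholder
MTU        = 1420
Table      = off
PostUp   = ip route add 192.168.1.0/24 dev %i
PostUp   = ip route add default dev %i table 100
PostUp   = ip rule add from 192.168.3.0/24 lookup main suppress_prefixlength 0 priority 100
PostUp   = ip rule add from 192.168.3.0/24 lookup 100 priority 101
PostUp   = iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o <WAN_IF> -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -s 192.168.1.0/24 -o <WAN_IF> -j MASQUERADE
PostDown = ip rule del from 192.168.3.0/24 lookup 100 priority 101
PostDown = ip rule del from 192.168.3.0/24 lookup main suppress_prefixlength 0 priority 100
PostDown = ip route flush table 100

[Peer]
PublicKey  = <FIRST_ROUTER_PUBLIC_KEY>    # placeholder
Endpoint   = <FIRST_ROUTER_PUBLIC_IP>:51820   # this side initiates the handshake
PersistentKeepalive = 25                  # keeps the UDP mapping alive through the WAN firewall
AllowedIPs = 0.0.0.0/0
```

Because each router's own traffic and the forwarded traffic from the other site take the main table, this is the one-tunnel, two-peer equivalent of the thread's double oet1/oet2 setup, and the symmetric "from LAN" rules are also what lets strict rp_filter accept the replies coming back over the tunnel.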
Hi, I am bringing this up as I haven't found a solution for the packet loss yet. Tried several MTU settings.
Does anyone see something wrong in the configurations?