WG Bidirectional flow

CodeName.Lobo (DD-WRT Novice, joined 31 Mar 2022, 10 posts)
Posted: Thu Apr 03, 2025 15:31    Post subject: WG Bidirectional flow
This is just the text; attached is a file with screenshots.

I saw a post asking for something like what I am trying to do, but there is no solution in the post. I already read the WG guides and made the tunnel as described in the Server guide; it is working except for the bidirectional part. The guidance is to go through the site-to-site section in the Advanced guide, however the guide is for 3 peers and this case is only 2. Also, the guide assumes both peers have a public IP; in this case only the server has one.

Going to start with the client that is “almost” working fine.

The WG client is a WRT32X router connected to 5G Internet (I do not know the public IP, but I assume it is behind CGNAT); configured as Gateway, no IPv6, no DDNS, no MAC Clone, all wireless disabled, all services disabled except for SSH daemon, Password login, Syslog & Telnet server, SPI firewall disabled, and all VPN passthrough disabled.

Running a traceroute from the client gives this:
• 192.168.12.9 is the DDWRT client
• 10.20.28.4 is the WG server side tunnel
• 192.168.76.1 is the gateway in the remote network (going out to the cable modem)
• After that it goes to the Internet

I know you can figure this out; I mention it just so that if I am wrong, you can let me know. This side is working fine: I can see the local computers and the remote computers and go out through the remote internet. This works both from the WG client via telnet and from my laptop connected to the WG client.

Well, I said at the beginning it works “almost” fine; the only issue is that the Endpoint Address cannot be resolved, it only works with the explicit public IP. (The DDNS for the domain is working fine; it can be resolved from the web browser.)


Now the server side; the router is behind another router that is behind the cable modem.
The reason is that my wife works from home and I cannot reboot the gateway every time I am testing the tunnel.

Not sure if it is relevant, but the Gateway is a WRT1200 running 53028 (I will update to 59887 after this tunnel works fine); the port forwarding is configured here. SPI is enabled with the other options at default and VPN passthrough disabled. The WAN is connected to a cable modem with a public IP; since this IP is dynamic, the DDNS service is also enabled.

The WG server is a WRT1900AC router; configured as Router, no IPv6, no DDNS, no MAC Clone, all wireless disabled, all services disabled except for SSH daemon, Password login, Syslog & Telnet server, SPI firewall disabled, and all VPN passthrough disabled.

From this side, I can see the local computers, the tunnel and the WG client (from both the WG server via telnet and another laptop connected to it); beyond that, I cannot see the remote computers nor get out through the remote internet.

The trace goes to the internet via the local gateway, not the remote one.

I already tried turning on Allow Clients WAN Access and Bypass LAN Same-Origin Policy on the WG client, but it does not work. I also tried adding the following rule to the client, but it does not work either. (It works on the server side though, with subnet 192.168.12.0/24 of course.)
Code:
iptables -t nat -A POSTROUTING -s 192.168.76.0/24 -o $(get_wanface) -j MASQUERADE

The current configuration just follows the guides; I removed all my “tries”. Thank you for the guides, they are very good.

My guess is that I have a rule/route missing on the client side that stops the traffic to the client subnet (except the client itself).

Any advice on how to allow access to the client subnet from the server subnet? (And to resolve the domain for the endpoint.)

Thank you to Brainslayer for this project and also to egc for his dedication to WG.

Attachment: Tunnel Help.pdf (349.02 KB)

egc (DD-WRT Guru, joined 18 Mar 2014, 13650 posts, Location: Netherlands)
Posted: Thu Apr 03, 2025 16:06
Both server and client appear to be set up on a Wireless Access Point (WAP), which complicates things.
Consider just using the routers as gateway routers instead of a WAP.

But for setting up on a WAP, see the WireGuard Advanced Setup guide for instructions.

Do not forget to set static routes on the main routers, not on the WireGuard routers.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
CodeName.Lobo (DD-WRT Novice, joined 31 Mar 2022, 10 posts)
Posted: Thu Apr 03, 2025 19:21
First off, thank you very much for your fast reply.

egc wrote:
Both server and client appear to be set up on a Wireless Access Point (WAP), which complicates things.
Consider just using the routers as gateway routers instead of a WAP.


Let me see if I am following you. When you say WAP, is it because it is behind the gateway?
If that is the case, yes, the server is, but not the client; the client is configured as gateway and is connected to the modem.

egc wrote:

But for setting up on a WAP, see the WireGuard Advanced Setup guide for instructions.


To make this configuration work as it is now, it took me almost 4 weeks of reading, reading and reading. The hard part to figure out was the MTU; since my phone works with 1440, I assumed that was correct.
So, before moving in another direction as suggested, I would like to ask one more specific question.

From the server side, I can reach the IP 192.168.12.9 and see the DD-WRT webUI. However, I cannot reach further into that subnet, for example 192.168.12.2, which is the laptop.

I am not able to fully understand the following routes, so my question is: what is the route/rule that is stopping me from reaching 192.168.12.0/24?

Code:
0.0.0.0/1 dev oet1 scope link
default via 192.168.12.1 dev br0
10.20.28.0/24 dev oet1 scope link src 10.20.28.9
127.0.0.0/8 dev lo scope link
128.0.0.0/1 dev oet1 scope link
192.168.12.0/24 dev br0 scope link src 192.168.12.9
192.168.76.0/24 dev oet1 scope link


Last edited by CodeName.Lobo on Sun Apr 06, 2025 22:40; edited 1 time in total
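A longest-prefix-match simulation over the routing table posted above, added here as an example and not taken from the thread: it shows which entry the client's kernel picks for each destination (192.168.12.2 is reached directly over br0, so this table itself does not block that subnet) and that `default via 192.168.12.1 dev br0` is completely shadowed by the two /1 entries on oet1, so every destination that is not a directly connected subnet enters the tunnel. The function names and the `ipaddress`-based parser are this example's own.

```python
import ipaddress

# Constructed copy of the "ip route show" output the WG client posted above.
CLIENT_ROUTES = """\
0.0.0.0/1 dev oet1 scope link
default via 192.168.12.1 dev br0
10.20.28.0/24 dev oet1 scope link src 10.20.28.9
127.0.0.0/8 dev lo scope link
128.0.0.0/1 dev oet1 scope link
192.168.12.0/24 dev br0 scope link src 192.168.12.9
192.168.76.0/24 dev oet1 scope link
"""

def parse_routes(text=CLIENT_ROUTES):
    """Turn 'ip route show' lines into (network, dev, via) tuples."""
    routes = []
    for f in (line.split() for line in text.splitlines() if line.strip()):
        net = ipaddress.ip_network("0.0.0.0/0" if f[0] == "default" else f[0], strict=False)
        dev = f[f.index("dev") + 1] if "dev" in f else None
        via = f[f.index("via") + 1] if "via" in f else None
        routes.append((net, dev, via))
    return routes

def lookup(dst, routes=None):
    """Longest-prefix match as the kernel does it: the (prefix, dev, via) chosen for dst."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in (routes or parse_routes()) if addr in r[0]]
    best = max(hits, key=lambda r: r[0].prefixlen, default=None)
    return None if best is None else (str(best[0]), best[1], best[2])

def shadowed_routes(routes=None):
    """Routes that can never win a lookup because longer prefixes cover them completely."""
    routes = routes or parse_routes()
    shadowed = []
    for net, _, _ in routes:
        remaining = [net]               # parts of net not yet covered by a longer prefix
        for other, _, _ in routes:
            if other.prefixlen <= net.prefixlen or not other.subnet_of(net):
                continue
            pieces = []
            for x in remaining:
                if x.subnet_of(other):
                    continue            # x lies entirely inside the more specific route
                pieces.extend(x.address_exclude(other) if other.subnet_of(x) else [x])
            remaining = pieces
        if not remaining:
            shadowed.append(str(net))
    return shadowed
```

Running `shadowed_routes()` on this table returns only the default route, which is why the client's Internet traffic leaves through the tunnel rather than through 192.168.12.1.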
egc (DD-WRT Guru, joined 18 Mar 2014, 13650 posts, Location: Netherlands)
Posted: Fri Apr 04, 2025 9:07
From your PDF it seems both server and client have their WAN disabled, with the router in the same subnet as the main router and DHCP and DNS off; this means that both are set up as a WAP.

See the instructions in the Advanced Setup guide.

CodeName.Lobo (DD-WRT Novice, joined 31 Mar 2022, 10 posts)
Posted: Mon Apr 07, 2025 15:35
Good morning,

In order to follow the suggestion, for the client I took a WRT1200 running 53028, factory reset it in the webUI, then installed 59887; once running 59887, I factory reset it again in the webUI and then started from scratch.

The very first time, the tunnel connected to the server; after a reboot it stopped working. After a while I noticed that the Interface Public Key had changed. I thought that somehow I had regenerated it by mistake, so I factory reset it again in the webUI and started again from scratch.

Same behavior: it connected the first time and stopped after a reboot, and the Interface Public Key changed. This time I know I did not hit Generate Key by mistake.

Via telnet I see the Interface Private Key does not change, but the Interface Public Key does after restarting the tunnel with the shell script (see attachment please). Hence, the server refuses the connection due to a wrong key. As the test shows, it generates the correct key at random, but even so it does not connect after the first time.

Any idea on what is happening? Thank you again for your help.

Attachment: Dynamic key.pdf (364.45 KB)

egc (DD-WRT Guru, joined 18 Mar 2014, 13650 posts, Location: Netherlands)
Posted: Mon Apr 07, 2025 16:59
Regarding the WireGuard interface, the public key is always calculated from the private key with:
Code:
nvram get oet1_private | wg pubkey
So if the private key does not change, the public key should not change either.

The public key is just shown for convenience, the keys used by WireGuard itself can be seen with:
Code:
wg show oet1
wg showconf oet1


This is not to be confused with the peer key, e.g. oet1_peerkey0; this is the public key of the server and is just fixed in the config.

CodeName.Lobo (DD-WRT Novice, joined 31 Mar 2022, 10 posts)
Posted: Tue Apr 08, 2025 18:13
Please see attachment, same behavior with the commands suggested.

Attachment: Keys.pdf (259.02 KB)

egc (DD-WRT Guru, joined 18 Mar 2014, 13650 posts, Location: Netherlands)
Posted: Wed Apr 09, 2025 14:37
DDWRT only stores the private key in its nvram.

WireGuard itself, with the "wg pubkey" command, calculates the public key with its built-in curve25519.

What you show is that this produces random outputs with the same private key, which is hard to imagine as this code has not been updated, and of course if this produced random output then more reports would have surfaced.

Of course it could be wrong only on your router, but that is also hard to imagine.

The only logical conclusion is that the private key is changing, so please double check with a compare/diff that the private key is exactly the same as shown with "wg show oet1"; if it changes just one character you will have a different public key.

If the private key does not change but you see different public keys calculated from it, I do not have an explanation, especially as you are the only one having problems.

CodeName.Lobo (DD-WRT Novice, joined 31 Mar 2022, 10 posts)
Posted: Wed Apr 09, 2025 20:40

Good afternoon.

Thank you Master for your time and help in this matter.

My final word is that MY WRT1200 does not work (only this one, not all!). I did a lot of tests, reflashing, restoring and reconfiguring by hand and with files, all resulting in the same behavior. Then I went back to the WRT32X, flashed with the same version and same configuration files, and it worked at the very first time.

Once the tunnel was up, I followed the WAP configuration. I found that the problem was not the routes but the iptables. With so much reading back and forth, I was confusing the POSTROUTING rule in the server configuration and the WAP configuration. (I thought it was the same thing.)

Well, that made the bidirectional flow work, except for the internet. It only goes out FROM the server side. I cannot put an Allowed IP 0.0.0.0/1 on the server side because it triggers an error. My guess is that I need to start by removing the Allowed IP 0.0.0.0/1 from the client, since it will create a loop trying to go out from the client side.

The Advanced Setup guide mentions that after build 56490 a PREROUTING rule must be deleted; however, I do not see that rule in the raw table:

Chain PREROUTING (policy ACCEPT 138K packets, 135M bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 11331 packets, 8585K bytes)
pkts bytes target prot opt in out source destination

At this point the server goes to the Internet through the cable modem and the client through the 5G. Also, both subnets can see and communicate with each other.
egc (DD-WRT Guru, joined 18 Mar 2014, 13650 posts, Location: Netherlands)
Posted: Thu Apr 10, 2025 7:36
Please post for both routers:
Screenshots of the Settings page and the WireGuard page (whole pages)
Output of:
Code:
wg
ip route show

Did you set static routes on the main routers? If so, also post this output from both main routers:
Code:
ip route show

CodeName.Lobo (DD-WRT Novice, joined 31 Mar 2022, 10 posts)
Posted: Sat Apr 12, 2025 16:51
Please find it attached.

Attachment: WAP server.pdf (1.13 MB)

egc (DD-WRT Guru, joined 18 Mar 2014, 13650 posts, Location: Netherlands)
Posted: Sun Apr 13, 2025 7:14
The server side looks OK, but to be able to connect from a client connected on the server side you have to set a static route on the main router, e.g.:
Code:
ip route add 192.168.1.0/24 via 192.168.76.4


If you also want to be able to connect to the client-side clients on the 5G main router's subnet, then you have to add that subnet to the Allowed IPs, so add 192.168.12.0/24,
and you also have to set an extra static route on the main router, e.g.:
Code:
ip route add 192.168.12.0/24 via 192.168.76.4


If you cannot set static routes on the main router, then you cannot set up as a WAP.

The client side is set up as a normal router instead of a WAP, which is fine if you want this, but DHCP is off, so are there no clients connected to the router or do you use static IP addresses?
Furthermore, Gateway and Local DNS should be kept at their default 0.0.0.0 (so change Local DNS) and add as Static DNS 1: 9.9.9.9 and as Static DNS 2: 1.0.0.1.
Reboot afterwards; then you will have a normal gateway router and not a WAP.

Change the Allowed IPs slightly to allow other WG clients on your WG server to be able to connect, so change 10.20.28.4/32 to 10.20.28.0/24.

Otherwise it looks fine, and you should be able to connect from clients attached to your WRT32X to the server side.

CodeName.Lobo (DD-WRT Novice, joined 31 Mar 2022, 10 posts)
Posted: Wed May 28, 2025 17:12    Post subject: [Solved]
The replies in this post pointed to the right configuration for the bidirectional flow; however, Internet access on the CLIENT side from the SERVER could only be achieved by adding the specific IP address for the site in the Allowed IPs on the server side.