
UDM Wireguard server to UDM WG client

Open rradkov opened this issue 4 years ago • 4 comments

Hello, I have a strange problem with my setup. So I have two locations with UDMs. In the UDM the network is created 192.168.140.0/24 without DHCP, the firewall rule to forward port 51820 to WG server is created. Wireguard server with the following setup:

```ini
[Interface]
Address = 192.168.140.1
PrivateKey = XXXXXXXXXXX
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = YYYY
AllowedIps = 192.168.140.2/32
```

The second UDM - client config:

```ini
[Interface]
Address = 192.168.140.2/32
ListenPort = 21841
PrivateKey = ZZZZ

[Peer]
PublicKey = YYYY
Endpoint = myIp:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
```

The tunnel is up, but then the second location doesn't have any internet. Do I need to add routing to the WG client config? If I connect my phone with the same setup, my phone has internet and all of the traffic is routed via the WG server. Any help will be appreciated!

rradkov avatar Jul 25 '21 22:07 rradkov

Hi @rradkov,

Are you still having this issue? The problem is how the routing is set up on the UDM because it's a router. You can't just override the default route (AllowedIPs = 0.0.0.0/0). You also need to add an explicit route to the VPN endpoint via your WAN, and a masquerade rule for the tunnel, so clients can use the tunnel too.

Do you want every client to go through the tunnel, or do you want to be selective?

peacey avatar Nov 08 '21 23:11 peacey

Hey, I know I'm asking a lot, but is anyone aware of a tutorial? I need to set up a WG site-to-site between two UDM PRO (or one Raspberry Pi > UDM PRO). No clue how to set up a route to the VPN endpoint and the masquerade rule ....

What I'm hoping to accomplish: UDM PRO 2 to connect one VLAN (inside the UDM PRO 2) and send all the traffic to the UDM PRO 1 so the clients in this specific VLAN all get an IP from the UDM PRO 1 (hope that makes sense?).

lowrisk75 avatar Feb 11 '22 18:02 lowrisk75

Hi @lowrisk75,

Basically you set up a wireguard server on UDM 1. On UDM 2, you set up wireguard as a client. Then you add policy-based routing rules on UDM 2 to route your VLAN's Internet through the tunnel.

There is a script called split-vpn that takes care of adding those policy rules and other steps. You can use it to set up wireguard as a client on UDM 2 and then configure it to force a VLAN through the tunnel really easily.

That script also works with the built-in site-to-site, so you don't have to even use wireguard unless you specifically want to use wireguard instead of the built-in site-to-site (which is fair, wireguard might be faster or have other advantages).

peacey avatar Feb 11 '22 19:02 peacey
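The three pieces peacey lists above (an explicit route to the VPN endpoint via the WAN, a masquerade rule on the tunnel, and policy-based routing for one VLAN on UDM 2) as an added example script; this is not the split-vpn script and not code from any commenter. Interface names, the WAN gateway, the endpoint address, the VLAN subnet, the table number and the rule priorities are all assumed placeholders, and the script only prints the commands unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example (not the split-vpn script, not from any commenter):
# the manual routing steps for running WireGuard as a *client* on a
# router such as UDM 2, where "AllowedIPs = 0.0.0.0/0" alone breaks
# Internet access. Every value below is a constructed placeholder.
WAN_IF="${WAN_IF:-eth8}"                  # WAN interface name (assumption)
WAN_GW="${WAN_GW:-203.0.113.1}"           # WAN next hop (documentation range)
WG_IF="${WG_IF:-wg0}"                     # tunnel interface
ENDPOINT="${ENDPOINT:-198.51.100.10}"     # public IP of the WireGuard server
VLAN_NET="${VLAN_NET:-192.168.50.0/24}"   # VLAN on UDM 2 to force through the tunnel
LAN_NETS="${LAN_NETS:-192.168.0.0/16}"    # local networks that must stay off the tunnel
TABLE="${TABLE:-100}"                     # dedicated routing table for tunnel traffic
DRY_RUN="${DRY_RUN:-1}"                   # 1 = print commands, 0 = execute them (root)

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# 1. Pin the tunnel endpoint to the WAN path. Without this, once 0.0.0.0/0
#    points into the tunnel the encrypted packets themselves would be routed
#    into wg0 and the tunnel would swallow its own transport.
endpoint_route() { run ip route add "$ENDPOINT/32" via "$WAN_GW" dev "$WAN_IF"; }

# 2. Policy-based routing: only the chosen VLAN consults table $TABLE, whose
#    sole route is the tunnel. The main table (and every other VLAN) keeps
#    its normal default route via the WAN; local destinations stay local.
policy_routes() {
  run ip route add default dev "$WG_IF" table "$TABLE"
  run ip rule add from "$VLAN_NET" to "$LAN_NETS" lookup main priority 999
  run ip rule add from "$VLAN_NET" lookup "$TABLE" priority 1000
}

# 3. Masquerade on the tunnel: the server only accepts 192.168.140.2/32 from
#    this peer (its AllowedIPs), so VLAN sources must be rewritten to the
#    tunnel address before they leave wg0.
masquerade() { run iptables -t nat -A POSTROUTING -o "$WG_IF" -j MASQUERADE; }

apply() { endpoint_route; policy_routes; masquerade; }

teardown() {
  run iptables -t nat -D POSTROUTING -o "$WG_IF" -j MASQUERADE
  run ip rule del from "$VLAN_NET" lookup "$TABLE" priority 1000
  run ip rule del from "$VLAN_NET" to "$LAN_NETS" lookup main priority 999
  run ip route flush table "$TABLE"
  run ip route del "$ENDPOINT/32" via "$WAN_GW" dev "$WAN_IF"
}

case "${1:-}" in down) teardown ;; *) apply ;; esac
```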

Thanks a lot, I'll try this (I think L2TP is way too slow). I'm gonna set up wireguard as advised, thanks again!

lowrisk75 avatar Feb 11 '22 20:02 lowrisk75