Hello! I’ve struggled long enough trying (and failing) to successfully set up a Site-to-Site VPN with WireGuard on two ASUS routers and decided to ask for help.
GOAL: To connect the two networks together via WireGuard S2S VPN so that any client on either network can connect to any client on the other network. In other words, I’d like these two LANs to function as one larger LAN. Ultimately, I want LAN1 clients to be able to do offsite backups to LAN2 NAS and LAN2 clients to be able to do offsite backups to LAN1 NAS.
- I also want all devices to route internet traffic via their local ISP
Below is a diagram of my current setup and config:
Thanks in advance!
UPDATE 2024-04-15:
Revised settings below:
- With this, I’m able to ping LAN 2’s router (10.20.0.1) from LAN 1 successfully; however, I’m unable to ping any other LAN 2 devices from LAN 1.
- I’m unable to ping any LAN 1 devices from LAN 2 including LAN 1’s router (10.10.0.1).
Set each router’s AllowedIPs for the other router peer to the other router’s Address and the /24 of its LAN subnet.
Also set the peer endpoint to that peer’s DDNS host name.
Just wanted to provide an update to say that I FINALLY figured it out.
There are 2 key things that the ASUS guide doesn’t mention:
- The client side setup MUST have the VPN connection set as the default connection
- To prevent all traffic from the client side being routed through the tunnel, you have to change the Allowed IPs (client) from 0.0.0.0/0 to the server’s tunnel IP (ex: 10.6.0.1/32) AND the server’s LAN IP pool (ex: 10.10.0.0/24).
You may need to add entries to the routing tables on each router to tell them to route requests for the other LAN via the WireGuard interface.
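The advice in the last few replies (set each peer’s AllowedIPs to the other router’s tunnel address plus its LAN /24, never 0.0.0.0/0 on a site-to-site peer, and add the LAN route on routers whose UI does not derive it) is easy to get subtly wrong, because in WireGuard AllowedIPs is both the route selector and the cryptokey ACL for that peer. The script below is an added example, not code from the thread or from ASUS: it renders a wg-quick style config for each of the two routers from the thread’s addressing (LAN1 10.10.0.0/24, LAN2 10.20.0.0/24, server tunnel address 10.6.0.1), checks a proposed AllowedIPs list for the mistakes discussed above, and shows which peer (or the local ISP) a given destination would be sent to. The second router’s tunnel address 10.6.0.2, the DDNS names site1.example.net / site2.example.net, the port 51820 and the placeholder keys are assumptions; the 80-byte WireGuard overhead used for the MTU is the value wg-quick’s default of 1420 is derived from.

```python
"""WireGuard site-to-site helper: render both routers' configs and sanity-check AllowedIPs.
Added example for the thread above; addresses/names marked below are assumptions."""
import ipaddress
from dataclasses import dataclass

# Outer IPv6 header (40) + UDP (8) + WireGuard data header (32). Conservative, so it also
# covers an IPv4 underlay; 1500 - 80 is where wg-quick's default MTU of 1420 comes from.
WG_OVERHEAD = 80


@dataclass(frozen=True)
class Site:
    name: str
    tunnel_ip: str            # this router's address inside the tunnel
    lan: str                  # LAN behind this router
    endpoint: str             # "ddns-host:port" the other router dials
    public_key: str           # from `wg genkey | wg pubkey`; placeholders here
    underlay_mtu: int = 1500  # WAN MTU (1492 on PPPoE)


# Thread values, plus assumed: site2 tunnel address, DDNS names, port, keys.
SITE1 = Site("site1", "10.6.0.1", "10.10.0.0/24", "site1.example.net:51820", "<site1 pubkey>")
SITE2 = Site("site2", "10.6.0.2", "10.20.0.0/24", "site2.example.net:51820", "<site2 pubkey>")


def peer_allowed_ips(remote: Site) -> list[str]:
    """AllowedIPs for the [Peer] entry describing `remote`: its tunnel address and its LAN,
    nothing more. AllowedIPs routes traffic *into* the tunnel and also decides which
    source addresses are accepted *from* that peer, so 0.0.0.0/0 would both hijack the
    default route and accept anything the peer sends."""
    return [f"{remote.tunnel_ip}/32", str(ipaddress.ip_network(remote.lan))]


def tunnel_mtu(site: Site) -> int:
    """Largest tunnel MTU that never fragments on this site's WAN."""
    return site.underlay_mtu - WG_OVERHEAD


def render(local: Site, remote: Site, private_key: str = "<private key>") -> str:
    """wg-quick style config for `local` with a single peer for `remote` (tunnel assumed /24)."""
    listen_port = local.endpoint.rsplit(":", 1)[1]
    return "\n".join([
        "[Interface]",
        f"Address = {local.tunnel_ip}/24",
        f"ListenPort = {listen_port}",
        f"PrivateKey = {private_key}",
        f"MTU = {tunnel_mtu(local)}",
        f"# wg-quick adds the route to {remote.lan} from AllowedIPs itself; on a router UI that",
        f"# does not, the equivalent command is: ip route replace {remote.lan} dev wg0",
        "",
        "[Peer]",
        f"PublicKey = {remote.public_key}",
        f"Endpoint = {remote.endpoint}",
        f"AllowedIPs = {', '.join(peer_allowed_ips(remote))}",
        "PersistentKeepalive = 25",
        "",
    ])


def check(local: Site, remote: Site, allowed: list[str], mtu: int) -> list[str]:
    """Return the problems a proposed AllowedIPs list and tunnel MTU would cause on `local`."""
    problems = []
    nets = [ipaddress.ip_network(a) for a in allowed]
    if any(n.prefixlen == 0 for n in nets):
        problems.append("AllowedIPs contains 0.0.0.0/0: every non-local destination, "
                        "internet included, would be sent through the tunnel")
    if ipaddress.ip_network(local.lan).overlaps(ipaddress.ip_network(remote.lan)):
        problems.append("LAN subnets overlap: hosts cannot be told apart without NAT")
    if not any(ipaddress.ip_address(remote.tunnel_ip) in n for n in nets):
        problems.append(f"remote tunnel address {remote.tunnel_ip} not in AllowedIPs: "
                        "its packets are dropped on arrival")
    if not any(ipaddress.ip_network(remote.lan).subnet_of(n) for n in nets):
        problems.append(f"remote LAN {remote.lan} not covered by AllowedIPs: "
                        "traffic to and from it is dropped")
    if mtu > tunnel_mtu(local):
        problems.append(f"tunnel MTU {mtu} exceeds {tunnel_mtu(local)}: large packets "
                        "fragment or vanish and TCP sessions stall")
    return problems


def next_hop(local: Site, peers: dict[str, list[str]], dst: str) -> str:
    """Longest-prefix match over every peer's AllowedIPs, as the kernel does.
    Returns the peer name, 'local-lan' for our own LAN, or 'isp' for the default route."""
    addr = ipaddress.ip_address(dst)
    if addr in ipaddress.ip_network(local.lan):
        return "local-lan"
    best, best_len = "isp", -1
    for name, nets in peers.items():
        for net in map(ipaddress.ip_network, nets):
            if addr in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best


if __name__ == "__main__":
    print(render(SITE1, SITE2))
    print(render(SITE2, SITE1))
    good = peer_allowed_ips(SITE2)
    print("good config:", check(SITE1, SITE2, good, tunnel_mtu(SITE1)))
    print("0.0.0.0/0 + MTU 1500:", check(SITE1, SITE2, ["0.0.0.0/0"], 1500))
    for dst in ("10.20.0.50", "10.6.0.2", "10.10.0.7", "203.0.113.10"):
        print(dst, next_hop(SITE1, {"site2": good}, dst), next_hop(SITE1, {"site2": ["0.0.0.0/0"]}, dst))
```

The `next_hop` calls at the end make the difference concrete: with the recommended AllowedIPs, 203.0.113.10 (a documentation address standing in for an internet host) goes to the local ISP and only 10.20.0.0/24 and 10.6.0.2 enter the tunnel; with 0.0.0.0/0 everything except the local LAN does. `check` treats each peer on its own because AllowedIPs is defined per peer, not per “server” or “client”, and it reports a configured MTU above the underlay’s budget because that failure shows up as unreliable TCP rather than as an error.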
I don’t know what routers you have from those UI screenshots. The differentiation between server and peer allowed IPs is puzzling. In the WireGuard protocol the AllowedIPs are defined only per-peer.
Thanks u/gfunkdave! I’ve added an updated screenshot to the main post along with current status:
- With this, I’m able to ping LAN 2’s router (10.20.0.1) from LAN 1 successfully; however, I’m unable to ping any other LAN 2 devices from LAN 1.
- I’m unable to ping any LAN 1 devices from LAN 2 including LAN 1’s router (10.10.0.1).
u/TheLegendary87, how do you make the Client side connection default? I can’t find such a setting anywhere.
Give me an idea where to look to figure it out.
To get to this point, I started by following ASUS’s WireGuard guide for setting up Site-to-Site VPN here, specifically following “Scenario 3: Two-way communication.”
FWIW, I successfully set up a S2S IPsec VPN years ago between the two; I’m not sure if it was the “correct” way, but I set up a server on each router and then a client on each router, with each client connecting to the opposite server.
In the ASUS WireGuard S2S guide above, you only set up the server on one router, and the client on the other and, per the guide, this enables two-way comms. I certainly don’t expect WireGuard setup to be the same as what I did previously via IPsec, but I’m surprised by how tricky this has been (perhaps it’s just ASUS’s implementation of it).
Asus seems to have a really wonky implementation. You also need to turn off that NAT slider.
And it seems the client allowed IPs should all be 0.0.0.0/0 and the server ones should be the other router’s WireGuard IP and LAN subnet. Reread item 3 in that article you linked and make sure you’re doing everything it says.
Cool, thanks. I figured out that my problem was with too high an MTU, which made TCP connections unreliable. Since the MTU has been corrected, everything has worked smoothly with only one WireGuard connection from the ASUS ZenWiFi router to my Linux-based server.
I originally followed that guide exactly (and just set it up that way again to ensure I’m not going crazy) and still have these issues:
- I’m able to ping LAN 2’s router (10.20.0.1) from LAN 1 successfully; however, I’m unable to ping any other LAN 2 devices from LAN 1.
- I’m unable to ping any LAN 1 devices from LAN 2 including LAN 1’s router (10.10.0.1).
FWIW, here’s what the routing tables look like after following the ASUS guide: https://imgur.com/a/aTWkc3V