Site to site vpn between 2 raspberry pi's - how to route traffic?

I have been trying to set up 2 Raspberry Pi’s in a site-to-site split tunnel VPN configuration. I started out with PiVPN, fairly easily set up a couple of working ‘road warrior’ VPN connections, then tried to progress to a site-to-site VPN and struck out completely with PiVPN. After giving up on PiVPN and instead following the https://www.wireguard.com/quickstart/ side-by-side video, however, I was able to establish a basic site-to-site VPN. The current status I have is I can ping the 10.x.x.x IP addresses of the connected clients on each end of the tunnel, from either side via a Raspberry Pi terminal session - but I can’t ping remote network addresses from the same terminal session. Can someone point me at how I would do that?

Config:

                            Local                                Remote
Network                     192.168.0.1/24                       192.168.1.1/24
Raspberry Pi w/Wireguard    192.168.0.2                          192.168.1.2
Pi wired interface          eth0                                 eth0
Pi wireguard interface      wg0                                  wg1
Wireguard IP                10.0.0.1                             10.0.0.2
Allowed IP’s                10.0.0.1/32, 192.168.1.0/24          10.0.0.2/32, 192.168.0.0/24
IP-4 route                  192.168.1.0/24 dev wg0 scope link    not set up
Forwarding                  inet wg0 forwarding on rp_filter off mc_forwarding off proxy_neigh off ignore_routes_with_linkdown off
iptables                    iptables -A FORWARD -i wg0 -j ACCEPT

I don’t know much about Linux (I have just about figured out that ‘sudo’ means “pretty please”, but I still keep forgetting to ask nicely). And I’m intermediate at networking skills… I might have figured some of this out in a windows context, but throw in Linux and i’m basically lost!

Both sites are behind ASUS routers, and (if I get that far) I am hoping that adding a static route on the routers to direct traffic to the remote networks via the Raspberry Pi’s like this would complete the picture…, i.e. Setup → LAN → Route ‘Enable Static Routes’ = Yes,

Local network: Network: 192.168.1.0 Netmask: 255.255.255.0 Gateway 192.168.0.2 Metric 1 Interface LAN

Remote Network: Network: 192.168.0.0 Netmask: 255.255.255.0 Gateway 192.168.1.2 Metric 1 Interface LAN

LOCAL WG OUTPUT

interface: wg0
  public key: (hidden)
  private key: (hidden)
  listening port: 41579

peer: (hidden)
  endpoint: xxx.xxx.xxx.xxx:42566
  allowed ips: 10.0.0.1/32, 192.168.1.0/24
  latest handshake: 50 minutes, 30 seconds ago
  transfer: 2.82 KiB received, 5.04 KiB sent

REMOTE WG OUTPUT

interface: wg1
  public key: (hidden)
  private key: (hidden)
  listening port: 42566

peer: (hidden)
  endpoint: xxx.xxx.xxx.xxx:41579
  allowed ips: 10.0.0.2/32, 192.168.0.0/24
  latest handshake: 52 minutes, 15 seconds ago
  transfer: 11.44 KiB received, 9.52 KiB sent

Any tips appreciated! Thanks :slight_smile:

In any site-to-site setup you must think about the routing of all the devices, not just the two ends of the VPN. Consider the route tables on every single device between a computer at each site. Does every device have a route that will permit forwarding to another device that will get the packet closer to the destination? Also you must think about this bidirectionally. Are there routes that forward the packets correctly to return?

Start simple. Try doing a traceroute from a device on one of the networks to an address on the remote network.

Anyway the obvious solution is probably to add a static route on your routers 192.168.0.1, and 192.168.1.1, though if these are basic home/small office routers you may not have that option. In that case things get a lot more complicated.

post so I remember to check on this too :slight_smile:

I do know openwrt can run as a wireguard server and client

and FYI, openwrt on a rpi4 works just great

I think you’ve got the AllowedIPs wrong on both sides WRT the tunnel IPs. Both are set to only route their own 10.0.0.x IPs down the tunnel, which is pointless.

On 10.0.0.1, try AllowedIPs = 10.0.0.2/30, 192.168.1.0/24

On 10.0.0.2, try AllowedIPs = 10.0.0.1/30, 192.168.0.0/24

Thanks, the static route was already in place

ASUS RT-AC87U Setup → LAN → Route ‘Enable Static Routes’ = Yes,

Network: 192.168.1.0 Netmask: 255.255.255.0 Gateway 192.168.0.2 Metric 1 Interface LAN

…I am not sure what I did now, but it seems to be working with some lag/packet loss…

There might be some remaining stuff from PiVPN causing problems, since I get two ‘Too few arguments’ messages when I do a wg-quick up on the local Pi:

sudo wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.0.0.2/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
Too few arguments.
Too few arguments.
[#] ip -4 route add 192.168.1.0/24 dev wg0
[#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Traceroute from a device on the local network with no Wireguard client software installed is now reaching IP addresses on the other side, giving (retyping/paraphrasing since I’m too lazy to grab the text from my Android):

Trace to 192.168.1.1
1  192.168.0.1  router.local
2  192.168.0.2  pivpn.local (Loss 1/5 25%)
3  -
4  -
5  192.168.1.1  (Avg 908ms)

…so I have signs of life, but its still not quite right!

The reason I am trying the Pi route is specifically to offload VPN from the ASUS routers! After an upgrade from 100 Mbps to Gigabit fiber, my RT-AC88U at the home location, and my RT-AC87U at the remote location, could not keep up. I was seeing significant packet loss (on ALL network connections, not just over VPN), and a 15% constant CPU load from the OpenVPN service, peaking to 100% every 30 seconds or so.
Offloading the VPN onto the Raspberry Pi’s has given me back a stable 980 Mbps internet connection - the next step is to see how Wireguard and the Raspberry Pi’s perform on their separate VPN duty.
So far Wireguard seems very fast and lightweight, and feels a lot faster than the router-based OVPN. (I have 2 HD video cameras at the remote location; the most notable effect is less lag from issuing PTZ commands to seeing the camera move.)

This. The AllowedIPs = refer to the outgoing traffic you want routed over the tunnel.
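The AllowedIPs point made in this reply and in the earlier suggestion of `10.0.0.x/30, 192.168.y.0/24`, as an added example that is not from the thread: a small Python model of WireGuard's cryptokey routing table, which also covers the inbound direction (a decrypted packet's source address must map back to the peer it arrived from), something the thread does not spell out. The peer names, the `demo()` helper and the sample tables are constructed for illustration.

```python
import ipaddress
from typing import Dict, List, Optional

IPv4Net = ipaddress.IPv4Network
PeerTable = Dict[str, List[str]]   # peer name -> that peer's AllowedIPs


def build_allowed_ips(peer_tunnel_ip: str, remote_lans: List[str]) -> List[str]:
    """AllowedIPs for a site-to-site peer: the peer's own tunnel address as a
    host route, plus every LAN that sits behind that peer (wg-quick turns each
    entry into an 'ip -4 route add <net> dev wg0', as in the thread's output)."""
    nets = [IPv4Net(peer_tunnel_ip + "/32")]
    nets += [IPv4Net(lan, strict=False) for lan in remote_lans]
    return [str(n) for n in nets]


def select_peer(peers: PeerTable, dst: str) -> Optional[str]:
    """Outbound lookup: longest-prefix match of the destination against all
    peers' AllowedIPs. No match means the packet is never sent down wg0."""
    addr = ipaddress.IPv4Address(dst)
    best_len, best_peer = -1, None
    for name, cidrs in peers.items():
        for cidr in cidrs:
            net = IPv4Net(cidr, strict=False)
            if addr in net and net.prefixlen > best_len:
                best_len, best_peer = net.prefixlen, name
    return best_peer


def accept_inbound(peers: PeerTable, from_peer: str, src: str) -> bool:
    """Inbound check: a decrypted packet is kept only if its source address
    maps back to the peer it came from; anything else is silently dropped."""
    return select_peer(peers, src) == from_peer


def demo() -> dict:
    # Constructed tables as seen from the local Pi (tunnel 10.0.0.1, LAN
    # 192.168.0.0/24), whose only peer is the remote Pi (10.0.0.2, LAN 192.168.1.0/24).
    self_listed = {"remote-pi": ["10.0.0.1/32", "192.168.1.0/24"]}   # lists our own tunnel IP
    fixed = {"remote-pi": build_allowed_ips("10.0.0.2", ["192.168.1.0/24"])}
    return {
        "peer_tunnel_self_listed": select_peer(self_listed, "10.0.0.2"),
        "peer_tunnel_fixed": select_peer(fixed, "10.0.0.2"),
        "remote_lan_host": select_peer(fixed, "192.168.1.50"),
        "local_lan_host": select_peer(fixed, "192.168.0.10"),
        "inbound_from_remote_lan": accept_inbound(fixed, "remote-pi", "192.168.1.50"),
        "inbound_claiming_local_lan": accept_inbound(fixed, "remote-pi", "192.168.0.10"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows that a peer entry listing the Pi's own tunnel address gives no match for the peer's address, while the corrected entry routes both the peer's tunnel IP and its LAN, keeps the local LAN off the tunnel, and rejects inbound packets that claim a local LAN source.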

Which openwrt are you running on the pi’s?

Wulfy23’s builds have been quite stable for me.