
Connecting to Local Computers with Wireguard on EdgeRouter

AeglosGreeenleaf

I have been setting up a Wireguard VPN network to access computers on a local network. The LAN I need access to is created by an EdgeRouter X (v1.10.9) whose WAN connection is provided by a larger network which I cannot port forward or control. To circumvent this, I set up a remote server (VPS/Droplet) running Wireguard, and plan on connecting both the EdgeRouter and remote clients to that.

I am able to connect both the EdgeRouter and remote client (my laptop) to the server successfully, but cannot access the computers behind the router. I have been roughly following this guide: https://gist.github.com/insdavm/b1034635ab23b8839bf957aa406b5e39

Looking at my configuration below, what do I need to change? My local network is 10.10.1.1 and my VPN is 10.10.2.1.

Server Wireguard config (using wg-quick):

[Interface]
Address = 10.10.2.1/24
PrivateKey = <private server key>
ListenPort = 51820

PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# EdgeRouter
[Peer]
    PublicKey = <public router key>
    AllowedIPs = 10.10.2.2/32, 10.10.1.0/24
# laptop
[Peer]
    PublicKey = <public laptop key>
    AllowedIPs = 10.10.2.3/32

Laptop Wireguard config (using wg-quick):

[Interface]
    PrivateKey = <private laptop key>
    ListenPort = 51820
    Address = 10.10.2.3/24

[Peer]
    PublicKey = <public server key>
    AllowedIPs = 10.10.0.0/16
    Endpoint = <public server ip>:51820
    PersistentKeepalive = 25

Router Wireguard Config (EdgeMax commands):

configure
edit interfaces wireguard wg0
set address 10.10.2.2/24
set listen-port 51820
set route-allowed-ips true

set peer <public server key> endpoint <public server ip>:51820
set peer <public server key> allowed-ips 10.10.2.1
set peer <public server key> allowed-ips 10.10.0.0/16
set peer <public server key> persistent-keepalive 25
set private-key <private router key>
exit
commit
save
exit


The router also has a firewall rule in WAN_LOCAL which allows 51820/udp. The server also has a firewall but 51820/udp is allowed.

Again, both the router and laptop connect and can ping 10.10.2.1, but neither can ping each other and the laptop cannot ping anything on the 10.10.1.0/24 range.

Please let me know if you need more information, and thank you!
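A way to check the three posted configurations against each other offline, as an added example that is not part of the original post or of any WireGuard or EdgeOS tooling. WireGuard's AllowedIPs is both a route and an access list: outbound, a packet goes to the peer whose AllowedIPs most specifically covers the destination; inbound, a decrypted packet is silently dropped unless its source address is inside the sending peer's AllowedIPs. For a hub to relay laptop traffic to the LAN behind the router, both rules must hold at every hop in both directions, and the hub must also have kernel IP forwarding enabled (wg-quick's PostUp rules above do not set net.ipv4.ip_forward). The script models the server, router and laptop with the addresses and AllowedIPs from the post (the EdgeMax "set peer ... allowed-ips" lines are the same concept as wg-quick's AllowedIPs), traces a ping hop by hop, and then shows two deliberately narrowed variants that fail in each direction. The node names, the sample LAN host 10.10.1.50 and the hop limit are assumptions made for the example.

```python
"""Offline check of WireGuard cryptokey routing for a hub-and-spoke topology.

WireGuard uses a peer's AllowedIPs in two directions: outbound, a packet is
sent to the peer whose AllowedIPs most specifically covers its destination;
inbound, a decrypted packet is dropped unless its source address lies inside
the sending peer's AllowedIPs. A hub that relays between two spokes needs
both rules to hold at every hop, plus kernel IP forwarding on the hub.
"""
import copy
import ipaddress
from dataclasses import dataclass, field


def net(s):
    """Accept "10.10.2.1" (a /32) as well as "10.10.1.0/24"."""
    return ipaddress.ip_network(s, strict=False)


@dataclass
class Node:
    name: str
    local: list                                # networks this node itself terminates
    peers: dict = field(default_factory=dict)  # peer name -> list of AllowedIPs strings

    def terminates(self, ip):
        return any(ip in net(n) for n in self.local)

    def peer_for(self, dst):
        """Outbound: longest-prefix match of dst over every peer's AllowedIPs."""
        best, best_len = None, -1
        for peer, nets in self.peers.items():
            for n in map(net, nets):
                if dst in n and n.prefixlen > best_len:
                    best, best_len = peer, n.prefixlen
        return best

    def accepts_from(self, peer, src):
        """Inbound: the source must be inside the sending peer's AllowedIPs."""
        return any(src in net(n) for n in self.peers.get(peer, []))


def trace(nodes, start, src, dst, max_hops=4):
    """Follow a packet with source src from node `start` towards dst.

    Returns (delivered, notes); the last note says where and why it stopped.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    cur, notes = nodes[start], []
    for _ in range(max_hops):
        if cur.terminates(dst):
            return True, notes + [f"{cur.name} delivers {dst}"]
        nxt = cur.peer_for(dst)
        if nxt is None:
            return False, notes + [f"{cur.name}: no peer AllowedIPs covers {dst}"]
        if not nodes[nxt].accepts_from(cur.name, src):
            return False, notes + [f"{nxt}: drops packet, source {src} is not in "
                                   f"AllowedIPs of peer {cur.name}"]
        if cur.name != start:  # relaying between two peers: needs ip_forward=1 and FORWARD rules
            notes.append(f"{cur.name} must forward (not verifiable offline)")
        notes.append(f"{cur.name} -> {nxt}")
        cur = nodes[nxt]
    return False, notes + ["hop limit exceeded"]


def round_trip(nodes, start, src, dst):
    """Check both directions; replies fail just as often as requests do."""
    owner = next(n.name for n in nodes.values() if n.terminates(ipaddress.ip_address(dst)))
    return trace(nodes, start, src, dst)[0], trace(nodes, owner, dst, src)[0]


def variant(nodes, node, peer, allowed):
    """Copy the topology with one peer's AllowedIPs replaced (original left untouched)."""
    changed = copy.deepcopy(nodes)
    changed[node].peers[peer] = allowed
    return changed


# Topology taken from the post. The EdgeRouter's "set peer ... allowed-ips" lines are
# the same AllowedIPs concept as wg-quick's, so it is modelled the same way.
POSTED = {
    "server": Node("server", ["10.10.2.1/32"],
                   {"router": ["10.10.2.2/32", "10.10.1.0/24"], "laptop": ["10.10.2.3/32"]}),
    "router": Node("router", ["10.10.2.2/32", "10.10.1.0/24"],   # tunnel IP plus its LAN
                   {"server": ["10.10.2.1", "10.10.0.0/16"]}),
    "laptop": Node("laptop", ["10.10.2.3/32"], {"server": ["10.10.0.0/16"]}),
}
LAN_HOST = "10.10.1.50"  # constructed sample address behind the EdgeRouter

if __name__ == "__main__":
    for label, topo in [
        ("as posted", POSTED),
        ("server lacks 10.10.1.0/24 for router", variant(POSTED, "server", "router", ["10.10.2.2/32"])),
        ("router only allows 10.10.2.1 from server", variant(POSTED, "router", "server", ["10.10.2.1"])),
    ]:
        ok, notes = trace(topo, "laptop", "10.10.2.3", LAN_HOST)
        print(f"{label}: {'OK' if ok else 'FAIL'}; " + "; ".join(notes))
    print("round trip laptop <-> LAN host:", round_trip(POSTED, "laptop", "10.10.2.3", LAN_HOST))
```

Run as posted, the trace delivers the ping to the LAN host and the reply back to the laptop, so the AllowedIPs in the three configurations are consistent with each other; the two narrowed variants show how a missing subnet on the hub (no route to the LAN) and a too-narrow allowed-ips on the router (the router decrypts the packet and then drops it because 10.10.2.3 is not an allowed source) each break the path without any error being logged by WireGuard. The one step the model cannot verify is the "must forward" hop on the server, which is exactly the part wg-quick does not configure: net.ipv4.ip_forward and the FORWARD chain on the VPS, and on the EdgeRouter whatever firewall applies to traffic arriving on wg0.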
