Partial routing over WireGuard connection

Started by JasMan, May 29, 2022, 02:15:52 PM

Hey,
I've connected two sites over a WireGuard VPN connection. There's an OPNsense at site A and an OpenWRT router at site B.
Everything works fine. Each site can reach the internal addresses of the other site over the WG tunnel.

Now I want to route a huge number of external addresses from site A over the Internet connection of site B.

I've already tested it successfully with a single IP address. I added the single IP address to the WG peer configuration on the OPNsense as an allowed IP, created a FW rule for the traffic to this address and chose the WG gateway of site B as the gateway.

But it's not very convenient for more than a few addresses, because I have to add them all to the WG peer configuration as allowed addresses.
So I added 0.0.0.0/0 instead, but then I have two default routes on the OPNsense and the WG route is preferred. All external traffic is routed to site B then.

Next try: I disabled the routes in the local WG configuration of the OPNsense to prevent routing entries for the WG tunnel allowed IP addresses. That works perfectly at site A. But in this case, site B is not able to reach the clients at site A anymore. The packet arrives at the host at site A, but the answer packets are routed back over the default route of site A, meaning to the Internet.

Did I miss something? Or what would be the preferred solution for my needs?

Thanks.
Jas Man
Duck, Duck, Duck, Duck, Duck, Duck, Duck, Duck, Goose
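The post above mixes two separate mechanisms: the kernel's routing decision (routing table plus the policy rule that a firewall rule with a gateway creates) and WireGuard's own cryptokey routing, which only sends a packet to a peer whose AllowedIPs covers the destination and only accepts a decrypted packet whose source lies inside AllowedIPs. The small model below is an added example to illustrate that interaction; it is not code from OPNsense, OpenWRT or WireGuard, and every address, the route metrics and the interface names (wan, lan, wg0) are assumptions constructed for the example. It replays the three attempts from the post and a fourth variant that keeps AllowedIPs at 0.0.0.0/0 with route installation disabled but adds an explicit static route for site B's LAN via the tunnel.

```python
"""Model of the two decisions a WireGuard-equipped router makes per packet.
Added example, not OPNsense/OpenWRT/WireGuard code; addresses are constructed
(RFC 1918 and RFC 5737 ranges) and metrics are assumptions.

1. Kernel routing: a policy-routing rule (on OPNsense, a firewall rule with a
   gateway selected) is checked first; otherwise the routing table applies,
   longest prefix wins, ties broken by metric (lower wins).
2. Cryptokey routing on wg0: a packet goes out to the peer only if the
   destination is inside the peer's AllowedIPs; a decrypted packet from the
   peer is accepted only if its source is inside AllowedIPs.
"""
from ipaddress import ip_address, ip_network


class Router:
    def __init__(self):
        self.routes = []       # (network, interface, metric)
        self.policy = []       # (network, interface), checked before the table
        self.allowed_ips = []  # AllowedIPs of the single peer behind wg0

    def add_route(self, net, iface, metric=10):
        self.routes.append((ip_network(net), iface, metric))

    def add_policy(self, net, iface):
        self.policy.append((ip_network(net), iface))

    def set_allowed_ips(self, nets):
        self.allowed_ips = [ip_network(n) for n in nets]

    def egress(self, dst):
        """Interface the kernel hands the packet to, or None if unroutable."""
        dst = ip_address(dst)
        for net, iface in self.policy:
            if dst in net:
                return iface
        matches = [r for r in self.routes if dst in r[0]]
        if not matches:
            return None
        # longest prefix wins; among equal prefixes the lowest metric wins
        return min(matches, key=lambda r: (-r[0].prefixlen, r[2]))[1]

    def send(self, dst):
        iface = self.egress(dst)
        if iface == "wg0" and not any(ip_address(dst) in n for n in self.allowed_ips):
            return "dropped-by-wg0"  # cryptokey routing: no peer owns this destination
        return iface or "no-route"

    def receive_from_peer(self, src):
        """True if wg0 accepts a decrypted packet with this source address."""
        return any(ip_address(src) in n for n in self.allowed_ips)


SITE_A_LAN = "192.168.1.0/24"
SITE_B_LAN = "192.168.2.0/24"
SITE_B_HOST = "192.168.2.50"
CDN_PREFIX = "203.0.113.0/24"  # external range to be tested via site B
CDN_HOST = "203.0.113.10"
CDN_HOST_2 = "203.0.113.11"
OTHER_HOST = "198.51.100.7"    # unrelated Internet host, must stay on site A's WAN


def site_a(allowed_ips, install_routes, policy_nets=(), static_routes=()):
    """Site A's OPNsense: WAN default route, local LAN, wg0 peer = site B."""
    r = Router()
    r.add_route("0.0.0.0/0", "wan", metric=10)
    r.add_route(SITE_A_LAN, "lan")
    r.set_allowed_ips(allowed_ips)
    if install_routes:
        # what installing routes for AllowedIPs does; assumed to get a better
        # metric than the WAN default, matching the post's observation
        for n in allowed_ips:
            r.add_route(n, "wg0", metric=1)
    for n in static_routes:
        r.add_route(n, "wg0", metric=1)
    for n in policy_nets:
        r.add_policy(n, "wg0")
    return r


def attempt_single_ip():
    """AllowedIPs holds site B's LAN and one test host; a policy rule for the
    whole CDN prefix then only works for that one host."""
    r = site_a([SITE_B_LAN, CDN_HOST + "/32"], install_routes=True,
               policy_nets=[CDN_PREFIX])
    return r.send(CDN_HOST), r.send(CDN_HOST_2), r.send(OTHER_HOST), r.send(SITE_B_HOST)


def attempt_default_allowed():
    """AllowedIPs 0.0.0.0/0 with routes installed: a second default route."""
    r = site_a(["0.0.0.0/0"], install_routes=True, policy_nets=[CDN_PREFIX])
    return r.send(CDN_HOST), r.send(OTHER_HOST)


def attempt_routes_disabled():
    """AllowedIPs 0.0.0.0/0, route installation off, policy rule for the prefix."""
    r = site_a(["0.0.0.0/0"], install_routes=False, policy_nets=[CDN_PREFIX])
    return r.send(CDN_HOST), r.send(OTHER_HOST), r.send(SITE_B_HOST)


def with_static_route():
    """As above, plus one explicit static route for site B's LAN via wg0."""
    r = site_a(["0.0.0.0/0"], install_routes=False, policy_nets=[CDN_PREFIX],
               static_routes=[SITE_B_LAN])
    return (r.send(CDN_HOST), r.send(OTHER_HOST), r.send(SITE_B_HOST),
            r.receive_from_peer(CDN_HOST))


if __name__ == "__main__":
    for fn in (attempt_single_ip, attempt_default_allowed,
               attempt_routes_disabled, with_static_route):
        print(f"{fn.__name__:25} {fn()}")
```

In the model, the second attempt sends the unrelated host to wg0 because the installed 0.0.0.0/0 route outranks the WAN default, the third attempt sends replies to the site B host out the WAN because nothing but the default route matches them, and the fourth variant keeps only the policy-routed CDN prefix and the explicitly routed remote LAN on the tunnel while AllowedIPs 0.0.0.0/0 still lets wg0 accept the CDN replies that come back through site B. Two caveats the model leaves out: site B must accept site A's LAN in its own AllowedIPs for the site A peer and NAT those sources out its WAN, and a static route for the remote LAN is only needed because automatic route installation was switched off.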


It seems that I have latency issues with some CDNs at site A.
Site B is using a different ISP, and they don't have these latency issues.

I was not able to find the cause so far.
And the only difference between the two locations is that the last three hops to the CDN servers are different. Therefore I would like to do some tests from location A via location B.

How about you use a tunnel (if you want, through a wg tunnel) to route through the tunnel? Maybe that would remove the need to add all the IP addresses to the WireGuard config.

IIUC there are versions of VPN that aren't routed and which act as if you used a (long) network cable between two sites. Maybe WireGuard isn't the right tool for your purpose.