tusc / wireguard-kmod

WireGuard for UDM series routers
https://www.wireguard.com/

UDM Wireguard server to UDM WG client #16

Open rradkov opened 2 years ago

rradkov commented 2 years ago

Hello, I have a strange problem with my setup. So I have two locations with UDMs. In the UDM the network 192.168.140.0/24 is created without DHCP, and the firewall rule to forward port 51820 to the WG server is created. WireGuard server with the following setup:

```ini
[Interface]
Address = 192.168.140.1
PrivateKey = XXXXXXXXXXX
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = YYYY
AllowedIps = 192.168.140.2/32
```

The second UDM - client config:

```ini
[Interface]
Address = 192.168.140.2/32
ListenPort = 21841
PrivateKey = ZZZZ

[Peer]
PublicKey = YYYY
Endpoint = myIp:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
```

The tunnel is up, but then the second location doesn't have any internet. Do I need to add routing to the WG client config? If I connect my phone with the same setup, my phone has internet and all of the traffic is routed via the WG server. Any help will be appreciated!

peacey commented 2 years ago

Hi @rradkov,

Are you still having this issue? The problem is how the routing is set up on the UDM, because it's a router. You can't just override the default route (AllowedIPs = 0.0.0.0/0). You also need to add an explicit route to the VPN endpoint via your WAN, and a masquerade rule for the tunnel, so clients can use the tunnel too.

Do you want every client to go through the tunnel, or do you want to be selective?

lowrisk75 commented 2 years ago

Hey, I know I'm asking a lot, but is anyone aware of a tutorial? I need to set up a WG site-to-site between two UDM PRO (or one Raspberry PI > UDM PRO). No clue how to set up a route to the VPN endpoint and the masquerade rule...

What I'm hoping to accomplish > UDM PRO 2 to connect one VLAN (inside the UDM PRO 2) and send all the traffic to the UDM PRO 1, so the clients in this specific VLAN all get an IP from the UDM PRO 1 (hope that makes sense?).

peacey commented 2 years ago

Hi @lowrisk75,

Basically you set up a wireguard server on UDM 1. On UDM 2, you set up wireguard as a client. Then you add policy-based routing rules on UDM 2 to route your VLAN's Internet through the tunnel.

There is a script called split-vpn that takes care of adding those policy rules and other steps. You can use it to set up wireguard as a client on UDM 2 and then configure it to force a VLAN through the tunnel really easily.

That script also works with the built-in site-to-site, so you don't have to even use wireguard unless you specifically want to use wireguard instead of the built-in site-to-site (which is fair, wireguard might be faster or have other advantages).
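The routing that peacey describes in the two comments above (an explicit host route to the VPN endpoint via the WAN, a masquerade rule for the tunnel, and policy rules that steer one VLAN's Internet traffic into the tunnel), as an added example for this thread; it is not code from wireguard-kmod or split-vpn. The interface names (wg0, eth8), the WAN gateway and endpoint addresses, the VLAN subnet and the routing-table number are assumed placeholders, and the script only prints the commands unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example (not code from wireguard-kmod or split-vpn). It generates, and
# optionally applies, the routing and NAT a UDM needs when it is the WireGuard
# *client* and the peer's AllowedIPs is 0.0.0.0/0. The UDM's own default route
# is left untouched; only the chosen VLAN is steered into the tunnel through a
# dedicated routing table. All names and addresses below are assumed placeholders.

# build_up_cmds WG_IF WAN_IF WAN_GW ENDPOINT VLAN_NET TABLE
# Prints, one per line, the commands that bring the policy routing up:
#  1. host route so encrypted packets to the endpoint always leave via the WAN
#  2. a default route inside the tunnel table only (main table unchanged)
#  3. VLAN sources consult the main table first, but its default route is
#     suppressed (suppress_prefixlength 0), so local/VLAN-to-VLAN routes still win
#  4. anything left over from the VLAN (i.e. Internet traffic) uses the tunnel table
#  5. masquerade on the tunnel so the server only ever sees the client's tunnel IP
#  6./7. allow forwarding in and out of the tunnel interface
build_up_cmds() {
  wg_if=$1; wan_if=$2; wan_gw=$3; endpoint=$4; vlan_net=$5; table=$6
  cat <<EOF
ip route replace ${endpoint}/32 via ${wan_gw} dev ${wan_if}
ip route replace default dev ${wg_if} table ${table}
ip rule add from ${vlan_net} lookup main suppress_prefixlength 0 priority $((table - 1))
ip rule add from ${vlan_net} lookup ${table} priority ${table}
iptables -t nat -A POSTROUTING -o ${wg_if} -j MASQUERADE
iptables -A FORWARD -i ${wg_if} -j ACCEPT
iptables -A FORWARD -o ${wg_if} -j ACCEPT
EOF
}

# build_down_cmds: same arguments; prints the exact inverse, in reverse order.
build_down_cmds() {
  wg_if=$1; wan_if=$2; wan_gw=$3; endpoint=$4; vlan_net=$5; table=$6
  cat <<EOF
iptables -D FORWARD -o ${wg_if} -j ACCEPT
iptables -D FORWARD -i ${wg_if} -j ACCEPT
iptables -t nat -D POSTROUTING -o ${wg_if} -j MASQUERADE
ip rule del from ${vlan_net} lookup ${table} priority ${table}
ip rule del from ${vlan_net} lookup main suppress_prefixlength 0 priority $((table - 1))
ip route flush table ${table}
ip route del ${endpoint}/32 via ${wan_gw} dev ${wan_if}
EOF
}

# apply_cmds: reads commands from stdin. With DRY_RUN=1 (the default) it only
# echoes them; with DRY_RUN=0 it executes each one and stops at the first failure,
# so a half-applied rule set is reported instead of silently ignored.
apply_cmds() {
  while IFS= read -r cmd; do
    [ -n "$cmd" ] || continue
    if [ "${DRY_RUN:-1}" = "1" ]; then
      printf 'dry-run: %s\n' "$cmd"
    else
      sh -c "$cmd" || { printf 'failed: %s\n' "$cmd" >&2; return 1; }
    fi
  done
}

# Stand-alone run: print the plan for an assumed site (WAN eth8 with gateway
# 203.0.113.1, server at 198.51.100.10, VLAN 192.168.50.0/24, table 100).
# Run as root on the UDM with DRY_RUN=0, after wg0 is up, to apply it for real.
build_up_cmds wg0 eth8 203.0.113.1 198.51.100.10 192.168.50.0/24 100 | apply_cmds
```

The client's `[Peer]` keeps `AllowedIPs = 0.0.0.0/0`, since that is WireGuard's cryptokey routing and not a kernel route; what must not happen is the tunnel taking over the router's main default route. If the config is brought up with wg-quick rather than `wg setconf`, add `Table = off` to the `[Interface]` section so wg-quick does not install routes of its own on top of these.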

lowrisk75 commented 2 years ago

Thanks a lot, I'll try this (I think L2TP is way too slow). I'm gonna set up wireguard as advised, thanks again!