UDM Wireguard server to UDM WG client #16

Open
rradkov opened this issue Jul 25, 2021 · 4 comments

Comments

@rradkov

rradkov commented Jul 25, 2021

Hello
I have a strange problem with my setup.
So I have two locations with UDMs.
On the UDM the network 192.168.140.0/24 is created without DHCP, and the firewall rule to forward port 51820 to the WG server is created.
Wireguard server with the following setup:
[Interface]
Address = 192.168.140.1
PrivateKey = XXXXXXXXXXX
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = YYYY
AllowedIps = 192.168.140.2/32

The second UDM - client config:
[Interface]
Address = 192.168.140.2/32
ListenPort = 21841
PrivateKey = ZZZZ
[Peer]
PublicKey = YYYY
Endpoint = myIp:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
The tunnel is up, but the second location doesn't have any internet. Do I need to add routing to the WG client config?
If I connect my phone with the same setup, my phone has internet and all of the traffic is routed via the WG server.
Any help will be appreciated!

@peacey
Collaborator

peacey commented Nov 8, 2021

Hi @rradkov,

Are you still having this issue? The problem is how the routing is set up on the UDM because it's a router. You can't just override the default route (AllowedIPs = 0.0.0.0/0). You also need to add an explicit route to the VPN endpoint via your WAN, and a masquerade rule for the tunnel, so clients can use the tunnel too.

Do you want every client to go through the tunnel, or do you want to be selective?
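
As an added example (not from this thread or from any UDM project), here is the client config above rewritten to follow that advice: a host route to the endpoint via the WAN, tunnel routes that outrank the default without deleting it, and a masquerade so LAN clients appear as 192.168.140.2, which is the only source address the server's AllowedIps permits for this peer. The WAN interface (eth8), WAN gateway (203.0.113.1) and endpoint address (198.51.100.10) are placeholder assumptions.

```ini
# Added example config for the second UDM (wg-quick style). Assumed placeholder
# values: WAN interface eth8, WAN gateway 203.0.113.1, VPN endpoint 198.51.100.10.
[Interface]
Address = 192.168.140.2/32
PrivateKey = ZZZZ
# Table = off: wg-quick must not install routes for AllowedIPs itself; the
# PostUp lines below add them in an order that works on a router.
Table = off
# 1. Host route to the endpoint via the WAN gateway, so the encrypted packets
#    are not pulled into the tunnel by the routes added in step 2.
PostUp = ip route add 198.51.100.10/32 via 203.0.113.1 dev eth8
# 2. Two /1 routes are more specific than the default route, so they win
#    without the existing WAN default being removed.
PostUp = ip route add 0.0.0.0/1 dev wg0; ip route add 128.0.0.0/1 dev wg0
# 3. Masquerade LAN traffic as 192.168.140.2: the server side only accepts that
#    address from this peer (AllowedIps = 192.168.140.2/32), so packets with
#    LAN source addresses would otherwise be dropped by cryptokey routing.
PostUp = iptables -t nat -I POSTROUTING -o wg0 -j MASQUERADE
PostUp = iptables -I FORWARD -o wg0 -j ACCEPT; iptables -I FORWARD -i wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Undo everything in reverse order when the tunnel goes down.
PostDown = iptables -D FORWARD -i wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o wg0 -j MASQUERADE
PostDown = ip route del 128.0.0.0/1 dev wg0; ip route del 0.0.0.0/1 dev wg0
PostDown = ip route del 198.51.100.10/32 via 203.0.113.1 dev eth8

[Peer]
PublicKey = YYYY
Endpoint = 198.51.100.10:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
```

This is the "every client through the tunnel" case, and it also sends the router's own traffic through wg0; routing only selected VLANs needs policy rules (ip rule / separate tables) instead of the /1 routes in step 2.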

@lowrisk75

Hey, I know I'm asking a lot, but is anyone aware of a tutorial? I need to set up a WG site-to-site between two UDM PROs (or one Raspberry Pi > UDM PRO).
No clue how to set up a route to the VPN endpoint and the masquerade rule ....

What I'm hoping to accomplish: UDM PRO 2 connects one VLAN (inside the UDM PRO 2) and sends all the traffic to the UDM PRO 1, so the clients in this specific VLAN all get an IP from the UDM PRO 1 (hope that makes sense?).

@peacey
Collaborator

peacey commented Feb 11, 2022

Hi @lowrisk75,

Basically you set up a wireguard server on UDM 1. On UDM 2, you set up wireguard as a client. Then you add policy-based routing rules on UDM 2 to route your VLAN's Internet through the tunnel.

There is a script called split-vpn that takes care of adding those policy rules and other steps. You can use it to set up wireguard as a client on UDM 2 and then configure it to force a VLAN through the tunnel really easily.

That script also works with the built-in site-to-site, so you don't have to even use wireguard unless you specifically want to use wireguard instead of the built-in site-to-site (which is fair, wireguard might be faster or have other advantages).

@lowrisk75

Thanks a lot, I'll try this (I think L2TP is way too slow). I'm gonna set up wireguard as advised, thanks again!
