Thank you for all your help.
I have now got my home RB successfully connected to my office RB via WireGuard.
RB home is 192.168.10.0/24
RB office is 10.10.10.0/24
with 10.255.255.0/30 between (10.255.255.1 in office and 10.255.255.2 home) for the wg tunnel (and as a route with the opposite wg gateway).
All working great.
I even changed the home WG peer setting now from 10.10.10.0/24 to 0.0.0.0 to route (or rather ALLOW) all internet traffic through my WG tunnel, but I'm stuck with defining the route to get the routerboard to properly send all traffic through the WG tunnel.
A simple 0.0.0.0 default route of course means the tunnel no longer gets established.
If my home GW decides to route all traffic through WG, I would then furthermore like to SRC-NAT the home network (192.168.10.0/24) to a certain outside IP which is on my office RB, and even port forward e.g. TCP 443 to my home NAS (192.168.10.10).
For the moment I'm stuck on the routing rules to get my internet traffic routed through the tunnel (and then masqueraded or SRC-NATed) to my additional IP.
Any help, ideas on that?
Kind regards
Requirement: deal with a WireGuard connection where at one end the first router is not within one's control. This means that you have an MT router under admin control attached to and behind an ISP device (a router or modem/router), and the other end is an MT device that is directly connected to the internet (only behind a straight type of modem). Many times you can still gain access to the ISP router, but only to forward ports or set a DMZ etc.; in this case that's easy and either side can be the Server or Client.
However, we are talking about NO CONTROL/ACCESS to the ISP router at one end.
Two things should be noted:
1 - For any WG connection one needs to establish the Server and the Client. This is just for the initial connection only.
2 - After the initial connection, consider the tunnel a two-way street, dependent upon the setups at either end.
So to answer the question, do not despair: assuming you are allowed internet traffic (from the MT device) through the ISP router, you are good to go and should view this MT device as the CLIENT for the initial setup.
Client WG Settings
add listen port (not really required, I think, but needed to generate the public key); in any case put the same port as you will set on the server router
name=remoteWG
public key to give to the main server (in its peer settings)
Client PEER Settings
allowed addresses - destinations for the remote users (assuming you want to access the internet and possibly subnets on the main router) use 0.0.0.0/0
endpoint address - IP of the main server and associated port; could be ipcloudname:port etc.
public key (given by the main server).
keep alive - set it to something like 30 secs.
Now on the CLIENT side you probably already have a default route of some sort, probably created dynamically, so that your LAN users go out the WAN port of the MT and then hit the main router etc., and traffic gets returned.
Next you have to make a table, via the terminal CLI:
/routing table add name=useWG fib
You need to add a route for the subnet or user that is going out the tunnel; let's say it's one of the subnets on the router (192.168.50.0/24):
/ip route add dst-address=0.0.0.0/0 gateway=remoteWG routing-table=useWG
Then make the associated route rule:
/routing rule add src-address=192.168.50.0/24 action=lookup-only-in-table table=useWG
(note: if you wanted users to be able to access the internet locally if WG is down, then use action=lookup instead of lookup-only-in-table)
+++++++++++++++++++++++++++++++++++++++++++++++++++
So the remote router's WireGuard service will go out the WAN of the remote router, through the ISP router, to the internet, and reach the main MT server router and establish the tunnel.
The source-nat rule on the Remote Server takes care of this normal (visible) traffic.
With this tunnel active, however, the subnet 192.168.50.0/24 users will be directed by the route rule to go out the tunnel and bypass the ISP router (transparent).
On the other (server) router side you have to ensure that the subnet is allowed in the WireGuard PEER settings.
Typically set an IP address for the subnet as such:
/ip address add address=192.168.50.254/24 interface=<server WG interface> network=192.168.50.0
and you are good to go for the most part.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
In other words as long as one end of the tunnel is connected directly to the internet and not behind an ISP router you can connect.
It's simply a matter of having the hidden side be the CLIENT, at least just for the connection; after that, traffic according to WireGuard and a few other rules can go both ways.
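Putting the reply's table/rule method together with the original question (home LAN out through the tunnel, SRC-NAT to an extra office IP, TCP 443 forwarded back to the home NAS), here is a RouterOS 7 script as an added example. It is not the configuration of either poster; the addresses come from the thread (192.168.10.0/24, 10.10.10.0/24, 10.255.255.0/30, NAS 192.168.10.10), while the interface names ether1/wg-office/wg-home, port 13231 and every <...> placeholder (keys, office endpoint, the additional public IP) are assumptions for this example.

```routeros
# ===== HOME router (the CLIENT, behind the ISP router) =====
# Home LAN 192.168.10.0/24, NAS 192.168.10.10, tunnel 10.255.255.0/30 (from the thread).
# Interface names, port 13231 and the <...> placeholders are assumptions for this example.
/interface wireguard add name=wg-office listen-port=13231 private-key="<HOME_PRIVATE_KEY>"
/ip address add address=10.255.255.2/30 interface=wg-office
# allowed-address=0.0.0.0/0 only says which destinations/sources this peer may carry;
# RouterOS installs no route from it, so the main table is untouched.
/interface wireguard peers add interface=wg-office public-key="<OFFICE_PUBLIC_KEY>" \
    endpoint-address=<OFFICE_PUBLIC_IP_OR_DNS> endpoint-port=13231 \
    allowed-address=0.0.0.0/0 persistent-keepalive=30s

# Separate table: the main table keeps the ISP default route, so the router's own
# handshake packets (source = WAN address, matched by no rule) still reach the office.
/routing table add name=useWG fib
/ip route add dst-address=0.0.0.0/0 gateway=wg-office routing-table=useWG \
    comment="home LAN default route via the tunnel"
# Rules are evaluated top-down. Precaution: anything addressed to the home LAN itself
# (including the router's own LAN address, e.g. for DNS) stays in main; everything else
# from the LAN goes to useWG. lookup-only-in-table = no internet while the tunnel is
# down; use action=lookup if you want a fall-back to the ISP.
/routing rule add dst-address=192.168.10.0/24 action=lookup table=main
/routing rule add src-address=192.168.10.0/24 action=lookup-only-in-table table=useWG

# Inbound TCP 443 for the NAS arrives from the tunnel: accept only that, only from wg-office.
# If your forward chain ends in a drop rule, move this rule above it.
/ip firewall filter add chain=forward in-interface=wg-office dst-address=192.168.10.10 \
    protocol=tcp dst-port=443 action=accept comment="office dst-nat 443 -> NAS"
# WireGuard MTU is 1420: clamp TCP MSS both ways so large HTTPS responses do not stall.
/ip firewall mangle add chain=forward out-interface=wg-office protocol=tcp tcp-flags=syn \
    action=change-mss new-mss=clamp-to-pmtu passthrough=yes
/ip firewall mangle add chain=forward in-interface=wg-office protocol=tcp tcp-flags=syn \
    action=change-mss new-mss=clamp-to-pmtu passthrough=yes

# ===== OFFICE router (the SERVER, directly on the internet) =====
# Office LAN 10.10.10.0/24; ether1 = WAN carrying the additional public IP (assumed).
/interface wireguard add name=wg-home listen-port=13231 private-key="<OFFICE_PRIVATE_KEY>"
/ip address add address=10.255.255.1/30 interface=wg-home
/ip firewall filter add chain=input in-interface=ether1 protocol=udp dst-port=13231 \
    action=accept comment="WireGuard handshakes from the home router"
# allowed-address must list the home LAN, otherwise WireGuard's crypto-key routing
# drops the LAN's packets as coming from the wrong source.
/interface wireguard peers add interface=wg-home public-key="<HOME_PUBLIC_KEY>" \
    allowed-address=10.255.255.2/32,192.168.10.0/24
/ip route add dst-address=192.168.10.0/24 gateway=wg-home comment="return path to home LAN"

# The additional public IP lives on the office WAN; the home LAN leaves with it.
# Place the src-nat rule ABOVE any existing masquerade rule for ether1.
/ip address add address=<ADDITIONAL_PUBLIC_IP>/<PREFIX> interface=ether1
/ip firewall nat add chain=srcnat src-address=192.168.10.0/24 out-interface=ether1 \
    action=src-nat to-addresses=<ADDITIONAL_PUBLIC_IP> comment="home LAN -> extra IP"
# Port-forward TCP 443 on the extra IP to the home NAS through the tunnel, and allow
# only that dst-natted flow from WAN into the tunnel.
/ip firewall nat add chain=dstnat in-interface=ether1 dst-address=<ADDITIONAL_PUBLIC_IP> \
    protocol=tcp dst-port=443 action=dst-nat to-addresses=192.168.10.10 to-ports=443
/ip firewall filter add chain=forward in-interface=ether1 out-interface=wg-home \
    dst-address=192.168.10.10 protocol=tcp dst-port=443 connection-nat-state=dstnat \
    action=accept comment="extra IP:443 -> home NAS via tunnel"

# Checks after applying each half on its own router:
/interface wireguard peers print detail            # last-handshake should be recent
/routing route print where routing-table=useWG     # home: default route present in useWG
/ip firewall nat print stats                       # office: src-nat/dst-nat counters increase
```

The home half goes on the home RB and the office half on the office RB. Two points decide whether it works: the handshake is router-originated and never matches the src-address rule, so it keeps using the ISP default route in main (which is why a plain 0.0.0.0/0 default route in main would break the tunnel), and the office side must both allow 192.168.10.0/24 in the peer and have a route back to it, or replies to the NAT'd traffic never enter the tunnel.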