My goal is to make it so that half a dozen devices from Site A can access Site B devices as if they were in the same network (albeit in different subnets). And vice versa?
I set up a Bidirectional WG-based Site-to-Site VPN on Site A and selected a few devices which can see Site B. But the fact that I had to select a few devices makes me think that, despite being named bidirectional, it has to all be set up on Site B as well.
Am I thinking of this right?
One site is an FWG (1.9740 (3b84b678)), the other an FWP (same).
To allow specific devices from site A to access site B, you just need to select these devices in VPN configuration on site A. No need to change anything on site B.
To allow specific devices from site B to access site A, you will need to add an allow rule on site A to allow traffic from these devices. No need to change anything on site B.
Please be aware that only an IP address or subnet can be used in an allow rule; it can't be a MAC address or device name.
Yes, it needs to be configured on each side for which traffic you want sent via tunnel.
Example:
Side A is 10.10.10.0/24
Side B is 192.168.12.0/24
On side A, WG needs to know that requests to 192.168.12.0/24 are supposed to go through the tunnel
On side B, WG needs to know that requests to 10.10.10.0/24 are supposed to go through the tunnel
Configuration on both sides is needed so that each side knows how to route traffic appropriately.
EDIT: I realized that I posted this with a generic IPSEC site to site VPN in mind. WG may be slightly different in this case. Will look into that today.
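The two-sided routing rule in the comment above, as an added example that is not part of the thread and is not Firewalla's own configuration: plain wg-quick style configs for both gateways, using the comment's subnets (10.10.10.0/24 and 192.168.12.0/24). Tunnel addresses (10.255.255.x), the endpoint `a.example.net:51820`, the key placeholders and the `Site` helper are assumptions for illustration. The check at the end shows what breaks when only one side lists the other's LAN in `AllowedIPs`: WireGuard's cryptokey routing both decides which packets go into the tunnel and rejects incoming packets whose source is outside `AllowedIPs`, so a one-sided setup fails in both directions.

```python
"""Constructed example: in a WireGuard site-to-site tunnel EACH gateway must list
the OTHER side's LAN in its peer's AllowedIPs. Only the two LAN subnets come
from the thread; tunnel addresses, endpoint and keys are placeholders, and real
keys would come from `wg genkey` / `wg pubkey`."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Site:
    name: str
    lan: str                  # LAN behind this gateway
    tunnel_ip: str            # this gateway's address inside the tunnel (assumed)
    public_key: str           # placeholder, not a real key
    endpoint: Optional[str]   # public host:port if the peer can reach it (assumed)


# Subnets are the ones used in the comment; everything else is made up.
SITE_A = Site("siteA", "10.10.10.0/24", "10.255.255.1", "<siteA-pubkey>", "a.example.net:51820")
SITE_B = Site("siteB", "192.168.12.0/24", "10.255.255.2", "<siteB-pubkey>", None)


def allowed_ips_for(local: Site, remote: Site) -> List[str]:
    """AllowedIPs that `local` needs in its [Peer] block for `remote`: the remote
    gateway's own tunnel address plus the whole remote LAN. wg-quick installs a
    route for each prefix, and cryptokey routing only accepts packets from this
    peer whose source address lies inside these prefixes."""
    return [f"{remote.tunnel_ip}/32", remote.lan]


def wg_conf(local: Site, remote: Site, private_key: str = "<private-key>") -> str:
    """Render a wg-quick style config for `local` pointing at `remote`."""
    lines = ["[Interface]",
             f"Address = {local.tunnel_ip}/24",
             f"PrivateKey = {private_key}"]
    if local.endpoint:  # only the publicly reachable side needs a fixed listen port
        lines.append(f"ListenPort = {local.endpoint.rsplit(':', 1)[1]}")
    lines += ["", "[Peer]",
              f"PublicKey = {remote.public_key}",
              f"AllowedIPs = {', '.join(allowed_ips_for(local, remote))}"]
    if remote.endpoint:
        lines.append(f"Endpoint = {remote.endpoint}")
    if not local.endpoint:  # side behind NAT must initiate and keep the mapping alive
        lines.append("PersistentKeepalive = 25")
    return "\n".join(lines) + "\n"


def routes_via_tunnel(dst: str, allowed_ips: List[str]) -> bool:
    """Would a packet to `dst` be sent into the tunnel, i.e. does it match AllowedIPs?"""
    d = ipaddress.ip_address(dst)
    return any(d in ipaddress.ip_network(p) for p in allowed_ips)


def covered(prefix: str, allowed_ips: List[str]) -> bool:
    """True if the whole `prefix` lies inside one of the AllowedIPs entries."""
    net = ipaddress.ip_network(prefix)
    return any(net.subnet_of(ipaddress.ip_network(p))
               for p in allowed_ips if ipaddress.ip_network(p).version == net.version)


def check_site_to_site(a: Site, b: Site, a_allowed: List[str], b_allowed: List[str]) -> List[str]:
    """Reasons the tunnel would NOT carry LAN-to-LAN traffic both ways; an empty
    list means both sides know about each other's LAN."""
    problems = []
    if not covered(b.lan, a_allowed):
        problems.append(f"{a.name}: {b.lan} missing from AllowedIPs, so {a.name} never "
                        f"sends traffic for {b.name}'s LAN into the tunnel")
    if not covered(a.lan, b_allowed):
        problems.append(f"{b.name}: {a.lan} missing from AllowedIPs, so {b.name} drops "
                        f"packets arriving from {a.name}'s LAN and has no tunnel route for replies")
    return problems


if __name__ == "__main__":
    print(wg_conf(SITE_A, SITE_B))
    print(wg_conf(SITE_B, SITE_A))
    full = check_site_to_site(SITE_A, SITE_B,
                              allowed_ips_for(SITE_A, SITE_B), allowed_ips_for(SITE_B, SITE_A))
    print("both sides configured:", full == [])
    # failure mode: side B lists only A's tunnel address, not A's LAN
    half = check_site_to_site(SITE_A, SITE_B,
                              allowed_ips_for(SITE_A, SITE_B), [f"{SITE_A.tunnel_ip}/32"])
    print("\n".join(half))
```

The `PersistentKeepalive` and `Endpoint` handling is the usual arrangement when only one site has a reachable public address: the NATed side dials out and keeps the mapping open, and the other side needs no endpoint for it at all.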
Here is the official guide on site-to-site VPN: https://help.firewalla.com/hc/en-us/articles/5515850433683. It mentions at step 3:
"To connect devices to VPN, on the VPN Client Box, just switch on the “VPN” button, and you’ll see the status become “Connected”. At this point, devices from the VPN server site are able to access the network on the VPN client site.
On the VPN client site, to selectively send your devices’ traffic through the VPN, under the VPN connection, tap Apply To, select the devices/networks/group you’d like to connect to the peer(server) site, and tap save. "
u/gnapoleon Does this document answer your question? You only need to select your devices on one of the boxes (the client site). Allow rules are created automatically when the connection is established.
Do you want it to just be those half dozen devices? If you don’t mind if A and B have full connectivity, then just set up a S2S WG VPN between the FWG and the FWP and it will work. I have this working right now and it didn’t require any traffic rules or added routes. The WG setup added the routes and rules automatically.
I have a Plex server in Site A and I can get to it from FireTV sticks in Site B with no issues. Same for a NAS and other devices. I also run the Omada controller in Site A and it manages APs in Site B. This requires connections initiated in both directions.
And if I do a remote WG VPN to site A, I can get to anything in site B from the remote device. It was a lot easier to get working than I was expecting. But I’m fine with all devices in both sites have full connectivity with each other as they are both mine.
I should have followed up on my previous comment. I didn’t think all the way through before saying I would test it.
I did a setup with my FWG and a WG instance in AWS, but it's not nearly the same as FWG ↔ FWP as proposed in the original question. It involved setting up manual routes on each client to the WG server for relevant traffic.
Unless someone wants to donate some hardware to me, I can't directly speak to it.