Hello,

I am trying to setup a wireguard VPN, but so far failed to do so.

My ER605 WAN port is connected to the LAN port of my ISP modem, and the modem is setup so that the ER605 is fully exposed to the internet. Between the modem and the router, the IPs are respectively 192.168.0.1 and 192.168.0.2

On internet side, I have a static IP address and the DMZ for the ER605 works pretty well - I have ports 80 and 443 forwarded from the 605 to a reverse proxy, and several services that just work.

I use the local controller (no standalone mode), and I have set up a wireguard interface that listens on the default port, and the local IP address is 192.168.0.2. I have then set up a single client - I am using 10.101.0.0/24 for wireguard, and this client is set up as 10.101.0.2/32. All private/public keys are there, and other options at default

Now, from my client, the handshake is successfull, and I have internet access through the tunnel, but I can only ping 192.168.0.1, which is my ISP modem. I cannot ping 192.168.0.2, which is quite odd, but most importantly I cannot ping any address in the 10.0.0.0/16 range, which is my LAN.

I suspect that my particular topology is confusing the ER605, which thinks that the LAN is 192.168.0.0/something.

On LAN side, the ER605 is 10.0.0.1, but if I use this address as the local IP address in the wireguard interface, the handshake fails altogether.

I am sure I am missing some pretty obvious thing here - can anyone help on this topic? Another very, very odd thing is that normally a "server" should have an IP in the wireguard range, so in my case in 10.101.0.0/24 - and then you just setup ip forwarding. I feel that some of this stuff is happening behind the scenes, which makes the whole process a lot more difficult to debug, and, quite frankly, frustrating.

Thanks for your help and support.