VPN client to LAN-to-LAN routing
Hello! This has been bugging me since I established a LAN-to-LAN VPN connection between my two properties. Now, if I am away, I VPN in to one of the ER605s to check on my LAN in that subnet. My problem is I cannot traverse the LAN-to-LAN connection to log in to devices on the other node. My current solution is to disconnect from the one node and connect to the other so I can have access to the devices behind the ER605 in that location.
What can I do to both so that I can traverse the LAN-to-LAN connection and access devices on the far side of the VPN tunnel? Thanks in advance. Both locations are connected using WireGuard. The client is a PC using OpenVPN.
I haven't tested with WireGuard site-to-site, but you may need to add the OpenVPN IP pool to the allowed IPs on WireGuard. I don't know.
In theory, I've tested that config with WireGuard without the VPN IP pool added, and it still worked with Full Mode.
But it's never a bad idea to give it a try.
All:
The official implementation of the WireGuard VPN server has a setting for "Allowed local subnets" so that clients from anywhere are allowed access to these defined local subnets.
The WireGuard setup in the ER605 has nothing for defining local networks. Where, in the ER605, can these be defined? In the static routing?
RaRu wrote:
In theory, I've tested that config with WireGuard without the VPN IP pool added, and it still worked with Full Mode.
But it's never a bad idea to give it a try.
The "Full Mode" in the ER605 tunnels all traffic. I don't think I will go for that because I want split tunneling.
Unlike IPsec, where you can enumerate Local Networks, TP-Link's implementation of WireGuard in the ER605 does not allow for "Allowed Networks".
It's not called L2L but S2S, or IPsec site-to-site.
But IPsec site-to-site is a better solution for you; it is faster than WireGuard too. Much faster.
Use this encryption to get the most secure and fastest communication on the ER605 v2:
IKEv2
Phase 1: SHA-256 - AES256 - DH14
Phase 2: ESP - SHA-256 - AES256
I am not very familiar with how to configure this in stand-alone mode; I only use controllers.
And the OpenVPN server config is like this when configured on the Omada Controller with split tunnel.
As you can see in the client log, all the necessary routes are added.
0 [route] [192.168.60.0] [255.255.255.0]
1 [route] [192.168.30.0] [255.255.255.0]
2 [route] [10.87.65.0] [255.255.255.0]
3 [dhcp-option] [DNS] [1.1.1.2]
4 [route] [1.1.1.2] [255.255.255.255]
5 [dhcp-option] [DNS] [1.0.0.2]
6 [route] [1.0.0.2] [255.255.255.255]
7 [comp-lzo] [no]
8 [route] [10.87.65.0] [255.255.255.0]
I looked at a TP-Link emulator, and you can't use split tunnel when you're in stand-alone mode if you're going to reach more than one network. So you have to use full tunnel to get it to work.
IPsec site-to-site settings, so you can define multiple networks in stand-alone mode.
I did a test with WireGuard site-to-site and split tunnel and the OpenVPN server; no change on the OpenVPN server config, but you have to add routes like this in your WireGuard config.
But I recommend you upgrade to a controller to get split tunnel to work with OpenVPN.
OR you can use WireGuard and split tunnel; that might be the easiest for you. Then you add allowed IPs in the configuration file of the WireGuard client like this:
AllowedIPs = 192.168.60.0/24, 192.168.30.0/24
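The reason that line fixes it is WireGuard's cryptokey routing: a packet only enters the tunnel when its destination matches a prefix in the peer's AllowedIPs, so a far-side LAN that is missing from the list is never sent to the ER605 at all. The checker below is an added example, not from this thread or from TP-Link; it parses a constructed client config using the subnets from the log above (192.168.60.0/24 and 192.168.30.0/24 as the two LANs, 10.87.65.0/24 as the client pool) and reports which LANs fall outside AllowedIPs. The keys and endpoint are placeholders.

```python
import ipaddress

# Constructed WireGuard client config (placeholder keys/endpoint), modelled on
# the thread: 192.168.60.0/24 is the LAN behind the VPN server, 192.168.30.0/24
# is the LAN behind the far ER605, 10.87.65.0/24 is the VPN client pool.
CLIENT_CONF_BEFORE = """
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.87.65.2/24

[Peer]
PublicKey = <server-public-key-placeholder>
Endpoint = vpn.example.invalid:51820
AllowedIPs = 192.168.60.0/24
"""

# Same config with the far-side LAN added, as the post above suggests.
CLIENT_CONF_AFTER = CLIENT_CONF_BEFORE.replace(
    "AllowedIPs = 192.168.60.0/24",
    "AllowedIPs = 192.168.60.0/24, 192.168.30.0/24",
)


def parse_allowed_ips(conf: str) -> list:
    """Collect every prefix listed under AllowedIPs in any [Peer] section."""
    nets, section = [], None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, _, value = line.partition("=")
        if section == "peer" and key.strip().lower() == "allowedips":
            nets.extend(ipaddress.ip_network(p.strip(), strict=False)
                        for p in value.split(",") if p.strip())
    return nets


def routed_via_tunnel(conf: str, dst: str) -> bool:
    """True if WireGuard would send a packet for dst into the tunnel."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in parse_allowed_ips(conf))


def unreachable_lans(conf: str, lans: list) -> list:
    """LAN prefixes not covered by any AllowedIPs entry (traffic stays local)."""
    allowed = parse_allowed_ips(conf)
    return [lan for lan in lans
            if not any(ipaddress.ip_network(lan).subnet_of(n) for n in allowed)]
```

The same rule explains the OpenVPN log above: a destination with no pushed route for it never enters that tunnel either.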
ALL: I have switched to IPsec LAN-to-LAN (site-to-site). In IPsec, I can specify the Local Networks allowed, but not in WireGuard (stand-alone ER605).
All is well now. The OVPN client can now reach the farthest devices.
Question: I've been seeing/reading "controller". Is it another piece of hardware to buy? Or is it a cloud service? If it is more hardware to purchase, well, I'm retired and I'd rather be happy with my "stand-alone" ER605s.
Hi,
There are multiple versions of controllers:
1. You can buy additional HW - the OC200 - which is a physical controller.
2. You can set up a Cloud Controller directly in the TP-Link Omada Cloud environment (there are paid and free (Essentials) plans for that).
3. You can host your own controller on your server / NAS / Docker container / Raspberry Pi or whatever can handle it - free of charge if you have the device to run it.
I'm using that because it allows me to handle multiple devices and different sites, and change their configuration remotely even if those don't have a public IP address from the ISP.
If it's worth using - it's totally up to you and your needs ;)
BTW. I'm glad you made it work for yourself in the end ;)
Cheers