I think I found the error.
The Wireguard allowed IP on the NS8 cluster does not match to the Wireguard IP address of the NS7 migration tool.
First use the migration tool on NS7 to connect to NS8 until you get the “The NS8 cluster already has a user domain for the ‘ad.xxxxxx.xxx’ domain” error.
On NS8:
In /etc/wireguard/wg0.conf you can find the IP in AllowedIPs that NS8 allows for the peer endpoint. My NS7 has the IP 192.168.3.162.
AllowedIPs = 10.5.4.21/32
Endpoint = 192.168.3.162:39408
On NS7:
Set the IP address for Wireguard to the one you found above, in my case 10.5.4.21:
config setprop wg-quick@wg0 Address 10.5.4.21
Expand the wireguard template:
expand-template /etc/wireguard/wg0.conf
Restart wireguard:
systemctl restart wg-quick@wg0
Ping to NS8 should work now:
ping 10.5.4.1
Now the NS8 migration tool should work if you reload the migration tool page.
EDIT:
OK, it just worked once, the second test failed but for sure it’s an issue if the IP address doesn’t match the allowed IP.