OPNsense Forum

English Forums => Virtual private networks => Topic started by: nathanfr on March 28, 2024, 09:13:30 pm

Title: Wireguard - Unable to open tunnel from one side
Post by: nathanfr on March 28, 2024, 09:13:30 pm
Hello,

I have set up a site-to-site tunnel following this procedure:
https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html

It's impossible to open the connection from my first opnsense (which is at home) to the second (which is in a datacenter rack) but if the second opnsense initializes the handshake, then the tunnel is established.

Both opnsenses use port 51820 in UDP and there is no NAT between the two.

To clarify, in the first photo you can see the result when my opnsense initializes the connection.

On the second photo, when the opnsense in the datacenter initializes the connection.
Title: Re: Wireguard - Unable to open tunnel from one side
Post by: chemlud on March 28, 2024, 09:44:06 pm
Mildly related: Why do you want to initiate the tunnel from both sides? One side is totally enough, and for road-warrior setups that is standard and works just fine...

And: Is port 51820 on your data center WAN open?
Title: Re: Wireguard - Unable to open tunnel from one side
Post by: nathanfr on March 28, 2024, 09:48:16 pm
I want to initiate the tunnel from both sides because the tunnel is not open all the time and sometimes the LAN behind my home opnsense needs to open the tunnel to access the LAN behind the data center opnsense and vice versa.

Yes, port 51820 in UDP is open on both sides.
Title: Re: Wireguard - Unable to open tunnel from one side
Post by: chemlud on March 28, 2024, 09:49:35 pm
Once the tunnel is established (with keep-alive) it's up and running. No further initiation is necessary.

Do a packet capture on the data center side to see if UDP is arriving at your WireGuard client (OPNsense?).
Title: Re: Wireguard - Unable to open tunnel from one side
Post by: nathanfr on March 28, 2024, 09:52:43 pm
Yes, that's true, but you have to keep sending packets through the tunnel otherwise it closes, and you have to restart a handshake:
wg1: Zeroing out keys for peer 21, since we haven't received a new one in 540 seconds

Here is the output of the sockstat command to show that the port is open:

USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
? ? ? udp4 *:51820 *:*
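The sockstat output only shows that the socket is listening; whether a peer actually completed a handshake is visible in `wg show <interface> dump`. The following shell function is an added example, not code from the thread or from OPNsense: it parses that dump format and flags peers that never handshaked, whose last handshake is older than a threshold, or that have no persistent keepalive set. The dump text, key names and addresses below are constructed samples.

```shell
#!/bin/sh
# Constructed sample in "wg show wg1 dump" layout (fields whitespace-separated):
#   line 1: private-key public-key listen-port fwmark
#   peers : public-key preshared-key endpoint allowed-ips latest-handshake rx tx persistent-keepalive
# Keys and addresses are placeholders, not real values.
SAMPLE_DUMP='(hidden) IFACE_PUBKEY= 51820 off
PEER_A_KEY= (none) 203.0.113.10:51820 10.10.0.0/24 1711656000 1024 2048 25
PEER_B_KEY= (none) 198.51.100.5:51820 10.20.0.0/24 0 0 0 off'

# stale_peers DUMP NOW THRESHOLD_SECONDS
# Prints one line per finding; prints nothing when every peer is healthy.
# latest-handshake is a Unix timestamp, 0 if the peer never completed a handshake.
stale_peers() {
    printf '%s\n' "$1" | awk -v now="$2" -v thr="$3" '
        NR == 1 { next }                       # skip the interface line
        {
            key = $1; endpoint = $3; hs = $5; keepalive = $8
            if (hs == 0)
                print key " never-handshaked endpoint=" endpoint
            else if (now - hs > thr)
                print key " stale age=" (now - hs) "s"
            if (keepalive == "off")
                print key " no-keepalive"
        }'
}

# Live usage on the firewall would be: stale_peers "$(wg show wg1 dump)" "$(date +%s)" 180
stale_peers "$SAMPLE_DUMP" 1711656300 180
```

A threshold of 180 seconds is a reasonable alarm point: WireGuard rekeys well before that, and a peer that stays silent long enough eventually hits the 540-second key zeroing shown in the log line above.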
Title: Re: Wireguard - Unable to open tunnel from one side
Post by: nathanfr on March 28, 2024, 09:54:17 pm
Once the tunnel is established (with keep-alive) it's up and running. No further initiation is necessary.

Do a packet capture on the data center side to see if UDP is arriving at your WireGuard client (OPNsense?).

You can see the UDP packets arriving at the data center OPNsense (1.jpg attachment in the first message).
Title: Re: Wireguard - Unable to open tunnel from one side
Post by: chemlud on March 28, 2024, 10:02:11 pm
This is not the traffic for initiating the tunnel (public IP to public IP), but some traffic (PING?) for LAN clients on both sides.

Start with packet captures on the WAN of both OPNsense boxes and have a look at the status of the tunnel.

How do you "stop" your tunnel? If you enable wireguard on both sides the tunnel will come up and stay up until you stop wireguard on one side.