OPNsense Forum
English Forums => Virtual private networks => Topic started by: bmt on January 04, 2024, 07:54:10 pm
-
Edit: Just a note that the s2s VPN was working perfectly on all versions before 23.7.10. The site is 800km away from me, so a little nervous to roll back to previous Opnsense version remotely.
At a total loss here...have checked every post, guide etc and can't figure out what I'm doing wrong.
Firewall rules on both sites are configured to allow connections on port 5180 and traffic from WG to LAN. There is a handshake, and this is the result.
However, I cannot ping from one site to the next.
Site 1 shows transfer rx and tx.
Site 2 shows zero transfer rx but traffic on tx. Any suggestions on what to check, or output I can share that will help?
Site1:
interface: wg2
public key: pnRhuA2blsBbPLsaZCA3bgQcB36fJzpZTXPy5DvZVhg=
private key: (hidden)
listening port: 51820
peer: DjojsEKBxxxxxxxKzX6/Dk76Munatg4=
endpoint: 102.xxx.xxx.15:51820
allowed ips: 10.11.0.1/32, 192.168.1.0/24
transfer: 23.41 KiB received, 16.87 KiB sent
persistent keepalive: every 25 seconds
Site2:
interface: wg2
public key: DjojsEKxxxxxxxxxx/Dk76Munatg4=
private key: (hidden)
listening port: 51820
peer: pnRhuxxxxxxxxxxfJzpZTXPy5DvZVhg=
endpoint: 102.221.100.138:51820
allowed ips: 10.11.0.2/32, 192.168.0.0/24
transfer: 0 B received, 23.12 KiB sent
persistent keepalive: every 25 seconds
Thanks
-
Here is my S2S config, that is working...
Site A
Tunnel Address: 10.10.0.1/24
Listen Port: 51820
Peer: SiteBS2S
Site B Peer
Allowed IPs: 10.0.0.2/32, 10.0.1.0/24
Endpoint Address: Site B Public IP
Endpoint Port: 51820
Site B
Tunnel Address: 10.0.0.2/24
Listen Port: 51820
Peer: SiteAS2S
Site B Peer
Allowed IPs: 10.10.0.1/32, 192.168.2.0/24
Endpoint Address: Site A Public IP
Endpoint Port: 51820
I hope that gets you going. Now after that there are firewall rules that need to be in place. Did you setup an interface for WG or are you running all your WG to LAN rules via the Wireguard(Group)? Do you have a normalization rule for WG?
Steve
-
Thanks Steve, I changed allowing the tunnel IP from /24 to the individual /32. Didn't make a difference... Yes, I created a WG interface per site, set the dynamic gateway option and confirmed that outbound NAT is configured. I also ensured the firewall rules allow UDP port 51280 on the "WAN Address" of each site, and for now, allowed * on both the WG and WG (Group) interfaces.
Thinking about it, site 1 always had dual WAN...site 2 now has dual WAN. Not sure if there's anything I need to consider in terms of this new setup? I disabled site 2's second WAN during troubleshooting, but it made no difference.
Any other suggestions?
-
Have you checked every setting in reference with the documentation?
https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html
Are you using wireguard-kmod or wireguard-go? I had problems with wireguard-go not doing handshakes anymore. So wireguard-kmod is the choice to go imo.
-
Correct, I followed this guide, among others. I've tried both go and kmod. This makes me think there's a config somewhere that's preventing bidirectional traffic.
What terminal diags can I run to show some helpful output?
Have you checked every setting in reference with the documentation?
https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html
Are you using wireguard-kmod or wireguard-go? I had problems with wireguard-go not doing handshakes anymore. So wireguard-kmod is the choice to go imo.
-
Until I watched this YouTube post I was all screwed up. I filled his road warrior setup and things started to work.
https://youtu.be/qX1Y91ko7uc?si=U4BeOGakF1S5reCB
-
Try to create an additional wireguard tunnel on port 51821, but only with allowed IPs in a network that doesn't exist on both firewalls yet. Don't re-use anything, the keys should be new.
For example 10.80.80.0/24, where one site has 10.80.80.1/24 and the other site has 10.80.80.2/24.
Configure everything again while not touching the non working tunnel. If the second tunnel comes up, there might be a configuration issue in the first tunnel (like keys stopped matching or something)
-
Thanks Monviech and spetrillo - I'll give these suggestions a try
-
Thanks everyone...
https://forum.opnsense.org/index.php?topic=36403.msg177980 (https://forum.opnsense.org/index.php?topic=36403.msg177980)
This was a weird one... I had to add my local WG tunnel IP/32 into config.xml manually (both sites). Immediately the handshake was confirmed on both ends, bidirectional traffic, and tunnel is stable.
Is this a bug? I followed every guide to the letter, watched multiple video tutorials, and all my settings were 100% correct. Anyway, just glad it's working now.
-
Thought I'd update here as the issue came back. The config.xml config changed (by itself), and the tunnel broke again. One-way traffic issue came back. I was also unable to ping the public IP from one site to the other, so I contacted the ISP. They found a route filter that was misconfigured. Once this was resolved, everything worked perfectly, and has been for the last 2 weeks. Stock standard Wireguard config, as per the Opnsense guide, working 100% fine.