OPNsense Forum

Archive => 22.1 Legacy Series => Topic started by: cake on May 23, 2022, 09:20:40 am

Title: Wireguard peer [subnet<->subnet]
Post by: cake on May 23, 2022, 09:20:40 am
I am using opnsense wireguard as a peer but,

What I can't figure out is getting clients/peers such as phones connected to 10.8.0.0/24 to talk to 192.168.44.0/24.

wg0 on opnsense is peer assigned 10.8.0.7, behind that is the LAN 192.168.44.0/24, but I can not ping anything there.

I can not get the two subnets to talk to each other. Suggestions, please?

wireguard is connected and there is a tiny bit of traffic.
Title: Re: Wireguard peer [subnet<->subnet]
Post by: defaultuserfoo on May 25, 2022, 02:37:29 am
You may need to add the 192.168.44.0/24 network as allowed in 'Allowed IPs' for the Endpoint at the peer where that network is not (i.e. at the peer which is remote from the peer where that network is). Otherwise traffic from/to 192.168.44.0/24 will not be allowed to go over the tunnel. (Don't add it at the wrong peer or it's gonna really suck :)

(It's kinda weird and takes some getting used to, but it kinda makes sense ...)
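The behaviour described in the reply above is WireGuard's cryptokey routing: every AllowedIPs prefix in a config maps to exactly one peer, and an outbound packet is handed to the peer with the longest matching prefix (or dropped if nothing matches). The following script is an added example, not code from the thread or from the OPNsense project; it parses two constructed configs (keys and the endpoint hostname are placeholders) and shows which peer each destination would be routed to, including the "wrong peer" case where the LAN prefix is added on the OPNsense side and its own LAN traffic would be pulled into the tunnel.

```python
import ipaddress
import re

# Constructed VPS-side config (placeholder keys, not real ones). The LAN behind
# OPNsense is listed under the OPNsense peer, which is the correct place.
VPS_CONFIG = """
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <vps-private-key-placeholder>

[Peer]
# name: opnsense
PublicKey = <opnsense-public-key-placeholder>
AllowedIPs = 10.8.0.7/32, 192.168.44.0/24

[Peer]
# name: phone
PublicKey = <phone-public-key-placeholder>
AllowedIPs = 10.8.0.2/32
"""

# Constructed OPNsense-side config with the mistake the reply warns about:
# the local LAN 192.168.44.0/24 is listed as allowed for the remote VPS peer.
OPNSENSE_WRONG_CONFIG = """
[Interface]
Address = 10.8.0.7/24
PrivateKey = <opnsense-private-key-placeholder>

[Peer]
# name: vps
PublicKey = <vps-public-key-placeholder>
Endpoint = vps.example.invalid:51820
AllowedIPs = 10.8.0.0/24, 192.168.44.0/24
"""


def parse_allowed_ips(config_text):
    """Return a list of (peer_label, network) from every [Peer] section.

    This mirrors how WireGuard builds its cryptokey routing table: each
    AllowedIPs entry binds one prefix to one peer. A '# name:' comment
    (our own convention) labels the peer; otherwise the PublicKey is used.
    """
    table = []
    label = None
    in_peer = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            in_peer = line.lower() == "[peer]"
            label = None
            continue
        if line.startswith("#"):
            match = re.match(r"#\s*name:\s*(\S+)", line)
            if match:
                label = match.group(1)
            continue
        if not in_peer or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() == "publickey" and label is None:
            label = value
        elif key.lower() == "allowedips":
            for cidr in value.split(","):
                net = ipaddress.ip_network(cidr.strip(), strict=False)
                table.append((label, net))
    return table


def select_peer(table, dst):
    """Longest-prefix match over AllowedIPs, as WireGuard does for outbound
    packets. Returns the peer label, or None when no prefix covers dst
    (WireGuard then drops the packet instead of sending it over the tunnel)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for label, net in table:
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (label, net)
    return best[0] if best else None


def route_check(config_text, destinations):
    """Map each destination address to the peer it would be sent to."""
    table = parse_allowed_ips(config_text)
    return {dst: select_peer(table, dst) for dst in destinations}


if __name__ == "__main__":
    # On the VPS: LAN traffic goes to the OPNsense peer, phone traffic to the phone.
    print(route_check(VPS_CONFIG, ["192.168.44.5", "10.8.0.2", "192.168.1.1"]))
    # On OPNsense with the LAN listed for the VPS peer: its own LAN host would be
    # routed into the tunnel, which is the lockout the reply warns about.
    print(route_check(OPNSENSE_WRONG_CONFIG, ["192.168.44.5"]))
```

The first call shows why adding the LAN prefix at the VPS is what makes 192.168.44.0/24 reachable from the phone; the second shows that listing the same prefix for the VPS peer on the OPNsense side would send OPNsense's own LAN-bound packets into the tunnel instead of out the LAN interface.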
Title: Re: Wireguard peer [subnet<->subnet]
Post by: cake on May 25, 2022, 05:48:43 am
Thank you kindly for the advice. I did figure it out yesterday and it sounds like what you described. Had to add my subnet to the allowed section on the VPS, not on OPNsense. Added 192.168.44.0/24, 10.8.0.7.
I plan to make a tutorial soon for others. I use the setup because my router is behind a NAT (CGNAT) and as such I can't connect remotely without a VPN. I was using OpenVPN for such a setup (server was the VPN and router was a client), but that server (my own hardware) got nuked trying to update, so I decided this is the time to switch everything to WireGuard. Using a cheap VPS temporarily for this setup.
Title: Re: Wireguard peer [subnet<->subnet]
Post by: defaultuserfoo on May 25, 2022, 12:36:09 pm
Why don't you put your server behind OPNsense instead?  That's more like it's supposed to be :)
Title: Re: Wireguard peer [subnet<->subnet]
Post by: cake on May 25, 2022, 04:45:41 pm
Yes, but I'm double NAT'd. My ISP ran out of IPv4 addresses so a bunch of us share a public IP. It's called CGNAT. I can not open a listen port on that outer NAT. It means IP cameras and all that stuff can't be accessed from the internet.
I think I am one of a few in that situation. It's fine though because it's a fibre connection and cheap, $15 a month.
Title: Re: Wireguard peer [subnet<->subnet]
Post by: cake on June 03, 2022, 04:42:43 pm
Well after I am far away from home I noticed my setup is not quite working the way I want.
The settings on the VPS have AllowedIPs = 10.8.0.7/32, 192.168.44.0/24 for my OPNsense peer.

The 192.168.44.0 subnet (OPNsense) is what I want to access from the remote peers. It does work, well, sort of. It seems like the router (OPNsense) is answering all the connections. So if I connect with WireGuard remotely and SSH to a computer, let's say at 192.168.44.5, the router (192.168.44.1) answers the connection and not the computer (192.168.44.5). I can log into OPNsense and use shell/terminal to open another connection to 192.168.44.5, but it's a bit annoying.

Does anybody know what setting I need to change to get this to work? I don't want to lock myself out. I won't be home for a few months.
Title: Re: Wireguard peer [subnet<->subnet]
Post by: defaultuserfoo on June 08, 2022, 01:27:45 am
Did you make firewall rules on the WireGuard interface that would allow the client connecting to it to communicate with the clients you're trying to reach?

You can do that on the WireGuard group or on the particular interface. I much prefer the particular interface ...