OPNsense Forum

English Forums => General Discussion => Topic started by: spider on June 26, 2020, 11:17:47 AM

Title: WireGuard VPN Site-to-Site question
Post by: spider on June 26, 2020, 11:17:47 AM
Dear all,

I have a problem setting up a site to site connection using WireGuard. After following the instructions in the documentation https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html the following configuration has been generated:

# site1 /usr/local/etc/wireguard/wg0.conf ip subnet 10.1.1.1/24

[Interface]
Address = 10.10.0.1/24
ListenPort = 51820
PrivateKey = <PrivateKey1>
[Peer]
PublicKey = <PublicKey2>
AllowedIPs = 10.10.0.2/32
[Peer]
PublicKey = <PublicKey3>
AllowedIPs = 10.10.0.3/32


# site2 /usr/local/etc/wireguard/wg0.conf ip subnet 10.2.1.1/24

[Interface]
Address = 10.10.0.2/24
ListenPort = 51820
PrivateKey = <PrivateKey2>
[Peer]
PublicKey = <PublicKey1>
AllowedIPs = 10.10.0.2/32,10.1.1.0/24
Endpoint = <VPN Address of Site1>:51820
PersistentKeepalive = 60


The firewall rule for port 51820 has been added.

From the opnsense box at site2 (10.2.1.1) it is possible to ping the following addresses: 10.10.0.2, 10.10.0.1, 10.1.1.1 (LAN address of opnsense on site1) and 10.1.1.2 (a host on the LAN).

From a workstation 10.2.1.2 it is possible to ping 10.10.0.2, 10.10.0.1 but not possible to ping 10.1.1.1 or 10.1.1.2

I'm sure that I'm making a basic mistake but cannot figure out how to fix it. Can someone help so that it is possible to reach the hosts behind the opnsense box at site1?

Thank you
Title: Re: WireGuard VPN Site-to-Site question
Post by: spider on June 30, 2020, 02:32:18 PM
The cause is that packets from workstation at 10.2.1.2 to 10.1.1.1 are going out via the WAN interface instead of through the WireGuard tunnel.

On the OPNsense firewall the packets go correctly through the WireGuard tunnel.

Do you know how to configure the routing so that LAN hosts go through the WireGuard interface? What I tried hasn't worked.

Thanks.
Title: Re: WireGuard VPN Site-to-Site question
Post by: mimugmail on June 30, 2020, 03:29:49 PM
Do you use multiwan or loadbalancing or any kind of gateway rules?
Title: Re: WireGuard VPN Site-to-Site question
Post by: spider on July 01, 2020, 06:56:04 AM
Quote: Do you use multiwan or loadbalancing or any kind of gateway rules?

Both sides have a single gateway on the WAN interface. The Office side has gateways on OpenVPN client interfaces.

Installing a gateway on the WireGuard interfaces does not work and adding a route through that interface breaks the WireGuard VPN tunnel.
Title: Re: WireGuard VPN Site-to-Site question
Post by: mimugmail on July 01, 2020, 09:24:35 AM
Why does the gateway not work?
Title: Re: WireGuard VPN Site-to-Site question
Post by: spider on July 01, 2020, 04:01:06 PM
Quote: Why does the gateway not work?

Why do I think it is not working? Because it says the gateway is offline with 100% packet loss.

The gateway is configured as:
interface=WG
IP address=10.10.0.2
Disable Gateway Monitoring=false
Monitor IP =10.10.0.1

The 10.10.0.2 opnsense host can ping 10.10.0.2 and 10.10.0.1

I would say this means it is not working.

Thanks for your help.
Title: Re: WireGuard VPN Site-to-Site question
Post by: mimugmail on July 01, 2020, 04:20:34 PM
What happens when you disable Monitoring, does it work?
Title: Re: WireGuard VPN Site-to-Site question
Post by: spider on July 01, 2020, 06:15:30 PM
Quote: What happens when you disable Monitoring, does it work?

With monitoring enabled the routing table says:

Destination        Gateway            Flags     Netif Expire
10.10.0.1          10.10.0.2          UGHS        wg0
10.10.0.2          link#9             UH          wg0
10.10.0.2/32       wg0                US          wg0
<snip>
10.1.1.0/24       wg0                US          wg0

With monitoring disabled or the gateway removed the routing table says

10.10.0.2          link#9             UH          wg0
10.10.0.2/32       wg0                US          wg0
<snip>
10.1.1.0/24       wg0                US          wg0


When the gateway exists with or without monitoring then the host 10.10.0.2 cannot ping hosts on the 10.1.1.0/24 network.
When the gateway is removed the hosts can be pinged again. The odd thing is that the routing table is the same with and without the gateway.

Is there another way to test if this is working?

Thanks again.
Title: Re: WireGuard VPN Site-to-Site question
Post by: spider on July 03, 2020, 12:02:12 PM
The following is very similar to what I would like to achieve:
https://hbh7.com/2018/09/30/setting-up-a-wireguard-site-to-site-vpn-between-2-edgerouters/

This also looks the same for FreeBSD
https://genneko.github.io/playing-with-bsd/networking/freebsd-wireguard-quicklook/

Title: Re: WireGuard VPN Site-to-Site question
Post by: mimugmail on July 03, 2020, 02:27:22 PM
Can you post wgX.conf without gateway of both please ...
Title: Re: WireGuard VPN Site-to-Site question
Post by: spider on July 03, 2020, 03:55:35 PM
They were in the first post. I've removed the keys and external IPs. Is that what you wanted?

BTW RoadWarrior connection work like a dream.

Thanks
Title: Re: WireGuard VPN Site-to-Site question
Post by: mimugmail on July 03, 2020, 04:34:02 PM
On Site1 I'm missing the network of Site2 in either of the two peers?
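The point raised here, that each side's [Peer] AllowedIPs must list both the other site's tunnel address and its LAN subnet, is WireGuard's cryptokey routing: a packet is only accepted from, or sent to, a peer whose AllowedIPs cover the address, regardless of what the OS routing table says. The following is an added example, not code from the thread or from OPNsense, that parses a pair of wg0.conf files modelled on the first post (keys and endpoints are placeholders) and reports which remote addresses each side's peer entry fails to cover. It also flags a network listed under two peers of one interface, which WireGuard silently assigns to the last peer only. The checker only covers the cryptokey-routing side; kernel routes and firewall rules are a separate check.

```python
"""Cross-check a pair of WireGuard site-to-site configs (added example)."""
import ipaddress
from typing import Dict, List

# Constructed sample configs modelled on the pair in the first post.
# Keys and the endpoint are placeholders, not real material.
SITE1_CONF = """\
[Interface]
Address = 10.10.0.1/24
ListenPort = 51820
PrivateKey = <PrivateKey1>
[Peer]
PublicKey = <PublicKey2>
AllowedIPs = 10.10.0.2/32
[Peer]
PublicKey = <PublicKey3>
AllowedIPs = 10.10.0.3/32
"""

SITE2_CONF = """\
[Interface]
Address = 10.10.0.2/24
ListenPort = 51820
PrivateKey = <PrivateKey2>
[Peer]
PublicKey = <PublicKey1>
AllowedIPs = 10.10.0.2/32,10.1.1.0/24
Endpoint = <VPN Address of Site1>:51820
PersistentKeepalive = 60
"""


def parse_wg_conf(text: str) -> dict:
    """Parse the INI-like wg(8) config into {'Interface': {...}, 'Peer': [{...}, ...]}."""
    interface: Dict[str, str] = {}
    peers: List[Dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            # split on the first '=' only: base64 keys may end in '=' padding
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    return {"Interface": interface, "Peer": peers}


def allowed_networks(peer: Dict[str, str]) -> List[ipaddress._BaseNetwork]:
    """AllowedIPs of one peer as network objects (host bits are masked off)."""
    return [ipaddress.ip_network(n.strip(), strict=False)
            for n in peer.get("AllowedIPs", "").split(",") if n.strip()]


def covers(networks, target: str) -> bool:
    """True if some AllowedIPs entry contains the whole target network."""
    tgt = ipaddress.ip_network(target, strict=False)
    return any(tgt.subnet_of(net) for net in networks if net.version == tgt.version)


def check_peer(local_conf: str, remote_pubkey: str,
               remote_tunnel_ip: str, remote_lan: str) -> List[str]:
    """Problems with how local_conf's peer entry describes the remote site."""
    cfg = parse_wg_conf(local_conf)
    peers = [p for p in cfg["Peer"] if p.get("PublicKey") == remote_pubkey]
    if not peers:
        return [f"no [Peer] with PublicKey {remote_pubkey}"]
    nets = allowed_networks(peers[0])
    problems = []
    for label, target in (("tunnel address", remote_tunnel_ip + "/32"), ("LAN", remote_lan)):
        if not covers(nets, target):
            problems.append(f"peer {remote_pubkey}: AllowedIPs {[str(n) for n in nets]} "
                            f"does not cover remote {label} {target}")
    return problems


def duplicate_allowed_ips(conf: str) -> List[str]:
    """Networks listed under more than one peer; only the last peer keeps them."""
    owner: Dict[ipaddress._BaseNetwork, str] = {}
    dups = []
    for peer in parse_wg_conf(conf)["Peer"]:
        for net in allowed_networks(peer):
            if net in owner and owner[net] != peer.get("PublicKey"):
                dups.append(str(net))
            owner[net] = peer.get("PublicKey", "")
    return dups


def check_example() -> Dict[str, List[str]]:
    """Run both directions of the sample pair: site1 -> site2 and site2 -> site1."""
    return {
        "site1": check_peer(SITE1_CONF, "<PublicKey2>", "10.10.0.2", "10.2.1.0/24"),
        "site2": check_peer(SITE2_CONF, "<PublicKey1>", "10.10.0.1", "10.1.1.0/24"),
    }


if __name__ == "__main__":
    for site, problems in check_example().items():
        print(site, "OK" if not problems else problems)
```

Run against the sample pair, site1 is reported as not covering site2's LAN (10.2.1.0/24) in the <PublicKey2> peer, and site2's peer entry for site1 is reported as not covering site1's tunnel address 10.10.0.1/32. Both findings are visible in the posted configs; fixing them is a prerequisite for any route on either side to carry LAN-to-LAN traffic.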
Title: Re: WireGuard VPN Site-to-Site question
Post by: spider on July 03, 2020, 07:47:16 PM
I had updated the configuration of host1 to the following, but it didn't make any difference.

[Interface]
Address = 10.10.0.1/24
ListenPort = 51820
PrivateKey = <PrivateKey>
[Peer]
PublicKey = <PublicKey2>
AllowedIPs = 10.10.0.2/32,10.2.1.1/24
[Peer]
PublicKey = <PublicKey3>
AllowedIPs = 10.10.0.3/32

If it is possible to ping any of the hosts behind the opnsense box at site1 from the opnsense box at site2 (10.2.1.1) then the tunnel is working and the routing is also working.

What is strange is that from a host behind site2 it can ping both sides of the tunnel but cannot ping the hosts behind the opnsense box site 1.

Doesn't this mean that the routing is not working from the LAN to hosts at the other side of the tunnel? Shouldn't the route have a gateway bit set, similar to openvpn?

When I tcpdumped the network traffic it was going out through the WAN interface and not the WG interface. From the opnsense box the traffic was going through the WG interface.

Thanks again.
Title: Re: WireGuard VPN Site-to-Site question
Post by: mimugmail on July 03, 2020, 08:15:01 PM
Can you join IRC next week and we fix it via Teamviewer?
Title: Re: WireGuard VPN Site-to-Site question
Post by: spider on July 03, 2020, 11:09:17 PM
Yes that's no problem. What time and timezone? I'm CEST.
Title: Re: WireGuard VPN Site-to-Site question
Post by: mimugmail on July 04, 2020, 10:23:35 AM
Me too. Can you check if you have manual routes for the networks too? I just set up a lab and stumbled upon this. It only works if there is no other route.
Title: Re: WireGuard VPN Site-to-Site question
Post by: spider on July 04, 2020, 04:48:44 PM
There are no manual routes set. I tried to add one using the command line, but they were already defined.
Title: Re: WireGuard VPN Site-to-Site question
Post by: spider on July 06, 2020, 04:47:32 PM
What is the current state of your lab?

Is it completely working so hosts on site 1 can reach hosts on site 2?

As an aside, I keep getting notifications of posts but don't see a new post.
Title: Re: WireGuard VPN Site-to-Site question
Post by: mimugmail on July 06, 2020, 06:32:22 PM
Yes, it works fine. Just come to IRC tomorrow.
Title: Re: WireGuard VPN Site-to-Site question
Post by: spider on July 07, 2020, 01:29:13 PM
The cause is that I'd enabled a Wireguard interface and called it wg0.

After removing the interface, everything worked as expected.

Thanks for your help.