First off, I understand that I might be doing this all wrong but I've tried to get myself as far as I can before asking for help.
I want to implement WireGuard in a site to site configuration and since I'm learning, I've decided to put it into OpnSense first. Later I might install it bare metal.
Both setups are ISP Modem -> Asus Router. I still want to use both Asus routers for everything they currently do. As such I only want OpnSense to run WireGuard and nothing more.
I followed this guide up until Step 3. https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html
Both instances of WireGuard initiate and stay that way so it appears I have done something right. Neither have WAN interfaces but both can ping the internet through the existing LAN. I can't ping from one network to the other. I do have an existing OpenVPN server running on one site and can log into it from the other. (Should I stop the OpenVPN server?) Both networks are using the same DHCP range but their servers assign to different subsets.
Running WireGuard from the terminal produces:
- rm -f /var/run/wireguard/wg0.sock
- resolvconf -d wg0
- wireguard-go wg0
INFO: (wg0) 2020/12/14 06:53:51 Starting wireguard-go version 0.0.20201118
- wg setconf wg0 /tmp/tmp.vHeA3nWe/sh-np.Idyy4J
- ifconfig wg0 inet 192.168.5.1/24 192.168.5.1 alias
- ifconfig wg0 mtu 1420
- ifconfig wg0 up
- resolvconf -a wg0 -x
- route -q -n add -inet 192.168.5.2/32 -interface wg0
- route -q -n add -inet 192.168.1.0/32 -interface wg0
- Backgrounding route monitor
and
- rm -f /var/run/wireguard/wg0.sock
- resolvconf -d wg0
- wireguard-go wg0
INFO: (wg0) 2020/12/14 06:57:15 Starting wireguard-go version 0.0.20201118
- wg setconf wg0 /tmp/tmp.fKJLL0pk/sh-np.2X3j2S
- ifconfig wg0 inet 192.168.5.2/24 192.168.5.2 alias
- ifconfig wg0 mtu 1420
- ifconfig wg0 up
- resolvconf -a wg0 -x
- route -q -n add -inet 192.168.5.1/32 -interface wg0
- route -q -n add -inet 192.168.1.0/32 -interface wg0
- Backgrounding route monitor
The config files are:
[Interface]
Address = 192.168.5.1/24
DNS = 192.168.1.250
ListenPort = 51820
PrivateKey = {randomstring}=
[Peer]
PublicKey = {randomstring}=
AllowedIPs = 192.168.1.0,192.168.5.2
Endpoint = {correctWANip}:51820
and
[Interface]
Address = 192.168.5.2/24
DNS = 192.168.1.240
ListenPort = 51820
PrivateKey = {randomstring}=
[Peer]
PublicKey = {randomstring}=
AllowedIPs = 192.168.5.1,192.168.1.0
Endpoint = {correctWANip}:51820
All keys end in an equals sign. (Is that correct?)
Both state in VPN -> WireGuard -> Handshakes = 0.
I haven't added any routes or anything to the firewall as WireGuard isn't using a WAN interface (I understand this could be the problem).
Like I said, I'm new to this so understand I might have a fundamental problem that I can't see.
Try changing the AllowedIPs to CIDR notation, e.g. 192.168.5.1/32
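An added check (not code from the thread or from OPNsense) that expands AllowedIPs the way wg(8) does, where a bare address becomes a single-host /32; this is why the trace above installs a route for 192.168.1.0/32 rather than the LAN. The config text, key and endpoint values below are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample: the first site's config from the thread, with placeholder key/endpoint values.
SAMPLE_CONF = """[Interface]
Address = 192.168.5.1/24
DNS = 192.168.1.250
ListenPort = 51820
PrivateKey = PLACEHOLDER=
[Peer]
PublicKey = PLACEHOLDER=
AllowedIPs = 192.168.1.0,192.168.5.2
Endpoint = 203.0.113.10:51820
"""

def parse_wg_conf(text):
    """Return a list of (section_name, {key: value}) from an INI-style wg config."""
    sections, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = (m.group(1), {})
            sections.append(current)
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[1][key.strip()] = value.strip()
    return sections

def check_allowed_ips(conf_text):
    """Expand each AllowedIPs entry as wg(8) does (no prefix length -> /32 or /128) and
    return (routes, warnings): the networks routed into the tunnel, and entries that
    look like a network address but will only ever match a single host."""
    routes, warnings = [], []
    for section, kv in parse_wg_conf(conf_text):
        if section != "Peer" or "AllowedIPs" not in kv:
            continue
        for entry in (e.strip() for e in kv["AllowedIPs"].split(",") if e.strip()):
            net = ipaddress.ip_network(entry, strict=False)  # bare address -> /32
            routes.append(str(net))
            if "/" not in entry and net.network_address.packed[-1] == 0:
                warnings.append(f"{entry} has no prefix length and will be routed as {net}; "
                                f"if you meant the whole LAN, write e.g. {entry}/24")
    return routes, warnings

if __name__ == "__main__":
    routes, warnings = check_allowed_ips(SAMPLE_CONF)
    print("routes:", routes)
    for w in warnings:
        print("WARNING:", w)
```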
Thanks. I just tried that but I'm still not getting a handshake and still can't ping from one VM to the other.
Quite possibly a routing issue as you have guessed. I haven't implemented WG on a host behind my firewall, only on the OPNsense firewall itself, so haven't got any immediate ideas for your scenario.
Thanks. I'll keep plugging away and hopefully someone might have an idea.
Have you thought about port forwarding on your router? Incoming requests on the WG port need to be directed to the WG host.
On both routers I have forwarded port 51820 from all addresses to the relevant VM.
I also turned off the firewalls on both routers (temporarily) but that didn't help either.