Hi,
I want to connect my OPNsense WireGuard as a "VPN client" to another WireGuard server.
I've already read the WireGuard site-to-site docs, but it doesn't work.
This is my config file; on the Windows WireGuard client it runs perfectly.
Now I want to connect to the server with OPNsense.
[Interface]
ListenPort = 55522
PrivateKey = pv123
Address = 10.100.100.37/31
[Peer]
PublicKey = pub123
EndPoint = XX.XX.XX.XX:55522
AllowedIPs = 10.1.3.0/24
PersistentKeepalive = 10
I created at Local->Server:
Public Key pub123 (Key from Config file)
Private Key pv123 (Key from Config file)
ListenPort 55522
TunnelAddress 10.100.100.37/31
Peers MyPeer
I created at Endpoints:
Name MyPeer
PublicKey pub123 (Key from Config file)
Allowed IPs 10.1.3.0/24
Endpoint Address XX.XX.XX.XX:55522
Endpoint Port 55522
Keepalive 10
But it doesn't work...
On the firewall I set a WireGuard rule: pass all.
Please help.
Greets
Byte
Do you see any traffic on that connection?
Are there any handshakes in VPN: WireGuard in the tab Handshakes?
Nope,
Handshakes:
wg1 pub123 0
List Configuration
interface: wg1
public key: another pubkey!
private key: (hidden)
listening port: 55522
peer: pub123
endpoint: XX.XX.XX.XX:55522
allowed ips: 10.1.3.0/24
transfer: 0 B received, 3.76 KiB sent
persistent keepalive: every 10 seconds
All the how-tos I saw were for site-to-site between OPNsense boxes, and none had a config for setting up only ONE OPNsense.
On the WireGuard server I can't set anything.
Greets
Byte
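Why the "public key: another pubkey!" line is expected, as an added Python check that is not from this thread or from OPNsense: WireGuard derives the interface public key from PrivateKey, so the key OPNsense prints for wg1 is the one the remote server has to hold as its [Peer] PublicKey for this client, and pasting the server's key into the local "Public Key" field cannot work. It parses the [Interface]/[Peer] file format posted above; the X25519 routine is pure Python (RFC 7748) so it runs offline, and the key strings fed to it in the test are constructed placeholders.

```python
import base64

# Pure-Python X25519 (RFC 7748): a WireGuard public key is always DERIVED from PrivateKey.
P = 2**255 - 19

def x25519(scalar: bytes, u: bytes) -> bytes:
    k = bytearray(scalar); k[0] &= 248; k[31] &= 127; k[31] |= 64          # clamp
    k, x1 = int.from_bytes(k, "little"), int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):                                            # Montgomery ladder
        kt = (k >> t) & 1
        if swap ^ kt: x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = pow(da + cb, 2, P), x1 * pow(da - cb, 2, P) % P
        x2, z2 = aa * bb % P, (aa - bb) * (aa + 121665 * (aa - bb)) % P
    if swap: x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def wg_public_key(private_b64: str) -> str:
    """Base64 private key -> base64 public key, what `wg show` prints as 'public key'."""
    priv = base64.b64decode(private_b64)
    if len(priv) != 32: raise ValueError("WireGuard private key must decode to 32 bytes")
    return base64.b64encode(x25519(priv, (9).to_bytes(32, "little"))).decode()

def parse_wg_conf(text: str):
    """[Interface]/[Peer] file -> (interface, [peers]); keys lowercased, so EndPoint == Endpoint."""
    interface, peers, cur = {}, [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            cur = interface if line.lower() == "[interface]" else {}
            if cur is not interface: peers.append(cur)
        elif line:
            key, _, value = line.partition("=")
            cur[key.strip().lower()] = value.strip()
    return interface, peers

def check_client_conf(text: str):
    """Return (derived local public key, findings); the server must hold that key as [Peer] PublicKey."""
    iface, peers = parse_wg_conf(text)
    local_pub, findings = wg_public_key(iface["privatekey"]), []
    for peer in peers:
        if peer.get("publickey") == local_pub:
            findings.append("peer PublicKey is our own key: copy the SERVER's key here")
        if "endpoint" not in peer:
            findings.append("peer has no Endpoint: a client cannot initiate without one")
    return local_pub, findings
```

`check_client_conf(open("/usr/local/etc/wireguard/wg1.conf").read())` returns the derived key together with any findings; that key is the one to compare against the peer entry on the server side.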
Did you enable the WireGuard service in the general tab?
Do you allow traffic on the WAN interface to the WireGuard port?
WireGuard is enabled; I have a second WireGuard server running on OPNsense as a road warrior, and this works fine.
And NO, I don't want to allow traffic over WAN to THIS WireGuard, because it should be a WireGuard client!
Traffic should go OUT over WAN to the WireGuard server, and backwards it's allowed by default (stateless firewall).
So when I start WireGuard on my desktop PC, I don't have to open a WAN port to get a connection; it's an outgoing connection.
OPNsense should connect AS CLIENT to the WireGuard server on the other side!
Greets
Byte
OK,
looking at the internal WireGuard config in OPNsense, it looks good:
sudo cat /usr/local/etc/wireguard/wg1.conf
[Interface]
Address = 10.100.100.37/31
ListenPort = 55522
PrivateKey = pv123
[Peer]
PublicKey = pub123
AllowedIPs = 0.1.3.0/24
Endpoint = XX.XX.XX.XX:55522
PersistentKeepalive = 10
You should see traffic leaving your OPNsense box then. Have a look in the Firewall: Log Files: Live View
There should be traffic towards the endpoint you defined. It should be covered by the "Let out anything from firewall host itself".
Mildly OT, but is "PersistentKeepalive = 10" the standard used by OPNsense?
Make sure you don't have any other site-to-site VPNs enabled while trying to get this to work between the sites. I had an OpenVPN VPN between the two sites up while trying to get this to work and no traffic would pass through the WireGuard VPN. Once I disabled the OpenVPN VPN everything worked.