Hello,
I had my road warrior WireGuard setup running on OPNsense_A at Site_A for quite some time now.
My mobile clients have access to my LAN or can even tunnel their entire traffic through my OPNsense.
At Site_B I have my OPNsense_B and SOME clients in that network need access to the services at Site_A.
So I added the OPNsense_B "sort of" as another road warrior client to the WireGuard instance of OPNsense_A.
I didn't enable the pull routes feature of the WireGuard interface since I only want some clients to go through the tunnel. So I added the gateway IP to the wg_interface and created a gateway in the settings of OPNsense_B.
At this point the tunnel was already working and I was able to ping the wireguard interface address at Site_A using the OPNsense diagnostics tool.
I then created a firewall rule (see attached files) that will only route selected clients to the network of Site_A and thought that would be enough. I was wrong, I also needed to add a NAT outbound rule (see attached files) that translates everything to the OPNsense_B_WG_interface address.
Can someone please explain to me why that outbound NAT rule is necessary? I know what it does but I just can't figure out why it is necessary. Without the outbound rule I can see that my OPNsense_B is routing the traffic to OPNsense_A, but there is no sign of it in the logs of OPNsense_A. The Site_B networks are listed in the Allowed IPs of the Site_B peer.
Ultimately I would like OPNsense_A and the services in that network to know the real local IP of Site_B clients that accessed them.
(I know that the firewall rule is currently giving the whole VLAN_CLIENT network access to the network of Site_A. I will change this when everything is working as expected.)
This may help for setup, in particular the firewall rules at the beginning: https://www.thomas-krenn.com/en/wiki/OPNsense_WireGuard_VPN_Site-to-Site_configuration
I think you misunderstood the issue.
I already have the tunnel up and running! I was just asking why the outbound NAT rule is necessary.
I think you misunderstood my response.
I am suggesting that with the right firewall rules in place you won't need an outbound NAT rule. Try it or not as you wish.
Well, I totally overlooked that firewall rule part.
Going to try this.
But why didn't the firewall live log on Site_A display any blocked/dropped traffic from the Site_B networks?
By default it is showing everything that is getting blocked.
So I removed the NAT outbound rule and allowed both remote networks in the WireGuard interfaces' firewall rules.
Still not working. Though I now have firewall logs on both sides indicating that the traffic goes from Site_B to Site_A but it is still not coming back.
EDIT: The easiest solution was to just leave "Disable Routes" unticked. One could also create a static route, but then you would also need to create a gateway.
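The three situations in this thread (outbound NAT and no route on Site_A; no NAT and no route, where requests arrive but replies never come back; no NAT with the route that "Disable Routes" unticked installs) traced through a toy model of WireGuard's cryptokey routing plus each firewall's routing table. This is an added example, not code from the thread or from OPNsense, and the addresses, interface names and peer names are assumptions:

```python
"""Toy model of WireGuard cryptokey routing plus the hosts' routing tables.

Added example, not code from the thread or from OPNsense.  It traces the
Site_B client -> Site_A service request and its reply.  All addresses are
assumptions:
  Site_A LAN 192.168.1.0/24, OPNsense_A WireGuard address 10.10.10.1
  Site_B LAN 192.168.2.0/24, OPNsense_B WireGuard address 10.10.10.2
"""
import ipaddress


def net(s):
    return ipaddress.ip_network(s, strict=False)


class Router:
    """A firewall with a routing table and one WireGuard interface, wg0."""

    def __init__(self, name, routes, peers):
        self.name = name
        # routes: [(prefix, egress interface)], peers: {peer name: [AllowedIPs]}
        self.routes = [(net(p), iface) for p, iface in routes]
        self.peers = {pn: [net(a) for a in allowed] for pn, allowed in peers.items()}

    def route(self, dst):
        """Longest-prefix match; returns the egress interface name or None."""
        best = None
        for prefix, iface in self.routes:
            if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, iface)
        return best[1] if best else None

    def wg_egress_peer(self, dst):
        """Cryptokey routing, send side: the peer whose AllowedIPs cover dst."""
        for pn, allowed in self.peers.items():
            if any(dst in a for a in allowed):
                return pn
        return None

    def wg_ingress_ok(self, pn, src):
        """Cryptokey routing, receive side: src must lie in that peer's AllowedIPs."""
        return any(src in a for a in self.peers[pn])


def forward(router, other, src, dst, log):
    """Forward one packet out of `router`; returns the interface it left on, or 'drop'."""
    iface = router.route(dst)
    if iface != "wg0":
        log.append(f"{router.name}: {src} -> {dst} leaves via {iface}")
        return iface
    peer = router.wg_egress_peer(dst)
    if peer is None:
        log.append(f"{router.name}: {dst} matches no peer's AllowedIPs, dropped by WireGuard")
        return "drop"
    if not other.wg_ingress_ok(router.name, src):
        # Discarded inside WireGuard on the receiving side: the packet filter never
        # sees it, so nothing appears in the firewall live log.
        log.append(f"{other.name}: src {src} not in AllowedIPs of peer {router.name}, dropped")
        return "drop"
    log.append(f"{router.name}: {src} -> {dst} sent to peer {peer}, accepted by {other.name}")
    return "wg0"


def simulate(outbound_nat, a_has_route_to_site_b, a_allows_site_b_lan=True):
    """Trace 192.168.2.50 (Site_B client) -> 192.168.1.10 (Site_A service) and the reply."""
    a_routes = [("192.168.1.0/24", "lan"), ("10.10.10.0/24", "wg0"), ("0.0.0.0/0", "wan")]
    if a_has_route_to_site_b:
        # What OPNsense installs from AllowedIPs when "Disable Routes" is unticked,
        # or what a static route via a WireGuard gateway would add.
        a_routes.append(("192.168.2.0/24", "wg0"))
    a_allowed = ["10.10.10.2/32"] + (["192.168.2.0/24"] if a_allows_site_b_lan else [])
    opnsense_a = Router("OPNsense_A", a_routes, {"OPNsense_B": a_allowed})
    opnsense_b = Router("OPNsense_B",
                        [("192.168.2.0/24", "lan"), ("10.10.10.0/24", "wg0"),
                         ("192.168.1.0/24", "wg0"),  # the policy rule sending clients into the tunnel
                         ("0.0.0.0/0", "wan")],
                        {"OPNsense_A": ["10.10.10.1/32", "192.168.1.0/24"]})
    client = ipaddress.ip_address("192.168.2.50")
    service = ipaddress.ip_address("192.168.1.10")
    # The outbound NAT rule rewrites the source to OPNsense_B's WireGuard address.
    src = ipaddress.ip_address("10.10.10.2") if outbound_nat else client
    log = []
    if forward(opnsense_b, opnsense_a, src, service, log) != "wg0":
        return {"request_delivered": False, "reply_delivered": False,
                "service_sees": None, "reply_exit": None, "log": log}
    reply_exit = forward(opnsense_a, opnsense_b, service, src, log)
    return {"request_delivered": True, "reply_delivered": reply_exit == "wg0",
            "service_sees": str(src), "reply_exit": reply_exit, "log": log}


if __name__ == "__main__":
    cases = [("NAT, no route on A", dict(outbound_nat=True, a_has_route_to_site_b=False)),
             ("no NAT, no route on A", dict(outbound_nat=False, a_has_route_to_site_b=False)),
             ("no NAT, route on A", dict(outbound_nat=False, a_has_route_to_site_b=True))]
    for label, kwargs in cases:
        r = simulate(**kwargs)
        print(f"{label}: reply via {r['reply_exit']}, service sees {r['service_sees']}")
        for line in r["log"]:
            print("   ", line)
```

The model separates the two things that AllowedIPs does not do by itself. On OPNsense_A the tunnel address 10.10.10.2 is covered by the interface route for 10.10.10.0/24, so with outbound NAT the reply already has a way back into wg0; that is why the NAT rule "works", at the cost of the service only ever seeing OPNsense_B's tunnel address. Without NAT the reply is addressed to 192.168.2.50, and unless OPNsense_A has a route for 192.168.2.0/24 pointing at wg0 (installed from AllowedIPs with "Disable Routes" unticked, or as a static route via a WireGuard gateway) it follows the default route out the WAN and never comes back, even though AllowedIPs on both sides would have accepted it. The third parameter shows the other failure mode: if the Site_B LAN were missing from the peer's AllowedIPs, WireGuard itself would discard the request, which is not a firewall block and leaves no entry in the live log.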