I have setup a site-to-site WG VPN that somewhat works --
Names resolve correctly on on both LANs across the VPN. RDP and VNC work flawlessly on machines on either LAN to access remote hosts by name.
However, ping times out and I am unable to browse shares on the computers across the VPN either by name or IP address.
I only have a PASS rule to allow IPv4 UDP between the firewalls; I suspect that I need another PASS rule on both sides to allow other IPv4 traffic into the LAN across the VPN.
Any pointers on what this rule(s) are would be helpful. Should this rule be between the two LANs or the firewalls? Which protocols? Which interface? Do I need to manually setup an outbound-NAT rule? I am somewhat new to this and I don't want to accidentally open up the two networks to the world! Thanks.
Maybe you need a rule to allow TCP and UDP on the wireguard interface (or the wireguard group), and another one for ICMP if you want ping.
I will give it a try, but wouldn't the general rule that allows *any* traffic already cover this? I have this on the Wireguard (group) interface --
Adding an explicit "Allow ICMP" rule to the wireguard interface made no difference.
Quote from: kss on June 12, 2022, 02:31:36 PM
I will give it a try, but wouldn't the general rule that allows *any* traffic already cover this? I have this on the Wireguard (group) interface --
Yes, that should work.
Are you sure that the devices you're trying to ping do answer pings at all?
Yes, the devices on the two LANs respond to pings within their own subnets; Pings across the VPN time out but the names resolve to the correct IP addresses.
It is still weird that I can connect to any machine on the "other" side by name via RDP or VNC -- but cannot directly browse their shared folders.
Wonder if if I need some kind of outbound NAT -- I shouldn't need it according to the documentation because the WG interface is assigned and enabled. And I am not yet knowledgeable enough to know what/how to go about it!
You could take a look at the firewall log and/or make a packet capture to figure out what happens to these ICMP packages. You don't need to set up any NAT for that.