OPNsense Forum

English Forums => Virtual private networks => Topic started by: petersk on November 16, 2022, 10:48:43 PM

Title: Route "the other way" through wireguard
Post by: petersk on November 16, 2022, 10:48:43 PM
I have wireguard working from Europe to the US using a GliNet Slate (Slate AX (GL-AXT1800) https://www.gl-inet.com/products/gl-axt1800/). The IP CIDR address on that side is 192.168.8.0/23. And my Roku on that side (connected through WIFI) properly streams stuff as if it's in the US.

For Wireguard that device is 172.16.16.4/32, where I have an interface named HomeWireGuard set up under OPNsense.  The wireguard server is in the US and is 172.16.16.1/23 with the .4/32 as a peer. The "tunnel address" is 172.16.16.1/23.

I have the client allowing all IPs 0.0.0.0 from Europe to the US and everything is working perfectly or at least, as expected.

What I want now is to allow a device on the US side to connect to the WAN on the European side.  What I was thinking is setting up a Roku device on the US side and being able to stream as if I were in the European region. The VPN tunnel should be two-way, right?

I'm thinking I'd have to have the device on the US side have an IP address like 172.16.16.6, but what else do I need to set up in terms of routes, etc.?  I looked at trying to go to System: Routes: Configuration, but I don't even see the HomeWireGuard interface there nor wg1.  It only has these options on the pull down: Null4 - 127..., Null6 - 127..., and WAN_DHCP- IP.

Any thoughts on how I'd do this? Do I need a new route on the GLiNET side too?
Title: Re: Route "the other way" through wireguard
Post by: bartjsmit on November 17, 2022, 07:24:18 AM
There is no "way" in routing. Packets need to go both ways.

Check for deny entries in the firewall log. It is much more restrictive inbound.

Bart...
Title: Re: Route "the other way" through wireguard
Post by: chemlud on November 17, 2022, 08:44:01 AM
...but there is a "way" with a stateful firewall as the initial side of the communication counts.

What you want is the setup of a site-to-site WG tunnel. Did you follow the how-to in the opnsense documentation for this (! site-to-site) WG tunnel including NAT?
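To make the site-to-site picture concrete, here is an added, constructed WireGuard configuration (not from the thread, the OPNsense docs, or GL.iNet) written with the addresses given above. Keys, the listen port and the US endpoint hostname are placeholders; the US-side Roku address 172.16.16.6 is the one petersk proposed. The point it shows is that AllowedIPs is a per-peer filter in both directions (what may be sent into the tunnel toward that peer, and what source addresses are accepted from it), so "the other way" needs the US end to permit the Roku's internet-bound traffic toward the Europe peer, and the Europe end to accept it and NAT it out its own WAN:

```ini
# Constructed example: both ends of a site-to-site WireGuard tunnel.
# Addresses follow the thread; keys/port/endpoint are placeholders.

# ---------------- US side (server, tunnel address 172.16.16.1/23) ----------------
[Interface]
Address    = 172.16.16.1/23
ListenPort = 51820                              # placeholder port
PrivateKey = <US_PRIVATE_KEY_PLACEHOLDER>

[Peer]
# Europe OPNsense ("HomeWireGuard" side).
PublicKey  = <EU_PUBLIC_KEY_PLACEHOLDER>
# 172.16.16.4/32  : the peer's own tunnel address
# 192.168.8.0/23  : the European LAN behind it
# 0.0.0.0/0       : required so that internet-bound packets from the US Roku
#                   (172.16.16.6) may be handed to this peer at all.  With
#                   0.0.0.0/0 here, do NOT let this entry install a default
#                   route; instead policy-route only traffic sourced from
#                   172.16.16.6 into the tunnel, or every US host loops through
#                   Europe.
AllowedIPs = 172.16.16.4/32, 192.168.8.0/23, 0.0.0.0/0
PersistentKeepalive = 25

# ---------------- Europe side (OPNsense, tunnel address 172.16.16.4/32) ----------
[Interface]
Address    = 172.16.16.4/32
PrivateKey = <EU_PRIVATE_KEY_PLACEHOLDER>

[Peer]
PublicKey  = <US_PUBLIC_KEY_PLACEHOLDER>
Endpoint   = us-endpoint.example.invalid:51820  # placeholder
# 0.0.0.0/0 keeps the existing "send everything to the US" behaviour and, in
# the inbound direction, accepts packets from the US peer with any source
# address (including 172.16.16.6).
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

# Europe side also needs, outside this file (OPNsense GUI):
#  1. A firewall rule on the HomeWireGuard interface passing traffic with
#     source 172.16.16.0/23 and, on that rule, the WAN gateway selected, so
#     the Roku's packets exit the European WAN instead of being routed back
#     into the tunnel by the 0.0.0.0/0 default above.
#  2. An outbound NAT rule on WAN for source 172.16.16.0/23, since the
#     European ISP will not route private 172.16.x addresses.
```

Two checks that separate a routing problem from a filtering problem: `wg show` on either end reports a recent handshake and rising transfer counters per peer, so a counter that only grows on one side means the packets are reaching the tunnel but not being accepted or forwarded beyond it; and OPNsense's Firewall: Log Files: Live View filtered to the HomeWireGuard interface shows whether the inbound packets from 172.16.16.6 are being blocked by the default deny rather than misrouted.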
Title: Re: Route "the other way" through wireguard
Post by: petersk on November 17, 2022, 04:14:39 PM
If you're referring to this one, then yes, those steps were done in the follow-on one about setting up a wireguard client, unless you know something I didn't see there:
https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html

I will check the firewall log as Bart, the other person, suggested, on both links.
I found this one which might get me there. I'm going to try it.
https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html

OK, I tried doing that link, but it is hard to follow with no specific example. Here's my network layout if someone could lend a hand that would be great.
https://imgur.com/YDQNGUg
K
Title: Re: Route "the other way" through wireguard
Post by: petersk on November 20, 2022, 07:07:26 PM
Bump