I've just set up a brand new install of OPNsense 22.7.11 and followed the WireGuard Site-to-Site Setup (https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html) guide. However, clients on my LAN cannot ping remote IPs, nor can I ping them from OPNsense unless I specifically set the Source Address.
I have an existing pfSense setup which I'm connecting to.
My existing network has several networks accessible via WireGuard (provable using WireGuard on a laptop or mobile - I can access the required networks) such as "192.168.3.0/24".
I've configured an Endpoint in the WireGuard config with this network in the "Allowed IPs", and can see that in "System > Routes > Status" there is a route for "192.168.3.0/24" going down the WireGuard interface.
If I go to "Interfaces > Diagnostics > Ping" and ping a host on this network with the "Source Address" set to the WireGuard interface, I get a response. If I leave the "Source Address" set to "Default" or set it to "LAN", I don't get a response.
Any ideas?
Screenshots please :)
Quote from: euant on January 19, 2023, 04:05:58 PM
I have an existing pfSense setup which I'm connecting to.
I've configured an Endpoint in the WireGuard config with this network in the "Allowed IPs", and can see that in "System > Routes > Status" there is a route for "192.168.3.0/24" going down the WireGuard interface.
So then you know the WireGuard plugin is vastly better in pfSense. Being so, the setup is a lot different.
One thing is WireGuard doesn't add routes automatically; are you sure the route exists?
Did you add interfaces for the tunnel? Gateway?
I would try to follow the pfSense guide and try to get through it that way.
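The reply above asks whether the route actually exists. As an added example (not code from the thread or from OPNsense), here is a small POSIX shell check that answers the two questions a WireGuard site-to-site path has to pass on the local side: does some peer list the remote subnet in its allowed IPs (WireGuard's cryptokey routing drops packets for destinations no peer claims), and does the kernel route for that subnet point at the WireGuard interface. The `wg show` and `netstat -rn` output, the interface name wg0, the peer keys and the 10.10.10.0/24 transfer network are all constructed for illustration; only the 192.168.3.0/24 subnet comes from the thread.

```shell
#!/bin/sh
# Added example: cross-check a remote subnet against WireGuard's allowed IPs and
# the kernel routing table. On a live OPNsense box you would capture the two
# variables with:   WG_SHOW=$(wg show)   and   NETSTAT_RN=$(netstat -rn -f inet)
# The text below is CONSTRUCTED sample output, not taken from the thread.

WG_SHOW='interface: wg0
  public key: EXAMPLELOCALKEY=
  listening port: 51820

peer: EXAMPLEPEERKEY=
  endpoint: 203.0.113.10:51820
  allowed ips: 10.10.10.2/32, 192.168.3.0/24
  latest handshake: 12 seconds ago'

NETSTAT_RN='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            198.51.100.1       UGS       vtnet0
10.10.10.0/24      link#5             U         wg0
192.168.1.0/24     link#2             U         vtnet1
192.168.3.0/24     10.10.10.2         UGS       wg0'

# Print the public key of the peer whose "allowed ips" list contains SUBNET
# written exactly as given (an exact-string check, not longest-prefix matching);
# prints nothing when no peer claims the subnet.
peer_for_subnet() {
    printf '%s\n' "$WG_SHOW" | awk -v want="$1" '
        /^peer:/ { peer = $2 }
        /allowed ips:/ {
            sub(/.*allowed ips: */, "")
            n = split($0, list, /, */)
            for (i = 1; i <= n; i++) if (list[i] == want) print peer
        }'
}

# Print the Netif column of the netstat -rn entry whose Destination column is
# exactly DEST (FreeBSD layout: Destination Gateway Flags Netif Expire);
# prints nothing when there is no such route.
route_netif() {
    printf '%s\n' "$NETSTAT_RN" | awk -v want="$1" '$1 == want { print $4 }'
}

# Verdict for one remote subnet: returns 0 when a peer claims it AND the kernel
# routes it via WGIF, otherwise prints the reason and returns 1.
check_remote_subnet() {
    subnet=$1
    wgif=$2
    peer=$(peer_for_subnet "$subnet")
    netif=$(route_netif "$subnet")
    if [ -z "$peer" ]; then
        echo "$subnet: no peer lists it in allowed ips; cryptokey routing will drop it"
        return 1
    fi
    if [ "$netif" != "$wgif" ]; then
        echo "$subnet: kernel route goes via '${netif:-none}', not $wgif"
        return 1
    fi
    echo "$subnet: OK, claimed by peer $peer and routed via $netif"
    return 0
}

# Usage: the thread's subnet passes both checks on this sample; a subnet that
# neither the peer nor the routing table knows about fails the first check.
check_remote_subnet 192.168.3.0/24 wg0
check_remote_subnet 192.168.4.0/24 wg0 || true
```

Both checks passing only covers the outbound half of the path. As general WireGuard behaviour (not a conclusion the thread itself reaches), the far side applies the same cryptokey rule in reverse: it accepts a packet from this peer only if its source address falls inside the allowed IPs configured for this peer over there, so the local LAN subnet has to appear in the remote peer entry as well as the local tunnel address, or LAN-sourced traffic is silently dropped on arrival while tunnel-sourced traffic gets through.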
Yep, I added an interface for the tunnel, but no manual routing config or gateway config.
Screenshots incoming:
Firewall Rules on the interface and WG group interface?
Firewall rules are to pass everything with a wildcard source and destination for both the specific and WG group interface.
Is that subnet involved in any other rules that would affect this?
Floating maybe?
Via CLI
/usr/local/etc/rc.d/wireguard restart