OPNsense Forum

English Forums => Virtual private networks => Topic started by: RSpin on February 12, 2023, 03:04:54 AM

Title: Wireguard Site to Site, Peer sees Lan but Lan can't see Peer
Post by: RSpin on February 12, 2023, 03:04:54 AM
Trying to set up a Wireguard Site to Site setup between my Proxmox Server running an OPNsense VM and a Raspberry Pi at another location.  Followed all the tutorials (I think) and I am close.  I get a handshake and I can ping the Wireguard interfaces in both directions.  From the Raspberry Pi I can also ping all the addresses on my OPNsense LAN.  I cannot ping any IP addresses on the Raspberry Pi's side except the Wireguard interface.  UFW is not running on the Pi.  The Pi is connected to a Verizon Fios Router with a port forward for 58020 to the Pi.  I have set up a Wireguard connection to this Pi in the past and was able to access other devices on the network, so I don't think there is anything going on at that end, but willing to entertain ideas.

OPNsense setup

LAN network 10.10.0.1

Wireguard Local
Listen Port: 58020
Tunnel Address: 10.20.20.1

Endpoints
AllowedIps: 10.20.20.2/32, 192.168.1.0/24
Endpoint address and Port set to WAN address of Pi and port 58020

Raspberry Pi setup

Lan:  192.168.0.1

wg0.conf
[Interface]
PrivateKey = ???????????????
ListenPort = 58020
Address = 10.20.20.2/32

[Peer]
PublicKey = ??????????????????????????????
AllowedIPs = 10.20.20.1/32,10.10.0.0/24,10.10.20.0/24
Endpoint = #############:58020
PersistentKeepAlive = 21

I have a wide open firewall rule set on the OPNsense WG interface.

The only thing that I have noticed that might be off is when I set up the Wireguard Interface it set up as wg1 instead of wg0.  I do not have a wg0 so that seemed weird to me.

I am one of those follow-the-tutorial/YouTube-video guys who can follow directions but have only a passing knowledge of why anything works.  I am new to OPNsense and am just at a loss as to how to troubleshoot this.  Makes no sense to me that I can ping the Wireguard interface but not any devices on the Pi's network, given I am pretty sure I have the allowed IP setting correct.  As I said, I have accomplished this with my old Ubuntu server, so I feel like it should work.

Thanks for any ideas.
Title: Re: Wireguard Site to Site, Peer sees Lan but Lan can't see Peer
Post by: Greelan on February 12, 2023, 08:59:50 AM
You say the Pi LAN is x.x.0.1 but allowed IPs on the endpoint on OPNsense says x.x.1.0. Typo or misconfiguration?
Title: Re: Wireguard Site to Site, Peer sees Lan but Lan can't see Peer
Post by: RSpin on February 12, 2023, 08:46:47 PM
Thanks for reply

The LAN is 192.168.1.0, the router is 192.168.1.1
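Greelan's question above is the cross-check that catches most site-to-site mistakes: each end routes into the tunnel only what its peer's AllowedIPs lists, so both sides must name the other site's tunnel address and LAN prefixes and neither may list its own. The script below, an added example that is not part of this thread or of OPNsense, performs that check on the two configs from the opening post. It assumes the OPNsense tunnel address is 10.20.20.1/24, treats 10.10.0.0/24 and 10.10.20.0/24 as the prefixes behind OPNsense, and uses placeholder keys and endpoint hostnames (the real ones are not on the page). Run with the Pi LAN as first stated (192.168.0.x) it flags the mismatch; run with 192.168.1.0/24 it reports both directions consistent.

```python
"""Cross-check the AllowedIPs ("cryptokey routing") of a two-site WireGuard
tunnel.  Added example, not from the original post or OPNsense itself.  The
two configs are constructed from the values in the opening post; keys and
endpoint names are placeholders and the OPNsense tunnel /24 is an assumption."""
from ipaddress import ip_interface, ip_network

OPNSENSE_CFG = """
[Interface]
Address = 10.20.20.1/24
ListenPort = 58020

[Peer]
PublicKey = <pi-public-key>
AllowedIPs = 10.20.20.2/32, 192.168.1.0/24
Endpoint = pi.example.invalid:58020
"""

PI_CFG = """
[Interface]
PrivateKey = <redacted>
ListenPort = 58020
Address = 10.20.20.2/32

[Peer]
PublicKey = <opnsense-public-key>
AllowedIPs = 10.20.20.1/32,10.10.0.0/24,10.10.20.0/24
Endpoint = opnsense.example.invalid:58020
PersistentKeepalive = 21
"""

OPNSENSE_LANS = ["10.10.0.0/24", "10.10.20.0/24"]  # LAN plus the VLAN behind OPNsense


def parse_wg(text):
    """Parse wg-quick style text into (interface, [peers]).  Address and
    AllowedIPs become lists; every other value is kept as a string."""
    iface, peers, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower() == "[interface]":
            cur = iface
        elif line.lower() == "[peer]":
            cur = {}
            peers.append(cur)
        else:
            key, _, val = line.partition("=")
            key = key.strip().lower()
            if key in ("address", "allowedips"):
                cur.setdefault(key, []).extend(v.strip() for v in val.split(",") if v.strip())
            else:
                cur[key] = val.strip()
    return iface, peers


def covered(prefix, allowed):
    """True if `prefix` lies inside some AllowedIPs entry of the same family."""
    net = ip_network(prefix, strict=False)
    return any(net.subnet_of(a) for a in allowed if a.version == net.version)


def check_site(name, local_cfg, local_lans, remote_cfg, remote_lans):
    """Return a list of problems with what `name` will route into the tunnel."""
    _, peers = parse_wg(local_cfg)
    remote_iface, _ = parse_wg(remote_cfg)
    allowed = [ip_network(a, strict=False) for p in peers for a in p.get("allowedips", [])]
    problems = []
    for addr in remote_iface.get("address", []):          # peer's tunnel address
        ip = ip_interface(addr).ip
        if not covered(str(ip), allowed):
            problems.append(f"{name}: remote tunnel address {ip} missing from AllowedIPs")
    for lan in remote_lans:                                # other site's LANs
        if not covered(lan, allowed):
            problems.append(f"{name}: remote LAN {lan} missing from AllowedIPs, so it is never sent into wg")
    for lan in local_lans:                                 # own LANs must stay off the tunnel
        if covered(lan, allowed):
            problems.append(f"{name}: own LAN {lan} is in AllowedIPs and would be pulled into the tunnel")
    if any(a.prefixlen == 0 for a in allowed):             # 0.0.0.0/0 or ::/0
        problems.append(f"{name}: a /0 in AllowedIPs takes over the default route")
    return problems


def audit(pi_lan):
    """Check both directions; `pi_lan` is the prefix behind the Pi."""
    return (check_site("opnsense", OPNSENSE_CFG, OPNSENSE_LANS, PI_CFG, [pi_lan])
            + check_site("pi", PI_CFG, [pi_lan], OPNSENSE_CFG, OPNSENSE_LANS))


if __name__ == "__main__":
    for lan in ("192.168.0.0/24", "192.168.1.0/24"):  # as first posted, then as corrected
        print(lan, "->", audit(lan) or ["AllowedIPs consistent in both directions"])
```

A clean result from this check only proves that each end will put the right destinations into the tunnel; it says nothing about whether hosts on either LAN know how to send replies back to the WireGuard box, which is the question the rest of the thread turns to.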
Title: Re: Wireguard Site to Site, Peer sees Lan but Lan can't see Peer
Post by: Demusman on February 12, 2023, 10:52:29 PM
Address = 10.20.20.2/32

[Peer]
PublicKey = ??????????????????????????????
AllowedIPs = 10.20.20.1/32,10.10.0.0/24,10.10.20.0/24
Title: Re: Wireguard Site to Site, Peer sees Lan but Lan can't see Peer
Post by: RSpin on February 12, 2023, 11:26:15 PM
The 10.10.20.0 is a VLAN on the OPNSense machine, which I can connect to from the Pi over the Wireguard connection. 

The 10.20.20.1 & 2 are the Wireguard interface IPs at either end.
Title: Re: Wireguard Site to Site, Peer sees Lan but Lan can't see Peer
Post by: Demusman on February 12, 2023, 11:36:44 PM
Is the Pi the default gateway on its end?

I would do some packet captures to see where the replies are going.
Title: Re: Wireguard Site to Site, Peer sees Lan but Lan can't see Peer
Post by: RSpin on February 14, 2023, 03:58:44 AM
The LAN gateway is on a Verizon Fios Router.  The Pi's only reason to exist is this Wireguard tunnel.  The Pi is plugged directly into the Fios Router, so no wifi etc.  I have an HDHR Prime that is also plugged into the same Router.  That is actually what I want to pass through the tunnel.

Had this working perfectly for a long time, but I got greedy I guess and am upgrading my setup at home to make use of OPNsense.  Had just an Ubuntu server with a Wireguard connection to the Pi.  Now I'm trying to graduate to Proxmox and OPNsense.  Thought this would be the easy part. :-\
Title: Re: Wireguard Site to Site, Peer sees Lan but Lan can't see Peer
Post by: Greelan on February 14, 2023, 11:28:14 AM
Have you done a packet capture on the Pi to see what is happening to the incoming packets? Do you have static routes on your router on the Pi end so that network knows to send packets destined for the network on the other side via the Pi?
Title: Re: Wireguard Site to Site, Peer sees Lan but Lan can't see Peer
Post by: Demusman on February 14, 2023, 12:36:54 PM
Quote from: RSpin on February 14, 2023, 03:58:44 AM
The LAN gateway is on a Verizon Fios Router.  The Pi's only reason to exist is this Wireguard tunnel.  The Pi is plugged directly into the Fios Router, so no wifi etc.  I have an HDHR Prime that is also plugged into the same Router.  That is actually what I want to pass through the tunnel.

Had this working perfectly for a long time, but I got greedy I guess and am upgrading my setup at home to make use of OPNsense.  Had just an Ubuntu server with a Wireguard connection to the Pi.  Now I'm trying to graduate to Proxmox and OPNsense.  Thought this would be the easy part. :-\

What is the gateway set to on the Pi?
Title: Re: Wireguard Site to Site, Peer sees Lan but Lan can't see Peer
Post by: RSpin on February 14, 2023, 10:51:26 PM
Forgive me, I'm not exactly sure what you mean.  I am pretty sure the LAN gateway is on the router and is 192.168.1.1.  The IP of the Pi is 192.168.1.117.   

Thank you by the way for trying to assist.
Title: Re: Wireguard Site to Site, Peer sees Lan but Lan can't see Peer
Post by: RSpin on February 14, 2023, 10:53:45 PM
I will have to do some research on how to do a packet capture.  Never had to do that before.  I'll see what I can figure out.
Title: Re: Wireguard Site to Site, Peer sees Lan but Lan can't see Peer
Post by: RSpin on February 14, 2023, 10:57:27 PM
With regard to the static routes: is there a way to check whether I already have some static routes?  I set up that Ubuntu server like 3 years ago, so I honestly don't remember if I set something up on the Pi then or not.  I most definitely have not set up any static routes in the course of trying to get this setup running.  None of the how-tos or YouTube videos I read mentioned the need to do that.
Title: Re: Wireguard Site to Site, Peer sees Lan but Lan can't see Peer
Post by: Demusman on February 15, 2023, 01:18:34 AM
How did you setup the vpn server on the Pi? PiVPN maybe?
You need to check what the gateway is set to in it. Depending on what you used for the vpn and what OS you're running on the Pi, the commands will be different. So once you determine what was used, figure out what the IP settings on the Pi are. You say the Pi is 192.168.1.117 and the router is .1 so the Pi's gateway should be set to .1.
Verify it is.
Title: Re: Wireguard Site to Site, Peer sees Lan but Lan can't see Peer
Post by: RSpin on February 15, 2023, 02:17:24 AM
pi@raspberrypi:~ $ cat /etc/os-release
PRETTY_NAME="Raspbian GNU/Linux 11 (bullseye)"
NAME="Raspbian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=raspbian
ID_LIKE=debian


I double checked in the add/remove software and I have wireguard installed not pivpn. Not familiar with what that is.

pi@raspberrypi:~ $ netstat -r -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
10.10.0.0       0.0.0.0         255.255.255.0   U         0 0          0 wg0
10.10.20.0      0.0.0.0         255.255.255.0   U         0 0          0 wg0
10.20.20.1      0.0.0.0         255.255.255.255 UH        0 0          0 wg0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 vethec925a4
172.17.0.0      0.0.0.0         255.255.0.0     U         0 0          0 docker0
172.18.0.0      0.0.0.0         255.255.0.0     U         0 0          0 br-a2ee912178f5
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.1.1     0.0.0.0         255.255.255.255 UH        0 0          0 eth0

I hope this is what you are looking for?  Looks like the wireguard tunnel wg0 is using gateway 0.0.0.0.  Should it be 192.168.1.1?  Not sure how I fix that though.
Title: Re: Wireguard Site to Site, Peer sees Lan but Lan can't see Peer
Post by: RSpin on February 15, 2023, 02:22:50 AM
I don't think this is relevant but I am not trying to use this WG connection to allow either Site to use the others internet.  That should be done locally only.  Hope I said that right.
Title: Re: Wireguard Site to Site, Peer sees Lan but Lan can't see Peer
Post by: Greelan on February 15, 2023, 10:32:00 AM
I was referring to routes on your router.
Title: Re: Wireguard Site to Site, Peer sees Lan but Lan can't see Peer
Post by: RSpin on February 16, 2023, 03:26:51 PM
Sorry, I have not set up any static routes on OPNsense or on the router that the Pi is connected to.
Title: Re: Wireguard Site to Site, Peer sees Lan but Lan can't see Peer
Post by: RSpin on February 16, 2023, 11:53:37 PM
Your assistance so far has led me to start reading a little on IP routing, and while I am not entirely sure I understand it all, I think maybe what I need to add to the Pi's wg configuration is the following:

PostUp = iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PreDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

Does that sound right?  What still has me confused is why the PI can see everything on my OPNsense network when I haven't added anything to the OPNsense config.  Does the plugin do all that for me?

Before I try this, I want to be sure that I don't lock myself out of being able to connect to the Pi via SSH and VNC should the tunnel go down.  Will the above somehow result in the Pi only wanting to communicate via the tunnel, given I have included the entire local network in the allowed IPs?  I think I saw some instructions on how to avoid that but not sure it was related to this.  Sorry, but I get nervous when I'm not sure I understand exactly what is going on, and it's a whole thing if I get locked out of the Pi since it is remote.
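Demusman's "is the Pi the default gateway" and Greelan's static-route question both point at the return path, and the asymmetry in the thread follows from the two routing tables: OPNsense is the gateway for 10.10.0.0/24, so hosts there send replies for 192.168.1.x to it and it puts them in the tunnel, whereas the HDHR and everything else on 192.168.1.0/24 send replies for 10.10.0.x to their default gateway, the Fios router at 192.168.1.1, which has no route for that prefix. The script below is an added example, not part of this thread, that walks a reply hop by hop with longest-prefix lookups over three tables: the Pi's table as parsed from the netstat -r -n output posted above (duplicate lines dropped), and constructed tables for the Fios router and the HDHR that only assume what the thread states (hosts default to 192.168.1.1; the Pi is 192.168.1.117). The HDHR address 192.168.1.50, the OPNsense-side host 10.10.0.25 and the router's interface names are assumptions. It shows the reply leaving via the Fios router's WAN with no fix, reaching the tunnel with either a static route on the router (10.10.0.0/24 via 192.168.1.117) or with the MASQUERADE rule proposed in the post above, and that the Pi's own default and LAN routes stay on eth0 either way.

```python
"""Simulate where a reply from a host on the Pi's LAN goes.  Added example, not
from the original post.  The Pi table is the netstat -r -n output from the
thread (duplicates removed); the HDHR and Fios tables are constructed from what
the thread describes.  Addresses other than the Pi's .117 and the router's .1
are assumptions."""
from ipaddress import ip_address, ip_network

PI_NETSTAT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
10.10.0.0       0.0.0.0         255.255.255.0   U         0 0          0 wg0
10.10.20.0      0.0.0.0         255.255.255.0   U         0 0          0 wg0
10.20.20.1      0.0.0.0         255.255.255.255 UH        0 0          0 wg0
172.17.0.0      0.0.0.0         255.255.0.0     U         0 0          0 docker0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
"""
# Constructed: a LAN host (the HDHR) and the Fios router, same netstat layout.
HDHR_NETSTAT = """\
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
"""
FIOS_NETSTAT = """\
0.0.0.0         0.0.0.0         0.0.0.0         U         0 0          0 wan
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 lan
"""
PI_IP, FIOS_IP, HDHR_IP, OPN_HOST = "192.168.1.117", "192.168.1.1", "192.168.1.50", "10.10.0.25"
OWNER = {PI_IP: "pi", FIOS_IP: "fios", HDHR_IP: "hdhr"}  # which node answers to which address


def parse_netstat(text):
    """Parse `netstat -r -n` lines into (network, gateway or None, iface)."""
    table = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or f[0] == "Destination":
            continue                      # banner and header lines
        net = ip_network(f"{f[0]}/{f[2]}", strict=False)
        gw = None if f[1] == "0.0.0.0" else ip_address(f[1])
        table.append((net, gw, f[-1]))
    return table


def lookup(table, dst):
    """Longest-prefix match; returns (gateway, iface) or None if unroutable."""
    dst, best = ip_address(dst), None
    for net, gw, iface in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return None if best is None else (best[1], best[2])


def trace(tables, start, dst):
    """Nodes a packet for `dst` visits, ending in tunnel/internet/delivered/unroutable."""
    path, node = [start], start
    for _ in range(8):
        if OWNER.get(dst) == node:
            return path + ["delivered"]
        hit = lookup(tables[node], dst)
        if hit is None:
            return path + ["unroutable"]
        gw, iface = hit
        if iface == "wg0":
            return path + ["tunnel"]          # WireGuard carries it to OPNsense
        if iface == "wan":
            return path + ["internet"]        # Fios sends it upstream; reply is lost
        node = OWNER.get(str(gw) if gw else dst)
        if node is None:
            return path + ["unroutable"]
        path.append(node)
    return path + ["loop"]


def reply_path(static_route=False, masquerade=False):
    """Path of the HDHR's reply to a request that arrived over the tunnel."""
    tables = {n: parse_netstat(t) for n, t in
              [("pi", PI_NETSTAT), ("hdhr", HDHR_NETSTAT), ("fios", FIOS_NETSTAT)]}
    if static_route:                          # on the Fios router: 10.10.0.0/24 via the Pi
        tables["fios"].append((ip_network("10.10.0.0/24"), ip_address(PI_IP), "lan"))
    # MASQUERADE on the Pi's eth0 rewrote the request's source to the Pi's own
    # address, so the HDHR replies to 192.168.1.117 (on-link) instead of 10.10.0.25.
    path = trace(tables, "hdhr", PI_IP if masquerade else OPN_HOST)
    if masquerade and path[-1] == "delivered":
        path = path[:-1] + trace(tables, "pi", OPN_HOST)[1:]  # conntrack un-NATs, Pi forwards
    return path


def pi_management_unaffected():
    """AllowedIPs has no 0.0.0.0/0, so the Pi's default and LAN routes stay on eth0."""
    pi = parse_netstat(PI_NETSTAT)
    return lookup(pi, "8.8.8.8")[1] == "eth0" and lookup(pi, HDHR_IP)[1] == "eth0"


if __name__ == "__main__":
    print("no fix      :", " -> ".join(reply_path()))
    print("static route:", " -> ".join(reply_path(static_route=True)))
    print("masquerade  :", " -> ".join(reply_path(masquerade=True)))
    print("Pi reachable from LAN and internet via eth0:", pi_management_unaffected())
```

Two caveats a practitioner would add to the PostUp/PreDown lines in the post above. The Pi only forwards at all with net.ipv4.ip_forward set to 1, and the rule as written NATs every packet the Pi forwards out of eth0, not only tunnel traffic; adding `-s 10.10.0.0/24` (and a second rule for 10.10.20.0/24) to the MASQUERADE rule keeps it from covering anything else, such as the Docker bridges visible in the routing table. The lockout worry does not apply to this configuration: wg-quick adds routes only for the prefixes in AllowedIPs, none of which is a /0, so SSH and VNC from the Pi's own LAN keep using eth0 whether or not the tunnel is up. Masquerading does hide the OPNsense-side source addresses from LAN hosts, so if per-host visibility on the 192.168.1.0/24 side matters, the static route on the Fios router is the cleaner fix.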