OPNsense Forum

English Forums => Virtual private networks => Topic started by: itngo on February 23, 2023, 07:01:06 pm

Title: Wireguard Site2Site only one site public IP.
Post by: itngo on February 23, 2023, 07:01:06 pm
Hi,

While you can have a Client2Server VPN for Site2Site with OpenVPN, this seems not to be possible with WireGuard?

We have a setup and can see that our "designated" client side is sending packets, but those never get answered.

Is this configuration possible: a WireGuard server on OPNsense in the data center, with branch sites connecting that have no real public IP because of carrier-grade NAT or shared IPs?
Title: Re: Wireguard Site2Site only one site public IP.
Post by: nzkiwi68 on March 10, 2023, 05:30:12 am
Yes, I think that would be possible.

On the Data Center side, you would have an endpoint set for each branch:
Branch1 endpoint:
endpoint address: blank/empty
endpoint port: blank/empty
Allowed IPs: (1- tunnel IP address, say 10.10.10.4/32 (unique for each branch) PLUS 2 - the LAN subnet of that branch, e.g. 192.168.88.0/24)

On the branch side:
endpoint address: the IP address of the data center firewall
endpoint port: the port for wireguard, say 51820
Allowed IPs: (1- tunnel IP address, say 10.10.10.254/24 (this is the data center, note the /24) PLUS 2 - the LAN subnet or subnets of the data center, e.g. 192.168.18.0/24)


The branch could only ever initiate the connection to the data center. To make sure that happens, you could enable "keepalive interval" on the branch site and set it to 25.


Create Local listeners in the normal way....
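As an added example (not from this thread and not OPNsense's own code), here is a small Python script that renders wg-quick style configs equivalent to the hub and branch settings described above and checks the two things that most often break this setup: the hub must leave the branch Endpoint empty and keep every peer's AllowedIPs disjoint (WireGuard's cryptokey routing hands each prefix to exactly one peer), and the NAT'd branch must carry the Endpoint plus a PersistentKeepalive. All keys, the hub address 203.0.113.10 and the branch names are made-up placeholders; the branch AllowedIPs use 10.10.10.0/24, the network form of the 10.10.10.254/24 in the post.

```python
"""Hub-and-spoke WireGuard where only the hub (data center) has a public IP.

Added example, not from the forum thread and not OPNsense code. Renders
wg-quick style sections equivalent to the OPNsense fields in the post and
validates the hub/branch asymmetry. Keys, IPs and names are placeholders.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class Hub:
    public_key: str
    private_key: str
    public_ip: str        # data-center WAN address (placeholder 203.0.113.10)
    listen_port: int
    tunnel_net: str       # whole tunnel network, e.g. 10.10.10.0/24
    tunnel_ip: str        # hub's own tunnel address
    lans: List[str]       # LAN subnets behind the hub


@dataclass
class Spoke:
    name: str
    public_key: str
    private_key: str
    tunnel_ip: str        # unique tunnel address per branch
    lans: List[str]       # LAN subnets behind this branch
    keepalive: int = 25   # seconds; keeps the CGNAT mapping open so the hub can reply


def spoke_allowed_ips(spoke: Spoke) -> List[str]:
    """Prefixes the hub must route to this branch: its /32 plus its LANs."""
    return [f"{spoke.tunnel_ip}/32", *spoke.lans]


def check_disjoint(spokes: List[Spoke]) -> None:
    """Reject overlapping AllowedIPs across peers on the hub (cryptokey routing)."""
    seen: List[tuple] = []
    for spoke in spokes:
        for cidr in spoke_allowed_ips(spoke):
            net = ipaddress.ip_network(cidr, strict=False)
            for other_name, other in seen:
                if net.overlaps(other):
                    raise ValueError(f"{spoke.name}: {cidr} overlaps {other} ({other_name})")
            seen.append((spoke.name, net))


def render_hub(hub: Hub, spokes: List[Spoke]) -> str:
    """Hub side: listen port, one [Peer] per branch, no Endpoint for any of them."""
    check_disjoint(spokes)
    prefixlen = ipaddress.ip_network(hub.tunnel_net).prefixlen
    lines = ["[Interface]", f"Address = {hub.tunnel_ip}/{prefixlen}",
             f"ListenPort = {hub.listen_port}", f"PrivateKey = {hub.private_key}"]
    for spoke in spokes:
        lines += ["", f"# {spoke.name}: endpoint left empty, learned from the branch's handshake",
                  "[Peer]", f"PublicKey = {spoke.public_key}",
                  f"AllowedIPs = {', '.join(spoke_allowed_ips(spoke))}"]
    return "\n".join(lines) + "\n"


def render_spoke(hub: Hub, spoke: Spoke) -> str:
    """Branch side: fixed Endpoint to the hub, keepalive, hub tunnel net + hub LANs."""
    if spoke.keepalive <= 0:
        raise ValueError(f"{spoke.name}: a NAT'd branch needs PersistentKeepalive")
    prefixlen = ipaddress.ip_network(hub.tunnel_net).prefixlen
    lines = ["[Interface]", f"Address = {spoke.tunnel_ip}/{prefixlen}",
             f"PrivateKey = {spoke.private_key}", "",
             "[Peer]", f"PublicKey = {hub.public_key}",
             f"Endpoint = {hub.public_ip}:{hub.listen_port}",
             # whole tunnel net (hub and, via it, other branches) plus the hub LANs
             f"AllowedIPs = {', '.join([hub.tunnel_net, *hub.lans])}",
             f"PersistentKeepalive = {spoke.keepalive}"]
    return "\n".join(lines) + "\n"


# Constructed sample topology mirroring the numbers used in the thread.
HUB = Hub(public_key="HUB_PUBLIC_KEY_BASE64", private_key="HUB_PRIVATE_KEY_BASE64",
          public_ip="203.0.113.10", listen_port=51820,
          tunnel_net="10.10.10.0/24", tunnel_ip="10.10.10.254",
          lans=["192.168.18.0/24"])
SPOKES = [
    Spoke("branch1", "BRANCH1_PUBLIC_KEY", "BRANCH1_PRIVATE_KEY",
          tunnel_ip="10.10.10.4", lans=["192.168.88.0/24"]),
    Spoke("branch2", "BRANCH2_PUBLIC_KEY", "BRANCH2_PRIVATE_KEY",
          tunnel_ip="10.10.10.5", lans=["192.168.89.0/24"]),
]

if __name__ == "__main__":
    print("# --- hub (data center) ---")
    print(render_hub(HUB, SPOKES))
    for s in SPOKES:
        print(f"# --- {s.name} ---")
        print(render_spoke(HUB, s))
```

A quick check once both sides are up: `wg show` on the branch should report a `latest handshake`, and on the hub the branch peer's `endpoint` field is filled in with whatever public address and port the carrier NAT assigned, which is exactly why it has to stay empty in the hub's configuration. The hub also needs a WAN firewall rule permitting inbound UDP to its listen port, or the branch's handshakes are dropped before WireGuard ever sees them.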

Title: Re: Wireguard Site2Site only one site public IP.
Post by: itngo on March 22, 2023, 04:43:29 pm
Thank you very much.
We will try that....