OPNsense Forum

English Forums => Virtual private networks => Topic started by: DrZoidberg on August 04, 2023, 11:33:00 PM

Title: [SOLVED] Wireguard Site2Site not working
Post by: DrZoidberg on August 04, 2023, 11:33:00 PM
Hi there,

I want to connect two home networks via Wireguard with the setup like so:

Site A: 192.168.1.0/24
Site B: 192.168.2.0/24
WG-Tunnel: 10.0.0.0/24

The Wireguard connection itself is working. I can reach the full network of Site A from Site B, I can ping/traceroute from Site A to Site B.

However, I cannot reach any service within Site B from Site A.

If I observe the live firewall log I see the following:

192.168.1.111 goes through the firewall and hits 192.168.2.222
However, the answer comes from 10.0.0.5 and wants to call back to 192.168.1.111 but hits the default deny rule.

The strange part is that I tried almost every rule to open traffic from 10.0.0.0/24 to 192.168.1.0/24. And in general it needs to work, as Site B can reach any device within the network of Site A.

Do you have any clues where I can start looking for a solution?

Thank you so much!

Title: Re: Wireguard Site2Site not working
Post by: Bob.Dig on August 05, 2023, 10:06:54 AM
Quote from: DrZoidberg on August 04, 2023, 11:33:00 PM
The strange part is that I tried almost every rule to open traffic from 10.0.0.0/24 to 192.168.1.0/24. And in general it needs to work, as Site B can reach any device within the network of Site A.

Do you have any clues where I can start looking for a solution?
Show your rules here?
Title: Re: Wireguard Site2Site not working
Post by: DrZoidberg on August 05, 2023, 11:15:53 AM
Here you find the rules for the wg interface and floating rules. I tried one or the other, or both at the same time. No luck.

The strange part is that traffic from Site B is coming in, but only if it originated there or if it is ICMP.
Title: Re: Wireguard Site2Site not working
Post by: Bob.Dig on August 05, 2023, 11:50:50 AM
You're not showing the floating rules, why do you have those anyway? Also it is unclear where we are on those caps. Does your tunnel have its own interface?
Title: Re: Wireguard Site2Site not working
Post by: Maurice on August 05, 2023, 12:32:57 PM
Quote from: DrZoidberg on August 04, 2023, 11:33:00 PM
If I observe the live firewall log I see the following:

192.168.1.111 goes through the firewall and hits 192.168.2.222
However, the answer comes from 10.0.0.5 and wants to call back to 192.168.1.111 but hits the default deny rule.

Firewall log of which site? Which interface is 10.0.0.5? Do you NAT traffic going through the tunnel on either site?
Title: Re: Wireguard Site2Site not working
Post by: DrZoidberg on August 05, 2023, 01:23:05 PM
The snapshot with two rules is floating rules. I actually tried it just because I have no idea how to proceed. Usually, the one rule on the wg device allowing all traffic should be sufficient according to all tutorials. And yes, there is a dedicated wg device assigned.

The firewall log is from the OPNsense side, which also runs the WG server. The client side is a router (Fritzbox) with a wg client.

On the router side (Site B) there are no specific options for NAT, but I would assume, as it is a router, that it does it like it should.

On the OPNsense side I tried with and without outbound NAT, but it doesn't really change anything. Still the incoming traffic on 10.0.0.0/24 is blocked.
Title: Re: Wireguard Site2Site not working
Post by: Maurice on August 05, 2023, 02:12:13 PM
You shouldn't use NAT for this use case at all. If site B performs outbound NAT, firewall states at site A will break. (Site A sends a packet to destination address 192.168.2.222, but the reply has source address 10.0.0.5.)

So make sure NAT is disabled at site B.
Title: Re: Wireguard Site2Site not working
Post by: DrZoidberg on August 05, 2023, 02:34:52 PM
You are right, I just checked it, the router at Site B has NAT always activated and it is not possible to change this.

Now my question: what are the options?

1.) If I use outbound NAT at the OPNsense, should they communicate only in the 10.0.0.0/24 space? e.g. 10.0.0.1 as OPNsense to 10.0.0.5 as Fritzbox. What I see there is: 192.168.1.111 wants to reach 192.168.2.222, then NAT hits and translates it to 10.0.0.1 to 10.0.0.5, but 10.0.0.5 still calls back to 192.168.1.111 - But why? Is there a way to change it?

2.) Any other reasonable option?
Title: Re: Wireguard Site2Site not working
Post by: DrZoidberg on August 05, 2023, 02:52:17 PM
With Outbound NAT it looks like this (192.168.178.x is what I called for simplicity 192.168.1.x):

Why is traffic 10.0.0.5 to 10.0.0.1 blocked? I really don't get it with the rules I have shown that all traffic on the wg interface is allowed in...
Title: Re: Wireguard Site2Site not working
Post by: Maurice on August 05, 2023, 02:56:17 PM
Did you follow AVM's guide for WireGuard S2S?
https://avm.de/service/vpn/wireguard-vpn-zwischen-fritzbox-und-anderem-router-einrichten/

It seems unlikely that they perform NAT for S2S, if correctly set up.
Title: Re: Wireguard Site2Site not working
Post by: Bob.Dig on August 05, 2023, 02:59:50 PM
Quote from: DrZoidberg on August 05, 2023, 02:52:17 PM
(192.168.178.x is what I called for simplicity 192.168.1.x):
Bad idea to begin with...
Title: Re: Wireguard Site2Site not working
Post by: DrZoidberg on August 05, 2023, 03:02:53 PM
Quote from: Maurice on August 05, 2023, 02:56:17 PM
Did you follow AVM's guide for WireGuard S2S?
https://avm.de/service/vpn/wireguard-vpn-zwischen-fritzbox-und-anderem-router-einrichten/

It seems unlikely that they perform NAT for S2S, if correctly set up.

Unfortunately, it seems to do it and AVM thinks that this is right:

https://www.fritzbox-info.com/forum/viewthread.php?thread_id=405
Title: Re: Wireguard Site2Site not working
Post by: DrZoidberg on August 05, 2023, 03:03:37 PM
Quote from: Bob.Dig on August 05, 2023, 02:59:50 PM
Quote from: DrZoidberg on August 05, 2023, 02:52:17 PM
(192.168.178.x is what I called for simplicity 192.168.1.x):
Bad idea to begin with...

What exactly do you mean?
Title: Re: Wireguard Site2Site not working
Post by: Maurice on August 05, 2023, 03:12:03 PM
AVM explicitly says not to use a dedicated transfer network for S2S, but you did (10.0.0.0/24). I'm not sure why they have this restriction, but would suggest doing it their way first and see if that works.

Outbound NAT for bi-directional S2S makes no sense at all.
Title: Re: Wireguard Site2Site not working
Post by: DrZoidberg on August 05, 2023, 03:20:16 PM
Now I understand what they mean. Thanks a lot!

I don't have access to the Fritzbox right now, but will try asap.
Title: Re: Wireguard Site2Site not working
Post by: Maurice on August 05, 2023, 03:31:09 PM
In case my previous post wasn't clear:

At site A (OPNsense), set the tunnel address in the local wg instance to 192.168.2.x/24 (where x must be unused at site B). Set the allowed IPs in the endpoint config to 192.168.2.0/24.

At site B (AVM), do the opposite (192.168.178.x/24 / 192.168.178.0/24).

Good luck.

[edit] The AVM how-to seems to suggest setting the wg interface's tunnel address to the same address and subnet as the local LAN interface. Really weird. So if the above doesn't work, try this. [/edit]
Title: Re: Wireguard Site2Site not working
Post by: DrZoidberg on August 05, 2023, 07:34:41 PM
Thank you so much! AVM is sometimes really handy, but also pretty weird. I will let you know once I have access to the router. Problem is also that every change needs to be confirmed with a physical feedback from the user.

One side question if I may ask: Why isn't it possible to overrule the firewall and let traffic from 10.0.0.5 in? It may be not secure or advisable etc., but why is there no way to force allow it?
Title: Re: Wireguard Site2Site not working
Post by: Maurice on August 05, 2023, 07:42:37 PM
You could allow it by creating stateless firewall rules. A "normal" stateful rule will fail because the address mismatch causes a state violation.

Whether your hosts accept replies from an address other than the address they sent the request to is a different question. In most cases probably not.
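The state violation Maurice describes (request sent to 192.168.2.222, reply arriving from 10.0.0.5) and the difference between a stateful and a stateless pass rule can be made concrete with a small model. The following Python is an added example, not code from this thread, from OPNsense or from pf: it models a default-deny filter on the site A wg interface whose stateful "pass in" rules create state only for a TCP SYN (modelled on pf's default "flags S/SA" behaviour, an assumption of the model), and whose stateless rules ignore state. The host addresses and port numbers are constructed from the ones quoted in the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False   # True for the first packet of a TCP connection
    proto: str = "tcp"


class StatefulFilter:
    """Toy model of a default-deny stateful filter on the site A wg interface.

    Constructed for illustration, not pf or OPNsense code. Stateful pass rules
    create state only for a TCP SYN (assumed, like pf's default "flags S/SA");
    stateless rules pass packets without creating or checking state.
    """

    def __init__(self, stateful_pass_in=(), stateless_pass_in=()):
        self.states = set()
        self.stateful_pass_in = [ip_network(n) for n in stateful_pass_in]
        self.stateless_pass_in = [ip_network(n) for n in stateless_pass_in]
        self.log = []

    def outbound(self, pkt):
        # Request leaving towards the tunnel: remember the tuple so the reply is matched.
        self.states.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        self.log.append(f"pass out {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} (state created)")

    def inbound(self, pkt):
        flow = f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"
        # 1. Reply direction of an existing state: the reply must come FROM the
        #    address the request was sent TO, otherwise the lookup fails.
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.states:
            self.log.append(f"pass in {flow} (state match)")
            return True
        src = ip_address(pkt.src)
        # 2. Stateless rule: TCP flags and the state table are ignored.
        if any(src in net for net in self.stateless_pass_in):
            self.log.append(f"pass in {flow} (stateless rule)")
            return True
        # 3. Stateful "pass in" rule: only a new connection (SYN) matches and creates
        #    state, so a stray SYN-ACK falls through although its network is "allowed".
        if any(src in net for net in self.stateful_pass_in) and (pkt.proto != "tcp" or pkt.syn):
            self.states.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            self.log.append(f"pass in {flow} (new state)")
            return True
        self.log.append(f"block in {flow} (default deny)")
        return False


# Constructed addresses taken from the thread: site A host, site B host, site B tunnel address.
SITE_A_HOST = "192.168.1.111"
SITE_B_HOST = "192.168.2.222"
SITE_B_TUNNEL = "10.0.0.5"
WG_PASS_IN = ("10.0.0.0/24", "192.168.2.0/24")   # "allow everything in on the wg interface"


def host_accepts(request, reply):
    """A connected TCP socket only matches a reply from the peer it connected to."""
    return (reply.src, reply.sport, reply.dst, reply.dport) == (
        request.dst, request.dport, request.src, request.sport)


def a_to_b(site_b_nats, stateless_pass_in=()):
    """Site A host opens TCP/443 to site B; returns (firewall passes reply, host accepts reply, log)."""
    fw = StatefulFilter(WG_PASS_IN, stateless_pass_in)
    request = Packet(SITE_A_HOST, SITE_B_HOST, 40000, 443, syn=True)
    fw.outbound(request)
    reply_src = SITE_B_TUNNEL if site_b_nats else SITE_B_HOST
    reply = Packet(reply_src, SITE_A_HOST, 443, 40000)
    return fw.inbound(reply), host_accepts(request, reply), fw.log


def b_to_a(site_b_nats):
    """Site B opens a connection to site A; this direction works with or without NAT."""
    fw = StatefulFilter(WG_PASS_IN)
    src = SITE_B_TUNNEL if site_b_nats else SITE_B_HOST
    return fw.inbound(Packet(src, SITE_A_HOST, 50000, 22, syn=True))


if __name__ == "__main__":
    cases = [
        ("site B NATs, stateful rule only", a_to_b(True)),
        ("site B NATs, stateless rule for 10.0.0.0/24", a_to_b(True, ("10.0.0.0/24",))),
        ("no NAT, reply from the real site B address", a_to_b(False)),
    ]
    for label, (passed, accepted, log) in cases:
        print(f"{label}: firewall={'pass' if passed else 'block'}, host={'accepts' if accepted else 'drops'}")
        for line in log:
            print("   ", line)
    print("site B -> site A with NAT:", "pass" if b_to_a(True) else "block")
```

The first case reproduces the log lines from the opening post: the request creates a state towards 192.168.2.222, the SYN-ACK from 10.0.0.5 matches neither that state nor the SYN-only pass rule, and lands on the default deny. The second case is the stateless rule Maurice mentions: the firewall lets the packet through, but the host's socket still drops it because it expected 192.168.2.222. Only the third case, with no NAT at site B (which is what the AVM-style addressing achieves), passes both checks, while connections initiated from site B work in every case.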
Title: Re: Wireguard Site2Site not working
Post by: DrZoidberg on August 27, 2023, 09:20:10 PM
Quote from: Maurice on August 05, 2023, 03:31:09 PM
In case my previous post wasn't clear:

At site A (OPNsense), set the tunnel address in the local wg instance to 192.168.2.x/24 (where x must be unused at site B). Set the allowed IPs in the endpoint config to 192.168.2.0/24.

At site B (AVM), do the opposite (192.168.178.x/24 / 192.168.178.0/24).

Good luck.

[edit] The AVM how-to seems to suggest setting the wg interface's tunnel address to the same address and subnet as the local LAN interface. Really weird. So if the above doesn't work, try this. [/edit]

This setup, considering the comment you made about keeping the same interface address, did it. Thank you!