Hello all,
Have a curious one and hoping someone can point out to me what I am doing wrong. The S2S connection is up and somewhat working.
Site A (Where I am located)
Local Networks: 192.168.1.0/24, 192.168.2.0/24 (carved up into 5 /27 subnets)
WG IP: 10.0.0.2/24
Endpoint: 10.0.0.1/24
Endpoint AllowedIPs: 10.0.1.1/24, 10.0.10.1/24
Port: 51821
Site B
Local Networks: 10.0.1.0/24, 10.0.10.0/24 (carved up into 3 /26 subnets)
WG IP: 10.0.0.1/24
Endpoint: 10.0.0.2/24
Endpoint AllowedIPs: 192.168.1.0/24, 192.168.2.0/24
Port: 51821
From site B I can ping Site A 192.168.2.99 from the source of Site B 10.0.1.1. This is the OPNsense interface IP. If I try to ping Site A 192.168.2.99 from the source of Site B 10.0.1.7 it fails. This is a PC on the subnet. I checked my routes at Site B and it shows that it knows how to get to the Site A 192.168.1.0/24 and 192.168.2.0/24 networks.
Not sure what I am doing wrong. If I can ping from the OPNsense interface I should be able to ping from a device on the same network.
Help,
Steve
First screenshot: You can only set the source address to an address that is assigned to an OPNsense interface. That's what the error message says.
Also, you might be mixing up addresses inside and outside the tunnel. "Tunnel Address" and "Allowed IPs" are inside, "Endpoint Address" is outside. Your terminology doesn't really match, but if "WG IP" is "Tunnel Address" and "Endpoint" is "Endpoint Address", that won't work (same subnet inside and outside the tunnel).
Cheers
Maurice
That's really disappointing. I thought the diagnostic Ping would allow me to do this from a device on a particular interface subnet.
Attached is the local and endpoint setup from site A and then site B. I do not believe I am mixing things up but what do I know. Site A has a tunnel address of 10.0.0.2 and site B has a tunnel address of 10.0.0.1. From site B I want to be able to get to site A networks of 192.168.1.0/24 and 192.168.2.0/24. From site A I want to be able to get to site B networks of 10.0.1.0/24 and 10.0.10.0/24.
If I have not done it correctly what is wrong?
Looks good, except for the tunnel addresses not being included in the allowed IPs of the endpoint config on the other side. I'd recommend that, shouldn't be the root cause of your issue though.
Did you actually try to ping from 10.0.1.7 itself? There is no way OPNsense could make that device perform the ping test.
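The two checks Maurice raises above (the endpoint must be an outside address, not one in the tunnel subnet, and the peer's tunnel address belongs in Allowed IPs), as an added example that is not part of the thread or of OPNsense: a small Python model of WireGuard's crypto-key routing run against the configuration Steve posted. The outside endpoint addresses 203.0.113.10 and 198.51.100.20 are assumptions (the thread does not give them; they are RFC 5737 documentation ranges), and firewall rules and the PC's own routing are deliberately not modelled.

```python
"""Crypto-key routing check for a WireGuard site-to-site pair.

Added example, not code from the thread or from OPNsense. It models the
two peers described in the thread and applies the two rules WireGuard
enforces with a peer's AllowedIPs:
  - outbound: a packet enters the tunnel only if its destination matches
    a peer's AllowedIPs (longest prefix wins);
  - inbound: a decrypted packet is accepted only if its source matches
    the AllowedIPs of the peer it arrived from.
The outside endpoint addresses (203.0.113.10 / 198.51.100.20) are assumed.
"""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Site:
    name: str
    tunnel_addr: str          # "Tunnel Address": inside the tunnel
    lans: tuple               # local networks behind this site
    peer_endpoint: str        # "Endpoint Address" of the other site: outside
    peer_allowed_ips: tuple   # "Allowed IPs" configured for the single peer

    @property
    def tunnel_net(self):
        return ipaddress.ip_interface(self.tunnel_addr).network

    def allowed_nets(self):
        # wg(8) masks host bits, so 10.0.1.1/24 is really 10.0.1.0/24
        return [ipaddress.ip_network(a, strict=False) for a in self.peer_allowed_ips]

    def matches_allowed(self, addr):
        return any(ipaddress.ip_address(addr) in n for n in self.allowed_nets())


def check_pair(a, b):
    """Findings about the pair; an empty list means AllowedIPs and endpoints are consistent."""
    findings = []
    for local, remote in ((a, b), (b, a)):
        remote_tunnel_ip = ipaddress.ip_interface(remote.tunnel_addr).ip
        if not local.matches_allowed(remote_tunnel_ip):
            findings.append(f"{local.name}: peer tunnel address {remote_tunnel_ip} not in "
                            f"AllowedIPs; add {remote_tunnel_ip}/32")
        endpoint_ip = ipaddress.ip_address(local.peer_endpoint.rsplit(":", 1)[0])
        if endpoint_ip in local.tunnel_net:
            findings.append(f"{local.name}: endpoint {endpoint_ip} is inside the tunnel subnet "
                            f"{local.tunnel_net}; it must be the peer's outside address")
        for lan in remote.lans:
            net = ipaddress.ip_network(lan, strict=False)
            if not any(net.subnet_of(n) for n in local.allowed_nets()):
                findings.append(f"{local.name}: remote LAN {lan} not covered by AllowedIPs")
    return findings


def ping_passes_cryptokey_routing(src_site, src_ip, dst_site, dst_ip):
    """True if an echo request src_ip -> dst_ip and its reply both clear the AllowedIPs
    checks. WireGuard uses one AllowedIPs table per peer for both directions, so the
    request (routed out at src, accepted at dst) and the reply (routed out at dst,
    accepted at src) reduce to two lookups. Firewall rules are not modelled."""
    return src_site.matches_allowed(dst_ip) and dst_site.matches_allowed(src_ip)


def with_peer_tunnel_ip(local, remote):
    """The fix suggested in the thread: add the peer's tunnel address as a /32."""
    ip = ipaddress.ip_interface(remote.tunnel_addr).ip
    return replace(local, peer_allowed_ips=local.peer_allowed_ips + (f"{ip}/32",))


# Configuration as posted in the thread; the outside endpoint addresses are assumed.
SITE_A = Site("Site A", "10.0.0.2/24", ("192.168.1.0/24", "192.168.2.0/24"),
              "198.51.100.20:51821", ("10.0.1.1/24", "10.0.10.1/24"))
SITE_B = Site("Site B", "10.0.0.1/24", ("10.0.1.0/24", "10.0.10.0/24"),
              "203.0.113.10:51821", ("192.168.1.0/24", "192.168.2.0/24"))


if __name__ == "__main__":
    for finding in check_pair(SITE_A, SITE_B):
        print("finding:", finding)
    print("10.0.1.7 -> 192.168.2.99 passes crypto-key routing:",
          ping_passes_cryptokey_routing(SITE_B, "10.0.1.7", SITE_A, "192.168.2.99"))
    fixed_a = with_peer_tunnel_ip(SITE_A, SITE_B)
    fixed_b = with_peer_tunnel_ip(SITE_B, SITE_A)
    print("findings after adding the /32 entries:", check_pair(fixed_a, fixed_b))
```

Run against the posted configuration it reports only the two missing /32 entries, and it says the ping from 10.0.1.7 to 192.168.2.99 is not blocked by AllowedIPs, because 10.0.1.1/24 is masked to 10.0.1.0/24 and so covers the PC. If that also holds on the real boxes, AllowedIPs is not the cause, and the things left to look at are the firewall rules on the WireGuard interface at each site and whether the PC actually sends traffic for 192.168.2.0/24 to the OPNsense box. Swapping in an endpoint such as 10.0.0.1:51821 makes the script flag the inside/outside mix-up Maurice describes.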
I did it from another device...but with all the changes I made I am not sure where I am at this point.
I have added the tunnel IPs to the AllowedIPs list, as a /32 address. I am going to fire up a vm at site B and see what I can figure out.