OPNsense Forum

English Forums => Virtual private networks => Topic started by: johannes214 on August 11, 2023, 10:57:40 am

Title: Access host in subnet of wireguard peer
Post by: johannes214 on August 11, 2023, 10:57:40 am
Hi,

I've set up a tunnel from an old Raspberry Pi to my OPNsense firewall and want to connect both local subnets through this tunnel. The best solution would be a site-to-site connection between the two routers. Sadly this is not possible because one of the boxes is "managed by the ISP" with very limited customization options.

For an overview of the network topology please see the attachment.

Additional information:
- clientA1 and routerB are connected through a WireGuard tunnel
- routerA is a Fritzbox
- routerB is my opnsense box

I'm able to ping the following hosts:
from clientB1: ping 192.168.2.142; ping 10.10.10.3
from clientA1: ping 192.168.15.1; ping 10.10.10.1; ping 192.168.15.100

My goal is to establish a connection from clientB1 to clientA2 (later on I want to extend this to open a connection in the reversed direction).

For clientA1 I enabled routing:

Quote
sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
and added two rules:

Quote
iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -i wg0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o wg0 -m state --state RELATED,ESTABLISHED -j ACCEPT


Unfortunately this setup is not complete yet. Tracing the route from routerB to routerA ends at 10.10.10.3:

Quote
traceroute to 192.168.2.1 (192.168.2.1), 64 hops max, 40 byte packets
 1  10.10.10.3 (10.10.10.3)  83.402 ms  82.809 ms  57.917 ms
 2  * * *

Could you give me a hint what pieces are missing?

Regards
Johannes



Title: Re: Access host in subnet of wireguard peer
Post by: Maurice on August 11, 2023, 12:09:42 pm
Router A and client A2 don't know that 192.168.15.0/24 and 10.10.10.0/24 are reachable via client A1 (192.168.2.142). You need to create static routes on router A, or if that's not possible (because crappy CPE), directly on client A2.

Cheers
Maurice
Title: Re: Access host in subnet of wireguard peer
Post by: johannes214 on August 11, 2023, 01:12:52 pm
Hi Maurice,

Thanks for your response. OK, I will add these routes on routerA.

But I'm a little bit confused. Shouldn't I already be able to ping routerA from routerB? All necessary routes should be available.

Routes on routerB:
Quote
netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            178.200.132.1      UGS        igc0
10.10.10.0/24      link#10            U           wg1
10.10.10.1         link#10            UHS         lo0
192.168.2.0/24     link#10            US          wg1

Routes on clientA1:
Quote
ip r
default via 192.168.2.1 dev eth0 proto dhcp src 192.168.2.142 metric 202
10.10.10.0/24 dev wg0 proto kernel scope link src 10.10.10.3
192.168.2.0/24 dev eth0 proto dhcp scope link src 192.168.2.142 metric 202
192.168.15.0/24 dev wg0 scope link

Johannes

Title: Re: Access host in subnet of wireguard peer
Post by: Maurice on August 11, 2023, 01:23:43 pm
Quote
But I'm a little bit confused. Shouldn't I already be able to ping routerA from routerB? All neccesary routes should be available.

Router B and client A1 do have all the required routes, but router A doesn't. It doesn't know that 192.168.2.142 is the gateway for 192.168.15.0/24 and 10.10.10.0/24. So the ping (echo request) will reach router A, but it doesn't know that it should send the reply to 192.168.2.142. So the reply doesn't reach router B and the ping fails.
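To make the asymmetry in the two answers above concrete, here is a small path simulation that walks an echo request from clientB1 to routerA (and to clientA2) and then walks the reply back, using longest-prefix-match lookups over the routing tables posted in the thread. It is an added example, not code from the original posts or from OPNsense. The tables for routerB and clientA1 are taken from the posts; clientA2's address (192.168.2.50), routerB's LAN interface name (igc1), the ISP next hop of routerA (203.0.113.0/24 documentation range) and the default routes of the end hosts are assumptions made so the model runs offline.

```python
"""Simulate the thread's topology: forward path works, reply path fails until
routerA (or clientA2) learns static routes via clientA1 (192.168.2.142).

Added example, not from the original posts. Addresses marked ASSUMED are not
in the thread; the rest is reconstructed from the posted routing tables.
"""
import ipaddress
from dataclasses import dataclass

TUNNEL_LINKS = {"wg"}  # links that behave like a point-to-point tunnel


@dataclass
class Host:
    name: str
    ifaces: dict   # iface -> (own address, link name)
    routes: list   # (prefix, next hop or None when on-link, out iface)

    def owns(self, ip):
        return any(addr == ip for addr, _ in self.ifaces.values())

    def on_link(self, link):
        return any(l == link for _, l in self.ifaces.values())

    def lookup(self, dst):
        """Longest-prefix match over the routing table, as the kernel does."""
        best, addr = None, ipaddress.ip_address(dst)
        for prefix, nh, iface in self.routes:
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh, iface)
        return best


def via_client_a1(iface):
    """The two static routes Maurice recommends, pointing at clientA1."""
    return [(p, "192.168.2.142", iface) for p in ("192.168.15.0/24", "10.10.10.0/24")]


def build(static_route_on=None):
    """Hosts of the thread; optionally install the static routes on routerA or clientA2."""
    return {
        # clientB1 address from the thread; its default route is ASSUMED
        "clientB1": Host("clientB1", {"eth0": ("192.168.15.100", "lanB")},
                         [("0.0.0.0/0", "192.168.15.1", "eth0"),
                          ("192.168.15.0/24", None, "eth0")]),
        # routerB (OPNsense): posted netstat -rn plus its LAN route (igc1 ASSUMED); WAN omitted
        "routerB": Host("routerB", {"igc1": ("192.168.15.1", "lanB"), "wg1": ("10.10.10.1", "wg")},
                        [("10.10.10.0/24", None, "wg1"),
                         ("192.168.2.0/24", None, "wg1"),
                         ("192.168.15.0/24", None, "igc1")]),
        # clientA1 (Raspberry Pi): posted ip r
        "clientA1": Host("clientA1", {"eth0": ("192.168.2.142", "lanA"), "wg0": ("10.10.10.3", "wg")},
                         [("0.0.0.0/0", "192.168.2.1", "eth0"),
                          ("10.10.10.0/24", None, "wg0"),
                          ("192.168.2.0/24", None, "eth0"),
                          ("192.168.15.0/24", None, "wg0")]),
        # routerA (Fritzbox): only knows its LAN and a default to the ISP (WAN addresses ASSUMED)
        "routerA": Host("routerA", {"lan": ("192.168.2.1", "lanA"), "wan": ("203.0.113.10", "wanA")},
                        [("0.0.0.0/0", "203.0.113.1", "wan"), ("192.168.2.0/24", None, "lan")]
                        + (via_client_a1("lan") if static_route_on == "routerA" else [])),
        # clientA2: address and default route ASSUMED
        "clientA2": Host("clientA2", {"eth0": ("192.168.2.50", "lanA")},
                         [("0.0.0.0/0", "192.168.2.1", "eth0"), ("192.168.2.0/24", None, "eth0")]
                         + (via_client_a1("eth0") if static_route_on == "clientA2" else [])),
    }


def trace(hosts, src, dst, max_hops=8):
    """Walk a packet from host `src` towards address `dst`: (delivered, path, reason)."""
    cur, path = hosts[src], [src]
    for _ in range(max_hops):
        if cur.owns(dst):
            return True, path, "delivered"
        match = cur.lookup(dst)
        if match is None:
            return False, path, f"{cur.name}: no route to {dst}"
        _, next_hop, iface = match
        link = cur.ifaces[iface][1]
        target = next_hop or dst  # on-link route: the destination itself is resolved on the segment
        peers = [h for h in hosts.values() if h is not cur and h.on_link(link)]
        nxt = next((h for h in peers if h.owns(target)), None)
        if nxt is None and next_hop is None and link in TUNNEL_LINKS and len(peers) == 1:
            nxt = peers[0]  # tunnel: handed to the peer (its AllowedIPs must cover dst)
        if nxt is None:
            return False, path, f"{cur.name}: {target} via {iface} is outside the model (e.g. sent to the ISP)"
        path.append(nxt.name)
        cur = nxt
    return False, path, "hop limit exceeded"


def round_trip(hosts, src, dst_ip):
    """Echo request from `src` to `dst_ip` and the reply back to src's first address.
    Returns (forward path, reply path or None if the reply is lost)."""
    src_ip = next(iter(hosts[src].ifaces.values()))[0]
    fwd_ok, fwd, _ = trace(hosts, src, dst_ip)
    if not fwd_ok:
        return fwd, None
    rev_ok, rev, _ = trace(hosts, fwd[-1], src_ip)
    return fwd, (rev if rev_ok else None)


if __name__ == "__main__":
    for where in (None, "routerA", "clientA2"):
        for target in ("192.168.2.1", "192.168.2.50"):
            print(f"static routes on {where}: clientB1 -> {target}:",
                  round_trip(build(where), "clientB1", target))
```

Without the static routes the request reaches routerA (the traceroute's first hop is 10.10.10.3 because clientA1 is the only hop that answers), but routerA's longest match for 192.168.15.100 is its default route, so the reply leaves towards the ISP and the round trip fails; with the routes on routerA the reply goes routerA, clientA1, routerB, clientB1. Installing the routes on clientA2 alone fixes clientA2's replies but not routerA's. Two practical checks belong with this: the wg1 peer on the OPNsense side must list 192.168.2.0/24 in its AllowedIPs or the tunnel will drop the forwarded packets, and the iptables output above shows `-P FORWARD ACCEPT`, so the two FORWARD rules on clientA1 restrict nothing; once the static routes exist, every host in 192.168.15.0/24 can reach LAN A through the Pi, so filter that traffic on the OPNsense WireGuard interface rules or switch clientA1's FORWARD policy to DROP and keep only the intended rules.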
Title: Re: Access host in subnet of wireguard peer
Post by: johannes214 on August 12, 2023, 03:37:45 pm
Perfect, that did the trick  ;)