Hi,
I am trying to set up a S2S VPN with WireGuard. Unfortunately the documentation (https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html) is a little bit unclear to me.
It states I have to create a "local" entry on site 1. Then it is written:
Quote: "When this VPN is set up on OPNsense only do the same on the second machine and exchange the public keys."
So I have to create a "local" entry on the second side. Makes sense so far, but what is meant by "exchange the public keys"? When I create a local entry it will generate a different public key, but where do I have to put the exchanged public keys? In the endpoint entry?
Later I have to select the created endpoint in the local entry, but isn't this the endpoint from the other site (with a different key)?
I am confused here... :o
Thanks!
/KNEBB
opn1 - create local instance (name eg. wg1-opn1)
opn2 - create local instance (name eg. wg1-opn2)
opn1 - create Endpoint (name eg. wg1-opn2), insert the public key of the local instance on opn2
opn2 - create Endpoint (name eg. wg1-opn1), insert the public key of the local instance on opn1
Don't forget to select the peers in the local instance config and activate WireGuard.
Hi,
it looks like it got somewhat better, indeed.
This is what I am getting on the console:
root@opnsense1:~ # wg show all
interface: wg1
public key: FotG72RR5IJ86plz0VuT8X39tfqSmanyrmGSxgX/5i4=
private key: (hidden)
listening port: 1199
peer: gUs58TDRJYY24esbSfLULUH0SFWASvF6cUWjrdqH7go=
endpoint: 192.168.22.156:1198
allowed ips: 192.168.0.0/16
latest handshake: 4 minutes, 23 seconds ago
transfer: 66.57 KiB received, 88.05 KiB sent
And on the second:
root@opnsense2:~ # wg show all
interface: wg2
public key: gUs58TDRJYY24esbSfLULUH0SFWASvF6cUWjrdqH7go=
private key: (hidden)
listening port: 1198
peer: FotG72RR5IJ86plz0VuT8X39tfqSmanyrmGSxgX/5i4=
endpoint: 192.168.22.157:1199
allowed ips: 192.168.0.0/16
latest handshake: 5 minutes, 40 seconds ago
transfer: 68.39 KiB received, 70.67 KiB sent
So I tend to say the tunnel is up, isn't it?
But I cannot even ping the "other side":
root@opnsense2:~ # ping 10.200.0.1
PING 10.200.0.1 (10.200.0.1): 56 data bytes
ping: sendto: Capabilities insufficient
92 bytes from 127.0.0.1: Destination Host Unreachable
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 0054 ccf7 0 0000 40 01 981f 10.200.0.2 10.200.0.1
So I guess there might be some firewall rules waiting to be implemented, right?
I added two "Allow ALL" rules to the Firewall - WireGuard (Group) on both sides but still no luck.
Any ideas what is wrong here?
Thanks!
/KNEBB
Never mind. I edited the field "Allowed IPs" and it appears to be working somehow.
I still have to work out which IP ranges I have to set there (remote? local?), but at least it appears to be working.
Your Allowed IP range 192.168.0.0/16 includes the Endpoint IPs 192.168.22.156 - 157.
If you do that there can be handshake and traffic problems, because the packets for the handshakes will be pushed through the WireGuard tunnel by the route "192.168.0.0/16 next hop wg".
Make sure the endpoint IPs aren't in the same subnet as the allowed IPs.
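To make the two steps in this thread concrete (the "exchange the public keys" procedure from the reply above, and the AllowedIPs/endpoint overlap explained in this post), here is an added example that is not part of any post or of the OPNsense documentation. It renders both sides of the tunnel in wg-quick syntax, where the OPNsense "Local" entry corresponds to [Interface] and the "Endpoint" entry to [Peer], and then checks whether a peer's transport address falls inside the AllowedIPs that would be routed into the tunnel. The public keys, ports and transport addresses are the ones shown in the `wg show` output earlier in the thread; the private keys are placeholders, and the two LAN prefixes (192.168.10.0/24 and 192.168.20.0/24) are assumptions for illustration.

```python
"""Render a WireGuard site-to-site pair and check AllowedIPs against the
peer's endpoint.  Added example; not OPNsense or WireGuard project code."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    name: str
    public_key: str   # what `wg show` prints as "public key" on this site
    listen_port: int
    endpoint_ip: str  # transport address the other site dials (outside the tunnel)
    tunnel_ip: str    # this site's address inside the tunnel
    lan: str          # network behind this site that the other site should reach


# Keys, ports and transport addresses taken from the `wg show` output in the thread.
# Tunnel addresses follow the ping in the thread (10.200.0.2 -> 10.200.0.1).
# The LAN prefixes are assumptions for this example.
OPN1 = Site("opn1", "FotG72RR5IJ86plz0VuT8X39tfqSmanyrmGSxgX/5i4=",
            1199, "192.168.22.157", "10.200.0.1", "192.168.10.0/24")
OPN2 = Site("opn2", "gUs58TDRJYY24esbSfLULUH0SFWASvF6cUWjrdqH7go=",
            1198, "192.168.22.156", "10.200.0.2", "192.168.20.0/24")


def allowed_ips_for(remote: Site) -> list[str]:
    """What the LOCAL side lists under AllowedIPs for the REMOTE peer:
    the remote tunnel address and the remote LAN, nothing broader.
    A /16 that also covers the transport network would swallow the endpoint."""
    return [f"{remote.tunnel_ip}/32", remote.lan]


def render_config(local: Site, remote: Site, private_key: str) -> str:
    """wg-quick style config for `local`.  [Interface] is this site's own
    key material ("Local" in OPNsense); [Peer] carries the OTHER site's
    public key ("Endpoint" in OPNsense).  That is the key exchange."""
    lines = [
        "[Interface]",
        f"PrivateKey = {private_key}",
        f"Address = {local.tunnel_ip}/24",
        f"ListenPort = {local.listen_port}",
        "",
        f"# peer: {remote.name}",
        "[Peer]",
        f"PublicKey = {remote.public_key}",
        f"Endpoint = {remote.endpoint_ip}:{remote.listen_port}",
        f"AllowedIPs = {', '.join(allowed_ips_for(remote))}",
        "PersistentKeepalive = 25",
    ]
    return "\n".join(lines) + "\n"


def endpoint_inside_allowed_ips(endpoint_ip: str, allowed_ips: list[str]) -> list[str]:
    """Return the AllowedIPs prefixes that contain the peer's endpoint.
    A non-empty result means the kernel route for that prefix points at the
    wg interface, so handshake packets to the endpoint would be sent into
    the very tunnel they are trying to bring up."""
    ep = ipaddress.ip_address(endpoint_ip)
    return [p for p in allowed_ips
            if ep in ipaddress.ip_network(p, strict=False)]


def check_pair(a: Site, b: Site) -> dict[str, list[str]]:
    """Run the overlap check in both directions; empty lists mean no problem."""
    return {
        a.name: endpoint_inside_allowed_ips(b.endpoint_ip, allowed_ips_for(b)),
        b.name: endpoint_inside_allowed_ips(a.endpoint_ip, allowed_ips_for(a)),
    }


if __name__ == "__main__":
    # Placeholder private keys: the real ones never leave the box.
    print(render_config(OPN1, OPN2, "<opn1-private-key>"))
    print(render_config(OPN2, OPN1, "<opn2-private-key>"))
    print("problems with specific AllowedIPs:", check_pair(OPN1, OPN2))
    # The original setting from the thread: the /16 covers the transport net.
    print("problems with 192.168.0.0/16:",
          endpoint_inside_allowed_ips(OPN2.endpoint_ip, ["192.168.0.0/16"]))
```

Running it prints the two configs, an empty problem list for the narrowed AllowedIPs, and `['192.168.0.0/16']` for the original setting, which is exactly the route-into-the-tunnel situation described above.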
Hi,
thanks for the advice. I haven't had time to check again. So am I right that I put the remote network ranges in there?
Thanks!
/KNEBB