OPNsense Forum

English Forums => Virtual private networks => Topic started by: opnfriends on February 08, 2024, 05:50:13 PM

Title: Wireguard S2S between two opns24.1.1 not getting up - out of ideas
Post by: opnfriends on February 08, 2024, 05:50:13 PM
Hi! I'm new here and to OPNsense, but an experienced net-admin. I can't get S2S WireGuard between two OPNsense 24.1.1 instances to come UP, and I've been at it for two days now.

Connecting against the instances of both OPNsenses even works if I "recreate" each of the peer configs on an independent client machine. It just seems that neither of the OPNsenses is trying to initiate a connection to the other:

Using tcpdump I can see no traffic to the respective tunnel endpoints on either OPNsense. Not even the local OPNsense trying to connect to the remote one. It is as if they both just do nothing.

If I connect using an independent client, I can see the UDP traffic to the public-ip:endpoint-port as expected.

Both OPNsenses can reach each other fine using their WAN addresses. I can e.g. log in via SSH from one OPNsense to the other. For troubleshooting purposes, I just allowed all IPv4 traffic between the two bidirectionally. I verified the interface configs with ifconfig.

My setup corresponds to the guide's setup 1:1, no NAT or anything. The WAN interfaces of both OPNsenses are even in the same /24 public network. WAN connectivity between both is verified as described above.

Debug logs on both OPNsenses (after clearing the log and re-enabling WireGuard) only show these 3 entries:

2024-02-08T16:59:28 Notice wireguard wireguard instance ivslej (wg1) started
2024-02-08T16:59:28 Notice wireguard wireguard instance ivslej (wg1) stopped
2024-02-08T16:59:28 Notice wireguard wireguard instance ivslej (wg1) can not reconfigure without stopping it first.
Has anybody seen this behaviour (no WG traffic between two OPNsense endpoints)? Any thoughts on this?

I'm happy to post configuration or command outputs, but currently the configuration just copies the guide with different but analogous network and node addresses. Six eyes checked the addresses and, as mentioned above, the configurations work as expected if I copy'n'paste them into e.g. the Windows WireGuard client.

I don't want to set up routed IPsec here, it's 2024 for God's sake!  ;)

Thanks in advance for your help!
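The three log lines quoted in the post (started, stopped, "can not reconfigure" all in the same second) are the only evidence the poster has, and they are easy to misread by eye when there are several instances. The following Python snippet is an added example, not part of the original post and not OPNsense tooling: it parses OPNsense-style WireGuard log entries, tracks the start/stop state per `wgN` interface and flags any instance whose last event is "stopped" or that reported the reconfigure error. The first three sample lines are the ones from the post; the fourth (instance `hqlink` on `wg0`) is a constructed healthy line added so the report shows both outcomes. The exact message format is assumed to match the lines in the post.

```python
import re
from collections import defaultdict

# Assumed format, taken from the lines in the post:
#   <timestamp> <level> wireguard wireguard instance <name> (<wgN>) <message>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>\S+)\s+wireguard\s+wireguard instance "
    r"(?P<name>\S+)\s+\((?P<iface>wg\d+)\)\s+(?P<msg>.+)$"
)

# Lines 1-3 are quoted from the post; line 4 (hqlink / wg0) is constructed.
SAMPLE_LOG = """\
2024-02-08T16:59:28 Notice wireguard wireguard instance ivslej (wg1) started
2024-02-08T16:59:28 Notice wireguard wireguard instance ivslej (wg1) stopped
2024-02-08T16:59:28 Notice wireguard wireguard instance ivslej (wg1) can not reconfigure without stopping it first.
2024-02-08T17:02:10 Notice wireguard wireguard instance hqlink (wg0) started
"""


def parse_line(line):
    """Return a dict with ts/level/name/iface/msg, or None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(log_text):
    """Replay start/stop events per interface and decide whether each looks healthy.

    An instance is considered healthy only if its most recent lifecycle event is
    'started' and it never logged the 'can not reconfigure' error.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            events[rec["iface"]].append(rec)

    report = {}
    for iface, recs in events.items():
        last_state = None
        reconfigure_error = False
        for rec in recs:
            msg = rec["msg"]
            if msg == "started":
                last_state = "started"
            elif msg == "stopped":
                last_state = "stopped"
            elif msg.startswith("can not reconfigure"):
                reconfigure_error = True
        report[iface] = {
            "name": recs[0]["name"],
            "last_state": last_state,
            "reconfigure_error": reconfigure_error,
            "healthy": last_state == "started" and not reconfigure_error,
        }
    return report


def unhealthy_interfaces(log_text):
    """Names of interfaces that should be investigated, sorted for stable output."""
    return sorted(iface for iface, r in summarize(log_text).items() if not r["healthy"])


if __name__ == "__main__":
    for iface, r in sorted(summarize(SAMPLE_LOG).items()):
        status = "OK" if r["healthy"] else "CHECK"
        print(f"{iface} ({r['name']}): last={r['last_state']} "
              f"reconfigure_error={r['reconfigure_error']} -> {status}")
```

Run against the post's lines, `wg1` ends in the `stopped` state with the reconfigure error set, which is consistent with tcpdump showing no handshake packets leaving that box: an instance that never came back up after the reconfigure has no peer to initiate to. Feeding the real log (for example the output of the WireGuard log view exported to a file) into `summarize()` gives the same per-interface verdict without reading timestamps by hand.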