OPNsense Forum

English Forums => Virtual private networks => Topic started by: mauro on April 09, 2024, 01:38:54 PM

Title: Navigate the wireguard subnet
Post by: mauro on April 09, 2024, 01:38:54 PM
Dear all,
I got stuck somewhere with Wireguard and can't get my head around it.

I've installed wireguard and set up an instance which I can reach and connect to. I can ping the WG server with no problem.

At the moment I can't connect to the other machines connected to the same WG instance. If I try to ping the IPs, all packets are lost. Every PC can instead ping the server, and the reverse.

I followed the official OPNsense tutorial but still have no clue about why this is happening.

Does anyone have some leads to follow?

thanks
Title: Re: Navigate the wireguard subnet
Post by: Patrick M. Hausen on April 09, 2024, 01:48:45 PM
For a hub and spoke topology and e.g. a /24 for the tunnel network:

* on the hub/central instance configure e.g. 192.168.100.1/24 as the tunnel address
* on the spokes/clients configure e.g. 192.168.100.2/32, 192.168.100.3/32, etc. as the respective tunnel addresses
* on the hub place e.g. 192.168.100.2/32 in AllowedIPs for the first client, 192.168.100.3/32 for the second, etc.
* on the clients place 192.168.100.0/24 in AllowedIPs

HTH,
Patrick
Title: Re: Navigate the wireguard subnet
Post by: mauro on April 10, 2024, 12:07:30 AM
Thanks, Patrick, for your prompt reply.

I think I have the settings correct, as far as I can connect to the server and ping it with no problem. By all means, I list below briefly my configuration, but unfortunately I don't know where the proper config files are stored.

Server side
Instance setting

Name: wg1
public and private key self generated
Port: 51820
tunnel address: 192.168.2.1/24
Peers: list of peers I allow to connect to this instance


Peer setting (one for all)

name: wg1_peer1
public key: as generated by the client
AllowedIPs: 192.168.2.100/32 (the other peers have different IPs but same subnet)
endpoint address: blank
Endpoint port: blank
Instance: wg1


Local config file (wg1_peer1):

[Interface]
PrivateKey = XXXXXXXX
Address = 192.168.2.100/32


[Peer]
PublicKey = YYYYYYYY
AllowedIPs = 192.168.2.0/24
Endpoint = example.domain:51820


My doubt now is that this issue is a forwarding problem. I also have an openvpn server set up and I can surf the openvpn net, but obviously on different IPs. Is there anything I might need to specify for the wireguard instance?

Regarding firewall rules, there is only one under the wg1 instance, which allows everything from everywhere.

Cheers
Title: Re: Navigate the wireguard subnet
Post by: mauro on April 15, 2024, 01:17:07 PM
Hi there,

still working on it and further help is welcome

After checking around I thought that assigning IPs as X.X.X.X/32 to peers would cause the issue.

I changed all confs but it seems nothing has really changed, so I was possibly wrong.

Thanks for helping
Title: Re: Navigate the wireguard subnet
Post by: chemlud on April 15, 2024, 03:21:45 PM
You only have the tunnel net in the "Allowed IP" section of the config. If you add the remote net(s) you will be able to reach them via WG.
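Added example, not from the thread or from OPNsense: a small model of WireGuard's cryptokey routing that traces a packet from one spoke through the hub, using Patrick's hub-and-spoke layout (tunnel net 192.168.100.0/24, hub .1, spokes as /32) and chemlud's point that a remote net must also appear in the spoke's AllowedIPs. The addresses, peer names and the 10.0.10.0/24 LAN behind the hub are constructed values; the hub is assumed to forward and its firewall to allow the traffic, as in the thread.

```python
import ipaddress

# Constructed hub-and-spoke layout (assumed values, modelled on the thread).
HUB_ADDR = "192.168.100.1/24"
HUB_PEERS = {"spoke2": ["192.168.100.2/32"], "spoke3": ["192.168.100.3/32"]}
SPOKES = {  # name -> (tunnel address, AllowedIPs for the hub peer)
    "spoke2": ("192.168.100.2/32", ["192.168.100.0/24"]),
    "spoke3": ("192.168.100.3/32", ["192.168.100.0/24"]),
}
HUB_LANS = ["10.0.10.0/24"]  # hypothetical "remote net" behind the hub


def select_peer(peers, addr):
    """Cryptokey routing: the peer whose AllowedIPs has the longest prefix
    containing addr; None means WireGuard drops the packet."""
    best, best_len = None, -1
    for name, allowed in peers.items():
        for cidr in allowed:
            net = ipaddress.ip_network(cidr)
            if addr in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best


def trace(src_spoke, dst_ip, spokes=SPOKES, hub_peers=HUB_PEERS):
    """Follow a packet from a spoke through the hub and return the hop list.
    A final hop starting with 'DROP' names the rule that discarded it."""
    src_addr, spoke_allowed = spokes[src_spoke]
    src = ipaddress.ip_interface(src_addr).ip
    dst = ipaddress.ip_address(dst_ip)
    hops = [src_spoke]
    # Outbound on the spoke: dst must fall inside the hub peer's AllowedIPs.
    if select_peer({"hub": spoke_allowed}, dst) is None:
        return hops + ["DROP: dst not in spoke AllowedIPs"]
    # Inbound on the hub: the decrypted source must be in that peer's AllowedIPs.
    if select_peer(hub_peers, src) != src_spoke:
        return hops + ["DROP: hub rejects src not in peer AllowedIPs"]
    hops.append("hub")
    if dst == ipaddress.ip_interface(HUB_ADDR).ip:
        return hops  # the hub itself, which every spoke in the thread can ping
    # Hub routing (forwarding and firewall assumed to allow it): a hub LAN is
    # delivered locally, anything else goes back out the tunnel by AllowedIPs.
    if any(dst in ipaddress.ip_network(n) for n in HUB_LANS):
        return hops + ["hub-lan"]
    nxt = select_peer(hub_peers, dst)
    if nxt is None:
        return hops + ["DROP: no hub peer has dst in AllowedIPs"]
    return hops + [nxt]
```

Spoke-to-spoke traffic only works because the spoke's AllowedIPs covers the whole /24 and the hub has each spoke's /32; reaching a LAN behind the hub additionally needs that LAN in the spoke's AllowedIPs.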