Print Page - Routing Issue on a VPS with OpnSense and WireGuard

Title: Routing Issue on a VPS with OpnSense and WireGuard
Post by: kluk42 on June 16, 2024, 07:34:03 PM

Hi there, I am currently trying to set up a WireGuard server with the following main goals:

bridge two sites (10.0.0.0/8 and 192.168.1.0/24) for local traffic

e.g. a server on Site A with the IP address 10.0.0.70/8 should be able to connect to a server on Site B with the IP address 192.168.1.99/24 and vice versa

For site a and b only the traffic in those two subnets should be routed through the tunnel
access to both sites for mobile devices so that I can communicate with both subnets from my phone

For mobile devices I would also like to route internet traffic through WireGuard

The current plan is to have a server with a public static IP address running OPNSense, WireGuard and AdGuard Home (see attachment)

Both Sites will run a Unifi Cloud Gateway Ultra as their Router/Firewall because it's affordable and supports WireGuard. I already have it set up on Site A, the unit for Site B did not arrive yet.

What I already did:

Rented a fresh server with a static IP address and installed OPNSense 24
Configured WireGuard according to the official Road Warrior Setup
Added a client for my mobile device with AllowedIPs being 0.0.0.0/0, ::/0
Added a client for Site A, because its running on the Cloud Gateway Ultra I manually added rules for 172.21.21.0/24 and 192.168.1.0/24 in the controller to be passed to the vpn connection

What already works:

Mobile devices route all their traffic to the server and can access the internet
Ping from one wireguard client to another (e.g. 172.21.21.3 to 172.21.21.1)
Ping from a local machine in Site A (10.0.0.0/8) to all other WireGuard clients

What doesn't work is to ping anything in the local network of Site A (10.0.0.0/8) with my mobile device.
A ping from 172.21.21.3 to 10.0.0.50 for example will not work.

I skimmed through the logs of the OPNSense firewall and found that the icmp package that is transmitted (and forwarded through the firewall) has the static IP address of the server as its origin.
Maybe thats an issue, maybe thats expected - I don't really know, my knowledge with this kind of setup is very limited, could you maybe help me out ? :)

I very much appreciate your insights :)

Let me know if you need any additional data (e.g. client configs).

OPNsense Forum

English Forums => Virtual private networks => Topic started by: kluk42 on June 16, 2024, 07:34:03 PM