I am trying to set up a site 2 site VPN between 2 locations. The idea is that the LAN of site 1 can be reached via the LAN of site 2 and vice versa. The OPNsense on site 1 is version 25.1 and 25.1.1 on site 2. Both firewalls have direct internet access without NAT. I followed this guide exactly: https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html
I get absolutely nothing routed through the tunnel. I can't ping from one firewall to the other. When I ping from Site 1 to Site 2, I see the traffic coming from the tunnel with tcpdump in the shell on the firewall of site 2, so the VPN tunnel is working.
root@OPNsense:~ # tcpdump -n -i wg0
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wg0, link-type NULL (BSD loopback), snapshot length 262144 bytes
01:21:48.611192 IP 10.0.6.2 > 192.168.15.1: ICMP echo request, id 2664, seq 0, length 64
01:21:49.616304 IP 10.0.6.2 > 192.168.15.1: ICMP echo request, id 2664, seq 1, length 64
01:21:50.616633 IP 10.0.6.2 > 192.168.15.1: ICMP echo request, id 2664, seq 2, length 64
I have no idea what is going on. I use Linux but have little BSD experience.
Thanks in advance for reading this. Any help is greatly appreciated.
Regards,
Patrick
Some more info.
Site 1
LAN: 192.168.12.0/22
Tunnel endpoint: 10.0.6.1/24
output of netstat -rn (related part):
Internet:
Destination        Gateway    Flags   Netif  Expire
10.0.6.0/24        link#10    U       wg0
10.0.6.1           link#5     UHS     lo0
10.0.6.2           link#10    UHS     wg0
192.168.2.0/23     link#10    US      wg0
192.168.12.0/22    link#2     U       igc1
Site 2
LAN: 192.168.2.0/23
Tunnel endpoint: 10.0.6.2/24
output of netstat -rn (related part):
Internet:
Destination        Gateway        Flags   Netif  Expire
default            94.110.192.1   UGS     igb1
10.0.6.0/24        link#7         U       wg0
10.0.6.1           link#7         UHS     wg0
10.0.6.2           link#3         UHS     lo0
192.168.2.0/23     link#1         U       igb0
192.168.12.0/22    link#7         US      wg0
Your ping is not coming from the LAN but from the firewall on the other side itself, it seems. Have you tried from a device on LAN? What do your AllowedIPs settings on both sides look like?
Thanks for your reply!
Allowed IPs on Site 1: 192.168.2.0/23 10.0.6.2/32
Allowed IPs on Site 2: 192.168.12.0/22 10.0.6.1/32
Ping from Site 1 while monitoring wireguard interface on Site 2
First ping: from LAN addr on site 1 to LAN addr on site 2 (nothing coming through)
Second ping: from LAN addr on site 1 to tunnel endpoint on site 2
Site 1 LAN: 192.168.12.0/22
Site 1 Tunnel endpoint: 10.0.6.1/24
12:39:53.206777 IP 192.168.15.51 > 10.0.6.2: ICMP echo request, id 42540, seq 1, length 64
12:39:54.186279 IP 192.168.15.51 > 10.0.6.2: ICMP echo request, id 42540, seq 2, length 64
12:39:55.207374 IP 192.168.15.51 > 10.0.6.2: ICMP echo request, id 42540, seq 3, length 64
12:39:56.232088 IP 192.168.15.51 > 10.0.6.2: ICMP echo request, id 42540, seq 4, length 64
Ping from Site 2 while monitoring wireguard interface on Site 1
First ping: from LAN addr on site 2 to LAN addr on site 1
Second ping: from LAN addr on site 2 to tunnel endpoint on site 1
Site 2 LAN: 192.168.2.0/23
Site 2 Tunnel endpoint: 10.0.6.2/24
root@OPNsense:~ # tcpdump -i wg0
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wg0, link-type NULL (BSD loopback), snapshot length 262144 bytes
12:05:34.021200 IP 192.168.3.79 > 192.168.15.51: ICMP echo request, id 1, seq 5097, length 40
12:05:38.845414 IP 192.168.3.79 > 192.168.15.51: ICMP echo request, id 1, seq 5098, length 40
12:05:43.838024 IP 192.168.3.79 > 192.168.15.51: ICMP echo request, id 1, seq 5100, length 40
12:05:48.840141 IP 192.168.3.79 > 192.168.15.51: ICMP echo request, id 1, seq 5101, length 40
12:06:13.801336 IP 192.168.3.79 > 10.0.6.1: ICMP echo request, id 1, seq 5103, length 40
12:06:18.337397 IP 192.168.3.79 > 10.0.6.1: ICMP echo request, id 1, seq 5105, length 40
12:06:23.330453 IP 192.168.3.79 > 10.0.6.1: ICMP echo request, id 1, seq 5106, length 40
12:06:28.337835 IP 192.168.3.79 > 10.0.6.1: ICMP echo request, id 1, seq 5107, length 40
Firewall rules on the WireGuard interfaces (if assigned) or the group?
I have on both locations:
- A firewall rule (direction in) on the LAN interface that allows traffic from the local LAN net to the remote LAN net.
- A firewall rule (direction in) on the wireguard group interface that allows traffic from the remote LAN net to the local LAN net.
As advised in this tutorial: https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html
Windows systems you are trying to ping? Or anything else which would not answer echo requests from outside of its own local network?
I have to apologize to anyone who read this and/or spent time on it!
The problem was an IPsec tunnel that was still running.
A quick explanation. Site 1 has been running OPNsense for over 8 months. The firewall on site 2 was replaced with OPNsense a few days ago. The site to site VPN on the old firewall was IPsec. I forgot to turn off IPsec on the OPNsense firewall on site 1. Now everything works perfectly.
Again, my apologies for this post.
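As an added example (not part of this thread and not OPNsense code), the following Python script encodes the checks the replies walk through and the one that finally mattered: that each side's peer AllowedIPs covers the remote LAN and the remote tunnel address, that the kernel route for the remote LAN really points at wg0, and that no other tunnel policy (here, the leftover IPsec phase 2) still claims the same remote subnet. The LANs, tunnel addresses, AllowedIPs and netstat -rn lines are the ones Patrick posted; the IPsec policy name "ipsec-old-s2s" and the `other_policies` list are constructed to mirror the cause he reported.

```python
"""Sanity-check a WireGuard site-to-site setup like the one in this thread.

Constructed example, not OPNsense code: each site is described by its LAN,
its tunnel address, the peer's AllowedIPs, the relevant lines of `netstat -rn`
and any other VPN policies (e.g. a leftover IPsec phase 2) still claiming the
remote subnet.
"""
from dataclasses import dataclass, field
from ipaddress import ip_interface, ip_network


@dataclass
class Site:
    name: str
    lan: str                 # local LAN, e.g. "192.168.12.0/22"
    tunnel: str              # local tunnel address, e.g. "10.0.6.1/24"
    allowed_ips: list        # AllowedIPs configured for the remote peer
    routes: str              # relevant lines of `netstat -rn`
    other_policies: list = field(default_factory=list)  # (name, remote subnet)


def parse_routes(text):
    """Return {destination network: interface} from netstat -rn output."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] in ("Internet:", "Destination"):
            continue                      # skip headings and blank lines
        dest, netif = parts[0], parts[3]
        if dest == "default":
            dest = "0.0.0.0/0"
        table[ip_network(dest, strict=False)] = netif
    return table


def check_site(local, remote, wg_if="wg0"):
    """Findings for traffic leaving `local` towards the LAN of `remote`."""
    findings = []
    remote_lan = ip_network(remote.lan)
    remote_tun = ip_interface(remote.tunnel).ip
    allowed = [ip_network(a) for a in local.allowed_ips]

    # 1. AllowedIPs is WireGuard's cryptokey routing table: the remote LAN and
    #    the remote tunnel address must both be covered or packets are dropped.
    if not any(remote_lan.subnet_of(a) for a in allowed):
        findings.append(f"{local.name}: AllowedIPs does not cover {remote_lan}")
    if not any(remote_tun in a for a in allowed):
        findings.append(f"{local.name}: AllowedIPs does not cover {remote_tun}")

    # 2. The kernel route for the remote LAN must point at the WireGuard interface.
    netif = parse_routes(local.routes).get(remote_lan)
    if netif != wg_if:
        findings.append(f"{local.name}: route for {remote_lan} goes via {netif!r}, not {wg_if}")

    # 3. Another tunnel policy for the same subnet (the thread's real cause, a
    #    leftover IPsec phase 2) grabs the traffic before it ever reaches wg0.
    for name, subnet in local.other_policies:
        if ip_network(subnet).overlaps(remote_lan):
            findings.append(f"{local.name}: policy {name!r} for {subnet} overlaps {remote_lan}")
    return findings


# Data from the thread; the IPsec policy entry on Site 1 is constructed.
SITE1 = Site(
    "Site 1", "192.168.12.0/22", "10.0.6.1/24",
    ["192.168.2.0/23", "10.0.6.2/32"],
    """Internet:
    Destination Gateway Flags Netif Expire
    10.0.6.0/24 link#10 U wg0
    10.0.6.1 link#5 UHS lo0
    10.0.6.2 link#10 UHS wg0
    192.168.2.0/23 link#10 US wg0
    192.168.12.0/22 link#2 U igc1""",
    other_policies=[("ipsec-old-s2s", "192.168.2.0/23")],
)
SITE2 = Site(
    "Site 2", "192.168.2.0/23", "10.0.6.2/24",
    ["192.168.12.0/22", "10.0.6.1/32"],
    """Internet:
    Destination Gateway Flags Netif Expire
    default 94.110.192.1 UGS igb1
    10.0.6.0/24 link#7 U wg0
    10.0.6.1 link#7 UHS wg0
    10.0.6.2 link#3 UHS lo0
    192.168.2.0/23 link#1 U igb0
    192.168.12.0/22 link#7 US wg0""",
)


def diagnose():
    """Check both directions; returns (findings for Site 1, findings for Site 2)."""
    return check_site(SITE1, SITE2), check_site(SITE2, SITE1)


if __name__ == "__main__":
    for side in diagnose():
        for finding in side:
            print(finding)
```

Run as-is it reports only the competing IPsec policy on Site 1, which matches the thread's outcome: AllowedIPs and routes were fine on both sides, so tcpdump on wg0 saw the echo requests arrive while the replies were being swallowed by the other tunnel.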