EDIT: changed title to reflect new solution from WireGuard to Tailscale, see issue from post #7
Hello,
I'm following this https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html document to configure a site-to-site VPN with WireGuard.
My current situation is the following:
[Net A]-[OPNSense A]-[Router A]-(internet)-[Router B]-[OPNSense B]-[Net B]
Router A and B are directly exposed to the internet and have dynDNS configured. I replaced "Endpoint Address" with the two DNS.
In VPN: WireGuard: Status I see interface and peer both green; only the peer has the handshake and a few KB sent and received. That should mean that WireGuard is enabled and the connection established.
Unfortunately, when I try to ping the address of OPNSense B, or any address on Net B, from OPNSense A via Interfaces: Diagnostics: Ping, it fails.
Both routers have port 51820 open and forward traffic to the same port of OPNSense.
Any idea please?
Isn't there a need to define a specific rule/gateway so that all traffic for Net B goes via WireGuard?
In addition, step 3a uses Allowed IPs: 10.2.2.2/32, but step 2b uses 10.2.2.2/24 in Tunnel Address. Can anyone explain why that is?
Kind regards,
dk
Quote from: d82k on April 12, 2025, 07:40:02 PM
> Any idea please?
Can you put the ISP routers in modem mode? At the moment you have net|vpn|nat|nat|vpn|net.
If your ISPs do CGNAT, you could even have net|vpn|nat|nat|nat|nat|vpn|net. You can check for CGNAT by browsing to https://ifconfig.co/ and comparing the address shown with the WAN IP of your router.
Much simpler than configuring a VPN through multiple routers is an overlay network such as Tailscale or Zerotier. Both are available as OPNsense plugins.
Bart...
On the firewall rules there should be a Wireguard entry, have you set any traffic rule there?
/32 refers to allowing traffic only from this IP of the Wireguard range.
Hope this helps
Appreciate the feedback. Unfortunately I was not able to make it work.
I did install Tailscale. This works partially: from the OPNsense I can access any remote IP, but unfortunately from any other machine on the network behind the OPNSense I cannot reach the remote network.
I created an interface for Tailscale, added an any-any rule on the firewall, and even tried configuring a gateway and adding a route for the remote network, but nothing. It's still not working...
Make sure OPNsense is set up as a subnet router:
- advertised routes tab shows your LAN in VPN: Tailscale: Settings on OPNsense
- on the Tailscale admin page, you see a blue 'Subnets' label and in 'Edit route settings...' on the ... menu for your OPNsense node you have approved the subnet
https://youtu.be/XXx7NDgDaRU
Bart...
Thanks for the note Bart. Yes, I activated the subnet router and authorized the subnets on the Tailscale portal.
I also created an interface and enabled it; in "Interfaces: Overview" I see it as active, and in "Routes" I see the two /24 remote networks and the Tailscale IPs as well for the Tailscale interface.
If I SSH into the OPNSense I can ping the remote addresses and access the remote web portals, but not from a client in the LAN network where the OPNSense is my gateway.
Getting a bit crazy...
I think it's time to start tracing. Install Wireshark on a client and capture its and the firewall packets.
I have simplified the environment, hopefully to make it work. Here is the design:
[Lan A .2.0/24 ]---[192.168.2.1 OPNSense_A 192.168.1.2]---|
                                                          |--- 192.168.1.1 ISP router (public_ip) ---
[Lan B .3.0/24 ]---[192.168.3.1 OPNSense_B 192.168.1.3]---|
I have done the following:
- Installed the Tailscale plugin, defined subnets and approved them on the admin console
- Created a new interface OPT1 for Tailscale and enabled it
- Installed the UPnP plugin and enabled it with "Allow PCP/NAT-PMP Port Mapping" checked
- Routes show the correct way, as in the table below
- Both WAN interfaces have "Block private networks" disabled
- Both OPNSense are able to connect to the internet and resolve DNS
- Firewall rules are the standard ones automatically created
Routes
OPNSense_A
ipv4 192.168.3.0/24 link#9 US NaN 1280 tailscale0 OPT1
ipv4 192.168.2.0/24 link#1 U NaN 1500 igc0 LAN
OPNSense_B
ipv4 192.168.2.0/24 link#8 US NaN 1280 tailscale0 OPT1
ipv4 192.168.3.0/24 link#1 U NaN 1500 igc0 LAN
What works:
- from OPNSense_A/B I can ping and reach any device on subnet B/A
- from a device outside of Lan A/B, via the Tailscale client, I can access any device on Lan A/B
What does not work:
- from Lan A/B devices I cannot reach any device on Lan B/A, nor OPNSense_B/A.
I tried adding an any-any firewall rule on OPT1 and setting outbound NAT to hybrid, adding the following rule:
Interface | Source  | Source Port | Destination | Destination Port | NAT Address  | NAT Port | Static Port
OPT1      | LAN net | *           | *           | *                | OPT1 address | *        | NO
Any suggestion or further tests I can perform to troubleshoot this please?
Kind regards.
dk
I have partially solved this with the following:
- Configured Tailscale as above, including advertised subnets
- Added the Tailscale interface and enabled it (OPT1)
- Added two firewall rules on the OPT1 interface accepting in/out any-any traffic
- Set Firewall: NAT: Outbound to Hybrid and added the following rules
OPNSense_A
Interface | Source  | Source Port | Destination    | Destination Port | NAT Address       | NAT Port | Static Port
OPT1      | LAN net | *           | 192.168.3.0/24 | *                | Interface address | *        | YES
OPNSense_B
Interface | Source  | Source Port | Destination    | Destination Port | NAT Address       | NAT Port | Static Port
OPT1      | LAN net | *           | 192.168.2.0/24 | *                | Interface address | *        | YES
I did not activate "Allow PCP/NAT-PMP Port Mapping" nor the "Disable SNAT" option.
So far, from the few tests performed, it looks like it's working properly.
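As an added illustration (not code from the thread or from OPNsense), the script below replays the route tables and the final outbound NAT rules from this thread for a packet leaving a LAN client, so you can see which interface it egresses on and which source address the far Tailscale node will see with and without the NAT rule. The Tailscale node addresses (100.64.0.1/100.64.0.2) are constructed placeholders, as the thread does not list them.

```python
import ipaddress

# Route tables as posted in the thread: (destination, egress device).
# The tailscale0 entries come from the approved subnet-router advertisements.
ROUTES = {
    "OPNSense_A": [("192.168.3.0/24", "tailscale0"), ("192.168.2.0/24", "igc0")],
    "OPNSense_B": [("192.168.2.0/24", "tailscale0"), ("192.168.3.0/24", "igc0")],
}
LAN_NET = {"OPNSense_A": "192.168.2.0/24", "OPNSense_B": "192.168.3.0/24"}
# Constructed placeholders: the thread does not list the Tailscale node addresses,
# so these are arbitrary values from Tailscale's 100.64.0.0/10 range.
OPT1_ADDR = {"OPNSense_A": "100.64.0.1", "OPNSense_B": "100.64.0.2"}
# Outbound NAT rules from the final post: (node, interface, source, destination).
# "Static Port: YES" only affects port rewriting and is not modelled here.
NAT_RULES = [
    ("OPNSense_A", "OPT1", "LAN net", "192.168.3.0/24"),
    ("OPNSense_B", "OPT1", "LAN net", "192.168.2.0/24"),
]
IFACE_NAME = {"tailscale0": "OPT1", "igc0": "LAN"}  # device -> OPNsense interface


def lookup(node, dst):
    """Longest-prefix-match route lookup; returns the egress device or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, dev in ROUTES[node]:
        net = ipaddress.ip_network(net)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def outbound_nat(node, iface, src, dst, rules):
    """First matching rule wins; 'Interface address' rewrites src to the OPT1 address."""
    for rnode, riface, rsrc, rdst in rules:
        if rnode != node or riface != iface:
            continue
        srcnet = LAN_NET[node] if rsrc == "LAN net" else rsrc
        if (ipaddress.ip_address(src) in ipaddress.ip_network(srcnet)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(rdst)):
            return OPT1_ADDR[node]
    return src


def trace(node, src, dst, rules=NAT_RULES):
    """Return (egress interface, source address the far side sees), or None if unroutable."""
    dev = lookup(node, dst)
    if dev is None:
        return None
    iface = IFACE_NAME[dev]
    return iface, outbound_nat(node, iface, src, dst, rules)
```

Calling `trace("OPNSense_A", "192.168.2.10", "192.168.3.20", rules=[])` shows the pre-fix state (the remote node sees the raw LAN address), while the default rules make it appear to come from the OPNsense's own Tailscale address.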