OPNsense Forum

English Forums => Virtual private networks => Topic started by: SylvainB53 on April 29, 2025, 12:36:58 PM

Title: WireGuard Site-to-Site connectivity issue
Post by: SylvainB53 on April 29, 2025, 12:36:58 PM
Hello everyone,

I'm setting up a site-to-site VPN between two sites using WireGuard on OPNsense.

Here is a diagram of my setup:


                   VPN Site-to-Site (WireGuard)
                   ============================

                             Internet
                                 |
                   -----------------------------
                   |                           |
               [WAN IP]                    [WAN IP]
             198.51.100.1                 203.0.113.1
               (Site A)                    (Site B)
                   |                           |
          -------------------         -------------------
          |   OPNsense A    |         |   OPNsense B    |
          |-----------------|         |-----------------|
          | LAN IP:         |         | LAN IP:         |
          | 192.168.10.253  |         | 192.168.20.253  |
          | WG IP:          |         | WG IP:          |
          | 10.2.2.1        |         | 10.2.2.2        |
          -------------------         -------------------
                   |                           |
          -------------------         -------------------
          | LAN Site A      |         | LAN Site B      |
          | 192.168.10.0/24 |         | 192.168.20.0/24 |
          -------------------         -------------------

Problem:

From OPNsense A, I can successfully ping LAN devices on Site B.

From OPNsense B, I can successfully ping LAN devices on Site A.

But from LAN Site A, I cannot reach devices on LAN Site B, and vice-versa.

Notes:

The WireGuard interfaces are properly assigned and enabled on both sides.

The firewalls have "allow all" rules on LAN and WireGuard interfaces for testing.

Each LAN device uses the local OPNsense router as its gateway (192.168.10.253 and 192.168.20.253).

The OPNsense VMs are hosted on XCP-ng servers at both sites.

Question:

What could be preventing direct LAN-to-LAN communication if the OPNsense boxes themselves can already talk across the tunnel?

Thanks in advance for your help!
Title: Re: WireGuard Site-to-Site connectivity issue
Post by: Patrick M. Hausen on April 29, 2025, 12:53:26 PM
What are the "AllowedIPs" for the respective peer on each side?
Title: Re: WireGuard Site-to-Site connectivity issue
Post by: SylvainB53 on April 29, 2025, 01:07:11 PM
Quote from: Patrick M. Hausen on April 29, 2025, 12:53:26 PM
What are the "AllowedIPs" for the respective peer on each side?

On site A : 10.2.2.2/32 and 192.168.20.0/24
On site B : 10.2.2.1/32 and 192.168.10.0/24
Title: Re: WireGuard Site-to-Site connectivity issue
Post by: Patrick M. Hausen on April 29, 2025, 01:13:44 PM
Looks good. "Disable routes" is not checked?
Title: Re: WireGuard Site-to-Site connectivity issue
Post by: SylvainB53 on April 29, 2025, 01:29:27 PM
Quote from: Patrick M. Hausen on April 29, 2025, 01:13:44 PM
Looks good. "Disable routes" is not checked?

Thanks, I just checked, it's unchecked on both sides.
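Added example, not code from the thread, from OPNsense or from WireGuard: a small checker for the AllowedIPs and "Disable routes" exchange above, using the thread's addresses. WireGuard's cryptokey routing consults AllowedIPs twice. On the way out it hands a packet to the peer whose AllowedIPs contain the destination (no match, no send); on the way in it silently discards any decrypted packet whose source address is not inside the AllowedIPs of the peer it arrived from. Router-to-router pings only exercise the tunnel /32s, so they can succeed while LAN-to-LAN traffic is dropped on one of those two checks. The Site class, the site() helper and the function names are mine, and the second, tunnel-only configuration is constructed to show the checker firing.

```python
"""Check two WireGuard peers' AllowedIPs for site-to-site LAN reachability.

Added example, not code from the thread or from OPNsense.  Addresses follow
the thread's diagram; the Site class and function names are my own.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network


@dataclass
class Site:
    name: str
    lan: IPv4Network                 # the LAN behind this router
    wg_ip: IPv4Network               # this router's tunnel address, as a /32
    peer_allowed: list[IPv4Network]  # AllowedIPs configured here for the remote peer


def covered(net: IPv4Network, allowed: list[IPv4Network]) -> bool:
    """True if every address in net falls inside one AllowedIPs entry."""
    return any(net.subnet_of(a) for a in allowed)


def check_direction(local: Site, remote: Site) -> list[str]:
    """Problems for traffic that originates in local's LAN and is answered from remote's LAN."""
    problems = []
    # Outbound at local: WireGuard only encrypts to a peer whose AllowedIPs hold the destination.
    if not covered(remote.lan, local.peer_allowed):
        problems.append(f"{local.name}: {remote.lan} missing from the peer's AllowedIPs; "
                        f"{local.name} will not send packets for it into the tunnel")
    # Inbound at remote: a decrypted packet is dropped unless its source is in the peer's AllowedIPs.
    if not covered(local.lan, remote.peer_allowed):
        problems.append(f"{remote.name}: {local.lan} missing from the peer's AllowedIPs; "
                        f"{remote.name} discards packets arriving from {local.name}'s LAN")
    # The far end's tunnel address is what router-to-router pings need.
    if not covered(remote.wg_ip, local.peer_allowed):
        problems.append(f"{local.name}: tunnel address {remote.wg_ip} missing; "
                        f"router-to-router tests from {local.name} will fail")
    # AllowedIPs that cover the local LAN (0.0.0.0/0 is the usual case) accept tunnel packets
    # that claim local source addresses, and OPNsense would add a route for that prefix
    # unless "Disable routes" is set.
    if any(local.lan.overlaps(a) for a in local.peer_allowed):
        problems.append(f"{local.name}: the peer's AllowedIPs overlap the local LAN {local.lan}; "
                        f"spoofed local sources would be accepted from the tunnel and a tunnel "
                        f"route would compete with the directly connected one")
    return problems


def check_site_to_site(a: Site, b: Site) -> list[str]:
    return check_direction(a, b) + check_direction(b, a)


def site(name: str, lan: str, wg_ip: str, *allowed: str) -> Site:
    return Site(name, IPv4Network(lan), IPv4Network(wg_ip), [IPv4Network(x) for x in allowed])


# The configuration as posted: both LANs and both tunnel /32s are listed.
SITE_A = site("Site A", "192.168.10.0/24", "10.2.2.1/32", "10.2.2.2/32", "192.168.20.0/24")
SITE_B = site("Site B", "192.168.20.0/24", "10.2.2.2/32", "10.2.2.1/32", "192.168.10.0/24")

# Constructed variant: Site B lists only the remote tunnel address.  Router-to-router
# pings still work; LAN-to-LAN fails in both directions.
SITE_B_TUNNEL_ONLY = site("Site B", "192.168.20.0/24", "10.2.2.2/32", "10.2.2.1/32")

if __name__ == "__main__":
    for label, b in (("as posted", SITE_B), ("tunnel /32 only", SITE_B_TUNNEL_ONLY)):
        problems = check_site_to_site(SITE_A, b)
        print(f"{label}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

AllowedIPs only decides what WireGuard will encrypt and accept. Getting a LAN packet to the wg interface in the first place is the kernel route that OPNsense installs for each AllowedIPs entry unless "Disable routes" is set, which is the second thing checked in the exchange above. A configuration that passes both, as the one posted here does, points past the tunnel, at the firewall rules or the LAN side.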
Title: Re: WireGuard Site-to-Site connectivity issue
Post by: Patrick M. Hausen on April 29, 2025, 01:36:18 PM
Then - no idea why it does not work. Try a packet capture on both ends of the tunnel and the LAN interfaces.

Wild guess: does your allow rule on LAN explicitly set a gateway? It should not.
Title: Re: WireGuard Site-to-Site connectivity issue
Post by: SylvainB53 on April 29, 2025, 01:39:55 PM
Thanks,

No explicit gateway on allow rule. I'll try to debug with a packet capture. I'll be back ;)
Title: Re: WireGuard Site-to-Site connectivity issue
Post by: SylvainB53 on April 29, 2025, 03:09:36 PM
Update after further testing:

I ran a packet capture on Site A (OPNsense), LAN interface, while pinging 192.168.20.250 from a client (192.168.10.80) on the LAN.
Here's a sample from the capture:

192.168.10.80 > 192.168.20.250: ICMP echo request 
192.168.20.250 > 192.168.10.80: ICMP echo reply

This confirms that:

✅ The ICMP request is leaving the client and reaching the remote site
✅ The ICMP reply is coming back through the WireGuard tunnel and reaching OPNsense Site A

Then, I ran a tcpdump directly on the Linux client at 192.168.10.80, and here's the interesting part:

✅ I can see the ICMP echo requests going out

❌ But I do not see the ICMP echo replies arriving

➤ Conclusion:
The echo reply reaches OPNsense but never makes it to the LAN client.

🔍 My other checks:

Let me know if there's anything else you recommend I check at this point — I feel like I'm close! 😅

Thanks again to everyone helping out.
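Added example, not code from the thread or from OPNsense: a way to make the capture comparison in this last post systematic. It reads the text output of `tcpdump -nn -e icmp` from two or more capture points on the client's LAN segment (here OPNsense A's LAN interface and the client itself), pairs each echo reply with its request by ICMP id and sequence number, reports the first point at which a reply goes missing, and compares each reply's destination MAC with the MAC its request came from, which is the check that catches a reply being sent to the wrong host. The frames, the MACs and the stale destination MAC in the sample are constructed to show the check firing; the thread does not say what the actual cause was. Function names are mine.

```python
"""Correlate ICMP echo request/reply pairs across tcpdump captures taken at
several points on the return path and report where the reply stops.

Added example, not code from the thread or from OPNsense.  Input is the text
form of `tcpdump -nn -e icmp` (-e adds the Ethernet addresses).  All frames
below are constructed; IP addresses follow the thread's diagram, MACs are made up.
"""
import re

# One `tcpdump -nn -e` line for an ICMPv4 echo request or reply.  Other traffic
# (ARP, TCP, ...) does not match and is skipped.
LINE = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), "
    r"ethertype IPv4 \(0x0800\), length \d+: "
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse(lines):
    """Return dicts (smac, dmac, src, dst, kind, id, seq) for the lines that match."""
    frames = []
    for line in lines:
        m = LINE.match(line)
        if m:
            f = m.groupdict()
            f["id"], f["seq"] = int(f["id"]), int(f["seq"])
            frames.append(f)
    return frames


def trace(captures):
    """captures: ordered list of (point, lines), from the point nearest the tunnel to
    the point nearest the client, all on the client's L2 segment.

    Returns {'reply_last_seen': {(id, seq): point or None},
             'mac_mismatch': [(point, (id, seq), request_src_mac, reply_dst_mac)]}.
    A reply whose destination MAC is not the MAC its request came from is being
    delivered to the wrong host (a stale or wrong ARP entry looks exactly like this)."""
    reply_last_seen = {}
    mac_mismatch = []
    for point, lines in captures:
        frames = parse(lines)
        req_mac = {(f["id"], f["seq"]): f["smac"] for f in frames if f["kind"] == "request"}
        for key in req_mac:
            reply_last_seen.setdefault(key, None)
        for f in frames:
            if f["kind"] != "reply":
                continue
            key = (f["id"], f["seq"])
            reply_last_seen[key] = point
            if key in req_mac and f["dmac"] != req_mac[key]:
                mac_mismatch.append((point, key, req_mac[key], f["dmac"]))
    return {"reply_last_seen": reply_last_seen, "mac_mismatch": mac_mismatch}


def missing_at(result, points):
    """Per echo, the first capture point (in path order) where the reply was expected
    but absent; None when it reached the last point."""
    out = {}
    for key, last in result["reply_last_seen"].items():
        idx = -1 if last is None else points.index(last)
        out[key] = points[idx + 1] if idx + 1 < len(points) else None
    return out


CLIENT_MAC = "00:16:3e:00:00:80"  # constructed: the Linux client at 192.168.10.80
ROUTER_MAC = "00:16:3e:00:02:53"  # constructed: OPNsense A's LAN interface
STALE_MAC = "00:16:3e:de:ad:01"   # constructed: a MAC no live host on the LAN owns


def _echo(kind, smac, dmac, src, dst, seq, ident=4242):
    return (f"14:02:{seq:02d}.000000 {smac} > {dmac}, ethertype IPv4 (0x0800), length 98: "
            f"{src} > {dst}: ICMP echo {kind}, id {ident}, seq {seq}, length 64")


# Constructed capture on OPNsense A's LAN interface: requests arrive from the client,
# replies go out, but addressed to STALE_MAC instead of the client's MAC.
SAMPLE_A_LAN = (
    [_echo("request", CLIENT_MAC, ROUTER_MAC, "192.168.10.80", "192.168.20.250", s) for s in (1, 2, 3)]
    + [_echo("reply", ROUTER_MAC, STALE_MAC, "192.168.20.250", "192.168.10.80", s) for s in (1, 2, 3)]
    + ["14:02:04.000000 00:16:3e:00:00:80 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: "
       "Request who-has 192.168.10.253 tell 192.168.10.80, length 28"]
)
# Constructed capture on the client: its requests leave, nothing comes back.
SAMPLE_CLIENT = [_echo("request", CLIENT_MAC, ROUTER_MAC, "192.168.10.80", "192.168.20.250", s)
                 for s in (1, 2, 3)]

POINTS = ["OPNsense A LAN", "client"]

if __name__ == "__main__":
    result = trace(list(zip(POINTS, [SAMPLE_A_LAN, SAMPLE_CLIENT])))
    for key, point in sorted(missing_at(result, POINTS).items()):
        where = "reached the client" if point is None else f"missing at {point}"
        print(f"id {key[0]} seq {key[1]}: reply {where}")
    for point, key, expected, actual in result["mac_mismatch"]:
        print(f"  {point}: reply seq {key[1]} sent to {actual}, client MAC is {expected}")
```

Run `tcpdump -nn -e -i <LAN interface> icmp` on OPNsense A and the same on the client during the ping (interface names are placeholders), then feed the two outputs in path order. A reply in the router's LAN capture only shows that the router handed it to that interface, not that it reached the client: with OPNsense running as a VM on XCP-ng, the virtual switch and the guest's own network stack sit between the two capture points. If the replies are addressed to a MAC other than the client's, `arp -an` on OPNsense shows which entry it is using for 192.168.10.80.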