OPNsense Forum

English Forums => General Discussion => Topic started by: bos_fam on September 18, 2025, 03:17:46 PM

Title: Site to Site Wireguard (dynamic ip/VPS) Config Question and Troubleshooting
Post by: bos_fam on September 18, 2025, 03:17:46 PM
Network

    192.168.10.x                    192.168.20.x
    ┌─────────┐                    ┌───────────┐
    │ parents │                    │  sis/bro  │
    └─────────┘                    └───────────┘
            │                              │
            │                              │
            └──────────┐        ┌──────────┘
                       │        │
                    ┌──▼────────▼──┐
                    │     VPS      │ 192.168.100.x
                    └──────┬───────┘
                           ▲
                           ║
                    ┌──────▼──────┐
                    │   Primary   │
                    └─────────────┘
                    192.168.50.x

Disclaimers:
- I'm putting this in General since it feels like a fw issue rather than a VPN specific issue.
- I'm aware of tailscale (and use it), but don't want to add another external service and want to learn something as I roll this out.

I'm trying to set up a way for my parents and siblings to occasionally share pdf documents and family photos. The traffic will be bursty when uploading/downloading/viewing, but relatively low most of the time.
A computer on `192.168.10` should be able to access the pdf server on `192.168.50`; no need to support traffic from `192.168.50` back to the other nodes. In general I only want to support ssh, http/https, and icmp (troubleshooting) traversing the tunnels.

Connection Info:
- none of the ISPs provide static ipv4 addresses, only one has ipv6 (which seems flaky)
- picked up a low-cost VPS to get static ipv4 (and ipv6) address
- no pass-through mode on any of the ISP boxes
- all "internal" fw IPs are `.1`

So Far:
- I've created WG clients and connected to the VPS per various descriptions in the official docs
- the WG status indicates traffic is flowing
- each WG has an associated interface
- MSS clamping is set
- all firewall rules have 'enable logging' selected
- I'm not able to ping the remote wg ip nor the remote fw "inside" ip
- The firewall live view doesn't show block/accept for ping, traceroute, etc

Questions:
- Any big picture comments? (oh, you're just missing <...>)
- With the logging enabled, I'd expected to see firewall rules firing as packets hit the WG interface.
- How do I capture packets on the "other side" of the interfaces to help track down whether packets are even getting out of the 'local' firewall?

I can add the interface and firewall details; left out for now to start at the high level and work down to the details.
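One thing worth checking before digging into pf rules: WireGuard's cryptokey routing decides, per packet, which peer a destination belongs to (outbound) and whether a decrypted packet's inner source address is inside the sending peer's AllowedIPs (inbound). Both decisions happen before the packet ever appears on the wg interface, so a mismatch produces no block or pass line in the live view, which matches the "logging enabled but nothing fires" symptom. The script below is an added illustration, not code from the original post or from OPNsense; it models only that cryptokey routing across the hub-and-spoke layout in the diagram and ignores firewall rules and IP forwarding on the VPS. The subnets come from the diagram; the node names, the `.5` host addresses and the AllowedIPs values are constructed assumptions, and the tunnel addressing is simplified to the VPS's `192.168.100.0/24` net.

```python
"""Trace a packet through a hub-and-spoke WireGuard layout (added example).

Models WireGuard cryptokey routing only:
  * outbound: the peer whose AllowedIPs contain the destination gets the
    packet; if no peer matches, the packet never enters the wg interface;
  * inbound: a decrypted packet is dropped unless its inner source address
    lies inside the sending peer's AllowedIPs.
Neither decision is visible to pf, so nothing is logged when they fail.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Peer:
    name: str          # the remote node this peer entry points at
    allowed_ips: list  # IPv4Network objects from the peer's AllowedIPs field


@dataclass
class Node:
    name: str
    local_nets: list   # subnets that terminate on this node (delivered locally)
    peers: list        # Peer entries configured on this node


def find_peer(node, dst):
    """Longest-prefix match of dst against every peer's AllowedIPs, or None."""
    best = None
    for peer in node.peers:
        for net in peer.allowed_ips:
            if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (peer, net)
    return best[0] if best else None


def trace(nodes, src, dst, start):
    """Walk from node `start` toward dst; return (delivered, per-hop messages)."""
    src, dst = ip_address(src), ip_address(dst)
    log, here, prev = [], nodes[start], None
    for _ in range(len(nodes) + 1):          # bounded walk; no node is visited twice in a sane layout
        if prev is not None:                 # packet just arrived over the tunnel from `prev`
            entry = next((p for p in here.peers if p.name == prev), None)
            if entry is None or not any(src in n for n in entry.allowed_ips):
                log.append(f"{here.name}: dropped inbound from {prev}; "
                           f"source {src} not in that peer's AllowedIPs")
                return False, log
        if any(dst in n for n in here.local_nets):
            log.append(f"{here.name}: {dst} is local, delivered")
            return True, log
        peer = find_peer(here, dst)
        if peer is None:
            log.append(f"{here.name}: no peer AllowedIPs cover {dst}; "
                       "packet never enters the wg interface")
            return False, log
        log.append(f"{here.name}: -> tunnel to {peer.name}")
        prev, here = here.name, nodes[peer.name]
    log.append("routing loop between peers")
    return False, log


def nets(*cidrs):
    return [ip_network(c) for c in cidrs]


def good_topology():
    """Constructed config where every spoke lists the remote LANs it must reach via the VPS."""
    return {
        "parents": Node("parents", nets("192.168.10.0/24"),
                        [Peer("vps", nets("192.168.100.0/24", "192.168.20.0/24", "192.168.50.0/24"))]),
        "sibs":    Node("sibs", nets("192.168.20.0/24"),
                        [Peer("vps", nets("192.168.100.0/24", "192.168.10.0/24", "192.168.50.0/24"))]),
        "vps":     Node("vps", nets("192.168.100.0/24"),
                        [Peer("parents", nets("192.168.10.0/24")),
                         Peer("sibs", nets("192.168.20.0/24")),
                         Peer("primary", nets("192.168.50.0/24"))]),
        "primary": Node("primary", nets("192.168.50.0/24"),
                        [Peer("vps", nets("192.168.100.0/24", "192.168.10.0/24", "192.168.20.0/24"))]),
    }


def spoke_missing_remote_lan():
    """Constructed fault: parents' VPS peer only lists the VPS net (a road-warrior style entry)."""
    t = good_topology()
    t["parents"].peers[0].allowed_ips = nets("192.168.100.0/24")
    return t


def hub_peer_too_narrow_on_primary():
    """Constructed fault: primary accepts only VPS-sourced packets from its VPS peer."""
    t = good_topology()
    t["primary"].peers[0].allowed_ips = nets("192.168.100.0/24")
    return t


if __name__ == "__main__":
    for label, topo in [("good", good_topology()),
                        ("spoke missing LAN", spoke_missing_remote_lan()),
                        ("primary too narrow", hub_peer_too_narrow_on_primary())]:
        ok, hops = trace(topo, "192.168.10.5", "192.168.50.5", "parents")
        print(f"[{label}] delivered={ok}")
        for line in hops:
            print("   ", line)
```

Run it with each node's actual AllowedIPs filled in (VPN > WireGuard > Peers in OPNsense) and trace both directions, since an ICMP reply from `192.168.50` back to `192.168.10` needs the reverse entries. If the trace stops at the first hop, a capture on the wg interface (Interfaces > Diagnostics > Packet Capture, or `tcpdump -ni <wg-interface>` from the shell) will show nothing for that flow, which is the quickest way to confirm the symptom on the box itself.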