OPNsense Forum

English Forums => 25.7 Series => Topic started by: uspunop on September 19, 2025, 12:12:39 PM

Title: VPN Site to Site Debug
Post by: uspunop on September 19, 2025, 12:12:39 PM
I have to connect two separate buildings across a VPN site-to-site with 2 OPNsense 25.7 installed.
Every building has a DSL connection with a public IP address; the OPNsense firewalls are behind the ISP router with an assigned private IP address, and NAT 1:1 (DMZ, exposed host) is activated on the router to the WAN IP address of the firewall.
I've tried IPsec, WireGuard and OpenVPN with no success.
At the moment I'm trying again with WireGuard, following the official guide https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html and this video guide https://www.youtube.com/watch?v=884RX3dKeek, but the peer is always offline.
Can someone help me diagnose it?
The debug log is very poor and I don't see any error in it.

Thank You

Title: Re: VPN Site to Site Debug
Post by: uspunop on September 24, 2025, 04:38:14 PM
After days of testing I've found that the only solution for a site-to-site VPN is pfSense.
With the latest OPNsense, with every combination I've tried, there's nothing to do.

Title: Re: VPN Site to Site Debug
Post by: Patrick M. Hausen on September 24, 2025, 04:42:26 PM
You did not provide any details so it was a bit difficult to help. Probably I skipped your initial post for that reason, instead of asking, sorry. I run site-to-site with OPNsense all the time - IPsec and WireGuard without problems.

Title: Re: VPN Site to Site Debug
Post by: uspunop on September 24, 2025, 05:06:13 PM
Some details:
I've created a test environment with 2 mini PCs with 4 NICs, using exactly all the settings in this example:
https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html
The tunnel has never been online.

Title: Re: VPN Site to Site Debug
Post by: Patrick M. Hausen on September 24, 2025, 05:31:12 PM
How exactly are the WAN sides of these two devices connected?

Title: Re: VPN Site to Site Debug
Post by: uspunop on September 25, 2025, 03:15:39 PM
There is a switch to which they are connected.

Title: Re: VPN Site to Site Debug
Post by: Patrick M. Hausen on September 25, 2025, 03:53:22 PM
So they share the same network as their WAN? OK, do they both have a default gateway in that network so they have an Internet uplink in addition to their local connection?

If yes, you need to check these boxes:

Firewall > Settings > Advanced > Disable reply-to
Firewall > Settings > Advanced > Disable force gateway

The default setup (and the documentation) assumes that the Internet uplink is the uplink only and that the two firewalls in the WG example are in different locations. All communication is forced out the default gateway. If you need communication in a local network on WAN you need to disable that.

HTH,
Patrick
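Before and after toggling those two settings it helps to look at the raw peer state rather than the GUI's online/offline flag. The following script is an added example for this thread, not from the original post or from OPNsense itself: it parses the output of `wg show <iface> dump` (wireguard-tools, also present on OPNsense/FreeBSD) and flags peers that have never completed a handshake, distinguishing "we sent packets but got nothing back" (typical of the asymmetric routing the reply-to / force-gateway settings cause) from "no traffic at all". The 180-second staleness threshold, the key names and the sample dump are constructed assumptions.

```shell
#!/bin/sh
# Classify WireGuard peers from `wg show <iface> dump` read on stdin.
# Dump format (wireguard-tools): line 1 = private-key public-key listen-port fwmark,
# following lines = public-key preshared-key endpoint allowed-ips
#                   latest-handshake(epoch, 0 = never) rx-bytes tx-bytes keepalive.
# Argument 1 = reference epoch time (defaults to now); output = one line per peer:
#   PUBKEY STATUS DETAIL endpoint=HOST:PORT
wg_peer_status() {
    now="${1:-$(date +%s)}"
    awk -v now="$now" '
        NR == 1 { next }                       # skip the interface line
        {
            pub = $1; endpoint = $3; hs = $5; rx = $6; tx = $7
            if (hs == 0) {
                # Bytes leaving but none arriving: the far side never answers,
                # or its reply is routed out the default gateway instead of the
                # local WAN segment. No bytes at all: nothing even tried.
                detail = (tx > 0 && rx == 0) ? "sent-but-no-reply" : "no-traffic"
                status = "NEVER_HANDSHAKED"
            } else if (now - hs > 180) {       # assumed staleness window
                status = "STALE"; detail = "last=" (now - hs) "s"
            } else {
                status = "UP"; detail = "last=" (now - hs) "s"
            }
            printf "%s %s %s endpoint=%s\n", pub, status, detail, endpoint
        }'
}

# Constructed sample dump (placeholder keys, tab-separated like real wg output):
# peer A mirrors the thread's "always offline" case, peer B a healthy tunnel.
SAMPLE_DUMP=$(printf 'PRIVKEY\tIFPUBKEY\t51820\toff
PEER_A_PUB\t(none)\t203.0.113.2:51820\t10.10.10.2/32,192.168.2.0/24\t0\t0\t4488\t25
PEER_B_PUB\t(none)\t203.0.113.3:51820\t10.10.10.3/32\t1758700000\t1200\t1300\t25
')

# Stand-alone run against the sample; on a live box replace the sample with:
#   wg show wg0 dump | wg_peer_status
printf '%s\n' "$SAMPLE_DUMP" | wg_peer_status 1758700100
```

A `sent-but-no-reply` peer on a setup where both WANs sit on the same switch is exactly the symptom to re-check after disabling reply-to and force gateway, since the tunnel's reply packets must be allowed to leave via the shared WAN segment rather than the default gateway.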
Title: Re: VPN Site to Site Debug
Post by: uspunop on October 02, 2025, 08:47:07 AM
Excuse me for the long delay.
Yes, the two WANs are on the same network: Site A 203.0.113.1/24 - Site B 203.0.113.2/24
Later I will try the advanced firewall settings you suggested.
Thank You