OPNsense Forum

Archive => 21.7 Legacy Series => Topic started by: cclloyd on September 13, 2021, 12:59:43 am

Title: Wireguard no LAN access
Post by: cclloyd on September 13, 2021, 12:59:43 am
Situation: I'm trying to create a site-to-site tunnel with a VM in the cloud.  Currently it can connect to OPNSense's wireguard and traffic can flow freely between OPNSense (10.0.0.1) and the VM (10.0.2.10).  But trying to access any other LAN IP from the VM will timeout, and vice versa.

So trying to ping 10.0.0.20 from the VM fails, and 10.0.0.20 can't ping the VM.

I assume the issue is somewhere with rules, but I can't find out where.  Can someone help me figure out why the VM can't connect to other devices on my LAN?

Attached are the rules I currently have applied.

Some network info:
- 10.0.0.0/16 is the LAN subnet
- 10.0.2.0/24 is the range of addresses I will assign to wireguard clients
- 10.0.0.1/16 is the OPNSense LAN address
- 10.0.2.10/16 is the intended VM address.
- wg_networks is an alias for 10.0.2.0/24
- WG0 is the interface I created for wireguard
- WireGuard interface is the hidden interface that the plugin creates.

Title: Re: Wireguard no LAN access
Post by: Greelan on September 13, 2021, 02:30:34 am
And WG config at both ends?

I must admit though to being a bit bamboozled by the overlapping subnets…

Title: Re: Wireguard no LAN access
Post by: cclloyd on September 13, 2021, 03:03:10 am
Client:
Code:
[Interface]
Address = 10.0.2.10/16
ListenPort = 42001
PrivateKey = redacted


[Peer]
PublicKey = redacted
Endpoint = vpn.example.com:42001
# Route only VPN traffic through the VPN
AllowedIPs = 10.0.0.0/16
# Route ALL traffic through vpn
#AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 21

Server:
Code:
interface: wg0
  public key: redacted
  private key: (hidden)
  listening port: 42001

peer: redacted
  endpoint: PUBLIC:42001
  allowed ips: 10.0.2.10/32
  latest handshake: 1 minute, 45 seconds ago
  transfer: 1.86 KiB received, 2.43 KiB sent
  persistent keepalive: every 21 seconds

Title: Re: Wireguard no LAN access
Post by: Greelan on September 13, 2021, 03:08:24 am
So if I am understanding correctly you have assigned the tunnel a /24 that is within the LAN /16? Trying to figure out how that would work…

Title: Re: Wireguard no LAN access
Post by: cclloyd on September 13, 2021, 03:13:24 am
My whole LAN resides on the same `10.0.0.0/16` subnet currently.  The addresses I want to use for wireguard clients is `10.0.2.0-10.0.2.255`.

Title: Re: Wireguard no LAN access
Post by: Greelan on September 13, 2021, 03:22:06 am
I think you need to distinguish between the IPs of LAN clients that you want to use the VPN, and the IPs assigned to the WG tunnel itself. At the moment it seems you are mixing the two

The only WG peers that exist in your setup are the VM and OPNsense. WG is not running on any LAN client. However you are trying to force normal LAN clients to use the tunnel

That’s my take on the situation at least

Title: Re: Wireguard no LAN access
Post by: cclloyd on September 13, 2021, 03:38:01 am
So then what would I use for the addresses?  The end goal is the VM be accessible from everything on the 10.0.0.0/16 subnet and vice versa.

Title: Re: Wireguard no LAN access
Post by: Greelan on September 13, 2021, 03:49:12 am
Any other RFC1918 range

Have a look at the WG tutorial for selective routing in the OPNsense docs. That’s essentially what you are trying to do, with the addition that you want the remote client to access LAN IPs (so like for the road warrior setup, you need a fw rule on the WG interface on OPNsense to allow the remote tunnel IP to access the LAN IPs)
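The addressing mistake Greelan points at (a tunnel address carved out of the LAN /16, and an AllowedIPs range that covers the tunnel's own address) is easy to catch mechanically before committing a config. The script below is an added example written for this thread; it is not part of the original posts and not OPNsense or WireGuard project code. It parses a wg-quick style config (the client config from the thread, copied as constructed sample text with placeholder keys), flags the two overlaps, and offers a helper that checks whether a candidate tunnel prefix is RFC1918 and disjoint from the LAN. The LAN prefix and the function names are assumptions for the example.

```python
"""Added example: lint a WireGuard client config for tunnel/LAN address overlap."""
import ipaddress

# Constructed sample: the thread's client config with key material replaced by placeholders.
SAMPLE_CLIENT_CONFIG = """\
[Interface]
Address = 10.0.2.10/16
ListenPort = 42001
PrivateKey = PLACEHOLDER_PRIVATE_KEY

[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY
Endpoint = vpn.example.com:42001
# Route only VPN traffic through the tunnel
AllowedIPs = 10.0.0.0/16
PersistentKeepalive = 21
"""

LAN_PREFIX = "10.0.0.0/16"  # assumed LAN, as described in the thread

RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_wg_config(text):
    """Parse a wg-quick style INI into a list of (section_name, {key: [values]}).

    Repeated [Peer] sections stay separate (configparser would merge or reject them).
    '#' comments are dropped; base64 keys keep their trailing '=' because the line is
    split only at the first '='.
    """
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1], {})
            sections.append(current)
            continue
        if current is None:
            raise ValueError("key/value before any section: %r" % raw)
        key, _, value = line.partition("=")
        current[1].setdefault(key.strip(), []).append(value.strip())
    return sections


def _split_list(values):
    """Flatten comma separated WireGuard list values into individual entries."""
    return [v.strip() for value in values for v in value.split(",") if v.strip()]


def lint_tunnel_addressing(config_text, lan_prefix):
    """Return (code, detail) findings where the tunnel address plan collides with the LAN."""
    lan = ipaddress.ip_network(lan_prefix, strict=False)
    sections = parse_wg_config(config_text)
    findings = []

    # First pass: collect every tunnel address assigned in [Interface].
    tunnel_addrs = []
    for name, kv in sections:
        if name == "Interface":
            for entry in _split_list(kv.get("Address", [])):
                iface = ipaddress.ip_interface(entry)
                tunnel_addrs.append(iface)
                if iface.network.overlaps(lan):
                    findings.append(("tunnel-overlaps-lan",
                                     f"{entry} lies within LAN {lan}"))

    # Second pass: a peer's AllowedIPs should not contain this host's own tunnel address.
    for name, kv in sections:
        if name == "Peer":
            for entry in _split_list(kv.get("AllowedIPs", [])):
                allowed = ipaddress.ip_network(entry, strict=False)
                for iface in tunnel_addrs:
                    if iface.ip in allowed:
                        findings.append(("allowedips-covers-own-address",
                                         f"{entry} contains local tunnel address {iface.ip}"))
    return findings


def tunnel_prefix_is_usable(candidate, lan_prefix):
    """True if candidate is an RFC1918 prefix that does not overlap the LAN prefix."""
    cand = ipaddress.ip_network(candidate, strict=False)
    lan = ipaddress.ip_network(lan_prefix, strict=False)
    private = any(cand.subnet_of(block) for block in RFC1918 if cand.version == block.version)
    return private and not cand.overlaps(lan)


if __name__ == "__main__":
    for code, detail in lint_tunnel_addressing(SAMPLE_CLIENT_CONFIG, LAN_PREFIX):
        print(f"{code}: {detail}")
    for cand in ("10.0.2.0/24", "10.10.10.0/24", "203.0.113.0/24"):
        print(cand, "usable" if tunnel_prefix_is_usable(cand, LAN_PREFIX) else "not usable")
```

Run against the sample it reports both problems from the thread; swapping the interface address for one in a separate RFC1918 block (for example 10.10.10.2/24, chosen here as an assumption) clears them, which matches the advice to pick a tunnel range outside the LAN and then allow that range through the WG interface rules.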