Virtual private networks / Re: routing wireguard traffic site-to-site behind OPNsense
« on: August 08, 2024, 11:22:28 pm »
Any help would be appreciated!
For the second thing, updating each site’s routing tables, unfortunately you can’t do that via WireGuard config. You could configure each endpoint in both sites individually to route the traffic it generates destined for the other site through the WireGuard host in its own site — but the easiest thing to do is simply update the configuration of an existing gateway in each site to do that routing.
So for Site A, you want to update the gateway for the subnet that subsumes Site B’s subnet (192.168.200.0/24), which usually would be the default gateway for Site A (like if Site A is a small office, it’s probably the Internet router for the office). You want to add a route to this gateway to make it route Site B’s subnet (192.168.200.0/24) via Host α (192.168.1.1) on the Site A (LAN) side of the gateway.
If this gateway is a Linux box, run the ip route command on the gateway to check what (IPv4) routes it currently is using (for IPv6, run ip -6 route). On Site A, the result might look something like this:
$ ip route
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.100
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.128
default via 192.0.2.1 dev eth0
The example above shows the gateway having an IP address of 192.0.2.100 on its eth0 network device, and 192.168.1.128 on its eth1 device. The eth1 device is connected to the Site A subnet, 192.168.1.0/24.
So run the following command on the gateway to (temporarily) add a route to Site B through Host α on the eth1 device:
ip route add 192.168.200.0/24 via 192.168.1.1 dev eth1
Replace the subnet for Site B (192.168.200.0/24) with the actual Site B subnet you’re using, the IP address for Host α (192.168.1.1) with the actual Host α IP address you’re using, and the network device name (eth1) with the actual name of the device through which the gateway is connected to Site A.
Note that adding a route this way just adds it temporarily, until the gateway is restarted or reconfigured — if you test out the WireGuard tunnel and everything works out, you’ll want to make the route change permanent via whatever mechanism you regularly use to configure the gateway (like via networkd or netplan config files, or your own hand-built shell scripts, or some tool with a graphical user interface).
Similarly, check the routes used on Site B’s default gateway with ip route, and then run a command like the following on it to add a route to Site A through Host β:
ip route add 192.168.1.0/24 via 192.168.200.2 dev eth1
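An added example (not from the post above, and not the OPNsense or WireGuard project's own tooling): a small POSIX sh helper that takes the text printed by ip route on a site's gateway, finds the device whose directly connected subnet contains that site's WireGuard host, and builds the matching route command for the remote site's subnet. The sample ip route output is constructed to match the Site A example above.

```shell
#!/bin/sh
# Added example, not from the forum post: given the text "ip route" printed on a
# site's gateway, find the device whose on-link subnet contains the local
# WireGuard host and build the matching "ip route add" for the remote subnet.

# Constructed sample of what "ip route" printed on the Site A gateway.
SAMPLE_ROUTES='192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.100
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.128
default via 192.0.2.1 dev eth0'

# Dotted-quad IPv4 address -> 32-bit integer.
ip_to_int() {
    printf '%s\n' "$1" | { IFS=. read -r a b c d; echo $(( (a<<24)|(b<<16)|(c<<8)|d )); }
}

# True if address $1 lies inside CIDR prefix $2 (e.g. 192.168.1.1 in 192.168.1.0/24).
in_subnet() {
    net=${2%/*}; bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Read "ip route" lines on stdin; print the device of the on-link (scope link)
# prefix that contains next-hop $1. Fails if no directly connected subnet does,
# because a "via" next hop must be reachable without another router in between.
on_link_dev() {
    while read -r dst kw dev rest; do
        case "$dst" in */*) ;; *) continue ;; esac        # skip "default" etc.
        case "$rest" in *"scope link"*) ;; *) continue ;; esac
        if in_subnet "$1" "$dst"; then echo "$dev"; return 0; fi
    done
    return 1
}

# $1 = remote site subnet, $2 = local WireGuard host IP, $3 = "ip route" output.
# Emits "ip route replace" when an entry for $1 already exists, since "add"
# would then fail with "RTNETLINK answers: File exists".
route_add_cmd() {
    dev=$(printf '%s\n' "$3" | on_link_dev "$2") \
        || { echo "no directly connected subnet contains $2" >&2; return 1; }
    verb=add
    printf '%s\n' "$3" | grep -q "^$1 " && verb=replace
    echo "ip route $verb $1 via $2 dev $dev"
}

# Site A gateway: route Site B (192.168.200.0/24) via Host α (192.168.1.1).
route_add_cmd 192.168.200.0/24 192.168.1.1 "$SAMPLE_ROUTES"
```

Feed it the real ip route output (ip route | route_add_cmd-style) and review the printed command before running it; as the post notes, the route added this way is gone after a reboot until you persist it in the gateway's regular configuration.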
Do you have a fully populated reverse zone on your DNS server? Windows clients do a reverse lookup of the DNS server itself.
Try a packet capture on the client to see any failed lookups.
Bart...